I worked on this investigation into a number of mysterious thefts from online HMRC accounts for The Sunday Times.
One hacker told us that he was able to access the HMRC systems and obtain login details for accountants’ online profiles. HMRC have a centre in Northern Ireland devoted to combatting online fraud cases like these.
Full text is available on the Sunday Times website here, or after the fold.
Tax rebates stolen by Revenue and Customs hackers
HMRC has emerged as the most recent target of hackers after fraudsters tap refunds system and divert funds into their own accounts
An investigation by The Sunday Times has revealed that criminals are secretly examining HM Revenue & Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.
Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.
Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.
HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.
Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.
“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.
The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.
One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. A security expert said the claim was credible but HMRC denied its systems had been compromised.
Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.
Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.
She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.
Ralph Hayden, a chartered accountant at GW Cox & Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.
He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.
“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”
On hmrconline.com, a blog about the HMRC, one taxpayer reveals that his accountant was also targeted. The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.
“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.
“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”
Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.
Jason Hart, managing director of Cryptocard, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. It’s an invisible threat because they can get into your system at any time and you don’t even realise.”
A spokesman for HMRC said: “We take the security of our customers’ data extremely seriously and we do not discuss the details of our security defences … We actively monitor repayment transactions and continue to address any fraudulent repayments.”