This week, we’re featuring a guest post from Carrie Morgan at Contemsa about her recent experience with an HMRC scam call.
I consider myself a fairly tech-savvy person: I used to work for a technology company, I used to sell IT security products and my business now is all based online.
Yet, I’m still finding it harder and harder to distinguish between genuine emails or texts, and scams.
Identifying social engineering scams
Social engineering amongst scammers is becoming so sophisticated that more and more people will inevitably fall prey to it. In one year alone, 900,000 people received scam texts, emails or calls claiming to be from HMRC.
Recently, I received a call from HMRC, supposedly from their Debt Recovery Team. On the call, I could hear the usual background noises of a call centre, and the person talking to me sounded exactly like what I’d expect someone calling from HMRC to sound like: professional and knowledgeable. And that’s what scammers are playing on: they align their ‘performance’ to what we as the public are expecting to hear.
The victim of a scam call
We receive quite a few scam calls every week so we’re quite attuned to them, but this call was different. Everything lined up.
My partner took the call initially and was hesitant, but then decided that the call was legitimate when the caller appeared to have a number of pieces of information that lined up. On the face of it, it sounded like HMRC.
But something wasn’t right, so I asked to speak to them instead. I explained to the caller that we’d had quite a few scam calls recently, and that we didn’t want to share any more info so could we call them back.
This was the point that I first thought, ‘this sounds off’. When I asked if we could call them back, the person I was speaking to was very understanding (tick), and said I could go check out the website at hmrc.gov.uk (another tick) – well yes, that’s HMRC’s web address but any scammer could give you the address of an official company or organisation – it still doesn’t help me prove the identity of the person calling.
Then the caller said, ‘You could call us back, but you’ll likely be waiting for over 45 minutes as our lines are very busy.’ Now, I don’t know about you, but HMRC have never been concerned about how long I’ve had to wait on their phone lines.
So, let’s look at the evidence so far.
What made this call sound legitimate?
- The call ‘sounded’ right – the background noise of the office environment.
- The caller himself ‘sounded’ right – the tone, the professionalism, the information he was providing.
- It was around the time that HMRC payments are due. Although we were up to date with everything, we were worried that there had been an issue, and because the call came at the right ‘time’, it passed our mental scam check to some extent.
- The caller was happy for us to go and ‘check the website’ and call them back – which made it sound legitimate as a scammer would surely tell us not to do this? Right – well no.
But what didn’t sound right about the call?
- The caller tried to talk us out of waiting on hold for 45 minutes to get back through to them. HMRC are unlikely to do this.
It was at this point in the call that I queried a few things, and everything went sour.
I asked for more details to verify that this call was, in fact, from HMRC. The caller refused to speak to me as I wasn’t the ‘named’ person on their list. I put him on speakerphone so my partner could speak to him instead, and this was met with the caller saying that they had given us more than enough information to verify their identity, but that because of our unwillingness to cooperate, we were going to be landed with a penalty from HMRC!
These all sounded like big red flags, but a little voice in my head said, ‘What if it really is HMRC?’; ‘What if we are being uncooperative by asking for more information?’
I asked the caller for his name and details so that we could go away and contact HMRC ourselves and follow up. At this point, he hung up on us abruptly. Another big red flag.
Is it really a scam?
So, did we think it was a scam at this point? Well, we did to some extent, but we were still unsure. We were worried that maybe our accountant or one of us had missed something and that we were being difficult by not answering the caller’s questions – it was, after all, a new process that we weren’t familiar with, so all we could do was apply common sense as we had no experience about this particular process.
In the end though, it was a scam. We spoke to our accountants and verified that we had no outstanding HMRC bills.
But, I’ll admit, I was a little shaken up by the experience. We didn’t lose anything, we didn’t give over any sensitive information and no money was exchanged. But I felt stupid. I’d not recognised that this was a scam, just that something felt slightly off.
If the call had been from a foreign number, then I’d have automatically known it couldn’t be HMRC.
If it had sounded like the call was being made from someone’s bedroom with a dog barking in the background, I’d have known it couldn’t be HMRC.
And so on.
But the fact is, lots of things added up. It plays into confirmation bias because many of the existing beliefs I had about what a call from HMRC usually sounds like, fitted with this call.
And this is why it is getting so incredibly hard to distinguish genuine calls from scams.
Protecting vulnerable people from cyber scams
I regularly give my mum pointers about avoiding social engineering calls, because she is the type of person who gets a call saying, “Hi, this is a call regarding your Lloyds bank account,” only to respond with: “No, that’s not right, I bank with Barclays!” And then with just that one sentence, you’ve given them a titbit of data to go away and use on the next call.
So next time, when she gets a call about her Barclays bank account, it will pass her inner gatekeeper and she might be tricked into giving even more identifying info out.
The point of this story is to highlight that even though I consider myself fairly well up on cyber scams and the psychology of social engineering, I was still played to some extent. By entertaining the call in the first place, we inadvertently gave over information that said, ‘Hey, we are people who do get calls from HMRC from time to time’.
My worry is that as email spoofing and social engineering get ever more sophisticated, if I’m not picking up on some fairly obvious-looking scams, then what hope is there for protecting more vulnerable people who don’t know the signs to look out for?
What are organisations doing to protect their customers from scams?
Thankfully, companies and government organisations are now doing more to educate their customers and users about scams, whether that’s by running TV adverts warning customers not to hand over personal details, or by HMRC launching campaigns to educate the public about common scams.
But when one avenue closes and the public becomes more aware of a type of scam, criminals will look for other, more sophisticated ways to target people. So we all need to stay vigilant and double check whether we’re being stringent enough when assessing whether a call is real, or whether we’re letting our confirmation bias lead us in the wrong direction.