Dan Qutaishat

View Original

“I fell for the HMRC scam and Lost £460”

Work belongs to Dan Qutaishat, this work can be referenced by using any of the established referencing methods such as Harvard.

I am assuming you fell victim to this scam, know someone who fell victim to it or is just generally interested in the scam - well whatever the case might be, you’re not alone, I fell to the scam myself. Yes, me, the cyber security student was scammed. This though was an extremely stressful event, threw me into social engineering attacks as a victim and showed me the severity of the problem and how advanced the malicious people’s technologies were getting.

To first let you know about my story, when I first moved to the UK in 2020, I was still getting used to the different culture that the UK had. I remember spending hours in my student accomodation studying everyday even at the start of term. One day, I was studying for an exam and all of a sudden I get a call from a number, a quick google of the number and it revealed they were the HMRC - this first trick that the manipulators used is called number spoofing and that means that the attacker made it so that the recipient receives fake details about the attacker’s caller ID hence making it look like the real number. I answered the call as I have never previously heard of the HMRC before and so was genuinely curious about what has happened. They started off the phone call by asking me if my name is Dan and I live in postcode XXXXXXX for example and obviously as I was living there and that was my name I began to believe them more and more. This way of using psychological manipulation though effective, showcased to me another issue that I have encountered and that is that there must have been a data leak. As I was a new international student in the UK, I knew that through all the paperwork and electronic documents that I filled either to apply for residency, apply for university, bank, accomodation, online shopping, any source in which I shared my address must have either experienced a data leak and they haven’t informed me or even sold my data. So far, to recap, a number called me from the HMRC number and knew my personal details.


The attacker on the phone seemed professional, she was reading a script to me, and explained to me how I owe the government taxes and how I can be called to court if I do not pay for them ASAP. I know how it sounds very scammy, but when you are someone who doesn’t really know much about the HMRC e.g. an international student. there is not really a way to tell if they are being legitimate from just a simple google search and that is due to the fact that you need to research and what the attacker does well is stress you out, they tell you about how you can be prosecuted by the law and how you need to quickly pay the money etc. all of which is very stressful and when someone is stressed they usually do not think very well. After the woman explained the legality issues, she then told me I need to transfer money and a stressed person who did not have anyone to talk to about it, I caved, I sent them the money. As soon as the call ended, my brain began functioning again, I called the police and told them what happened and they explained that it is a common scam and people fall for it often and there is no need to worry. I was then asked to contact Action Fraud which is the agency in the UK that you call and tell about a cybercrime occuring. And most importantly, I called my bank.


My bank put me on hold on the fraud line for about 20 minutes, I remember I was crying outside my accommodation because I fell victim to such a crime, by the time I told the bank what had happened, they said they will look into it and let me know if there is anything they can do. They told me, everything will be ok and I will get my money back.


1 month after this event, I get a call from my bank during one of my classes, I excuse myself to respond to it as it was an urgent matter and I remember the bank representative informing me that there is nothing they can do because the money was transferred to the attacker’s account and was taken out and that it was my fault and responsibility and they will not be compensating a single pound. After one month, I was back to square one. Not only was I upset, I was now furious. In 2020 alone, the HMRC reported that they received 915,762 reports of HMRC scams. So many people that get scammed yet banks decide to not compensate any of them? When you google the words bank and fraud what will show up is that money lost by fraud will be compensated by the banks and as the bank’s customer you would assume they would at least compensate some money. I was not going to settle for no compensation especially as though I made a stupid mistake, I believed the bank’s decision was unfair and shifted all the blame on me so to make themselves look not liable. So I contacted the financial ombudsman informing them about how I believe I was unjustly treated by my bank’s ruling and long and behold…


6 MONTHS LATER, I got all my money back. Though it was a stressful 6 months of thinking the ombudsman just forgot about my case, I was ecstatic that my money was returned to me and the ombudsman agreed about how the ruling of the bank was unfair. I have attached a snippet of my email but have blocked out the details about my bank.

The moral of the story is, don’t be disheartened if you have gotten scammed, there are many safeguards created to ensure you will be compensated and in the future, do your research and trust your gut. If you get a whiff of suspicion that the person on the other side of the call does not sound legitimate, end the call. Most agencies/organisations in the UK communicate by sending letters.

Hopefully this blog was useful in informing you about the dangers of social engineering, thank you for reading my anecdote, I appreciate the support. If you have any questions, feedback or inquires, let me know.