We are aware of a new form of VAT fraud which came close to stealing £m from HMRC last week, after fraudsters impersonated a FTSE 100 company. At least two other FTSE companies have been targeted the same way, plus an unknown number of smaller businesses. The fraud is remarkably easy to implement, and immediate action from HMRC is required to close it down.
Over £4bn each year is stolen from the UK by organised criminal gangs manipulating the tax system. We’re not talking about ordinary VAT fraud committed by a normal business or individual (such as failing to disclose income), but something more akin to theft that takes advantage of weaknesses in the tax system.
The criminal gangs who run these schemes appear to have found a new trick.
Last week, the head of tax at a FTSE 100 company had a call from HMRC. HMRC had received a form VAT484 from the company changing its bank details. The company was due a VAT refund next quarter – if HMRC had processed the form, the refund would have gone to the fraudsters. Two other FTSE 100 companies had identical experiences, plus an unknown number of smaller businesses. I missed the first public report on this, two weeks ago from Tony Cochrane at RSM.
This was a very easy fraud. All the details for the VAT484 are publicly available. One dodgy bank account, one Google search to get the company’s details, and filling in the form takes two minutes.
In this case, the size of the target, and the strangeness of receiving a paper form, meant that alarm bells rang at HMRC and the fraud was prevented. But the fraudsters have likely sent out many VAT484s for many companies, and they are presumably more likely to succeed where the target is smaller… particularly if it ordinarily files using paper forms.
This won’t be an issue for the majority of companies, who don’t normally receive VAT refunds. But some businesses are almost always in a refund position, e.g. retailers supplying 0% VAT goods (e.g. a children’s clothing shop), exporters and residential property developers.
I understand HMRC are already tightening up their procedures. There are several obvious steps that could be taken:
- HMRC should not accept VAT484 forms at all from businesses that have an online account – they have a much easier and more secure way to change their details.
- The VAT484 form needs to be made more secure given its significance. At a minimum HMRC should require the company to add its unique tax reference (UTR) number, which isn’t publicly available (although it would not be that difficult to find it).
- Changing bank details should always trigger a verification process: for example, where HMRC receives a paper form, it should write to the business and ask for confirmation.
- HMRC should review its procedures to see if there are other paper forms which could be exploited by fraudsters.
We’d also suggest that businesses regularly check their Government Gateway page to verify that the bank account listed is as expected. Large businesses that have a Customer Compliance Manager should speak to them urgently, and request that any VAT484s or other paper tax forms received by HMRC are rejected.
We will be writing more about VAT fraud soon.
10 responses to “A new VAT fraud targets FTSE 100 companies”
Hi Dan,
Thanks for the amazing work you do here. One question though. I understand this might be a simple fraud to implement as you’ve clearly demonstrated in the report; my puzzle revolves around the end-game of the fraudsters in the execution of such a brazen scheme. Can a company change its bank account to a different one in name? I am not too sure they can actually register a bank account in the very name of the company they’re trying to defraud. For instance, can someone open a bank account in the name of Alphabet Co (parent company of Google)? The more pertinent question to ask is whether HMRC will okay a bank account change in such circumstance?
A policy at HMRC that triggers alarm bells when YZ Co (with bank account in that name) seeks to change their banking details, for purposes of VAT refund, to an unrelated name might be an easier one to implement.
Thanks once more.
Any reason why HMRC don’t require the name on the bank account to match the name of the company? Most UK banks won’t let you make a transfer if you don’t know the account name, and it would require defrauding the receiving bank to impersonate the receiving company too.
Lots of cleaning up to be done by corporates/banks: recently my bank jibbed at paying to SomeName Media Ltd because in their database it shows as SomeName Ltd.
I wondered whether the company had changed its name, and forgot to notify the bank, but Companies House records showed not.
Another useful check for forms like VAT484 would be to require at least some of the old details to be provided. It would be harder for a fraudster to direct money to a new bank account if they had to fill in the details for the old one as well. A bit like typing in your old password to change to a new one.
Except that bank accounts for receipts are often published (and the money in them is swept out each day, so the risk of their being drained inappropriately is small).
What surprises me is how often “One dodgy bank account” is set up. Presumably these fraudsters then disappear and the person who opened the account cannot be found. I assume fraudulent IDs abound – perhaps this is a major contributor to the problem.
In my day, a lot of forms had to be signed by a director and were rejected if not.
But how much security does that really add?
If the director’s signature has ever gone public (e.g. on accounts at Companies House) then it is easy enough to copy.
Had the same thing happen to us. Thankfully HMRC checked before action but I’ve heard it is pretty widespread.
Amazing work again, Dan
It’s sunny in Hunny today
Enjoy
Martin Spittle