Scam hunter scammed by tax office impersonators

The next time you shake your head at another online scam and vow that you’d never fall for it, remember that even the most tech-savvy people can sometimes slip up.

A case in point: Julie-Anne Kearns. This self-made scam-hunter told her story to the Guardian last week, revealing how she had been duped by people pretending to be from His Majesty’s Revenue and Customs (HMRC), which is the UK’s version of the US Internal Revenue Service (IRS).

Kearns had first pursued scam-hunting when spotting an attempt to scam her in 2022. After reporting on it on her TikTok account, she started hearing from plenty of people sharing their own experiences of online scams. Although she worked full time for the UK’s National Health Service, she began helping victims track down online criminals.

As her following grew, more online scammers tried to dupe her. Eventually, one succeeded.

It was a classic refund scam, with the criminals impersonating HMRC and sending Kearns a letter telling her she had a rebate. They asked for extra details to confirm her identity, and because the letter seemed consistent with others from the real HMRC, Kearns complied.

Kearns sent the scammers copies of her passport and driving license. The scammers promptly used those materials to claim Kearns’s rebate, and also sold the information on the dark web. The identity thieves started a business in Kearns’s name and took out loans. This tanked her credit rating and also left her battling a legal claim for non-payment of a £16,000 loan that she never took out.

“I worried about whether to share that I’d been scammed,” Kearns told the Guardian. She decided to tell all, because she hoped it might help others avoid the same fate.

Kearns isn’t the only savvy person in the cybersecurity field to fall victim to scammers. Others who are clued into scams have also been taken in. Cybersecurity researcher Troy Hunt fell victim to a phishing attack in March, after someone pretending to be from his newsletter distribution provider Mailchimp sent a bogus notification about penalties to his account. In the attack, the scammer stole around 16,000 records belonging to his blog subscribers.

“I’m enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list,” Hunt wrote at the time.

Jim Browning, a scam hunter who regularly goes after online criminals halfway around the world, also suffered from a phishing attack in 2021. Criminals pretending to be from YouTube used Google Chat to send an email from the Google domain, convincing him to delete his YouTube channel.

“It wasn’t exactly my finest hour, but it does go to prove that anyone can be scammed if the circumstances are exactly right,” he said after getting his channel reinstated.

These experiences illustrate why victim shaming is such a pointless exercise. If people with experience in scamming sometimes get scammed themselves, then it’s understandable that those with less expertise in online crime also get taken in.

Even those trying to protect themselves will run across situations where they let their guard down, whether it’s phishing, answering seemingly legitimate letters from the tax department, or falling for a romance scam because they’re lonely.

Shame is a powerful weapon. When someone is caught in a scam, fear of speaking out can make things worse. So, if there’s someone you know who has been caught in a scam, have some compassion, and a non-judgmental ear.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.