Beware fake tax refund notification emails, claiming to come from HMRC

Graham Cluley

There’s a simple truth I’ve found during my years in computer security.

Often, the oldest tricks in the book will work just fine – you don’t need to make an attack sophisticated for it to dupe the unwary.

Here’s an example, a phishing campaign that has been spammed out claiming to come from the UK tax body, the much-beloved Her Majesty’s Revenue & Customs:

Phishing email

Dear Applicant:

After the last annual calculations of your fiscal activity we have determined that you are eligible to recieve a tax refund

A refund can be delayed for a variety of reasons. As example, for submitting invalid records or applying over the deadline.

To submit your tax refund please click here

Please submit a tax refund request and allow us 2-5 days in order to process it

You would like to think that the taxman would know the rule about spelling “recieve” correctly (“i” before “e”, except after “c”) but maybe you wouldn’t notice that error in your excitement about clawing back some cash from HMRC.

And if you were foolish enough to click on the link you would find yourself taken to a convincing-looking website.

Fake HMRC website

Did you notice how they cheekily point you towards their “privacy notice” as they trick you into handing over your email address, name and date of birth?

Of course, you don’t have to be a security greybeard to know that it’s a good idea to check out the web address in the browser’s URL bar, but how many people do?

Close-up of URL

The truth is, as the organisation explains on its real website, HMRC will never inform you about a tax rebate via email:

HMRC will never send notifications of a tax rebate, or ask you to disclose personal or payment information by email. If you have any doubt that an email you receive from HMRC is genuine, please do not follow any links, disclose any personal details or respond to it. Please forward it to HMRC at phishing@hmrc.gsi.gov.uk then delete it.

Take care folks, and don’t let a simple phishing email trick you into handing over your personal information to scammers and fraudsters.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Beware fake tax refund notification emails, claiming to come from HMRC”

  1. There are other little things that people don't see in spam too. The original email has "Sincerely," at the bottom. This is something very common in US-letter writing but virtually unheard of within UK organisations. If you expect an email to be sent from the UK but it has this form instead of "Yours sincerely" or "Yours faithfully", it's almost certainly a fake.

    1. Thanks – now they will update their tactics.

      Surest way to know is to look at the source address of the mail first, if you can.
      Even after all these years, it is still scandalous that mail clients, and especially mobile mail clients can't use 1 line to show the resolved ip address of the source of the message.
      Even a 3 year old would know that anything coming from *.vn, .br, .ua, .ru, .id, .in etc is going to be bad for your health, regardless of how convincing or tempting the content may be.

      Also, the sender won't know your name, and will use Dear valued customer or something else or nothing. Report straight to Spamcop and be done.

      It's also a gross oversight by Message Labs who look after mail for hmrc.gov.uk *still* have no SPF or DKIM records for it to protect against spoofing.
      How irresponsible is that? Government and IT = facepalm.

      So, if you want to deal with them, don't use mail. Only https.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.