Beware fake tax refund notification emails, claiming to come from HMRC

There's a simple truth I've found during my years in computer security.

Often, the oldest tricks in the book will work just fine - you don't need to make an attack sophisticated for it to dupe the unwary.

Here's an example, a phishing campaign that has been spammed out claiming to come from the UK tax body, the much-beloved Her Majesty's Revenue & Customs:

Phishing email

Dear Applicant:

After the last annual calculations of your fiscal activity we have determined that you are eligible to recieve a tax refund

A refund can be delayed for a variety of reasons. As example, for submitting invalid records or applying over the deadline.

To submit your tax refund please click here

Please submit a tax refund request and allow us 2-5 days in order to process it

You would like to think that the taxman would know the rule about spelling "recieve" correctly ("i" before "e", except after "c") but maybe you wouldn't notice that error in your excitement about clawing back some cash from HMRC.

And if you were foolish enough to click on the link you would find yourself taken to a convincing-looking website.

Fake HMRC website

Did you notice how they cheekily point you towards their "privacy notice" as they trick you into handing over your email address, name and date of birth?

Of course, you don't have to be a security greybeard to know that it's a good idea to check out the web address in the browser's URL bar, but how many people do?

Close-up of URL

The truth is, as the organisation explains on its real website, HMRC will never inform you about a tax rebate via email:

HMRC will never send notifications of a tax rebate, or ask you to disclose personal or payment information by email. If you have any doubt that an email you receive from HMRC is genuine, please do not follow any links, disclose any personal details or respond to it. Please forward it to HMRC at phishing@hmrc.gsi.gov.uk then delete it.

Take care folks, and don't let a simple phishing email trick you into handing over your personal information to scammers and fraudsters.
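The checks the post walks through (generic "Dear Applicant" salutation, a rebate offered by email when HMRC never does that, and a link whose real host is not hmrc.gov.uk) can be automated in a mail filter. The following is an added Python example, not code from the original post; the sample message is constructed to mirror the quoted lure, and its sender and link hosts are placeholders rather than the real campaign's infrastructure.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "hmrc.gov.uk"
GENERIC_SALUTATIONS = ("dear applicant", "dear customer", "dear valued customer", "dear user")

# Constructed sample reproducing the lure quoted in the post; the sender and link
# hosts are placeholders, not the real campaign's infrastructure.
SAMPLE = """\
From: HMRC Refunds <refund@mail.example.invalid>
To: victim@example.org
Subject: Tax Refund Notification
Content-Type: text/html; charset=utf-8

<p>Dear Applicant:</p>
<p>After the last annual calculations of your fiscal activity we have determined
that you are eligible to recieve a tax refund</p>
<p>To submit your tax refund please
<a href="http://hmrc.gov.uk.refund-portal.example.invalid/login">click here</a></p>
"""


def is_hmrc_host(host):
    """True only for hmrc.gov.uk itself or a subdomain of it, never for 'hmrc.gov.uk.evil.example'."""
    host = (host or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def link_hosts(html):
    """Hostnames of every href in the HTML body; urlparse discards any 'user@' prefix trick."""
    return [urlparse(url).hostname or "" for url in re.findall(r'href="([^"]+)"', html, re.I)]


def hmrc_phish_indicators(raw_message):
    """Return the list of indicators from the post that the message triggers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)           # strip tags
    text = re.sub(r"\s+", " ", text).strip().lower()
    hits = []
    if text.startswith(GENERIC_SALUTATIONS):
        hits.append("generic salutation")
    if re.search(r"tax (refund|rebate)", text):
        hits.append("rebate notification by email (HMRC never sends these)")
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    if "hmrc" in msg["From"].lower() and not is_hmrc_host(sender_domain):
        hits.append("claims HMRC but sender domain is not hmrc.gov.uk")
    if any(not is_hmrc_host(h) for h in link_hosts(body)):
        hits.append("link points outside hmrc.gov.uk")
    return hits
```

Run on SAMPLE this returns all four indicators; the host check is deliberately a suffix match on ".hmrc.gov.uk" so that lookalikes such as "fakehmrc.gov.uk" or "hmrc.gov.uk.something.example" fail it.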


2 Responses

  1. Paul Golder

    June 9, 2014 at 10:41 am #

    There are other little things that people don't see in spam too. The original email has "Sincerely," at the bottom. This is something very common in US-letter writing but virtually unheard of within UK organisations. If you expect an email to be sent from the UK but it has this form instead of "Yours sincerely" or "Yours faithfully", it's almost certainly a fake.

    • Andy Lee Robinson in reply to Paul Golder.

      June 11, 2014 at 4:39 pm #

      Thanks – now they will update their tactics.

      Surest way to know is to look at the source address of the mail first, if you can.
      Even after all these years, it is still scandalous that mail clients, and especially mobile mail clients can't use 1 line to show the resolved ip address of the source of the message.
      Even a 3 year old would know that anything coming from *.vn, .br, .ua, .ru, .id, .in etc is going to be bad for your health, regardless of how convincing or tempting the content may be.

      Also, the sender won't know your name, and will use Dear valued customer or something else or nothing. Report straight to Spamcop and be done.

      It's also a gross oversight that Message Labs, who look after mail for hmrc.gov.uk, *still* have no SPF or DKIM records for it to protect against spoofing.
      How irresponsible is that? Government and IT = facepalm.

      So, if you want to deal with them, don't use mail. Only https.
