HMRC email tells you to download its software update, via a link that doesn't point to its site

Check out the following email that has been sent out, claiming to come from the UK tax collector, HMRC.

It asks recipients to download a new version of the Basic PAYE Tools (BPT) software, used to calculate and submit payroll information.

HMRC email

How would you tell if the email was legitimate or not?

One method would be to hover your mouse over the download link embedded in the email, and see if it really goes to gov.uk, right?

It doesn't.

Instead, it goes to a url at govdelivery.com.

Code in the email claims to link to gov.uk, but actually goes through govdelivery.com

Surely HMRC, which offers advice on how to spot phishing emails, wouldn't have deliberately manipulated the gov.uk link they included to actually point to a third-party site?

It's understandable that security conscious users would assume that this has to be a malicious email, right?

HMRCAnti-virus veteran Alan Solomon was one of those who received the email, and was understandably suspicious.

The email smells a bit phishy, and is asking you to install software on the computer that you run your payroll on.

It's precisely the kind of thing that we see all the time - attackers posing as an organisation, using a little HTML subterfuge to trick recipients into believing they are going directly to a legitimate website, in order to download a software update.

But in this case, it doesn't appear that the email has criminal intentions. It's just incompetence by HMRC.

Govdelivery.com appears to be a legitimate American company, and claims to be a platform used by "over 1000 government organizations" to communicate with the masses. If you click on the link in the email you will be taken, via govdelivery.com, to the real webpage on the HMRC website.

HMRC is presumably using Govdelivery's services in order to track who clicks on their email links.

But that raises the question of why they are making the email body look as though you are going to be clicking directly to www.gov.uk. I think it's okay to collect stats on how successful an email campaign has been at engaging recipients, but you shouldn't give a link as www.gov.uk if it really goes to govdelivery.com!

Alan Solomon followed the advice at the bottom of the email he received, and contacted HMRC.

HMRC reminds you to say safe

(That clickable link, by the way, also goes via govdelivery.com)

HMRC assured him that the email was legitimate:

Thank you for contacting HM Revenue & Customs.

The e-mail / phonecall was from HM Revenue & Customs and is nothing to be concerned about.

But he's still unimpressed:

HMRC have told their users "It's fine to follow a link in an email and download and install software from a URL that isn't gov.uk"

I think he's right.

HMRC, don't put clickable links in your email that make the recipient believe they are going directly to your site when the URL will actually take them someplace else first. If you can't get it right, how will we ever teach users what to look out for?

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

9 Responses

  1. Jon B

    March 17, 2015 at 1:46 pm #

    Could I ask that you provide the FROM header as well? I am curious what the sender domain was.

    • Graham Cluley in reply to Jon B.

      March 17, 2015 at 1:51 pm #

      Here is part of it:

      Return-Path: <info99@service.govdelivery.com>
      Received: from mailer383.service.govdelivery.com
      (mailer383.service.govdelivery.com [208.42.137.83])
      X-Accountcode: UKHMRCED
      Errors-To: info99@service.govdelivery.com
      Reply-To: no-reply@hmrc.gov.uk

  2. Anonymous

    March 17, 2015 at 5:10 pm #

    Very strange. I'm also quite surprised that the software would be available on the internet like that but then we are moving into an age where every little thing has to have, or be, a web application.

    I wonder how long it will take for a criminal to download and dissect the software and find some flaw in it. Let's hope the people who write the code are more competent that the people sending out the emails.

  3. Coyote

    March 17, 2015 at 9:51 pm #

    "Govdelivery.com appears to be a legitimate American company, and claims to be a platform used by "over 1000 government organizations" to communicate with the masses. "

    Wait… isn't that a bit of an oxymoron? Okay, I admit I'm not being nice there. But at the same time it is also rather curious – why does an American company have anything to do at all with HMRC ? Ah, but then I guess what it is is a bulk mailer software (or corporation). So then I wonder if there is a UBE header in the mail ? (Of course I wouldn't expect that, and it is obviously ridiculing, but I do find it rather interesting that they have it set up this way). I think indeed it is phishy and whether they are legit or not is besides the point – it is shameful and then some. Shameful and harmful; it is saying to the masses: even though the general wisdom is that THIS is a red flag, when WE use it it is perfectly fine. Therefore, don't worry! Well it is worrying, isn't it? If they do it then others could claim the same thing, and then what and now what to believe, what is sound advice, what isn't? It is the reverse of crying wolf, in a way – "yes, it is generally harmful, what we're doing, but in our case it is a good thing; it is very wolfish, yes, but there isn't a wolf here…"

  4. Keith Appleyard

    March 18, 2015 at 1:02 pm #

    Yes well HMRC don't seem to have the brains they were born with.
    My experiences with on-line submission (in this case to do with Corporation Tax) was
    a) because the form can only be submitted on-line, they actually prevent you from printing the form off, so that you can study all the questions, and collect together all the reference material you might need before you start.
    b) then because you can't 'see' what's coming up on later pages beforehand, you put the wrong information in the wrong box. Later on, when you try to delete the erroneous entry, the software says you cant leave the box blank, nor can you put '0' in the box, but it must be an amount greater than zero. The only way to overcome the problem is to cancel the submission, logoff their system, and 'purge' the document from your cache as well!

    Meanwhile the Charity Commission Newsletter comes distributed courtesy of Google Inc, date & timestamped California. What are we paying for this?

  5. drsolly

    March 18, 2015 at 2:14 pm #

    Phish or not phish? Opinion is divided on this. I phoned the HMRC help line at 0300 200 3600 and spoke to a lady there, and explained what I had. She said "It's a phish" and asked me to forward it to phishing@hmrc.gsi.gov.uk

    And I went to the HMRC "How to tell if an email is fraudulent" page. It scores six out of six on their tests for fraudulent emails.

    http://blog.drsolly.com/2015/03/phish-or-no-phish.html

    At this moment, I'm about 80% confident that it's kosher. If it is, someone at HMRC needs a serious application of the cluestick.

  6. Spryte

    March 18, 2015 at 3:48 pm #

    Disappointing indeed…

    I often hover a suspicious link and Copy it to Notepad (or your favourite text editor) to examine it more carefully.
    Many times it **is** legit but going through some redirect or tracker. To avoid this I just find the legitimate link in the redirect and Copy ***only that legitimate portion*** to use in a new browser window and get to the service I want without the redirects/trackers.

  7. Fred

    March 19, 2015 at 12:07 pm #

    Are they flopping crazy?

  8. Penrod Shero

    October 27, 2017 at 3:43 pm #

    They appear to still be doing this today (October 2017)

    I received an email this morning, supposedly from HMRC but delivered by govdelivery.com

    Even if it is legit it's crazy that they do this.

Leave a Reply