Check out the following email that has been sent out, claiming to come from the UK tax collector, HMRC.
It asks recipients to download a new version of the Basic PAYE Tools (BPT) software, used to calculate and submit payroll information.
How would you tell if the email was legitimate or not?
One method would be to hover your mouse over the download link embedded in the email, and see if it really goes to gov.uk, right?
Instead, it goes to a url at govdelivery.com.
It’s understandable that security conscious users would assume that this has to be a malicious email, right?
Anti-virus veteran Alan Solomon was one of those who received the email, and was understandably suspicious.
The email smells a bit phishy, and is asking you to install software on the computer that you run your payroll on.
It’s precisely the kind of thing that we see all the time - attackers posing as an organisation, using a little HTML subterfuge to trick recipients into believing they are going directly to a legitimate website, in order to download a software update.
But in this case, it doesn’t appear that the email has criminal intentions. It’s just incompetence by HMRC.
Govdelivery.com appears to be a legitimate American company, and claims to be a platform used by “over 1000 government organizations” to communicate with the masses. If you click on the link in the email you will be taken, via govdelivery.com, to the real webpage on the HMRC website.
HMRC is presumably using Govdelivery’s services in order to track who clicks on their email links.
But that raises the question of why they are making the email body look as though you are going to be clicking directly to www.gov.uk. I think it’s okay to collect stats on how successful an email campaign has been at engaging recipients, but you shouldn’t give a link as www.gov.uk if it really goes to govdelivery.com!
Alan Solomon followed the advice at the bottom of the email he received, and contacted HMRC.
(That clickable link, by the way, also goes via govdelivery.com)
HMRC assured him that the email was legitimate:
Thank you for contacting HM Revenue & Customs.
The e-mail / phonecall was from HM Revenue & Customs and is nothing to be concerned about.
But he’s still unimpressed:
HMRC have told their users “It’s fine to follow a link in an email and download and install software from a URL that isn’t gov.uk”
I think he’s right.
HMRC, don’t put clickable links in your email that make the recipient believe they are going directly to your site when the URL will actually take them someplace else first. If you can’t get it right, how will we ever teach users what to look out for?