January 15, 2019

Good day, welcome to another bulletin from Breaking Scams…

Scam, just in…


It’s That Time of Year Again: The HMRC Scam!


As we scramble to meet the deadline of 31 January 2019 to complete our tax returns, so the beady eyes of the cybercriminal turn towards us.  Yes, it is that time of year again when the HMRC scam emails arrive thick and furious into our inbox.


I have had three such phishing emails in the last two days. Each, more or less the same, using the same tricks, an example is shown below. The format of the emails is typical of phishing email campaigns, namely:


  1. Reward – in this case, money. Hundreds of pounds (apparently) is owed to me – a tempting idea in January after you recently splurged on Christmas presents.
  2. Urgency – the emails point out an expiry date – click after that date and the money owed will no longer be available.
  3. Safety and uncertainty – HMRC is a well-known government service and it is that time of year when tax refunds happen so it could be real – couldn’t it?


The crafty phishers have also added in warnings about phishing emails to add legitimacy and to make it look like it really did come from HMRC. And, in one of the emails, there was an anti-virus check message to indicate that the email had been checked and was malware free. Cute touch.


How do I know it wasn’t real?

The following information made me suspicious it was a phishing email:


  1. The email did not have my name in the greeting.
  2. The tone was threatening.
  3. It was poorly written.
  4. HMRC don’t get in touch about tax refunds, via email – UK Government said this about their use of email as a communication method:


“HMRC only informs you about tax refunds through the post or through your pay via your employer. All emails, text messages, or voicemail messages saying you have a tax refund are a scam. Do not click on any links in these messages and forward them to HMRC’s phishing email address and phone number.”  – Treasury Minister Mel Stride MP, the Financial Secretary to the Treasury


What happens if you click the link?

Never, ever click a link in a phishing email. I, however, did click the link, under controlled conditions so you can see what happens when you do, click the link.


The link took me to a site which displayed a convincing online tax refund form (see image below). However, the URL was clearly not UK Government. The “tax form” required you to complete form fields asking for name and date of birth. On clicking ‘Start Claim’ I was then taken to a new page with another button ‘Start Claim’. I stopped at that point. The cybercriminal behind the scam would, by now, have my name and date of birth, but it is also possible that the next submission button would have taken me to an infected spoof site which would have attempted an install of malware onto my computer.

hmrc tax phishing website

HMRC are often the brand behind scam emails, especially at certain times of the year, like January, when people lodge tax returns. If you receive an email from HMRC which looks suspicious you can forward it onto them at phishing@hmrc.gsi.gov.uk


Why not help your colleagues in infosec stay safe and share this post – or, alternatively, feel free to copy and paste the below for sharing:


HMRC Scam Emails


It is January, and to celebrate tax return time, cybercriminals are sending out scam emails that seem to be from HMRC. The email claims that you are owed a tax refund of hundreds of GBP. The email will ask you to urgently click a link to claim this tax.




If you do, your details will be stolen and/or you will be infected by malware.

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keeping breaking scams!

Share this: