A Familiar Phish Preludes The New Tax Season

Avoid This HMRC Tax Refund Phish

I wonder how many of us would struggle to remember if we were owed a tax refund from 2013, given there’s a piece of phishy spam in circulation right now claiming just that.

After the inevitable “Does that mean the 2012/13 tax year, or the 2013/14 tax year?” confusion has passed, many recipients would likely just say “Eh, YOLO” and fire up the reply cannon, ignoring the typos and other oddities in the missive. However, you didn’t come here today to lose a lot of money; you came here to see the scammers at work and know exactly what to avoid. Without further ado, here’s the spam mail, which is titled

Tax Refund New Message Alert!

and claims to be from

Aplicant@HMRC.gov.uk (yes, that is an unfortunate typo).

TAX RETURN
RECALCULATION OF YOUR TAX REFUND
HMRC 2013
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Elaine Andrews
TAX REFUND ID NUMBER: 381716214
REFUND AMOUNT: 244.79 GBP

Dear Applicant, The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy. I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 244.79 GBP To complete the tax return form with the TAX REFUND NUMBER ID: 381716214, please download and fill the HMRC Refund Form Download Now

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Fake HMRC tax email

Some standouts:

  1. The typo in the sender address. Yes, we already mentioned it but it’s such an amazingly silly way to blow the cover of an attempted phish that I’m going to point and roll my eyes at it twice.
  2. Do Tax Departments send anybody emails with exclamation marks in the subject? It doesn’t seem in line with the notion of serious people sending out serious tax emails, really.
  3. “See this email? Yeah, don’t tell anyone about it okay? It’s our little secret. Cough cough.”
  4. “Download and fill out a form.” HMRC don’t send out emails about tax rebates, let alone ones asking you to download and fill in a form.
  5. “Allow 5 to 9 business days, because we won’t have enough time to rip off the card details you just sent us if you’re checking your account every five minutes”

Note that in the above example, the mail was sent to an Outlook account and was flagged as spam. Not every mail provider will catch every one of these, so it pays to always be on your guard.

Clicking the link offers up a HTML file download from

liveinlove(dot)us/index(dot)php

Fake form download

Opening the downloaded file in a browser loads images and other elements from genuine HMRC pages, adding that little extra splash of authenticity to a form that is actually being served from the victim’s own disk.

Never fill one of these in

There is, of course, no HTTPS padlock, which one would hope sets off a few alarm bells. (The absence of a padlock is a useful tell here, but its presence would prove nothing on its own; scammers can obtain certificates too.) The form follows the common pattern of refusing to let you proceed until you’ve entered something in every box.

They want full card details, bank name, security code, name, date of birth, address – the works. Once the submit button is hit, the victim is redirected to a real HMRC page via the liveinlove URL, so they end up looking at a genuine HMRC site with no immediate sign that anything was wrong.
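As an added example (not the article’s own code), here is a small Python triage script that pulls the indicators described above out of a saved copy of such an HTML form: where the form posts and over what scheme, which fields are marked required, whether it harvests card and identity details, and which hosts it borrows page assets from. The HTML below is constructed to mirror the description; the hostname liveinlove.example and the brand-host list are assumptions, not values taken from the kit.

```python
"""Static triage of a phishing-kit HTML form (added example, not the
article's own code). Only the standard library is used so it runs offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the article's description of the kit.
# Hostnames are illustrative stand-ins, not the real kit's values.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://www.gov.uk/assets/hmrc.css">
</head><body>
<img src="https://www.gov.uk/assets/crest.png">
<form id="refund" method="post" action="http://liveinlove.example/index.php">
  <input name="fullname" required>
  <input name="dob" required>
  <input name="address" required>
  <input name="bankname" required>
  <input name="cardnumber" required>
  <input name="expiry" required>
  <input name="cvv" required>
  <input type="submit" value="SUBMIT">
</form>
</body></html>
"""

# Field names that, when collected on a "refund" form, are a harvest, not a refund.
SENSITIVE = {"cardnumber", "cvv", "cvc", "securitycode", "pin", "dob",
             "sortcode", "accountnumber"}

# Assumed list of hosts the genuine brand serves content from.
BRAND_HOSTS = {"www.gov.uk", "www.hmrc.gov.uk"}


class PhishFormParser(HTMLParser):
    """Collects every <form>, its named/required inputs, and every remote host
    referenced by a src/href attribute."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.remote_hosts = set()
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as `required` map to None
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": [], "required": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)
                if "required" in a:
                    self._current["required"].append(name)
        for attr in ("src", "href"):
            host = urlparse(a.get(attr) or "").hostname
            if host:
                self.remote_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(html, brand_hosts=BRAND_HOSTS):
    """Return a list of human-readable indicators found in the page."""
    parser = PhishFormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urlparse(form["action"])
        if action.scheme == "http":
            findings.append(f"form posts over plain HTTP to {action.hostname}")
        if action.hostname and action.hostname not in brand_hosts:
            findings.append(f"form action host {action.hostname} is not a brand host")
        sensitive = [n for n in form["fields"] if n.lower() in SENSITIVE]
        if sensitive:
            findings.append("form collects sensitive fields: " + ", ".join(sensitive))
        if form["required"]:
            findings.append(f"{len(form['required'])} fields marked required")
    borrowed = sorted(h for h in parser.remote_hosts if h in brand_hosts)
    if borrowed:
        findings.append("page loads assets from genuine brand hosts: " + ", ".join(borrowed))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HTML):
        print("-", line)
```

Point it at a saved copy of a suspect file rather than opening that file in a browser: loading the page at all is what fetches the real brand's assets, and on a live kit that fetch can tip off the operator that someone is looking.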

It seems the website being used for this scam has been hacked, as it’s one of those “We’re getting married, hooray” things. In a first for me, I’ve had to let someone know their site has been compromised via a wedding RSVP form.

As the wedding was due to take place back in 2014, I’m not entirely sure someone will be there to pick up the message, but we’ll see how it goes. Should you receive one of these mails, feel free to delete it; HMRC also accepts forwarded copies of suspicious emails at phishing@hmrc.gov.uk.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.