HMRC phish swipes email login, payment details

It’s not tax season in the UK, but that hasn’t deterred scammers from sending out mail looking to swipe both card details and email logins in one fell swoop.

The email, which claims UKGOV has issued a tax refund to the tune of 542.94 GBP, arrives under the following title, which is spectacularly poorly formatted:

[RCPT-07010144] processed your automatic payment is available – “Subscription- 10 SEPTEMBER 2018″[Email No.’6922′]

The body content states that recipients can reclaim the cash by logging in on their “gateway portal.” Better make haste though, as (in our case) the mail gives a same-day expiry on the ability to put in a claim.

Fake email

Typically, we tend to see time limits of a few days on fake mails such as this one, so they’re really relying on pressure to get the job done here. We suspect anyone else receiving one of these will find themselves faced with a similarly pressing deadline.

Unlike many boilerplate tax phishes, we’re not sent directly to a fake HMRC page to enter card details.

With this scam, the first point of entry is on an imitation Outlook login, where potential victims are asked for their email address and password.

The scam site is located at:


Fake HMRC phish login

Fake login

Once the email details have been harvested, they’re then taken to a rather threadbare HMRC phish. There are no splash screens or fake logins or anything remotely resembling the process of having to sign into the so-called gateway portal. Instead, it’s just a page full of boxes to be filled with name, address, city, phone number, DOB, mother’s maiden name, and then full credit card information, just to round things off.

HMRC phish card harvesting

The site performs a basic validation check on some of the information entered. This lets the scammers be reasonably confident that the person on the other side of the screen typed in accurate details. It also gives them some (slight) protection: you can’t feed in fake details to waste the scammer’s time, because when you reach the credit card number field, it’ll probably just refuse to let you go any further.

Validation check

You could probably still get past it given enough time, but they’re likely banking on most people giving up and simply moving on instead. Make no mistake, a site such as the above is built for nothing but fleecing the victim.
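The post does not say what the kit’s “basic validation check” actually is. The example below, added here and not taken from the phishing kit or from the original article, assumes it is the standard Luhn mod-10 checksum that every payment form applies to card numbers. It shows why made-up digits get bounced, and also shows the defender’s use of the same check: a proxy or DLP rule can scan a captured form submission for values that pass Luhn and flag card data being posted to an unfamiliar host. The form body, field names and card numbers are constructed sample data; 4111 1111 1111 1111 is the well-known test number, not a real account.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    Passing Luhn only proves the digits are self-consistent (no typo);
    it does not prove that the card or account exists.
    """
    digits = [int(c) for c in number if c.isdigit()]
    # Lengths used by the major card networks; anything else is not a PAN.
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    # Walk from the right: double every second digit, fold results >= 10
    # back into a single digit by subtracting 9, then sum everything.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, as users type them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_card_numbers(form_body: str) -> List[Tuple[str, str]]:
    """Scan a URL-encoded form body and return (field, normalised PAN) pairs
    whose values look like card numbers AND pass the Luhn check.

    This is the defender's side of the same check: run over captured POST
    bodies, it flags card data leaving the browser for an unknown site.
    """
    hits = []
    for field, values in parse_qs(form_body).items():
        for value in values:
            for match in CARD_RE.finditer(value):
                candidate = re.sub(r"[ -]", "", match.group())
                if luhn_valid(candidate):
                    hits.append((field, candidate))
    return hits


# Constructed sample: what the harvesting page's form might submit
# (names, phone number and DOB are made up; the PAN is the standard test number).
SAMPLE_POST = (
    "fullname=Jane+Example&phone=07700900123&dob=01%2F02%2F1980"
    "&mmn=Smith&cardnumber=4111+1111+1111+1111&expiry=09%2F22&cvv=123"
)

# Constructed sample with invented digits, the "fake details" case from the post.
FAKE_POST = "fullname=Nobody&cardnumber=1234567812345678&cvv=999"


if __name__ == "__main__":
    for body in (SAMPLE_POST, FAKE_POST):
        hits = find_card_numbers(body)
        print("card data found:" if hits else "no valid card number:", hits)
```

Run as a script it reports a hit for `SAMPLE_POST` and nothing for `FAKE_POST`, which is exactly the behaviour the article describes from the victim’s side: the digits “1234 5678 …” fail the checksum, so a kit using Luhn refuses to continue. The phone number and date of birth never match because they are too short to be a PAN, so the rule stays quiet on ordinary personal data and fires only on card-shaped values.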

While these scams tend to experience a boom period during tax season (in this case, around April for the US and UK), there’s nothing preventing scammers from firing these out at other times of the year. In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of “fake tax refund” articles making the rounds. Out of sight, out of mind and all that.

If you receive a mail similar to the above and you’re not sure if it’s real or not, the HMRC website has a number of pages giving advice on these specific situations. The main one to check out would be their phishes and frauds page, where you can see the type of correspondence they send out, and when they do (or don’t) send refund notices, as well as the method of said notification. They also provide some examples of phishing emails with their name on it.

One thing is for certain: You definitely won’t be sent from an HMRC refund email to an Outlook login. Don’t fall victim to a scam such as this, or you’ll have to chase down your bank and your email provider. If you have any logins tied to the compromised email account, you may have to play clean-up for those, too.

Never underestimate how much trouble a fairly crude, simple phish can cause—it doesn’t take much to cause endless financial headaches and a large bundle of password resets.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.