New HMRC refund phishing scam detected

Bitdefender has detected a new HMRC refund phish, version 2012. It comes in the form of an email complete with an HMRC logo. “After the last annual calculation of your fiscal activity,” it states, “we have determined that you are eligible to receive a tax return of : £209.87”

The scam appeals to at least three of the great human motivators: fear (who isn’t afraid of HMRC?); trust (who doesn’t trust HMRC?); and greed (who doesn’t want £200 effectively for nothing?). The phish comes in the attachment: “To receive your return, please complete and submit the Tax Return Form attached to this email...”

But as often happens in scams, the scammer gets some of it wrong. In this instance the logo is reassuring, the spelling is correct, and the grammar acceptable (although the month of 'May' is written 'may'). But the terms are wrong. Tax ‘returns’ are what we complete; tax ‘refunds’ or ‘rebates’ are what the lucky ones receive. Errors like these should put us on our guard. But if they don’t, and we foolishly open and complete any attachment, “cyber criminals have access to the vital banking and personal information required for identity fraud or the fraudulent access and emptying of victims’ bank accounts,” says Bitdefender.

“With over three million UK citizens expected to start receiving tax refund payouts from now until October,” said Catalin Cosoi, chief security researcher at Bitdefender, “there is clearly a large audience which could be duped by this convincing phishing scam. The scam is more intelligent than ever before and capable of bypassing many traditional antivirus systems. We advise the public to disregard emails claiming to offer a tax rebate and ensure they have an effective security solution in place.”

That is exactly the advice given by the real HMRC: “HM Revenue & Customs (HMRC) will never send notifications of a tax rebate by email, or ask you to disclose personal or payment information by email. Do not visit the website contained within the email or disclose any personal or payment information.”
