Phishing campaigns banking on the HM Revenue & Customs (HMRC) tax claim is not unheard of, especially in the UK. We have covered them as we see them in the wild, each slightly different than the other. This year, we’ve also seen a more prominent shift in methodology as to how such scams are delivered to likely targets:
- Which? has reportedly busted a tax fraud in April that started off as an SMS
- The Mirror has also covered a similar case the month after
- the Money Saving Expert has received reports of cold-calls from individuals claiming that recipients are asked to pay their debts and taxes using iTunes gift cards
But, alas, fraudsters can’t keep away from using emails as hook.
We recently spotted a phishing email claiming to have come from “HM Customs” with the subject “PAYE tax calculations 2015/16 (or earlier)” and is set on high importance. Below is a screenshot of the email:
Message body: Dear Customer, We would like to notify you that you still have an outstanding tax refund of £1705.00 from overpaid tax from year ending 2015. * You have until 10 September 20 to make your claim * Reference No: 11117824/2015/P800 * Claim Your Tax Here If you find this message wrongly classified as spam, you can unmark the message. Just select the message, and click the Not Spam button that appears at the to and bottom of your current view. Unmarking a message will automatically move it to your inbox. Email origin: 85[DOT]214[DOT]93[DOT]1 (Germany)
Hovering the mouse pointer over the text link, “Claim Your Tax Here”, shows the URL, mywayisthebest[DOT]2waky[DOT]com, that (once clicked) redirects users to a phishing page housed on the compromised if not abandoned site of lacanadamovers[DOT]com, which appears like this:
The above purports to be a Tax Refund form, which in reality, HMRC doesn’t offer on its domain because a legitimate tax rebate form (called P800) is a physical, paper document that HMRC generally sends over to those who are either eligible for a tax refund/rebate for overpaid taxes or who may need to pay more if they have underpaid taxes. Not all taxpayers in the UK are sent this document. When it comes to tax refunds, remember that HMRC never contacts refund claimers via email nor will it ask for their other personal info and card details.
Below is an archived Tweet of HMRC’s official Twitter channel to taxpayers who continue to receive messages from about tax refunds but continue to get confused as to whether these are real or not:
HMRC will never send a text message offering a tax refund in exchange for personal/banking info. Report scams here: http://t.co/eP9tEXHxUm
— HM Revenue & Customs (@HMRCgovuk) January 28, 2015
If claimants have unwittingly fallen for this scam and filled in the form with the details, clicking the “Submit” button redirects them to another phishing page specifically aimed at TSB Bank clients. Note that this is also housed in the same domain.
It asks for the claimant’s TBS user ID, password and memorable information, all items necessary for them to access their online accounts. In the end, the phish page then displays all information the claimant entered—purportedly for verification if they are correct—and then makes a show of processing the information when in fact it’s just a pop-up window with an embedded GIF.
Click to view slideshow.
Lastly, users are directed to the legitimate HMRC website at Gov.uk.
Should you may have received the above phishing mail, or others like it, forward them to firstname.lastname@example.org before permanently deleting the mail. HMRC will shut down these sites for you. And for those who may have received SMS banking on HMRC tax refund, forward the text to the number 60599 (UK-based residents only) and then forward a screenshot of the SMS to the aforementioned email address. This way, you are contributing to the curbing of HMRC-themed fraud and helping others avoid falling for them.
Other HMRC-themed scam coverage:
- “Automated Tax Refund Notification” spam…
- Avoid this HMRC tax refund phish
- Another day, another HMRC tax phish…
- Fake HMRC tax refund mail goes phishing
- A familiar phish preludes the new tax season
Jovi Umawing (Thanks to Steven for finding this)
Powered by WPeMatico