Cofense spots new HMRC phishing scam

Threat researchers at Cofense have spotted a new phishing campaign that claims to offer a tax rebate from HMRC. The details are contained in a blog written by threat researcher Milo Salvia.

Victims are told that they are due a tax rebate of £458.21. All they have to do to claim their rebate is create a Government Gateway ID and provide their credit card details.

The latter should be the giveaway. HMRC does not pay tax rebates to credit or debit cards. It either posts a cheque or it refunds money directly to a bank account. The latter is its preferred method as it moves towards being a digital enterprise.

How does it work?

Milo Salvia, Threat Analyst, Cofense

The attack is simple and effective. An email purporting to be from HMRC is sent to the victim. The email tells them that they are due an Income Tax rebate. The email looks very convincing and even contains an expiration date by which a claim must be made.

Victims are directed to a copy of the UK Government Gateway site. They are told that they need to create an account to make a claim. That fake site gathers all the data required to back up a credit card payment, such as name, address, date of birth, telephone number and mother’s maiden name.

Once the user has completed this, they are asked to enter their credit card data. This includes the CRC code on the back of the card. For good measure, the scammers then ask for the user’s bank account number and sort code.

After entering their details, the user is presented with a fake Government Gateway ID and told the refund will take 5-10 days. Salvia writes: “Armed with this information, an attacker would be able to commit credit card fraud and identity theft and possibly compromise the victim’s bank account by setting up direct debits to fraudulently pay for services and goods.”

What identifies this as a fraud?

There are several indications that this is a fraud but they are not all simple to spot. The details are in the email header, something that most email programmes hide from users. Here is a good link to a blog post on how to display the full email header. In this case, Salvia points out that the email appears to come from not from HMRC.

The second giveaway is the registration page for the Government Gateway. The real site asked for just a name, email address and a password. This phishing site asks for much more data which the scammer will use and probably sell later.

The third is the request for credit card data and bank account details. HMRC would not ask for this type of information.
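
The header check described above can be automated. The following is an added example, not code from Cofense or HMRC: it parses a constructed message and lists the header mismatches a defender would look for. The trusted domain list, the brand keywords and every `example.*` address are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains treated as genuine HMRC senders for this example.
TRUSTED_DOMAINS = ("hmrc.gov.uk",)
BRAND_WORDS = ("hmrc", "hm revenue")

# Constructed sample, not taken from the campaign; example.* are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=refunds.example.com
From: "HMRC Tax Refund" <noreply@refunds.example.com>
Reply-To: claims@inbox.example.net
Subject: You are due an Income Tax rebate

Claim before the expiration date.
"""

def domain_of(value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def is_trusted(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def header_findings(raw):
    """List reasons the headers do not match a genuine HMRC sender."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []
    claims_brand = any(w in (display + " " + msg.get("Subject", "")).lower() for w in BRAND_WORDS)
    if claims_brand and not is_trusted(from_dom):
        findings.append(f"claims HMRC but From domain is {from_dom}")
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain")
    # Only trust Authentication-Results added by your own receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=pass" not in auth:
            findings.append(f"{check} did not pass")
    return findings

if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("-", finding)
```

An empty list means none of these header checks fired; it does not prove the message is genuine.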

What does this mean?

HMRC scams are nothing new. This is just the latest to hit email accounts. Over the last few years the National Cyber Security Centre and HMRC have tried to reduce the number of fake emails. They have issued press releases congratulating themselves on their success. The problem is that they seem unable to stop the constant stream of attacks that users face.

This attack is sophisticated and will claim victims. As HMRC moves towards contacting users by email rather than sending out letters, we will see more of these attacks. If HMRC is to become a purely digital agency, something it is aiming for, it needs to do more to spot and deal with this type of attack.

