Cyber Criminals Pose as HMRC to Capitalize on UK Tax Rebates

As UK taxpayers await tax refunds, a malicious spam campaign analyzed by Bitdefender labs is seducing them with a false promise of £209.87 under the guise of HMRC officials.

According to, “over 3 million to start receiving tax refund payouts [last] week, 14/05/12″. The number of potential victims is significant.

The suggestive subject tag NOTICE OF TAX RETURN FOR YEAR 2011, the signature of an Officer of HM Revenue & Customs and the HMRC logo make all for a pretty convincing con.

The phishing scam aims to collect credit card or bank account data. It usually includes an attached form and advises the recipient he is owed a tax rebate of £209.87. Once the form is complete, cyber criminals have access to the vital banking and personal information required for identity fraud or the fraudulent access and emptying of victims’ bank accounts.

Spam e-mail message impersonating an HMRC official announcement

This type of tax refund phishing scam was first detected in 2009. It has since resurfaced periodically with little variation. The most common approach is to require recipients to fill in a form with critical bank-related information. To maximize its success in 2012, the scam’s attached form no longer opens using the cyber criminals’ registered domains, but downloads onto the user’s PC and opens through their locally installed browser. This way it bypasses the anti-phishing module in local security solutions, allowing it to execute. Bitdefender suspects the form is sent to a domain registered in New Zealand.

The scam is more intelligent than ever and capable of bypassing many traditional antivirus systems. We advise the public to disregard emails claiming to offer a tax rebate and ensure an effective security solution is in place.

The official HMRC site says “NEVER send notification of a tax rebate by email, or ask you to disclose personal or payment information by email.” Some of the most common examples of fake email addresses, email content or attachments used in tax rebate phishing scams are here.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.