UK Tax Refund Email Scam Uncovered

Written by

A newly discovered phishing scam attempts to hook Brits with the promise of a tax refund from Her Majesty's Revenue and Customs.

Research published today by Abnormal Security details a sophisticated fraud fest in which scammers impersonating the UK government target taxpayers via email.

Victims receive an extremely convincing message in their inbox informing them that they are to receive an outstanding tax refund from the 2018 tax year. Included in the email is a link to a fake website set up specially by the scammers to steal personal information from the victim.

The page has been designed to very closely resemble the official HMRC website, sporting the same logo, color scheme, graphic style, and font.    

A spokesperson for Abnormal Security said: "The URL in the email is masked with a link, and the real URL takes users to a site hosted at 'http://jaomshhemcn.lotion-tanning.com/,' which attackers likely control and will use to steal sensitive personal information from victims."

The criminals behind the fraudulent scam set a deadline on claiming the fake tax refund to increase pressure on victims to click on the malicious link.

"The attacker claims that the refund is time sensitive—the email was sent on April 16 and the attacker claims that the last day to claim is April 17. If the user does not immediately follow the link, they will lose access to their refund," wrote a spokesperson for Abnormal.

Researchers noted a high level of detail was included in both the email and the fake landing page to produce an air of authenticity.

"Recipients would find it difficult to recognize that this site [was] specifically designed to steal their credentials and personal information," said Abnormal's researchers.

"The email and landing page that the attacker created were convincing. The email subject appeared legitimate, even including a payment reference. Furthermore, the body of the email contains a specific monetary value for the tax refund, an issuing date, issuing number, and transaction ID. The landing page was similarly elaborate, appearing similar to the true government tax claim page." 

Researchers found that the malicious email had been sent to more than 20,000 mailboxes via the Office 365 platform. 

What’s hot on Infosecurity Magazine?