Payday Advance for Phishers on HMRC Tax Year Activity

As I recently have sent off my tax forms in preparation for the US Federal tax deadline on April 18 this year, a recent phishing scam piqued my interest. This attack is taking advantage of the new tax year beginning for folks in the UK on April 6, 2011.

The message in question was being sent in the name of the HMRC, Her Majesty’s Revenue and Customs, in an attempt to lure users into divulging bank account information with the lure of unclaimed tax overpayment money.

The path of the message had an international flavor, beginning at what looks like a computer at a hotel business center based in the US, then going through servers in New Zealand, then back to the US through the mail servers of a large free email service, and then presumably into the inbox of a user based in the UK.

The URLs in the message also contributed to this internationalized scam by utilizing a domain based in Serbia which would redirect users when they unsuspectingly clicked on the HMRC link.


When clicking on the link, a user is given a new page and provided a list of several banks to select from. This presumably would be the bank that their accounts are registered with so that the HMRC can deposit money quickly.

Finally, here is a sample of the original email asking HMRC users to click through to the hidden phishing link to update their information. This information will then be used by the phishers to extract money from bank accounts and participate in identity theft.

It is important to note that according to the HMRC website, users would never be contacted through email regarding a rebate.

“As a matter of policy, HMRC will only ever contact customers who are due a tax refund in writing by post. If anyone receives an email offering a tax rebate claiming to be from HMRC, we recommend they send it to [email protected] before deleting it permanently.” 

The HMRC also provides online security advice for users from their web site at:

Here are some best practices to try and limit the impact of spam a phishing attacks.

  • If you are entering personal or financial details online, look for visual cues that identify safe Web sites. Scan the Web page for a trust mark, such as the VeriSign Trust Seal. These marks demonstrate that trusted authorities have taken comprehensive measures to certify the Web site. Many browsers will also turn their address bars to the colour green to signify the site is authentic and protected by SSL encryption.
  • Be selective about the Web sites where you register your email address.
  • Avoid clicking on suspicious links in email or IM messages, as these may be links to spoofed Web sites. We suggest typing Web addresses directly in to the browser rather than relying upon links within your messages.
  • Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection, visit
  • Do not open unknown email attachments. These attachments could infect your computer.
  • Do not reply to spam. Typically, the sender’s email address is forged, and replying may only result in more spam.
  • Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).
  • Do not buy products or services from spam messages.
  • Do not open spam messages.
  • Do not forward any virus warnings that you receive through email. These are often hoaxes.