Zyra's front page //// TAX //// Scams and Rogues //// Site Index

Tax Refund email? It's a Hoax!
HM Revenue and Customs sending a tax refund notice by email telling you to click on a form.


Hoaxers and scamsters are known to impersonate banks, and more recently there has been a message pretending to be from the UPS Postal Service Support Team saying that the recipient's address is not correct and they'll charge you if you don't open the attachment. But now they are falsely impersonating the tax office, the HM Revenue & Customs. (I wonder if that's a criminal offence in itself, like "impersonating a police officer"?). Anyway, here's an example of such a hoax email message...

Message - Cyrillic (Windows)
----- Original Message -----
From: HM Revenue & Customs - refundtax@hmrc.gov.uk
To: none - (actually sent to our own Circular Subscription address)
Sent: Monday, October 27, 2008 10:34 PM
Subject: HM Revenue & Customs Notification - Tax refund (Message ID: BLOARVIZITKU)

HM Customs and Revenue
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 209.40 GBP. Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please
click here

Regards,
HM Revenue & Customs

Copyright 2008, HM Revenue & Customs UK.

Now don't be fooled by the official logo, because they've just pinched that, and also don't be fooled by the fact that the return address is refundtax@hmrc.gov.uk , because that's not where it's come from. The hoaxers have faked up the sender address. The first clue it's not genuine is that it's in the Cyrillic (Russian) character set, which even in modern cosmopolitan times is uncharacteristic of the British Tax Office. However, the thing that really gives it away as a SCAM is where the "click here" goes to. Obviously I've replaced the destination in this stuffed-and-mounted version, but the original went to http;//91-173-114-200.fibertel.com.ar which is in Argentina. That is clearly not the British HM Revenue & Customs, and if you were fooled into going there you would probably find a faked-up official-looking form in which you would be expected to enter your personal data, which rogues would then use for identity theft. It is almost certainly a phishing attempt. So, don't be fooled by it!

Now let's look at the commonsense about this: Since when did official government stuff arrive in email? How often do you get a tax rebate (in the message termed "tax refund")? Plus, even if you did get a tax rebate, you'd not be expected to click on a link to claim it. In other words, the whole thing stinks.

Also note: The hoax email is a minor criminal matter, and isn't actually anything to do with the government, or tax. This is not to be confused with the situation where the government tries to fish out your new secret location by sending you a cheque for a tax rebate in the hopes you'll cash it and reveal where you are so they can spy on you.

One of the ways you can avoid being such easy prey to e-mail scamsters is by having special email addresses so that each organisation you have dealings with has a different e-mail identity for you, so when someone's database is compromised, you know, and you also know immediately that various incoming messages are bogus as they are addressed to the wrong e-mail address!

Beware of hoaxes. You can learn more about ways to avoid them by having a look at the Rogues Gallery

If you're looking for a tax refund, see Refunds Direct and Income Tax Relief

If you are interested in avoiding tax generally, there are some tax havens listed here too.


Ooh look, here's another of these SCAM messages...

Message - Cyrillic (Windows)
Priority - High

----- Original Message -----
From: HM Revenue & Customs - refundtax@hmrc.gov.uk
To: none - (actually sent to our own Newsletter Subscription address)
Sent: Thursday, October 09, 2008 10:11 PM - actually this was faked-up, as the message was received on 208/12/21
Subject: Tax refund - Message ID: MOKRUIZRTKY

HM Revenue & Customs UK

Dear Applicant:

After the last annual calculations of your fiscal activity
we have determined that you are eligible to receive
a tax refund under section 501(c) (3) of the
HM Revenue & Customs. Tax refund value is 188.50 GBP.
Please submit the tax refund request and allow us 6-9 days in order to IWP the data received.


To access the form for your tax refund, please
click here


• If you distribute funds to other organization, your records must show wether they are exempt under section 497 (c) (15). In cases where the recipient org. is not exempt under section 497 (c) (15), you must have evidence the funds will be used for section 497 (c) (15) purposes.

• If you distribute fund to individuals, you should keep case histories showing the recipient's name and address; the purpose of the award; the maner of section; and the realtionship of the recipient to any of your officers, directors, trustees, members, or major contributors.


This notification has been sent by the HM Revenue & Customs Service, a bureau of the Department of the UK

Sincerely Yours,
John Stewart
John Stewart
Director, Exempt. Organization
Rulings and Agreements Letter
HM Revenue & Customs


Note:
• If you received this message in your SPAM/BULK folder, that is because
  of the restrictions implemented by your ISP
• For security reasons, we will record your ip address, the date and time.
• Deliberate wrong imputs are criminally pursued and indicted.


Copyright 2008, HM Revenue & Customs UK.

Again, some dead giveaways that it's bogus. For one thing, the poor use of English. Also, uncharacteristic terminology in use. The tax office would not say "deliberate wrong inputs". John Stewart's job title in the HMRC, "Director, Exempt". Also, since when is HM Revenue & Customs "a bureau of the Department of the UK". Let's be serious about this.

Interesting that a signature should be on the message. That doesn't make it any more genuine, and in fact John Stewart's signature was taken (or should that be "stolen"?) from http://www.nabgroup.com/vgnmedia/images/ARsig_johnstewart.gif . In fact, John Stewart isn't a British taxman at all, but is the managing director of National Australia Bank!

Another interesting feature of this particular bogus tax refund message is the link. Where it says "click here" it doesn't go to HM Revenue & Customs, but instead goes to... http;//www,aol.com/redir.adp?_url=http://colecoes.inpa.gov.br/sb/aves/web.php?SecurityWebApp/?_nfpb=true&_pageLabel=httpsslPageMySite_MyServices , which is a redirect via AOL, and then it seems to go to a subpage within www.inpa.gov.br which is an ecological Amazon-forest saving government agency in Brazil.

Nomatter how you look at it, none of these people are anything to do with the scam, and also they are not part of the UK's HM Customs & Revenue!


Here's another ridiculous tax hoax scam message, except in this case they've used threats rather than the temptation of a refund...



----- Original Message -----
From: HM Revenue and Customs
To: <your harvested address>
Sent: Monday, October 12, 2009 3:33 PM
Subject: ***** SPAM ***** Notice of Underreported Income


Taxpayer ID: shirtliffshipping-00000233604101UK
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on HM Revenue and Customs (HMRC) website (click on the link below):

review tax statement for taxpayer id: shirtliffshipping-00000233604101UK

HM Revenue and Customs


Again, this is easy to spot if you have any clue on how to read a web address. The link does not go to HMRC and instead it goes to...

http;//online.hmrc.gov.uk.neaazax.cn/ SecurityWebApp/httpsmode/statement.php? id=279481211925383504163275010070357225415&email=shirtliffshipping@westac.couk&tid=shirtliffshipping-00000233604101UK

...which is not at hmrc.gov.uk and instead is at neaazax.cn which is a Chinese site where you may presume the details are harvested in a phishing attack style.

Ignore the e-mail return address, as it goes to HM Revenue and Customs <no-reply@hmrc.gov.uk> which has easily been spoofed


Here's another stupid message pretending to be from the Tax Authority. However, this is slightly different. Instead of being a direct "phishing" attack, it's a Malware attachment. Also, instead of offering you a tax rebate, they are demanding that you pay up or else! However, the scam is so badly done, it's a joke. Well it would be if it were funny!

Whatever you do, don't open the attachment!

(If you have already opened it, get some antivirus software and clean it up)

The message is laughable...

From - Mon Oct 17 13:22:48 2011
X-Account-Key: account2
X-UIDL: UID41570-1301168918
X-Mozilla-Status: 0007
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
Return-path: <
status@hmrc.gov.uk>
Envelope-to: <
Ladbrokes>
Delivery-date: Mon, 17 Oct 2011 04:06:15 -0700
Received: from 91.30.220.87.dynamic.jazztel.es ([87.220.30.91] helo=hmrc.gov.uk)
by server.vivostar.net with smtp (Exim 4.69)
(envelope-from <
status@hmrc.gov.uk>)
id 1RFl0o-0006uE-AF
for
Ladbrokes [at] zyra .org.uk; Mon, 17 Oct 2011 04:06:15 -0700
Message-ID: <001a01cc8cbc$b2c617ee$8101a8c0@CHEMA>
From: "Inland Revenue" <
status@hmrc.gov.uk>
To: <
Ladbrokes>
Bcc: <
ladbab [at] blueyonder.co.uk> Subject: Tax report
Date: Mon, 17 Oct 2011 13:05:36 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0015_01CC8CCD.764C7BD0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0015_01CC8CCD.764C7BD0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0016_01CC8CCD.764C7BD0"

------=_NextPart_001_0016_01CC8CCD.764C7BD0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Debt report,

There are arrears reckoned on your account over a period of 2010-2011 year.
You will find all calculations according to your financial debt, enclosed.
You have to sick the debt by the 28 December 2011.
If not we will have to forward your case to the court.

Yours sincerely,
Rodrigo Vebel,
Commissioner of taxation.

------=_NextPart_001_0016_01CC8CCD.764C7BD0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">

------=_NextPart_001_0016_01CC8CCD.764C7BD0--

------=_NextPart_000_0015_01CC8CCD.764C7BD0
Content-Type: application/x-zip-compressed;
name="HMRC_Calculations_id#8048.zip"
Content-Transfer-Encoding: base64

Content-Disposition: attachment;
filename="HMRC_Calculations_id#8048.zip"


------=_NextPart_000_0015_01CC8CCD.764C7BD0--

What a joke! "You have to sick the debt" ?! What does that mean? I suspect that there is a language in which the term for "pay up" is similar to "disgorge", and therefore "sick". That would narrow-down the origin of the linguistic style. Maybe it's like some old gangster film where they say "They owe us the loot and we'll make them cough-up or else!".

Also note the following points:

* The Tax Authority doesn't send you e-mails.

* Even if HMRC (Her Majesty's Revenue & Customs) were to start sending you e-mails, you would surely have a different email address for each place, and so you'd know such ridiculous hoax messages as this were not from HMRC.

* It is very easy for criminals to pretend to be an authority and to send daft messages out. It's not possible for the authority to stop this. It's like someone putting on a disguise and going around pretending to be some sort of authority figure that they are not! It's up to you to avoid being fooled by them. Also, it is possible to track down the crooks. The messages are full of clues.

* The language usage is poor, but also "forward your case to the court"... when? You have a right to turn up at the court and have something like a "fair trial", don't you?

* If you're not in the same geographical region as the tax authority alleged to be sending the message, you already know it's a hoax.

* Look at the timezones in the e-mail headers. They're not in the UK, and yet they are pretending to be the British tax authority.

* Commissioner of Taxation? An unusual job title.

* Anything sent as an attachment is not valid unless the attachment is readable. Attachments such as .doc , .pdf , etc are not valid as they are encrypted, encumbered, or proprietary. Files that are .zip are especially dodgy because the format can contain all manner of dangerous items.

* It is not a "debt report" unless you actually owe some money. As you are paid up to date, you don't owe it, and therefore it is not a debt.

* It's typical for a variety of different tax scam messages to arrive in one day, to different addresses, and with slightly different <from> and <to> and a few other details. This further undermines any shreds of credibility the fiasco had.

* If you were in any doubts about this sort of thing, you could just phone your local tax office. Generally the people that work for the tax office are friendly to talk to. Tax may be a monstrous imposition on your life, but tax people are not monsters. They are friendly, and anyway it's not an easy job to do. They'll soon point out how absurd these messages are. Also, if the messages are faked-up to look as if they have come from hmrc.gov.uk , you can forward the hoax messages to phishing [at] hmrc.gsi.gov.uk

* In correspondence, please remember that the hoax messages did not come from the Tax Office! It's not their fault.

It's not often I get a chance to say "Well Done to the Tax Office", but well done to them for publishing examples of tax hoax messages like this! Take a look at some examples of fake messages at www.hmrc.gov.uk/security/examples.htm and see their advice about security at www.hmrc.gov.uk/security/index.htm