Phishing emails imitate HMRC (again)

Phishing scams, data breaches and ransomware attacks can all too easily be thought of as things that happen to ‘other people’. There are countless news stories about an ‘unnamed employee’ at some company or local government body who clicks on a link and costs their company millions of pounds.

But, as IT Governance knows only too well, phishing emails are not something that only happen to other people. A member of our staff recently shared a phishing email he received, supposedly from HM Revenue and Customs. Had he not been so aware, he could have found himself victim to one of the most common types of cyber attack.

HMRC scam

The email claimed that the recipient was due a large tax refund:

HM Revenue and Customs claims to be one of the most ‘phished’ brands in the world because of emails such as these. Fortunately, this scam isn’t particularly persuasive, with plenty of signs that point to its true nature.

The email is sent from an address ending “”, imitating the UK government’s “” web address, and the message’s content lacks any of HMRC’s branding or imagery.

The content is also littered with spelling and grammatical errors: a randomly capitalised “Can”, the phrase “As example”, the space between it and the comma that follows – and again before the full stop at the end –  and whatever is happening with “c’lick”.

The message itself is also suspicious. Rarely are unsolicited messages claiming that the recipient has received a large windfall genuine – and HMRC makes a point of not notifying people of tax rebates or repayments by email.

These all make this email identifiable as a phishing scam. Nonetheless, the scammer’s hook – the big blue link that they want you to click – looks authentic. It would be easy to skim over the message and just see the link, which uses the UK government’s actual address, “”, and which legitimates itself with the secure protocol “https”. But this is a masked address. Hovering the mouse over the link reveals that its true destination is a completely different website with a different domain name.

Don’t fall victim

Not all phishing attacks are as easy to spot as this one. It only takes one untrained employee, or one momentary lapse in concentration from an otherwise informed employee, for information to be compromised. The danger of phishing emails is that there is no foolproof technology that can prevent it. Phishing emails target people – and people make mistakes.

The only true defence against phishing attacks is an awareness of how they work. The more that people know about them, the less likely they are to fall for them.

HM Revenue and Customs offers guidance on how to recognise genuine contact from them and provides avenues to report phishing attacks and other spam.

To see the full picture of phishing emails, though, employees should be trained to spot potential attacks. IT Governance’s Phishing Staff Awareness E-Learning course uses real-life examples and practical tips to help employees become an active part of their company’s cyber security strategy.

Find out more about the Phishing Staff Awareness E-Learning course >>