Cyber criminals try swiping email logins and bank data in single HMRC phishing scam

HMRC-branded email used to fuel scam

Malwarebytes has uncovered an HMRC phishing scam that aims to swipe taxpayers' personal details (including mother's maiden name) and card details.

The hackers send an email to victims, claiming to be from HMRC regarding a tax refund. The email specifies how much is due as a refund (around the 500 mark) and says that the refund claim deadline falls on the date of the email - prompting anyone wanting to get their money back to click on it immediately.

The victim is then taken to a login screen where they are asked to enter their login details via "HMRC's gateway portal", which looks suspiciously like an Outlook email login page (giving the criminals their email address and password). They are then forwarded to a form where they're asked to enter personal information.

Details requested here are name, address, phone number, date of birth and mother's maiden name. This information is seemingly checked against some sort of database so the scammers can make sure the details look as though they're genuine. If the details don't pass the validation, the victim is unable to enter their card details in the section that appears at the bottom of the form.

Once the personal details are shown to be at least believably correct, the victim is prompted to enter the details of the card they wish their refund to be sent to, including expiry date and CVV number. What should set alarm bells ringing, if the huge amount of data already requested isn't enough to flag it as a scam, is that the criminals also ask for a sort code and bank account number - pretty much exposing every piece of personal data they could possibly ask for.

"While these scams tend to experience a boom period during tax season (in this case, around April for the US and UK), there's nothing preventing scammers from firing these out at other times of the year," Chris Boyd, lead malware intelligence analyst at Malwarebytes, said. "In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of 'fake tax refund' articles making the rounds. Out of sight, out of mind and all that."

Clare Hopping
Freelance writer