I got an email.
From: HMRC Business Emails <firstname.lastname@example.org>
Subject: Your VAT return and payment of the VAT
1 Shown ~30 lines Text (charset: windows-1251)
2 183 KB Application
Date: 20 September 2016
VAT Registration Number *** **** 29
Period ref: 06 12
Your VAT return and payment of the VAT due period 1 April 2016 to 30 June 2016 was not sent in on time.
By law you must submit your VAT return and make sure that payment has cleared to HRMC’s bank account by the due date.
Because of this we have assessed the VAT due as GBP 14,965.13 and this will be debited from your bank's account on 22nd
For more information and how to pay us please see attached statement.
Make VAT Returns is just one of the many online services we offer that can save you time and paperwork. For the latest
information on all of our Online Services please visit www.hmrc.gov.uk
Except that isn't my Vat number. They only gave the last two digits, but that's not me. However, how many people reading such an email would be able to recollect their Vat number?
Also, HMRC don't send emails from email@example.com. They do send it from some third party address, which is silly of them, but not that one.
Also, the email address they sent it to, isn't the one that HMRC has for me.
So I sent the attachment to Virustotal, where 9 out of 55 products flag it as malware, which is the usual pathetic detection rate.
So, in my view, this malware email will catch out quite a lot of people, because an email from the Vatman is about as scary as it gets, and lots of people will click on the attachment.