Tuesday 8 August 2017

HRMC scam

I got an email from HM Revenue & Customs <>

From: HM Revenue & Customs <>
Subject: Company Excel Documents  

                                             Gov UK

                                  HMRC   HM Revenue & Customs

 We need to check some details about your tax credits. We are working to ensure that people get

         the right amount of tax credits. We think that your payments might be wrong.

 Please check your company report and send us all the information we ask for by 15 Aug 2017. If
 we don't hear from you by this date we will suspend all or part of your tax credits payments.

 In order to complete our check we also need your completed tax credits renewal. You will soon
    receive your tax credits renewal pack. Please complete this and send it to us as soon as
possible, if you do not renew it by 31 August 2017, we will stop your tax credits. You can renew
                             online at .

Its really important that you don't ignore this letter. What we're trying to do is to make sure
you don't end up being paid too much tax credits, resulting in a debt which you'll have to repay


                                         Mr Gary Brooks
                                CCBC/Mcol Correspondence Section

 The security and confidentiality of your personal information is important for us. If you have
         any questions, please either call the toll-free customer service phone number.

 All content is available under the Open Government Licence v3.0 [],
                         except where otherwise stated Crown Copyright

An excel spreadsheet is enclosed. When I ran that through Virustotal, only three out of 59 products flagged it; Fortinet, Ikarus and NANO-Antivirus. All the well-known products passed it as clean. Which means that people who trust their antivirus, will be sadly let down.

And that's because this malware is very recent. Virustotal said that it was first sent to them 2 hours ago (it was sent to me 4 hours ago). There's no way that the antivirus companies can respond as quickly as that, so there's no way that you should rely on any antivirus to detect malware.

But look at the "from" address carefully. You see where it says "hrmc" instead of "hmrc"? A small detail, but very significant, and so obviously this is an attempt to get me to run the malware in their excel file. I haven't, of course. is registered via Godaddy, on 10 July 2017, but the owner's name and address is concealed via a privacy service. is also registered via Godaddy, pm 2 August 2017.The owner's name and address is given. Is that a legitimate name used by HMRC? I don't remember, but the name server it uses is which doesn't bode well. I think that's another scam address, used by a different scammer. Or maybe the same scammer, and he needed a new address after was rumbled?

Wouldn't it be great if hmrc sent all their email via I've suggested before that they should. But they don't. They use all sorts of domain names, making phishing much more profitable for the baddies.

So I've forwarded the email to the HMRC phishing reporting address, and they'll reply saying "Yes it's a phish, and there's nothing we can do about it". Except there is.

HMRC (and banks, and other financial institutions). Please, choose one domain name, preferably the same as your web site, and make all emails come via that domain name. It isn't difficult to do.

... update ...

Here's an analysis of this.

No comments:

Post a Comment