We take a look at a recent phishing email, claiming to be from the HMRC, to show how you can catch the scams.
We received a scam email last week pretending to be from the tax man offering a refund if we just filled out an online form with our bank details. Many of you alerted us to the scam as well so we thought we would share some of the methods we used to spot that this wasn't a legitimate email.
Granted, the tax man does occasionally give money back, but not like this. You'll either know about it from submitting a tax return, or you'll just receive a cheque in the post as my wife did a couple of years ago. HMRC says it will never send notifications of a tax rebate by email.
Think about if you've ever given the tax man this email address. You may have done in the past so apply the common-sense test as well.
Don't click on the links, but hover the mouse over them to see a preview of where they go. Be sure to check the whole link, especially the last two words of the server name, as these identify the actual web server. Some of the links may well be genuine to help fool you. You may find this easier in the view source mode; we'll cover the basics of HTML in a moment.
The scammers might be hoping that you'll respond, so check both the From and To addresses. The From address isn't fail-safe because it's very easy to spoof, but the reply address might give the game away. After all, they don't want you to get in touch with the real tax man.
Now we get a little more technical. An email travels through several servers on its way to your inbox and each one leaves its address in the email. You can't normally see this, but if you use the View Source option in Thunderbird you can see the trail. It's the first server you want to check; the servers in the middle are most likely innocent.
This particular scam wants you to enter some information in a web form attached to the email. This is where this particular scam really happens so it gets more interesting here. The golden rule is don't open the form in a browser just in case it contains some malicious code. Instead we're going to use a text editor called Notepad++. Notepad++ will colour-code the web page code to make it easier to read. Save the HTML file to your computer, start Notepad++ and load it from there.
Looking at the code shows how this is a clever scam – all of the images and styling information, references to CSS files, are taken from the hmrc.gov.uk website. There's no particular trick here as you can just take the links from legitimate emails or web pages. The main part of this document is the form for you to fill in and it starts here.
What we're looking at is how the information is going to be transferred when you click on the submit button and, more importantly, where the information is going. For the first time we don't have an hmrc.gov.uk link but instead an IP address. If nothing else has got alarm bells ringing this should, and it confirms that this is a scam.
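The same check can be made without reading the markup by eye. The Python script below is an added example, not code from the original article: it parses a saved form purely as text, lists every URL the page references and classifies each host, so a form `action` that points at a bare IP address stands out from the genuine hmrc.gov.uk image and CSS links. The sample HTML is constructed, `192.0.2.10` is a reserved documentation address standing in for the one in the scam, and the function and class names are illustrative.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "hmrc.gov.uk"  # the domain the email claims to come from

# Constructed sample, not the real attachment; paths and the IP are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.hmrc.gov.uk/css/main.css"></head><body>
<img src="http://www.hmrc.gov.uk/images/logo.gif">
<form method="post" action="http://192.0.2.10/refund/submit.php">
<input type="text" name="account_number"><input type="submit" value="Submit">
</form></body></html>"""

class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""
    URL_ATTRS = {"href", "src", "action"}
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.found.append((tag, name, value))

def classify(url, expected=EXPECTED_DOMAIN):
    """Label a URL by its host: IP literal, expected domain, or something else."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "relative-or-no-host"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass  # not an IP address, so treat it as a host name
    if host == expected or host.endswith("." + expected):
        return "expected-domain"
    return "other-domain"

def audit(html_text):
    """Return (tag, attr, url, verdict) rows; the form row shows where data goes."""
    parser = LinkCollector()
    parser.feed(html_text)
    return [(t, a, u, classify(u)) for t, a, u in parser.found]

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML):
        print(*row, sep="  ")
```

Matching on the end of the host name is deliberate: a lookalike such as `hmrc.gov.uk.example.net` is reported as `other-domain`, which is why the whole link has to be read rather than just its beginning.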
Every IP address on the Internet is accountable to someone. Whether they care about the scam is another matter, but you can usually find out more about the address using a whois service. We're going to copy and paste the IP address from the scam email into the Whois service from APNIC. This IP address is registered in New Zealand, so unless there are some very serious Lord of the Rings fans in HMRC, this isn't legitimate.
We don't recommend trying to contact the person listed in the details here, though you might want to report it to the registrant if they sound legitimate. To be honest, you're best off leaving any action to the HMRC by forwarding the email to their fraud-reporting service.