Can you trust this page?
If you look in the address bar (at the top of this page) you will see that this page is on the blog.bham.ac.uk site. This tells you that the page is within the bham.ac.uk internet domain which is owned by the University of Birmingham. If you came to this page to confirm if a test phishing email really was a test, then also check that the image of the email below matches the email you were sent.
On Tuesday 1st April, IT Security sent a number of staff a simulated phishing email claiming to be
– From: GOV.UK at support@hrmc.me.uk
– Subject: Your HMRC Tax Refund Notification
– it pretended to be about a Claim for Working From Home Tax Allowance
– with a link to Sign in to HMRC online services self assessment
If you clicked on that link you were asked for your username and password. Those people who entered a username and password were taken to a page reassuring them this was a benign phishing simulation by IT Security. No passwords were collected or stored!
Why we did this
Our aim is not to penalise, embarrass or make anyone feel bad if they “fell for the scam”. You are not in any trouble because of this. No-one will be “named and shamed”. Your line manager will not be told. We think of this as serving the same purpose as an unannounced fire drill, to make people more aware of the most common way that criminals steal passwords.
Criminals usually have more experience in conning honest people than honest people have in protecting themselves. We want to help you to protect yourself (and the University) by raising awareness of how easy it is to be lured into giving away your personal details and password by malicious emails that appear genuine.
This simulated phishing email is based on recent real-life phishing emails intercepted by our automated defences.
The email – with the suspicious parts marked in red

This email is suspicious because:
- Why would HMRC contact me via my work email?
Yes – HMRC knows where I work.
Yes – I might have given HMRC my (personal) email address if I’ve had to eg do a Tax Self-Assessment.
BUT – did I give HMRC my work email? Why would HMRC use my work email address if it already had my personal email eg for Tax Self Assessment?
YET – this phishing email is extra devious, and claims you can connect to HMRC using SSO (Single Sign On) with your work email and password. This is theoretically possible (as with signing into external library resources), but there is no facility at the University to do this with HMRC, and you would probably have been informed of this if it existed.
- The screen where you are asked to enter your work email and password looks wrong
- it does not look like the screen you would normally enter your work email and password
- the address at the top of the sign in screen shows hRmc.me.uk not hMrc.gov.uk or gov.uk or bham.ac.uk or login.microsoft.com as you might expect
NB I have put some letters above in capitals to show the transposition of the letters in hMRc with hRMc
- It comes from outside the University, as you would expect if it was HMRC, BUT
- the email address is hRmc.me.uk not gov.uk as you would expect if it was from a UK government department. Scammers cleverly add GOV.UK and official-looking logos to parts of the email to fool you – if you don’t look carefully enough.
- Criminals try to cloud your judgement (with the possibility of free money) so that you rush to the “prize”. They try to trigger your emotions to cloud your judgement so that you don’t Pause, Verify, Protect.
- Greed, lust, anger, fear, pride, vanity, shame, envy, love for relatives, compliance with authority (both to be pro-social and to avoid threats) are used by criminals to cloud your judgement.
- Anyone offering you money, get rich scheme, a prize, sex … should be treated with caution. If something sounds too good to be true then pause and think before you click.
- Clever criminals often use phishing “hooks” which are topical, eg tax near the new financial year, issues currently in the news etc.
- The logo doesn’t look quite right and the tone may seem less formal than you might expect from a Government Department.
- Although spelling and grammar mistakes are often an indication of spam or phishing, perfect spelling and grammar do not mean that it is a genuine email – as in this example. Some scammers can write perfect English – with or without the help of AI tools such as Microsoft Copilot or ChatGPT.
- Genuine logos are easily copied from the official sites.
- It is coming from hRmc.me.uk not gov.uk
hRmc.me.uk is a fake domain pretending to be gov.uk.
- It asks for a username and password. Any email which links to a place where you are asked to give your username and password should be treated with caution – you should pause, think and ask yourself:
Who is it really from?
Does the sending address match the alleged Sender?
In this case, the Sender’s email domain address is
@hRmc.me.uk
not
@gov.uk or hmrc.gov.uk or bham.ac.uk or login.microsoft.com
as you might expect if it were really from a government Department or the University of Birmingham or Microsoft.
Where does the link take you?
You can reveal the full address:
- on a computer, by hovering the mouse pointer over the link (without clicking on it!)
- on a phone/tablet, by long-pressing (holding down) on the link.
In this example, Sign in to HMRC online services self assessment links to hRmc.me.uk which is not a UK Government website.
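The two checks above (does the sender's domain match who it claims to be, and where does the link really go) can be written down as a small script. This is an added example, not part of the original post; the TRUSTED allowlist, the BRANDS list and the sample sender/link values are constructed for illustration, and the lookalike test only catches a brand name used as a label or with two letters transposed, as in hRmc for hMrc.

```python
"""Sender/link domain checks for the HMRC-themed phishing email discussed above.
Added example; TRUSTED, BRANDS and the sample message are constructed (assumed)."""
from urllib.parse import urlparse

# Domains a University recipient would legitimately expect (assumed allowlist).
TRUSTED = ("gov.uk", "bham.ac.uk", "login.microsoft.com")
BRANDS = ("hmrc", "gov")  # names a lookalike domain might imitate

def domain_of(value: str) -> str:
    """Lower-cased host of a URL, or domain of an address like 'GOV.UK <a@b.uk>'."""
    s = value.strip().lower()
    if "://" not in s and "@" in s:
        return s.rsplit("@", 1)[1].strip("<> ")
    if "://" not in s:
        s = "https://" + s          # bare host, e.g. 'hRmc.me.uk/sign-in'
    return urlparse(s).hostname or ""   # .hostname ignores any user@ prefix in a URL

def is_trusted(host: str) -> bool:
    """Exact match or a proper subdomain; 'gov.uk.evil.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def looks_like(host: str, brand: str) -> bool:
    """A label equal to the brand, or the brand with two letters swapped
    (hrmc vs hmrc); only meaningful for hosts that are not trusted."""
    for label in host.split("."):
        if label == brand:
            return True
        if len(label) == len(brand) and sorted(label) == sorted(brand):
            if sum(a != b for a, b in zip(label, brand)) == 2:
                return True
    return False

def assess(sender: str, link: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for role, value in (("sender", sender), ("link", link)):
        host = domain_of(value)
        if is_trusted(host):
            continue
        findings.append(f"{role} domain {host} is not one of {TRUSTED}")
        for brand in BRANDS:
            if looks_like(host, brand):
                findings.append(f"{role} domain {host} imitates '{brand}'")
    return findings

if __name__ == "__main__":
    # Constructed sample matching the simulation described on this page.
    for f in assess("GOV.UK <support@hrmc.me.uk>", "https://hRmc.me.uk/sign-in"):
        print(f)
```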
You should always ask yourself the following:
- was I expecting this email?
- is the Sender known to me?
- and was I expecting them to send such a message or (in some cases) share a file?
Fraudsters are very devious in using addresses which look similar to genuine ones. This page, from Caltech, shows you how to read URLs (web addresses) correctly to help you to avoid some of the dirty tricks used: https://www.imss.caltech.edu/services/security/recommendations/how-to-read-urls
You can test your knowledge by identifying which of 10 emails are legitimate or phishing here https://www.phishingbox.com/phishing-iq-test/quiz.php
If you work or study at the University of Birmingham and have questions or comments about this phishing campaign then contact: itsecurity@contacts.bham.ac.uk
This was a good exercise. I thought I was always vigilant and this has taught me I am not vigilant enough. Thank you. Nice work.