Fake HMRC Email Phishing Attack Steals Login And Payment Data

Special Olympics New York phishing

Email phishing, despite being an old hacking method, is still a very lucrative option for many cyber criminals. This time focus is on HMRC with many targeted through an email phishing campaign with the intent to steal users’ logins and payment card details.

New HMRC Email Phishing Tricks Users For Tax Refunds

Researchers at Malwarebytes Labs have uncovered an old phishing trick being exploited in the wild once again. The attackers make use of HMRC email phishing attacks to pilfer email login details and payment data of the users.

The attackers seemingly bait the users by offering tax refunds. To put some pressure on the recipients, they further provide deadlines in their emails for the users to claim said refunds. The emails claim to be from the UKGOV tax office. These emails offer a refund of GBP 542.94 to be sent directly into the customers’ accounts.

How Does It Work

Since only the researchers at Malwarebytes Labs received such an email, they explained about this new HMRC phishing attack in detail. Reportedly, the scam begins by asking the recipient to click on a given link to the “gateway portal”. Upon clicking the link, the user reaches a new page that appears like Microsoft Outlook. Here, the user will supposedly enter their email and password to the login portal. From this point, the attackers gain access to the email login credentials.

Afterward, the user reaches a fake HMRC portal that displays a form. A tricked user would unknowingly begin entering all the details as asked, thus falling a prey to the hackers. The details asked at this stage include users’ name, contact address, contact number, date of birth, mother’s maiden name (a common secret question for most accounts), and card details.

The reason why phishing is still so successful is that most users tend to be more trusting when receiving emails.  As in this case, the attackers offer tax refund  a typical issue one would come across every few years.

To stay protected from such attacks, make sure you double check the sender’s address before opening emails, additionally avoid following direct links and log in to a website directly.

Related posts

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

European Cyber Report 2025: 137% more DDoS attacks than last year – what companies need to know

INE Security Alert: Using AI-Driven Cybersecurity Training to Counter Emerging Threats