UK Government Tax Refund

In this attack, attackers are posing as government employees notifying recipients that they possess outstanding tax returns, but require the recipient to follow a link to a fraudulent landing page to request the return.

Quick Summary

  • Platform: Office 365
  • Mailboxes: More than 20,000
  • Email Gateway: Proofpoint
  • Email Security Bypassed: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation, Email Spoofing

What was the attack?

  • Setup: This attack leverages the end of the tax season, in the United Kingdom, tax returns are eligible to be filed on the first day of the next tax year – April 6th. Attackers can take advantage of this period to send out fake tax return reminders, urging the victim to claim their refund before it expires.

  • Email Attack: This attacker crafted a convincing email and landing page that appears to come from a government service office. The attacker requests that the user enter their personal and bank information in order to claim their tax refund.

  • Payload: The email contains a link to a fake government website. The URL in the email is masked with a link, and the real URL takes users to a site hosted at “”, which attackers likely control and will use to steal sensitive personal information from victims.
  • Result: Should recipients fall victim to this attack, attackers will have access to sensitive personal information, which can then be used to impersonate the victim and further compromise their accounts.

Why is this attack effective?

  • Urgency: The attacker claims that the refund is time sensitive – the email was sent on April 16th and the attacker claims that the last day to claim is April 17th. If the user does not immediately follow the link, they will lose access to their refund.
  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The email subject appeared legitimate, even including a payment reference. Furthermore, the body of the email contains a specific monetary value for the tax refund, an issuing date, issuing number, and transaction ID. The landing page was similarly elaborate, appearing similarly to the true government tax claim page. Recipients would find it difficult to recognize that this site specifically designed to steal their credentials and personal information.
  • Concealed URL: The URL where the landing page was ultimately hosted ( was clearly not a site owned or run by the UK government. However, the email concealed this URL, and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content