Today we received a convincing email malware scam posing as the HMRC (the UK’s tax entity) that attempted to lure us into opening a malicious email attachment.
The email started with the logo belonging to the HMRC, and then went on to explain that the email’s contents and attachments had been “scanned for viruses by the Government Secure Intranet virus scanning service”.
Of course, this is essentially just a scammer telling you that the contents of their email scam are safe, which cannot be trusted. The full text of the email can be seen below:
The secure communication with reference number ID201NLD0012192016 sent by HM Revenue & Customs (HMRC) .
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
HM Revenue & Customs
Sent to: *****@c************.co.uk
Date: December 19, 2016
Type: Protected Document
File Format: Microsoft Word
Encryption Type: RSA 2048
The email may – upon a cursory glance – appear convincing. And because those in the UK who complete self-assessment tax online have a deadline date in January, many may not be surprised to see an email waiting for them from the HMRC.
However, beyond the design and unusually sound grammar, warning signs are still lurking. In the example above, common red flags are present, one being that the email does not address us by name, only by our email address. Companies like the HMRC will always address you by your name in the emails that they send you, so consider this a tell-tale sign of a scam.
Secondly and crucially, you’re lured into opening an email attachment. Again this isn’t something that the HMRC are ever going to ask you to do.
The same advice applies to all these email scams. Never open the attachment, and if you suspect something may be up with your account – be it an HMRC account, social/banking account or PayPal etc. – go straight to the website instead, and log in. Don’t click on links inside an email and certainly don’t open up any attachments. Email scammers rely on their victims opening up an email attachment after being enticed to do so, so be aware!
In this case the email comes with an infected Word document attached. Upon opening the Word document you are asked to “enable content”; this means enabling macros, which are then able to download a malicious file onto your computer and execute it, infecting it with malware. Such malicious email attachments are the primary way in which ransomware is distributed.