Covid-19 phishing scams: HMRC tax rebate analysis

COVID-19 phishing scams are prevalent and according to Google, are being sent to 18 million Gmail users every day.
Person with a face mask on in an empty office
Table of Contents


The Coronavirus is fast becoming the biggest phishing topic in history. As a result, this could see tens of thousands of organisations suffer from subsequent cyber-attacks for years to come.

How do organisations stay secure against phishing threats?

Security technology such as e-mail security, web security and endpoint protection are the likely candidates that first spring to mind. However, a much more effective method is to treat your staff as a working part of your organisation’s security posture. By this, I mean to ensure that your employees have a standardised awareness of cybercrime and proven skills and knowledge in identifying and stopping attacks sent to your organisation.

In this blog post, we will analyse a popular COVID-19 phishing scam doing the rounds, highlight the areas that make the e-mail suspicious and provide guidance on what to do if you or your staff receive an e-mail like this. This analysis is part of our Free Course around Coronavirus Phishing Scams.

HMRC tax rebate analysis

Let’s firstly take a look at the phishing e-mail we’re dealing with here…

This is a real phishing e-mail that has been received and reported by many people across the UK, including a member of our team. It combines the unprecedented nature of the Coronavirus with the apt timing of the tax year coming to a close to trick the recipient into claiming a false tax return.

Attacks like this are often successful as they are relevant to a large number of people. Cybercriminals understand the hushed and subtle fist bump we all do to ourselves when we find out we’re eligible for a tax return, and of course, try to capitalise on this.

This e-mail is classed as Deceptive Phishing as it impersonates an establishment you know but is not targeted towards your organisation or you as an individual. This would be known as Spear Phishing. Deceptive phishing e-mails bear some relevance to its recipients and are sent to large mailing lists to achieve a high success rate.

Let’s take a closer look at the e-mail…

Phishing red flags

Sender name and e-mail address

When you receive an e-mail like this, one of the first things you should notice in your mail client is who the e-mail is from. The sender name may appear to be relevant to the government but the sender e-mail address is clearly suspicious. For an e-mail to be sent, a domain must be commissioned or registered. When you sign up to services such as Gmail (Google), Yahoo or Outlook (Microsoft), by default, you are commissioning their domain (, or As a business, it’s more common to register a custom domain (for example ours is When registering a domain, you must register something that is unique and not already taken. Spoofing was born as a result of this limitation, where criminals register domains similar to existing ones to trick you into thinking it’s the real thing.

In this case, the domain ‘’ is used. This is a custom domain which bears no relevance to the Government or the content of the e-mail. However, we can see that the name before the domain is in some way relevant as it uses the NHS.

Overall, this is a poor effort from the criminal as it is easy to see that the sender e-mail address is not who you would expect an e-mail like this to be from.

Bonus tip: Only government departments, agencies and bodies can use the official domain’’. Usually, anything appearing from the government without this domain should be treated with caution.

Wording, spelling and grammar

In most phishing e-mails, you will often find something not quite right about the spelling and grammar. When dealing with people or organisations you know, you become accustomed to the way they speak, write and spell. I, for example, love to use commas, perhaps too much? As this is an e-mail appearing from the government, we should expect clear wording and accurate spelling and grammar. When this does not match your expectation, you should treat the e-mail with caution.

The first example of poor grammar is in the first line of the body text; “As a precaution measure…”. Here, we would expect the e-mail to say “precautionary” rather than “precaution”.

We might expect a comma after “National Health Services”.

Perhaps an “a” before “tax refund programme”.

Or “its action plan” rather than “is action plan”.

Subtle mistakes like this can be easy to miss as our brains are able to make sense of something without it needing to be grammatically correct.

According to a research at Cambridge University, it doesn’t matter in what order the letters in a word are, the only important thing if that the first and last letter be at the right place. The rest can be a total mess and you can still read it without problem. This is because the human mind does not read every letter by itself, but the word as a whole.

This makes it especially important to stop and carefully read the e-mail before you take any action.


Links within phishing e-mails can be dangerous. Ultimately, the cybercriminal is luring you into visiting their phishing website where a multitude of malicious activity can take place. It’s important to note that links are not always in blue and underlined, they can be attached to images, fake attachments and can even be disguised as text with formatting.

In this e-mail, there are two visible links. On the second link, the cybercriminal manually types out the web address they want you to believe it will go to. In both cases the links are suspicious and URLs do not have relevance to the content of the e-mail.

To identify if the link is suspicious, simply hover your mouse over it or hold-press your finger on a smart device. This will reveal the true destination of the link, displaying the HTTP/HTTPS connection, web domain and top-level domain. If the link has an unsecure ‘http’ connection, a spoofed or suspicious domain and an uncommon top-level domain (such as .biz), you should not click it.

Bonus tip: Government bodies should not provide links in e-mails or SMS messages.

Phishing e-mail best practice

If you identify a suspicious HMRC email, here are the Government guidelines as to what to do:

  • Do not open the attachment or follow any links, as this may infect your computer with a virus. Computer viruses can help criminals to steal data from your computer.
  • Do not reply to the e-mail.
  • Forward the e-mail, along with any attachments, to [email protected]. Where possible, use the ‘Forward as attachment’ option on your e-mail software. Netcraft will take action to remove any offending material or sites from the internet.
  • If you have lost money or information, or your computer has been taken over by a phishing or malware attack, report it to Action Fraud.
  • Delete the e-mail.

How to spot a phishing email

Woman typing on laptop in a dark room with light overhead

Penetration testing vs vulnerability scanning: Why your organisation might need them

Man with glasses typing on laptop with light shining down

Best practice for business passwords 2024