Email from HMRC, fake or real?

HM Revenue and Customs (HMRC) have asked to remove over 20,750 malicious sites in an effort to crack down on phishing attacks. Which simplify means a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Despite a record number of malicious sites being removed, HMRC is warning the public to stay alert as millions of taxpayers remain at risk of losing substantial amounts of money to online crooks.

Never asked don't give out either
Genuine organizations like banks and HMRC will never contact people out of the blue to ask for their PIN, password or bank details. So people should never give out private information, download attachments, or click on links in emails and messages they weren’t expecting.

Example of phishing attack
Here is an example from my own email account, I received a phishing email but the sender had no luck because I recognized it as a cyber-attack. You might get similar emails and can look for similar things to avoid any damage to your data by following the simple guidelines below.


As per the first image above you can see the email address itself is fake, it not coming from HMRC rather from another domain saunalahti.fi. Also no mention of the name to whom the email is sent. Unique reference is wrong too.

It is important that you don’t click on any link in the email, it can install malicious software on your machine or device without you knowing e.g a key-logger which will record every key you type or press on your display and hacker can know sensitive information. You can simply hover over the mouse on the link and read the detailed link at bottom of the browser as shown in arrow down

You can right-click and select the option copy URL to test your findings. It is crucial that you use a browser that does not save any password for your daily use and even better no cookies saved at all.

If you paste the URL copied from above in browser you will find a site which is not HMRC, it could be any site, if your antivirus software has an anti-spam option on for web, it will through warning message like above. There is a possibility that hackers might have replicated the looks of HMRC sites to another URL for deception. You can easily tell from URL in the address bar which is not HMRC URL. It’s common to have redirect of one URL to another as shown in the image above, URL in the address bar is different from what was copied before. This is done through URL 301 redirect.

As per the image above, there are no links to Crown copyright, HMRC term, and condition, privacy policy and accessibility sections of the email. Which is an odd thing to do in email? It would have been linked to some, not a genuine site too so better not to click on any link

Now dipping bit deeper if you like, as per the image above, if you look into message source codes by right-clicking on a message or in Hotmail down arrow of reply button and clicking on view message source, you will see more details in next image

Once message source code is displayed trigger search option (Ctrl+F in widows) and type from. You will notice the actual email address hidden in codes that are used to send emails to you in the first place. This is called masking.

The above image shows the website displayed when I typed in the actual domain as per senders' email in question.

Above image shows a genuine email from HMRC, notice URL mentioned in the email and hover over a link and email address itself is This email address is being protected from spambots. You need JavaScript enabled to view it.If you copy the link from the above image to the browser it will redirect to the genuine HMRC website section.


If you click on the padlock sign and click on the more detailed option you can see the certificate and wording of a trusted site. You would not see such wording on a doggy site.

Two Factor Authentication
HMRC has also introduced two-factor authentication methodology i.e you user name and password and security code SMS to your registered mobile number for added security. You should use two-factor authentication wherever possible to make the procedure more secure. Much online accounting software uses this as standard these days.

Report Spam or Phishing attack
People should forward suspicious emails claiming to be from HMRC to This email address is being protected from spambots. You need JavaScript enabled to view it. and texts to 60599.
They can also contact Action Fraud on 0300 123 2040 to report any suspicious calls, or use its online fraud reporting tool.

Here is a link for more guidance on countering phishing. 

Another way to prevent cyber crime is to check on this website if your online account with other businesses has been compromised in past or not, if it has then make sure to change password for that site and word of wisdom, DO NOT use the same password for everything. Here is the site https://haveibeenpwned.com/ recommended by the City of London Police’s Cyber Griffin team