Cyber criminals have been targeting UK taxpayers with fake VAT return messages claiming to come from HMRC which, when opened, could infect PCs with a Trojan virus and allow the attackers to take over the victim’s computer, according to information security specialists Trustwave.

The firm says its research shows that on 6 September scammers launched a phishing attack using spoofed e-mail messages appearing to come from an HMRC support service domain and containing links to the JRAT malware disguised as a VAT return document.

The scam email was sent using a registered HMRC-like domain, which was registered on the same date and contained no web content at the time.

The fake emails had the subject header ‘VAT return query’, while the body of the email encouraged the recipient to click on the embedded image of a PDF document by suggesting that there were some errors in the user’s recently submitted VAT return.

Clicking on the link results in the user being taken to a Microsoft OneDrive file sharing service that downloads the ‘VAT return’ zip file, which contains the malware.

Dr. Fahim Abbasi, senior security researcher at Trustwave, who discussed the phishing attack in a company blog, said: ‘We have witnessed an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service). We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defences. Users need to be particularly careful since such scams are quite active during tax return season.’
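For mail administrators, the traits described above (an HMRC-like sender domain registered the same day, and an image that links out to a cloud file-sharing service) can be checked together at the gateway. The sketch below is an added example, not code from Trustwave or HMRC; the host list, the 30-day threshold, the `.example` domain, the dates and the sample message are all assumptions constructed for illustration.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for this sketch, not taken from the article.
OFFICIAL_SUFFIX = ".gov.uk"
FILE_SHARE_HOSTS = ("1drv.ms", "onedrive.live.com", "sharepoint.com")
NEW_DOMAIN_DAYS = 30

def triage(raw, registered_on, received_on):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Trait 1: sender domain mentions HMRC but is not under gov.uk.
    if "hmrc" in domain and not domain.endswith(OFFICIAL_SUFFIX):
        findings.append("lookalike-sender-domain")
    # Trait 2: sender domain registered very recently (same day in the report).
    reg = registered_on.get(domain)
    if reg is not None and (received_on - reg).days <= NEW_DOMAIN_DAYS:
        findings.append("newly-registered-domain")
    # Trait 3: an image wrapped in a link to a cloud file-sharing host.
    body = "".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/html")
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b', body, re.I):
        host = (urlparse(m.group(1)).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            findings.append("image-link-to-file-share")
            break
    return findings

SAMPLE = (  # constructed message; the .example domain is a placeholder
    "From: HMRC Support <noreply@hmrc-support.example>\n"
    "Subject: VAT return query\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Errors were found in your VAT return.</p>"
    '<a href="https://1drv.ms/u/constructed"><img src="cid:pdf"></a>\n'
)
REGISTERED = {"hmrc-support.example": date(2000, 9, 6)}  # constructed lookup
RECEIVED = date(2000, 9, 6)  # constructed receipt date

if __name__ == "__main__":
    print(triage(SAMPLE, REGISTERED, RECEIVED))
```

No single trait is conclusive, since legitimate mail also links to OneDrive and SharePoint; the combination is what makes a message worth quarantining for review.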

HMRC has been contacted for comment.

Trustwave’s blog about the HMRC phishing attack, with images of the emails, is here.

HMRC guidance on Phishing and Scams is here.