Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@. Skimlinks & other affiliated links are turned on

Search
Page 1
    • MrToads
    • By MrToads 4th Jan 18, 11:20 AM
    • 6 Posts
    • 0 Thanks
    MrToads
    • #2
    • 4th Jan 18, 11:20 AM
    • #2
    • 4th Jan 18, 11:20 AM
    Looks very scammy to me, tbh with anything like that, from banks or paypal etc, I tend to forward to the spam team. A lot of the time they have a dedicated email for it.

    I am not allowed to post links as im a noob here, but the email is
    Hmrc's is; "phishing AT hmrc dot gsi dot gov dot uk"

    or google "gov dot uk report-suspicious-emails-websites-phishing" for the main page.

    If everyone did that for emails not sure about, it helps HMRC to catch the bad guys.

    Also, if it is something very important they always like to follow up a physical letter anyway!


    Best
    Joseph
    • Farway
    • By Farway 4th Jan 18, 11:33 AM
    • 6,229 Posts
    • 9,942 Thanks
    Farway
    • #3
    • 4th Jan 18, 11:33 AM
    • #3
    • 4th Jan 18, 11:33 AM
    It is an old scam, HMRC never contact anyone to offer a refund

    If a refund is due they will automatically adjust your PAYE code
    • HogMan
    • By HogMan 4th Jan 18, 11:40 AM
    • 94 Posts
    • 66 Thanks
    HogMan
    • #4
    • 4th Jan 18, 11:40 AM
    • #4
    • 4th Jan 18, 11:40 AM
    Looks dodgy to me. The outlook link is the giveaway.

    Last time I had a tax refund the HMRC communicated via post and I then had to log on to the gov.uk website to request it to be processed. Payments are made into your bank account not credited to a card.
    • poppasmurf_bewdley
    • By poppasmurf_bewdley 4th Jan 18, 11:44 AM
    • 5,207 Posts
    • 5,328 Thanks
    poppasmurf_bewdley
    • #5
    • 4th Jan 18, 11:44 AM
    • #5
    • 4th Jan 18, 11:44 AM
    Looks dodgy to me. The outlook link is the giveaway.

    Last time I had a tax refund the HMRC communicated via post and I then had to log on to the gov.uk website to request it to be processed. Payments are made into your bank account not credited to a card.
    Originally posted by HogMan
    This is the correct information.

    The email you have received is a scam, and should be forwarded to HMRC as outlined above.
    "There are not enough superlatives in the English language to describe a 'Princess Coronation' locomotive in full cry. We shall never see their like again". O S Nock
    • spud17
    • By spud17 4th Jan 18, 11:51 AM
    • 4,263 Posts
    • 1,957 Thanks
    spud17
    • #6
    • 4th Jan 18, 11:51 AM
    • #6
    • 4th Jan 18, 11:51 AM
    From 2013, so yes, they've been around a while.

    https://www.moneysavingexpert.com/news/banking/2013/01/beware-fake-hmrc-tax-refund-emails
    Move along, nothing to see.
    • DoaM
    • By DoaM 4th Jan 18, 11:52 AM
    • 4,394 Posts
    • 4,424 Thanks
    DoaM
    • #7
    • 4th Jan 18, 11:52 AM
    • #7
    • 4th Jan 18, 11:52 AM
    On the subject of eur01.safelinks.protection.outlook.com links ... this is quite normal for links in emails received within an organisation; in my own company any external links in emails look very similar (except ours start ns01 as I recall).
    Diary of a madman
    Walk the line again today
    Entries of confusion
    Dear diary, I'm here to stay
    • grumpycrab
    • By grumpycrab 4th Jan 18, 11:53 AM
    • 3,570 Posts
    • 1,613 Thanks
    grumpycrab
    • #8
    • 4th Jan 18, 11:53 AM
    • #8
    • 4th Jan 18, 11:53 AM
    Is there a new scam purporting to be from HMRC doing the rounds. The text below has appeared in my in box. The 1st link brings me the outlook login screen and the 2nd link to gov.uk
    Originally posted by eamon
    Why are you clicking on these links? Either you're being very naive or, for some reason, you're encouraging other people to click on links in suspicious emails?
    If you put your general location in your Profile, somebody here may be able to come and help you.
    • Cookieie
    • By Cookieie 4th Jan 18, 11:55 AM
    • 4 Posts
    • 0 Thanks
    Cookieie
    • #9
    • 4th Jan 18, 11:55 AM
    • #9
    • 4th Jan 18, 11:55 AM
    Looks scam like to me!

    If received via email - check the senders email address, & should it a scam - block straight away to avoid anymore emails.
    • AndyPix
    • By AndyPix 4th Jan 18, 12:05 PM
    • 3,648 Posts
    • 2,856 Thanks
    AndyPix
    Good grief
    Do you even have to ask ??!!


    An obviously obfuscated link like that should be the prime giveaway.


    Aside from the fact that the HMRC would never send a refund like that,
    No reputable organisation would expect you to click on a link that


    And as for the comment above regarding email links, ns01 stands for name server 01 and is an internal routing thing. If the HMRC wanted you to click a link to a site owned by them then the link would be concise and end in .gov.uk .. They would have precisely no reason to obfuscate it with break codes like you see in that link.


    Delete and ignore - no point in blocking the sender as this will be rotated daily if not by the minute
    Running with scissors since 1978
    • DoaM
    • By DoaM 4th Jan 18, 12:11 PM
    • 4,394 Posts
    • 4,424 Thanks
    DoaM
    And as for the comment above regarding email links, ns01 stands for name server 01 and is an internal routing thing
    Originally posted by AndyPix
    Not quite ... the "obfuscation" of the link is something that is done by the internal email (Exchange?) server of the receiving organisation. It's not "obfuscated" by the sender ... at least not in the scenario I was explaining.
    Diary of a madman
    Walk the line again today
    Entries of confusion
    Dear diary, I'm here to stay
    • RumRat
    • By RumRat 4th Jan 18, 12:31 PM
    • 2,788 Posts
    • 1,597 Thanks
    RumRat
    Got two of these just before Christmas. Sent straight to bin and senders blocked.
    Sorry but they don't even look convincing.
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
    • chrisw
    • By chrisw 4th Jan 18, 12:36 PM
    • 1,708 Posts
    • 942 Thanks
    chrisw
    I've recently completed a tax return so had a load of emails from HMRC. They invariably don't give away any information but simply advise that you have a new message and suggest you log on to your account.

    There are no links in the emails.
    • eamon
    • By eamon 4th Jan 18, 12:40 PM
    • 1,606 Posts
    • 1,133 Thanks
    eamon
    I wasn't trying to tempt other users. What interested me was the the use of the euro safe methodology and the use of https and the padlock symbol in this scam/phishing attempt. I don't recall seeing that before and no, apart from clicking the links to see where they went to I haven't been compromised.
    • grumpycrab
    • By grumpycrab 4th Jan 18, 12:42 PM
    • 3,570 Posts
    • 1,613 Thanks
    grumpycrab
    no, apart from clicking the links to see where they went to I haven't been compromised.
    Originally posted by eamon
    That's alright then - good luck!
    If you put your general location in your Profile, somebody here may be able to come and help you.
    • shaun from Africa
    • By shaun from Africa 4th Jan 18, 12:58 PM
    • 10,037 Posts
    • 11,306 Thanks
    shaun from Africa
    I don't recall seeing that before and no, apart from clicking the links to see where they went to I haven't been compromised.
    Originally posted by eamon

    "haven't been compromised" should read "I hope I haven't been compromised"

    You need to have a good read of this:
    https://tiptopsecurity.com/the-truth-about-clicking-links-in-email-and-what-to-do-instead/
    before you click on any more links in dodgy e-mails then when you've read that, carry out full malware and virus scans on your computer.
    • Inner Zone
    • By Inner Zone 4th Jan 18, 1:10 PM
    • 2,174 Posts
    • 1,227 Thanks
    Inner Zone
    Of course it' a scam. If you are due a refund the HMRC will send you warrant (cheque) in the post.
    • pappa golf
    • By pappa golf 4th Jan 18, 1:24 PM
    • 8,706 Posts
    • 9,308 Thanks
    pappa golf
    telephone TXT , do they HAVE your phone number?

    debit card ? why , they (if true) would need your bank account number and sort code


    PS: its fake
    • AndyPix
    • By AndyPix 4th Jan 18, 1:27 PM
    • 3,648 Posts
    • 2,856 Thanks
    AndyPix
    Not quite ...
    Originally posted by DoaM

    Yes it is ..


    It is done by exchange servers mainly when using outlook OWA to obfuscate (yes, that is the correct term) the users mailbox details.
    The mailbox will be obfuscated and the remaining URL (also obfuscated) will be tagged onto the end.
    In your example, ns01 is the name of the mailserver.
    In the OP's mail, the bit after "?url=" decodes to
    http://Gateway.RefIDConfirmation10aeeec.urefnk.com/&data=02|01||9516af5965dc4962aa4d08d5534ac25a|84df 9e7fe9f640afb435aaaaaaaaaaaa |1|0|636506502902824163&sdata=FfFyHh4qWIKnMg 9YLkAXFsaNtbwTTxKfux5WXb0WKpU=&reserved=0
    I didn't mean the whole thing was obfuscated by the sender, i was just referring to your comment in the middle of talking about this, to clear up why yours would be NS01
    Sorry for any confusion
    Running with scissors since 1978
    • pmduk
    • By pmduk 4th Jan 18, 6:41 PM
    • 8,515 Posts
    • 6,288 Thanks
    pmduk
    It is an old scam, HMRC never contact anyone to offer a refund

    If a refund is due they will automatically adjust your PAYE code
    Originally posted by Farway
    Not quite true, on occasions, you will be sent a SA800, which allows you to log online and request a payment to be made. This isn't done by email, ever.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

443Posts Today

4,834Users online

Martin's Twitter