29 Nov 2013
November 29, 2013

HMRC and Gateway Virus messages.


I have noticed over the last few weeks an increase in the number of fake messages which claim to come from the HMRC or Government Gateway and look at first glance quite realistic. They have a realistic return address such as noreply@hmrc.gov.uk or gateway.confirmation@gateway.gov.uk, but also have an attachment which is zipped up, which is not something that the HMRC would send out.

HMRC Spam Message

That last Gateway Registration Form zip file unzips to an .exe (program file) – which when it is checked against 47 antivirus products online, only 1 product flags it as being a virus – so it is likely to be missed by most people if they are JUST relying on their security software to keep them safe.

You need to engage common sense and also use the website www.virustotal.com to double-check suspicious files and attachments if you suspect that your own antivirus software has not flagged this very suspicious attachment. Or delete the email and log into your HMRC account in the normal way to check the validity of the message.

Be on your guard, and if you or someone in your office does click on the links, then let us know, as you might have infected your machine.  We also can recommend and help implement anti-virus and anti-spam solutions here at Silicon Bullet.

4 Responses to HMRC and Gateway Virus messages.
  1. Interesting. I’ve received one of these – having 3 days earlier registered on the HMRC website for their government gateway access. The fact that I received the virus email just 3 days later surely implies that the HMRC website has been compromised. It can’t be a coincidence!

  2. I have received one today. I didn’t register recently but am due to file my tax info within the next week This is prime time as so many people are registering and filing their returns so it may just be clever timing and not that the HMRC site is compromised.

    • Hi Kim, I think you might well be right. Mind you, it wouldn’t be the first time that the infection vector is via a website, rather than via email. The attraction of course is that it is a well known website with high traffic levels – thus making it a prime target, but of course this should mean that it gets strong protection to try to avoid such issues. But it wouldn’t be the first time that a high profile website gets compromised.

  3. The messages seem to come in waves John. I’m getting ones now about my VAT return as well as about self assessment and payroll PAYE code changes. We just don’t know.


Leave a Reply

Your email address will not be published. Required fields are marked *

  • The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.