You are eligible to receive a tax disc refund pretending to come from DVLA <firstname.lastname@example.org> is a brand new phishing attempt to steal your Personal information, driving licence details and your Bank details. I have never previously seen one of these and definitely have never seen any phishing attempt that asks you to scan/photograph your driving licence and upload a copy of that.
Update 10 July 2015: A new version of this scam today with the subject reading Confirmation of vehicle tax refund. pretending to come from email@example.com see below for full details
This one wants your personal details, A copy of your driving licence to be uploaded and bank details. Many phishes are also designed to specifically steal your email, facebook and other social network log in details as well.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
The original email looks like this It will NEVER be a genuine email from DVLA or any other Government department or agency or any other company so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine DVLA website but you can clearly see in the address bar, that it is fake. Some versions of similar phishes will ask you fill in the html ( webpage) form that comes attached to the email.
The link in the email, although looking like a genuine link https://www.taxdisc.direct.gov.uk/EvlPortalApp/tax-disc-refund/ID2803422 if you hover over the link you will see it actually goes to [DO NOT CLICK] http://www.nuclei.fr/.dvla/ where you are immediately forwarded to [DO NOT CLICK] http://www.baillysante.com/.dvla/90/
DVLA Driver and Vehicle License Agency Date: 19/February/2015
Dear customer, We are currrently upgrading our database and we found that you are eligible to recieve a refund from your last payment made on our behalf. A refund can be delayed for a variety of reasons. As example, for submitting invalid records or applying over the deadline. To complete your refund application with us, you are required to fill out the form in the link below. https://www.taxdisc.direct.gov.uk/EvlPortalApp/tax-disc-refund/ID2803422 If you refuses to complete your application within two weeks of receiving this email will cause the lose the specified amount and you will take full responsabilty for that. We sincerely apologise for any inconviniences this might have caused you. Thank you for your co-operation. (c) Driver and Vehicle Licensing Agency Swansea SA6 7JL
If you follow the link you see a webpage looking like:
After you upload a copy of your driving licence you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the name and date of birth is filled in
Update 10 July 2015: A new version of this phishing scam today
The email which has a html attachment that they want you to fill in looks like
Message Received: Jul 10 2015, 03:56 PM
Subject: *** SPAM *** Confirmation of vehicle tax refund
THIS IS AN AUTOMATED EMAIL – PLEASE DO NOT REPLY AS EMAILS
RECEIVED AT THIS ADDRESS CANNOT BE RESPONDED TO.
Confirmation of vehicle tax refund.
Due to an error we have determined that you are eligible to receive
a refund of GBP 199.00.
To access your vehicle tax refund, please download and fill the DVLA
Refund Form attached to this email
A refund can be delayed for a variety of reasons. For example :
-applying after the deadline.
Thank you for using DVLA Vehicle Licensing Online.
Reference Number: 9140 2473 9294 1869
Vehicle Tax Period: 12 months
Vehicle Tax Amount Refund: GBP 199.00
The law has changed, you do not need to display a tax disc, therefore we will not issue one to you.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with
Symantec. (CCTM Certificate Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
The html attachment looks like
If you are unwise enough to fill it in, you will have given them your bank account details, credit card, driving licence number, full name and address, phone number, email address and passwords. You will then be sent on to the genuine DVLA site on gov.uk
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.