I was sent the details of a very interesting and extremely well done phishing scam that pretends to be a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam & copied the genuine site almost exactly, complete with all branding & Postcode lookup.

I don’t have the original email, so I can’t get any sender’s details or what the email said. I do have an image of the PDF that was attached to the email. I am assuming it was pretending to come from HMRC in some way.

The scammer has gone to extremes to make this as believable as possible. He has also made it slightly more difficult for a researcher to follow the trail or see exactly what happens. One of the ways this is done is to divert a known IP or one that has previously contacted the initial URL to the genuine site.


Screenshot of the fake Council Tax refund PDF attached to the phishing email

The link in the PDF goes to  which is a dynamic DNS service run by Dyn DNS services that just redirects you to the site the scammer has chosen.  which sets a cookie with a PHP session ID & then redirects to (this site was registered on 22 Feb 2019 via GoDaddy as registrar and is also hosted on the GoDaddy network)  (this was registered on 19 April 2019 via GoDaddy as registrar and is also hosted on the GoDaddy network).

I also ran the links through Anyrun, which also shows that this scam phishing site is able to misuse a large part of the genuine site, stealing the images, layout & display from  because there are no blocks on the site stopping unauthorised and unapproved users from hot-linking to the information & displaying it on any site anywhere. The UK Government can go a long way in helping to stop scams like this if they prevent hotlinking of images and set site origins on script files so they can only be used on approved sites on the domain.
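One way the genuine site could apply the hotlinking block and origin restriction suggested above, shown as an added example that is not code from the original post or from any government site: a small Python WSGI middleware. The hostnames under `council.example`, the asset paths and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: placeholder hostnames and asset paths for the genuine site.
ALLOWED_HOSTS = {"www.council.example", "council.example"}
STATIC_PREFIXES = ("/assets/", "/images/")


def is_hotlink(path, headers, allowed=ALLOWED_HOSTS):
    """True when a static asset is being embedded by a page on another site."""
    if not path.startswith(STATIC_PREFIXES):
        return False
    site = headers.get("Sec-Fetch-Site", "").lower()
    mode = headers.get("Sec-Fetch-Mode", "").lower()
    if site:  # set by the browser itself, page script cannot forge it
        return site == "cross-site" and mode != "navigate"
    referer = headers.get("Referer", "")
    if not referer:  # stripped by privacy tools; allow rather than break users
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host not in allowed


def hotlink_guard(app):
    """WSGI middleware: refuse hotlinked assets and tell browsers to do the same."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        headers = {
            "Sec-Fetch-Site": environ.get("HTTP_SEC_FETCH_SITE", ""),
            "Sec-Fetch-Mode": environ.get("HTTP_SEC_FETCH_MODE", ""),
            "Referer": environ.get("HTTP_REFERER", ""),
        }
        if is_hotlink(path, headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"hotlinking not permitted\n"]

        def with_corp(status, response_headers, exc_info=None):
            if path.startswith(STATIC_PREFIXES):
                # Browsers refuse to load this resource into cross-site pages.
                response_headers = list(response_headers) + [
                    ("Cross-Origin-Resource-Policy", "same-site")]
            return start_response(status, response_headers, exc_info)

        return app(environ, with_corp)
    return guarded
```

This only stops live embedding of the genuine site's files; assets copied onto the scammer's own host are unaffected.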

If you follow the link inside the PDF you see a web page looking like this, asking you to start with your Postcode:

In this case I have inserted fake details for a resident of Number 10 Downing Street (the Prime Minister’s residence).

Fake Council Tax refund site



Next, it looks up the postcode & says which council it belongs to.

Fake Council Tax refund site


Next it asks for name, address, phone number, date of birth, email address and mother’s maiden name.

Fake Council Tax refund site


Next comes the financial details.

Fake Council Tax refund site


Next you get a success page saying that you won’t be refunded until the due date and you will be diverted to the home page. You are then sent to the genuine website.

This final page on the phishing website is the only page that doesn’t match up properly & instead of the name of your council, it gives XXX council.

Fake Council Tax refund site



We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day, or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log-in details. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.


Domain requests: payment34956273.from-ny.net, khalsacare.com, yourcouncil.city

