Victims have received phishing emails and texts purporting to be from HMRC about tax rebates. After victims either downloaded a file attached to the emails or clicked on a link, their devices have been infected with Dridex (a type of banking malware) or Locky ransomware (which locks devices and demands a ransom) from a hacked website.
When victims click on the link in the HMRC-spoofed texts, they are redirected to a registration page requesting personal details. The emails and texts appear genuine, and victims who have provided their personal details have consequently had direct debits, mobile phone contracts and new bank accounts set up using their personal information. HMRC would never contact people using these methods.