This is fairly interesting though.
The e-mail address cited is TaxRefunds@HMRC.gov.uk.
That means that in order for a scammer to acutally pick up the returned e-mails, they most be able to access this domain - they must be able to get to xxxxxxxx.hmrc.gov.uk.
However, this domain is fully owned by the HMRC - it's not a shared area.
So whats going on here:
Either:
1) it's a spoof - like those "send this mail to ten people in order to make fairies happy" type e-mails - in which cae, what's the point in it in the first place?
or
2) Some one has ( or had ) access to the HMRC.gov.uk domain who shouldn't have, in wich case the tax man significantly needs to increase the quality of their security measures.
I have to say that 2) is much less likely, but if someone had enough access to set up their own e-mail addresses on a government server, it doesn't make a lot of sense for them just to stop at that.
Steve