Protecting yourself online from phishing, malware and scams

Updated on 14 April 2022

Getting help

With many government services being available online, it is important to understand how to protect your equipment and your personal details and information from theft, loss, attack or damage.

Illustration of a man inside a computer with a fishing rod stealing documents from another computer

Techniques that cyber criminals may use to try to commit identity and financial theft and fraud may be tax related and may include malware and phishing. These are serious crimes. Unfortunately, many people do not realise that they are being targeted until it is too late.

⚠️ Do not give out private information, reply to text messages, download attachments or click on any links unless you are sure they are genuine.

In particular, if someone texts, emails or calls claiming to be from HMRC, saying that you are in serious trouble, are owed a tax refund, or can claim financial help and asks you to click on a link or to give information such as your name, credit card or bank details, it’s a scam.


Malware is the name given to software that has been designed to disrupt or damage data either your software or hardware. Types of Malware include viruses, worms and Trojans.

Malware can get into your computer or mobile phone in a variety of ways. Most involve a combination of technical factors and human interaction. For example, someone who is creating malware might:

  • get you to download their malware by putting a link in an email or attaching the malware to an email.
  • get you to download their malware by putting a link in an SMS text message.
  • spread malware via a USB drive which transfers to your computer when you plug it in.
  • spread malware via a downloadable mobile application (app).
  • reproduce what looks like a genuine webpage (known as a malicious webpage) or insert a link into a genuine web page (known as a malicious link) to entice you to download the malware to your device.


Phishing is when someone sends a fake email, purporting to be from a legitimate organisation such as a bank, online retailer or government department such as HMRC. Phishing emails are designed to steal your personal or financial details, or to deliver malware to your software or hardware.

HMRC is recognised as one of the most phished brands in the world. A common HMRC related phishing email heading is ‘Tax Refund Notification’. An email with this heading may ask you to update or to verify your personal and financial information. This may include your date of birth, login information, account details, credit card number or PIN.

To make the HMRC phishing emails look more authentic criminals will spoof, or masquerade, as legitimate HMRC domains, for example

These emails frequently appear to be genuine but if you divulge information you may be at serious risk of identity or financial theft. You also risk having your personal details sold on to other criminals.

⚠️ HMRC will never offer you a repayment, notify you of a tax refund or ask you to disclose personal or financial information by email. If you choose to receive paperless notifications from HMRC, you may receive email messages which will direct you to sign in to your HMRC online account from where you can view the notification. HMRC will never include a link to your account.

Types of Phishing


Unlike an ordinary phishing email which is sent out to a large number of people rather than targeted individuals, spear-phishing will have been specifically crafted and targeted. It will seemingly come from someone or a recognised organisation such as HMRC that seems relevant to the person targeted. The content of the email will also be pertinent to the person targeted.

Spear-phishing is often much more sophisticated and elaborate than ordinary email phishing. Attackers will find out information from social media sites (like Facebook and LinkedIn) to tailor the email so that it is extremely accurate and compelling. The purpose of spear-phishing is often to obtain sensitive information.

SMiShing: (SMS Phishing)

SMiShing is the text message equivalent of email ‘phishing’. It involves sending a message containing a malicious link that the recipient is enticed to follow.

⚠️ HMRC may occasionally send text messages but these messages will never request personal or financial information.

If you have any doubt about the authenticity of a SMS text message which claims to come from HMRC, please do not follow any links within the message, disclose any personal details or respond to it.

Vishing: (Voice Phishing)

Vishing is the act of using the telephone in an attempt to scam you into divulging private information that will be used for identity or financial theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.

Some people have received telephone calls or home visits from people claiming to be from HMRC. These bogus callers may threaten you with arrest or legal action unless you make a tax payment or encourage you to provide personal or financial information in exchange for ‘tax advice’ or a bogus refund.

Sometimes, when you call HMRC and they need to investigate your query further, they may offer to call you back. In this case, for extra protection, they may ask you to tell them a password that they must use before you will speak with them again. In other words, when they call you, you can ask them to quote back to you the password.

⚠️ Telephone numbers can be faked and you should never trust a number you see on your display, even if it looks like an official HMRC number. If you unsure about the identity of a caller, ask for their name and the purpose of their call and then dial the appropriate HMRC helpline number and either ask to speak to that person and/or explain the nature of the call you have received and ask HMRC to confirm whether it was a genuine call. If you are unable to verify the identity of a caller, we recommend that you do not liaise with them. Never call a number given to you by somebody who phones you unless you are sure it is genuine. A list of HMRC numbers is available on GOV.UK.

What should you do if you receive a suspicious contact from HMRC?

LITRG video: HMRC have sent me a refund notification by email by LITRG

  • If you cannot verify the identity of the person contacting you, do not liaise with them.
  • If you think you have received a HMRC related phishing email or text message, you can check it against the examples published on UK.
  • Forward every suspicious email from HMRC to their phishing team at (even if you receive the same email several times) and then delete it permanently from your computer and email account. HMRC will never offer you a repayment, notify you of a tax refund or ask you to disclose personal or financial information by email.
  • Forward details of letters to the same team at
  • If you get a scam call, even if you don’t fall for it, somebody more vulnerable might. You should complete HMRC’s form to report the incident, so HMRC can try and close down the scam.
  • If you receive a text message claiming to be from HMRC offering a ‘tax refund’ in exchange for personal or banking details, do not respond and do not open any links contained within the message. Forward a suspicious text message from HMRC to 60599 and then delete it permanently. You will be charged at your network rate to do this. HMRC may occasionally issue text messages, however these messages will never request personal or financial information.
  • You may also wish to consider reporting any incidents to Action Fraud.

What if you have fallen victim?

  • If you think you have been the victim of a HMRC related scam, contact HMRC at Include a brief outline of the information you disclosed. For example, you will need to tell HMRC whether you disclosed your name or address, or perhaps your HMRC User ID or password. But never include all of your actual personal details together, for example name, address and National Insurance number, in the email.
  • You should also monitor your bank and /or credit card statements for unusual transactions and notify your bank and/or card issuer of any breach or unauthorised activity as soon as possible. If you gave out card details you should also contact your bank or credit card provider to explain what has happened and follow their advice which may include getting a new card or replacing PINs or passwords

Coronavirus scams

Scammers have been using the coronavirus (COVID-19) situation to try to steal money or valuable personal information or get access to your computer or network.

For example, HMRC was aware of a phishing campaign telling customers they could claim a tax refund to help protect themselves from the financial impacts of the coronavirus outbreak.

Do not reply to emails of this kind, and do not open any links in the message.

The email has been issued in various formats.

An example of this scam is below:

HMRC scam phishing email example

Source: HMRC

‘Goodwill payment’ SMS scam

HMRC is aware of coronavirus SMS scams telling customers they can claim a ‘goodwill payment’. Do not reply to the SMS and do not open any links in the message.

This is an example of the scam wording:

‘As Part of the NHS promise to battle the COV- 19virus, HMRC has issued a payment of £258 as a goodwill payment. Follow link to apply.’.

Other scams

This bulletin from the National Crime Agency details some of the other COVID-19 fraud and scams that have been happening (there may be others) such as Online Shopping and Auction Fraud, Investment Fraud and Pension Liberation Fraud (which you can also read about on the Money Helper website).

Consumers are urged to:

  • Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.
  • Challenge: Could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
  • Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud. Reporting to Action Fraud can be done online or by calling 0300 123 2040.

Useful sources of information

Get Safe Online has practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online.

GOV.UK provides guidance on:

Cyber Aware is a Government-backed initiative that gives advice on how to make good cyber security habits second nature for both individuals and businesses. It gives useful information on passwords and backing up information.

Tax guides

Share this page