Tax: protecting yourself against HMRC related scams
With HMRC now using different methods of supporting and contacting people, it is important to understand how to protect your equipment and your personal details and information from theft, loss, attack or damage.
Introduction
Techniques that criminals may use to try to commit identity and financial theft and fraud may be tax related and may include texting, calling, malware and phishing. These are serious crimes. Unfortunately, many people do not realise that they are being targeted until it is too late.
In particular, if someone texts, emails or calls claiming to be from HMRC, saying that:
- you are in serious trouble,
- you are owed a tax refund, or
- you can claim financial help,
and then asks you to click on a link or to give information such as your name, credit card or bank details – it’s a scam.
Be aware that your online tax account may also be targeted by fraudsters. See our dedicated guidance for more on the security considerations and keeping your online tax account protected.
Malware
Malware is the name given to software that has been designed to disrupt or damage either your software or hardware. Types of malware include viruses, worms and trojans.
Malware can get into your computer or mobile phone in a variety of ways. Most involve a combination of technical factors and human interaction. For example, someone who is creating malware might:
- get you to download their malware by putting a link in an email or attaching the malware to an email.
- get you to download their malware by putting a link in an SMS text message.
- spread malware via a USB drive which transfers to your computer when you plug it in.
- spread malware via a downloadable mobile application (app).
- reproduce what looks like a genuine webpage (known as a malicious webpage) or insert a link into a genuine web page (known as a malicious link) to entice you to download the malware to your device.
Phishing
Phishing is when someone sends a fake email, purporting to be from a legitimate organisation such as a bank, online retailer or government department such as HMRC. Phishing emails are designed to steal your personal or financial details, or to deliver malware to your software or hardware.
HMRC is recognised as one of the most phished brands in the world. A common HMRC related phishing email heading is ‘Tax Refund Notification’. An email with this heading may ask you to update or to verify your personal and financial information. This may include your date of birth, login information, account details, credit card number or PIN.
To make the HMRC phishing emails look more authentic, criminals will spoof, or masquerade as, legitimate HMRC domains, for example @HMRC.gov.uk.
These emails frequently appear to be genuine but if you divulge information, you may be at serious risk of identity or financial theft. You also risk having your personal details sold on to other criminals.
Spear-phishing
Unlike an ordinary phishing email, which is sent out to a large number of people rather than to targeted individuals, a spear-phishing email will have been specifically crafted and targeted. It will appear to come from a person or a recognised organisation, such as HMRC, that seems relevant to the person targeted. The content of the email will also be pertinent to the person targeted.
Spear-phishing is often much more sophisticated and elaborate than ordinary email phishing. Attackers will find out information from social media sites (like Facebook and LinkedIn) to tailor the email so that it is extremely accurate and compelling. The purpose of spear-phishing is often to obtain sensitive information.
SMiShing (SMS Phishing)
SMiShing is the text message equivalent of email ‘phishing’. It involves sending a message containing a malicious link that the recipient is enticed to follow.
If you have any doubt about the authenticity of an SMS text message which claims to come from HMRC, please do not follow any links within the message, disclose any personal details or respond to it.
Vishing (Voice Phishing)
Vishing is the act of using the telephone in an attempt to scam you into divulging private information that will be used for identity or financial theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.
Some people have received telephone calls or home visits from people claiming to be from HMRC. These bogus callers may threaten you with arrest or legal action unless you make a tax payment, or encourage you to provide personal or financial information in exchange for ‘tax advice’ or a bogus refund.
Sometimes, when you call HMRC and they need to investigate your query further, they may offer to call you back. In this case, for extra protection, they may ask you to tell them a password that they must use before you will speak with them again. In other words, when they call you, you can ask them to quote back to you the password.
Quishing (QR code Phishing)
Quishing (or QR code phishing) is when scammers attempt to trick you into scanning a fake QR code to direct you to malicious websites. HMRC will sometimes include genuine QR codes on their letters. When scanned, these codes take you to relevant GOV.UK guidance or information pages. Genuine HMRC QR codes will never take you to pages where you are asked to give personal information. You should avoid scanning any QR codes which look suspicious, as they can infect your device with a virus or malware if scanned. If you do accidentally scan a QR code which purports to be from HMRC (for example, in an email offering you a tax refund) but does not take you to a GOV.UK webpage, you should leave that webpage immediately and carry out a virus scan of your computer, if possible.
If you receive suspicious contact
- If you cannot verify the identity of the person contacting you, do not liaise with them.
- If you think you have received an HMRC-related phishing email or text message, you can check it against the examples published on GOV.UK (links at the end of this page).
- Forward every suspicious email from HMRC to their phishing team at [email protected] (even if you receive the same email several times) and then delete it permanently from your computer and email account. HMRC will never offer you a repayment, notify you of a tax refund or ask you to disclose personal or financial information by email.
- Forward details of letters to the same team at [email protected].
- If you get a scam call, even if you don’t fall for it, somebody more vulnerable might. You should complete HMRC’s form on GOV.UK to report the incident, so HMRC can try and close down the scam.
- If you receive a text message claiming to be from HMRC offering a ‘tax refund’ in exchange for personal or banking details, do not respond and do not open any links contained within the message. Forward a suspicious text message from HMRC to 60599 and then delete it permanently. You will be charged at your network rate to do this. HMRC may occasionally issue text messages, however these messages will never request personal or financial information.
- Any suspicious HMRC-related social media accounts or messages can be reported to [email protected], which is HMRC’s security team.
If you have fallen victim to a scam
If you think you have been the victim of an HMRC-related scam, in line with the guidance on GOV.UK, contact HMRC at [email protected]. Include a brief outline of the information you disclosed. For example, you will need to tell HMRC whether you disclosed your name or address, or perhaps your HMRC User ID or password. But never include all of your actual personal details together, for example name, address and National Insurance number, in the email.
You should also monitor your bank and/or credit card statements for unusual transactions and notify your bank and/or card issuer of any breach or unauthorised activity as soon as possible. If you gave out card details you should also contact your bank or credit card provider to explain what has happened and follow their advice, which may include getting a new card or replacing PINs or passwords.
You should report any incidents to the Report Fraud website.
Other scams
This bulletin from the National Crime Agency details some of the fraud and scams that have been happening (there may be others) such as Online Shopping and Auction Fraud, Investment Fraud and Pension Liberation Fraud (which you can also read about on the Money Helper website).
Consumers are urged to:
- Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.
- Challenge: Could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
- Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to the Report Fraud website. You can also contact them by calling 0300 123 2040.
Useful sources of information
Get Safe Online has practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online.
GOV.UK provides guidance on:
- Phishing emails and bogus contact – This guidance includes examples of emails, letters, text messages and phone calls used by scammers and fraudsters pretending to be HMRC and is updated regularly.
- HMRC have shared a checklist on GOV.UK which can be used to decide if the contact you have received is a scam. You can use it for phone calls, emails and text messages.
- Genuine HMRC contact and recognising phishing emails – This guidance will help you decide whether different types of messages from HMRC are genuine. The lists are organised by subject in alphabetical order. Not every possible HMRC communication is included.
- Official guidance on avoiding and reporting internet scams and phishing can be found on GOV.UK, including what to do if you have fallen victim.
Cyber Aware is a government-backed initiative that gives advice on how to make good cyber security habits second nature for both individuals and businesses. It gives useful information on passwords and backing up information.