HMRC phishing scams

Phishing is an attempt to obtain sensitive personal information by pretending to be a legitimate organisation like HMRC in communications such as emails, texts, phone calls and faxes. 

Whilst many phishing scams can be easy to spot, others are quite sophisticated and can look like genuine HMRC communications.  

How to spot phishing

A key feature of phishing scams is that they will ask you to provide personal or financial details (such as credit card or bank details) in order to, for example, receive a tax refund. 

HMRC stress that they will never use texts or emails to:

  • Inform you of a tax rebate or penalty, or
  • Ask for personal or payment information

General pointers which might indicate that a communication is fraudulent include:

  • Spelling mistakes and poor grammar.
  • Incorrect from addresses: these may be similar to, but not the same as, legitimate HMRC email addresses. 
  • Wording which unduly stresses that urgent action is required.
  • Links to bogus websites: these may look very similar to the HMRC website but often contain links to other websites or requests to input large amounts of personal information.
  • The use of a generic greeting such as Dear Customer.

Genuine HMRC emails will:

  • Address you using the name you’ve provided to HMRC (usually when signing up for HMRC online services).
  • Always include information on how to reporting phishing emails.
  • Never give a non-HMRC personal email address to reply to.
  • Never ask for specific figures or calculations, or have attachments, unless you have given prior consent and formally accepted the risks.
  • Never provide a link to a log-in page or a form asking for information: instead you will be asked to log into your online account through the normal channels.

HMRC publish up to date lists of genuine topical HMRC calls, letters and digital communications which can be referred to if you are in doubt.

Phishing examples

HMRC publish examples of known phishing emails and bogus contact and how to spot them. 

Current examples include:

  • Tax refund / rebate scams: emails or texts which say that you are eligible for a tax refund and ask you to click through to a website and/or provide personal and financial information.
  • Create a Government Gateway account scams: bogus emails which inform individuals they need to create a gateway account to receive a tax refund.
  • Social media scams: direct messages to taxpayers via social media, for example a Twitter scam offering a tax refund.
  • Export clearance process (delivery stop order) emails: Emails which claim goods have been withheld by customs and requiring a payment before release (known as 419 scams).
  • Bogus callers: Telephone calls or home visits from people claiming to be from HMRC who encourage individuals to provide bank account or other personal information in exchange for tax advice or a refund.
  • Recorded telephone messages threatening legal action: a widely reported scam particularly targeting old people where a recorded message is left stating that HMRC are bringing a lawsuit and are going to sue the taxpayer.  The recipient is asked to phone a number and select ‘1’ to speak to the officer dealing with their case.
  • Request to complete NRL1 forms and return by fax: scams which target letting agents and landlords living abroad who are asked to complete a non-resident landlord form including a considerable amount of personal information.

What to do if you suspect phishing

If you are at all in doubt that a message is genuine:

  • Don’t open it;
  • If you do open it, don’t click on any links, open any attachments or provide any information

Suspicious emails and texts should be deleted, but HMRC also encourage taxpayers to report them:

  • Forward suspicious text messages purporting to be from HMRC to 60599 (charges apply).
  • Forward suspicious emails to HMRC’s phishing team: phishing [at] hmrc.gsi.gov.uk
  • Contact HMRC’s security team (security.custcon [at] hmrc.gsi.gov.uk) if you have given personal information in relation to a suspicious email or text.