The season for HMRC letters… and scams: how to spot phishing?

Every year, as the UK tax season approaches, taxpayers’ inboxes and phones fill up with messages from HMRC. Unfortunately, not all of them are genuine. In 2024 alone, more than 200,000 phishing attempts impersonating HMRC were reported. Fraudsters exploit stress, haste and uncertainty to trick people into clicking fake links or sharing personal details.

In this article, we will show you how to recognise phishing, how to distinguish genuine contact from HMRC from fake contact, and what to do if you suspect fraud.

What is phishing and why do fraudsters target HMRC?

Phishing is a type of online scam where criminals send fake emails, texts or even make phone calls to steal login credentials, personal information or bank details. Because almost every adult in the UK interacts with HMRC at least once a year, it’s a popular target for scammers.

The tax return season is often stressful and full of deadlines – the perfect opportunity for scammers to take advantage of distracted taxpayers and commit tax fraud. They play on emotions, promising quick tax refunds or threatening imaginary debts to HMRC.

How does real contact with HMRC work?

Before you start to worry, remember: HMRC will never ask you for your payment card details, account number or passwords in an email or text message. Genuine contact with HMRC usually happens through:

  • formal letters,
  • logging into your Government Gateway account,
  • and occasionally emails from the @hmrc.gov.uk domain (but never with payment links).

Be aware that scammers often use lookalike domains or subtle spelling mistakes – keep your Government Gateway account secure by carefully checking addresses. If anything looks suspicious, do not reply or click — log in directly to your Government Gateway account to check for genuine messages. HMRC posts all official updates there.

HMRC may send emails reminding you of upcoming deadlines or encouraging you to log in to your account – but they never contain active links to payments or requests for personal information.

Watch out for these red flags

How to recognise phishing? Look out for ‘red flags’ such as:

  • typos in the sender’s name or domain,
  • poor grammar, odd wording or an unusual tone (e.g. “Dear taxpayer”),
  • time pressure (“Your account will be blocked in 24 hours!”),
  • threats or offers of a tax refund in exchange for clicking a link,
  • requests to confirm your login or bank details,
  • shortened links or QR codes that lead away from GOV.UK.
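
Several of the red flags above can be checked mechanically before anyone opens a message. The Python sketch below is an added example, not HMRC's or the author's tooling; the shortener list, the phrase patterns and the sample messages (all on reserved .example domains) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists: extend them for real mail filtering.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}
URGENCY = re.compile(r"in 24 hours|immediately|will be blocked|arrest", re.I)
DETAILS = re.compile(r"(confirm|verify|update).{0,40}(login|password|bank|card)", re.I)
REFUND = re.compile(r"refund|overpayment", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_in(host, parent):
    """True only for parent itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def red_flags(sender, body):
    """Return the sorted red flags found in one message."""
    flags = set()
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if not host_in(domain, "hmrc.gov.uk"):
        flags.add("sender-domain")       # lookalike such as hmrc.gov.uk.example
    urls = URL.findall(body)
    for url in urls:
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            flags.add("shortened-link")  # destination is hidden
        elif not host_in(host, "gov.uk"):
            flags.add("link-off-govuk")
    if URGENCY.search(body):
        flags.add("time-pressure")
    if DETAILS.search(body):
        flags.add("asks-for-details")
    if urls and REFUND.search(body):
        flags.add("refund-link")         # refund offered in exchange for a click
    return sorted(flags)

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("refunds@hmrc-gov.uk.example",
     "HMRC: you have a £275 overpayment. Claim your refund: https://short.example/abc"),
    ("HMRC <alerts@hmrc.gov.uk.example>",
     "Your account will be blocked in 24 hours! Confirm your bank details at "
     "https://www.gov.uk.example/verify"),
    ("no-reply@hmrc.gov.uk",
     "Your Self Assessment deadline is approaching. Sign in to your "
     "Government Gateway account to view your messages."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", red_flags(sender, body) or "no flags")
```

An empty result does not prove a message is genuine, because the From address can be forged; the safe path is still to log in to Government Gateway directly rather than follow anything in the message.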

The Stop! Think Fraud campaign reminds people: if a message makes you feel anxious, pause before clicking any links. Messages pretending to be from HMRC often look convincing, but the devil is in the detail – don’t fall for messages that seem urgent, seem too good to be true or promise a tax refund; these are the hallmarks of HMRC phishing.

What do fake messages look like?

The most common HMRC scams are text messages informing you of a ‘tax overpayment’ or emails with a link to a ‘refund form’. Some emails even copy HMRC’s logo and design to look legitimate, but the links lead to fake websites that steal login or card details.

A typical fake text message might read, for example, ‘HMRC: you have a £275 overpayment. Click here to claim your refund’ – and the link leads to a website that looks deceptively similar to GOV.UK.

Scam phone calls are also on the rise – callers pretend to be from HMRC, threaten fines or arrest and demand immediate payment. The real HMRC never operates in this way. If you have any doubts, go to the official GOV.UK website and compare the phone number or email address. Never click on links or call back numbers from suspicious messages – these are classic tax scams.

Where and how should suspicious messages be reported?

Reporting scams helps protect not only you, but also other taxpayers. If you receive a message that looks suspicious, you can send it:

  • by email to phishing@hmrc.gov.uk,
  • by text message to 60599,
  • through the online form on GOV.UK,
  • for social media, by email to security.custcon@hmrc.gov.uk.

HMRC analyses every report and removes fake websites from the internet, limiting the scope of fraudsters’ activities. It is worth knowing how to report phishing to HMRC, because every case potentially saves money and data. Do not delete the message immediately – forward it through the correct method, then delete it.

What should you do if you clicked on the link or provided your details?

It happens to everyone — clicking a link in haste doesn’t have to spell disaster, as long as you act quickly. First things first:

  1. Change your passwords for your Government Gateway account and email.
  2. Contact your bank if you provided payment details.
  3. Report the incident to HMRC and Action Fraud (0300 123 2040).
  4. Monitor your tax account and login history.
  5. Enable two-factor authentication (2FA) for added security.

Keeping your Government Gateway account secure is essential to protecting yourself from further consequences – the sooner you take action, the lower the risk of losing your funds or data.

Mini-checklist: how to avoid pitfalls?

Want to make sure you don’t get scammed? Use our mini checklist:

  • check the sender’s domain.
  • never click on suspicious links.
  • do not share your details over the phone or by e-mail.
  • always use official GOV.UK sources.
  • enable 2FA on your Government Gateway account.  

Following these tips can save you a lot of stress and money.

Do you already know how to spot fraudsters?

Staying alert is the best protection during the tax season. Recognising potential threats and knowing what genuine communications from HMRC look like can protect you from losing money and data.

At Essence Accounting, we don’t just help with tax returns – we also help clients communicate safely with HMRC. Use our checklist to stay protected, and if you need help verifying a message or filing your tax return, get in touch with Essence Accounting.
