Don’t fall victim to HMRC scams

3 October, 2023

Have you ever received correspondence from HMRC that you weren’t sure was genuine? Fraudsters are resourceful in impersonating HMRC to obtain money or information from taxpayers. These tactics are often referred to as phishing.

This article looks at how to spot some common phishing approaches, what to do if you experience these tactics, and how taxpayers can protect themselves from these scams.

What is phishing?

Phishing is an attempt by fraudsters to trick victims into doing something by pretending to be a legitimate organisation like HMRC.

Phishing can use a range of communication methods to scam victims, including:

  • Phone calls
  • Emails
  • Text and WhatsApp messages
  • Social media direct messaging
  • QR codes

What do scammers want?

The aim of phishing is generally to trick victims into ‘doing the wrong thing’, according to the National Cyber Security Centre (who have a number of phishing guides on their website).

Ultimately, the scammers’ objective is likely to be to obtain money, sensitive information, or both.

In the context of HMRC based scams, the aim is generally to fool taxpayers into giving away personal information like bank details, or direct them to bogus websites which can harm their devices and lead to loss of money or personal information.

How to spot bogus HMRC correspondence

Whilst many phishing scams can be easy to spot, others are quite sophisticated and can look like genuine HMRC communications. Convincing phishing scams often use the correct HMRC logos, fonts and colour schemes.

Common themes among phishing scams purporting to be from HMRC include mention of a tax refund or urgency to take action – for example a threat of debt collection action.

Whilst scams vary in sophistication, the following might indicate that a communication is fraudulent:

  • Spelling mistakes and poor grammar.
  • Incorrect from addresses on emails – these may be similar to legitimate HMRC email addresses, but may contain small differences or even spelling errors (for example @hmmrc.gov.uk)
  • Links to bogus websites – these may look like genuine HMRC websites or web addresses, but often contain requests to input large amounts of personal information or can result in harmful files being downloaded.
  • The use of a generic greeting such as “Dear Customer”.

By way of contrast, genuine HMRC emails will:

  • Address you using the name you’ve provided to HMRC (usually when signing up for HMRC online services).
  • Never provide a link to a log-in page or a form asking for information – instead you will be asked to log into your online account through the normal channels.
  • Never ask for specific figures or calculations, or have attachments, unless you have given prior consent and formally accepted the risks.
  • Never give a non-HMRC email address to reply to.
  • Always include information on how to report phishing emails.

What’s the key advice?

1. Take your time

Try not to feel pressured into doing what a phone call, email or other message is asking you to do. If in doubt, end the call, or ignore the email, and consider how you can verify the request.

You can check whether a request is genuine by checking your Personal Tax Account for any amounts you owe to HMRC, or repayments due to you, as well as some correspondence if you’ve chosen to receive digital communication from HMRC. Alternatively, you can contact HMRC to confirm whether the message you’ve received is genuine.

2. Think what personal information you’ve provided to HMRC

If you haven’t provided HMRC with your phone number or email address, they are unlikely to contact you in that way.

3. Is a tax refund expected or likely?

If you do not complete tax returns, you will not be contacted by HMRC about a Self-Assessment refund due to you.

Most taxpayers’ affairs are dealt with via Pay As You Earn (PAYE). Under PAYE your employer deducts tax and national insurance directly from your pay. If an underpayment or overpayment of tax arises in relation to PAYE, HMRC will let you know by post – most likely in the form of a ‘P800’ tax calculation.

4. Consider the communication method

HMRC will never inform you of a tax refund or ask you for bank details or other personal information by email.

For payments due to HMRC, an email or text message is unlikely to be their first method of contacting you. Taxpayers owing money to HMRC should normally be contacted by letter, or receive hard copies of statements or other official documents such as the ‘P800’ tax calculation mentioned above.

The majority of routine HMRC correspondence still comes by post, especially if you don’t regularly interact with HMRC (eg if you don’t file tax returns). For taxpayers who have chosen to receive electronic communications via their Personal Tax Account, some correspondence will be digital. But you should always check for messages in your Personal Tax Account before acting on any information received by email, SMS or phone.

5. Check the small details

Always look carefully at any written communication from HMRC, especially emails and SMS or other digital messages.

Before you open any attachments or click on any links, inspect the ‘from’ email address and the detail of any weblinks contained within the messages. If you’re using a computer rather than a tablet/mobile phone, hovering over a link should show you the full address, which can help you spot anything suspicious such as spelling mistakes or unofficial websites.

What help is available?

HMRC publish examples of known phishing emails and bogus contact and how to spot them.

HMRC also maintain a list of genuine HMRC contact which may help you decide whether any communication you’ve received is legitimate. Please note these lists are not exhaustive, but are designed to cover non-routine correspondence which may at first glance appear suspicious. In many cases, this page confirms that genuine HMRC phone calls, emails and text messages will not ask for personal or financial information.

If you think you’ve received a phishing attack in any form, please report it. Suspicious emails can be forwarded to [email protected], and text messages can be forwarded to 60599 (network charges apply). For more details, and guidance on how to report other suspected phishing attacks, check the advice on GOV.UK on how to report any type of scam HMRC correspondence.

If you have fallen victim to fraud via a phishing attack, you can report it to Action Aid if you live in England, Wales or Northern Ireland. Scottish residents should report any such incidents to the police by calling 101.