Beware of Scams

What Are HMRC Tax Scams?

Tax scams involve criminals pretending to be HMRC staff or systems to steal money or sensitive information. Scammers frequently exploit the trust and authority HMRC holds, using various communication channels, including:

• Phishing emails: Deceptive messages mimicking HMRC formatting and branding, often asking you to click links or provide personal details.
• Smishing (SMS phishing): Fraudulent text messages that direct you to imposter websites or ask for information.
• Vishing (voice phishing/calls): Threatening or urgent calls from people posing as HMRC, demanding instant payment or personal info.
• Social media communication: Scammers pretending to represent HMRC, usually by commenting publicly or, less frequently, sending direct messages.
• Fake letters: Official-looking correspondence, sometimes with QR codes or fabricated reference numbers.

Scammers often target people around tax deadlines or busy reporting seasons - when legitimate HMRC contact is more likely.

Why Do Scammers Target HMRC?

Because nearly every UK adult interacts with HMRC, the agency is an appealing cover for fraudulent activity. Scammers exploit:

• Fear: Threats of legal action or arrest unless you act fast.
• Excitement: Promises of unclaimed tax refunds you must claim quickly.
• Urgency: Pushing you to act on the same day, without time to check authenticity.

This emotional manipulation often pressures otherwise cautious people into risky actions.

How Does HMRC Really Communicate With Taxpayers?

Knowing how HMRC actually conducts outreach is vital to avoid falling for scams:

• Letters: Genuine HMRC letters include your Unique Taxpayer Reference (UTR) or National Insurance (NI) number, return addresses, and reference numbers you can confirm with HMRC. Any official QR code should direct only to a gov.uk website. If you’re unsure, validate the contents by using contact details on gov.uk.
• Phone calls: While HMRC may call you, typically it's after initial written contact or when you've requested it. They will never ask for your full bank details, passwords, security information, or other sensitive data over the phone.
• Emails and texts (SMS): It's true that HMRC legitimately sends informational emails and texts. These may include links, but the links always direct to official gov.uk domains. However, HMRC will never ask for your password, full bank details, or confidential information via links or by responding to the message. When in doubt, visit the HMRC or gov.uk site by typing the address manually - do not click the link.
• Social media: HMRC maintains verified, public social accounts (such as @HMRCgovuk on X/Twitter). While they reply to general inquiries in public, they do not send private/direct messages to discuss your tax matters, nor will they ever request sensitive information or send login links in private conversations. Should your situation require sharing personal information, HMRC will send you to an official channel instead.

Recognising Fake HMRC Contact - A Channel-by-Channel Guide

Phishing Emails

- Authentic HMRC emails end in .gov.uk (e.g., noreply@hmrc.gov.uk).

- Scams often use urgent language, threaten consequences, or promise unexpected rebates.

- Real emails may have links - to gov.uk only - but will not request confidential details through these links or in replies.

- Unsure? Instead of clicking, navigate to the HMRC or gov.uk website yourself.

Texts (SMS)

- Official texts might include gov.uk links; any request for personal details by reply is a scam.

- Never input sensitive information unless you have independently confirmed the site is official.

Phone Calls

- Watch for intimidation, urgency, or callers asking for personal information, payment to unusual accounts, or payments via links sent in texts/emails.

- Caller ID can be falsified. If in doubt, end the call and use official numbers from gov.uk (https://www.gov.uk/contact-hmrc).

Social Media

- HMRC will not initiate private messages to ask for details or payment.

- Any redirection to personal information will always be to official, published channels.

Physical Letters

- Genuine HMRC letters contain verifiable UTR/NI numbers, reference codes, and official return addresses.

- If a letter features a QR code, it must only resolve to a gov.uk address. If uncertain, use gov.uk contact details to inquire.

HMRC Payment Methods - What's Legitimate and What's Not

Only use these payment routes:

- Official government website pay tax page (https://www.gov.uk/pay-self-assessment-tax-bill) - this will vary slightly for other forms of Tax

- Bank transfers to accounts listed on gov.uk

- Direct Debits set up through HMRC procedures

- Cheques by post, as instructed on gov.uk

HMRC will never:

- Request payment to any personal or third-party bank account

- Ask for payment by gift card, voucher, cryptocurrency, or by links sent in an email or SMS

- Use any channel/request outside those on gov.uk

How to Report HMRC Scam Attempts

If you suspect a scam:

• Emails: Forward to phishing@hmrc.gov.uk (HMRC scams) and report@phishing.gov.uk (all phishing, managed by the National Cyber Security Centre/NCSC).
• Texts: Forward to 60599 (charges apply) or email to phishing@hmrc.gov.uk.
• Calls: Report via HMRC's scam reporting site (https://www.gov.uk/report-suspicious-emails-websites-phishing).
• Other phishing attempts: Send to report@phishing.gov.uk (covers all suspicious phishing activity, NCSC).
• If you've shared information: Immediately alert your bank and contact Action Fraud (https://www.actionfraud.police.uk/) at 0300 123 2040.

By reporting, you help authorities protect the public. In 2023, HMRC responded to over 230,000 scam reports and shut down thousands of fraudulent websites and numbers

What Will HMRC Never Do?

- Ask for full bank details, passwords, or PINs via email, SMS, or unsolicited phone calls.

- Request personal data by QR code or via links in unexpected messages.

- Announce refunds or penalties through WhatsApp, unsolicited direct messages, or texts requesting sensitive data.

- Request payment to private/third-party accounts or via non-gov.uk payment methods.

- Give payment instructions via email or text links.

Protecting Yourself from Tax Scams

• Familiarise yourself with best practices: Visit the NCSC Cyber Aware site (https://www.ncsc.gov.uk/cyberaware/home).
• Take your time: Don't let urgent language force you into hasty action.
• Verify before you act: Authenticate contacts using information found independently on gov.uk.
• Secure your devices: Use up-to-date software and strong, unique passwords.
• Dispose of documents properly: Shred or securely destroy paperwork with sensitive details.
• Share knowledge: Warn friends, family, and those who may be at risk.

Illustrative Case Studies

Case 1:

A freelance designer receives an email about a “tax refund” with a link. She notices the sender isn't using a .gov.uk email, so she deletes it and reports to phishing@hmrc.gov.uk.

Case 2:

A retired person gets a call demanding immediate tax payment or face arrest. The caller wants bank details. The individual instead contacts HMRC using gov.uk info and confirms the call was fake.

Case 3:

A business owner is texted about a refund at a non-gov.uk site. She recognizes the suspicious link, deletes the message, and reports it.

*(Case studies are illustrative examples, not official reports from HMRC or Action Fraud.)*

Emerging Scam Tactics—The Technology Angle

Scammers now leverage artificial intelligence to craft convincing emails, texts, and even voice messages. There are, as of June 2024, no prevalent reports of deepfake audio in HMRC scams, but authorities warn to be alert as such threats could emerge.