Tax return season can be stressful, not least because it is a prime time for scammers looking to take advantage of unsuspecting individuals. HMRC-related phishing emails are particularly common during this period, as fraudsters attempt to mimic official communications to steal personal information and money.
Understanding how to spot and avoid HMRC phishing emails is essential to staying safe. Here are our top tips to help you recognise scams, protect your personal information, and respond effectively if you’re targeted.
Top tips for spotting HMRC phishing emails
Fraudsters go to great lengths to make phishing emails look convincing, but there are key indicators that can help you spot a scam:
Poor grammar or generic greetings
Look for spelling mistakes, awkward phrasing, or poorly written messages – these are common signs of phishing emails. Likewise, official HMRC communications will address you by name, not with generic greetings like “Dear Customer” or “Dear Taxpayer.”
However, scammers are getting increasingly sophisticated, so these errors are becoming less common. Always combine this clue with other warning signs to confirm whether an email is genuine.
Requests for sensitive information
HMRC will never ask for sensitive details such as your bank account information, passwords, or logins via email, calls, or texts. Be wary of communications claiming they need immediate access to your personal or financial information to process your tax return or refund.
A legitimate organisation will not pressure you to provide sensitive information urgently or threaten negative consequences for non-compliance.
Threats of penalties or offers of unexpected refunds
Phishing emails often rely on fear to trick recipients. Be cautious of messages threatening fines, legal action, or account suspension if you don’t respond.
Similarly, unsolicited offers of tax refunds or rebates that seem too good to be true likely are. HMRC does not notify taxpayers of refunds via email – these communications are usually sent by post or accessed via your secure online HMRC account.
Suspicious email addresses or links
Check the sender’s email address closely. Scammers often use addresses that look official but have slight alterations, such as [email protected]. Hover over links in the email (without clicking) to check the destination URL. If it doesn’t lead to an official HMRC website, it’s a red flag.
Examples of HMRC phishing emails
HMRC has provided some helpful examples of HMRC-related phishing emails, suspicious phone calls and texts which you can access here.
How to stay safe during tax return season
Taking proactive steps can help you avoid falling victim to HMRC phishing emails:
Verify emails directly with HMRC
If you’re unsure about an email’s authenticity, visit HMRC’s official website and use their contact information to verify the message. Avoid using phone numbers or links provided in the email itself, as they could lead to the scammer.
Never click on links or download attachments
Never click on links or download attachments from unknown sources. These could lead to fake websites designed to steal your information or infect your device with malware.
Even if a link looks genuine, hover over it to check the destination URL before clicking. Scammers often create links that mimic official websites but contain subtle differences, such as extra characters or misspellings. To be safe, it’s always better to navigate to the official website directly through your browser instead of clicking.
Attachments claiming to be invoices, tax statements, or refund forms can also contain malware. Avoid opening these unless you’ve verified the sender and their purpose through official channels.
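The sender check and the "hover over the link" check described above can also be done programmatically on a saved message. The Python below is an added example, not code from HMRC or from the original article: it compares the sender's domain and each link's real destination against an allow-list. The `OFFICIAL_DOMAINS` list is an assumption made for this example, and the sample message with its `.example` domains is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: domains treated as official (not listed on the page).
OFFICIAL_DOMAINS = ("hmrc.gov.uk", "www.gov.uk", "tax.service.gov.uk")

def is_official(host):
    """True only if host IS an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for each <a> tag: what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review(raw_email):
    """Return warnings for the sender address and every link destination."""
    msg = message_from_string(raw_email)
    warnings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(sender_domain):
        warnings.append(f"sender domain not official: {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        host = urlsplit(href).hostname
        if not is_official(host):
            warnings.append(f"link '{text}' goes to {host}")
    return warnings

# Constructed sample message; the .example domains are placeholders.
SAMPLE = """From: HMRC Refunds <refunds@hmrc-gov-uk.example>
Content-Type: text/html

<p><a href="https://www.gov.uk.refund-claim.example/login">https://www.gov.uk/claim</a> or <a href="https://www.tax.service.gov.uk/">your account</a></p>
"""
```

The first link shows why the destination has to be compared from the right-hand end of the hostname: its visible text and the start of its address both read as `www.gov.uk`, but the domain that actually receives the visit is `refund-claim.example`.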
Use strong passwords and two-factor authentication
Ensure your online tax account is secure by using strong, unique passwords. Avoid reusing passwords across multiple accounts.
Enable two-factor authentication (2FA) wherever possible to add an extra layer of protection. This requires a second verification step, such as entering a code sent to your phone, making it harder for scammers to access your account.
What to do if you’re targeted by a scam
If you suspect you’ve received a phishing email or accidentally provided information to a scammer, act quickly:
- Don’t engage further: Stop replying to or interacting with the scammer. Delete the email and block the sender if possible.
- Report the incident: Forward the email to HMRC’s phishing team at [email protected] and report it to Action Fraud, the UK’s national reporting centre for fraud and cybercrime.
- Contact your bank: If you’ve shared financial information, notify your bank immediately so they can monitor your account for suspicious activity or freeze your account if necessary.
- Monitor accounts: Keep a close eye on your bank accounts, credit cards, and online accounts for any unusual transactions or activity.
- Inform the credit reference agencies: Notify credit reference agencies (such as Experian, Equifax, or TransUnion) so they can monitor for any fraudulent activity that could impact your credit report.
Stay vigilant this tax return season
HMRC phishing emails and scams are an unfortunate reality during tax return season, but with the right knowledge and tools, you can protect yourself from fraud. Stay cautious, trust your instincts, and follow these tips to stay scam safe.