HMRC Scam Texts & Emails: How To Report Phishing And Stay Safe
HMRC Scam Texts & Emails: How To Report Phishing and Stay Safe in the UK
HMRC-related phishing via text and email remains one of the most persistent threats facing UK taxpayers, business owners, landlords, directors, freelancers and the self-employed. In the 2025β26 tax year, scammers continue to exploit deadlines for Self Assessment, VAT returns, Making Tax Digital transitions and new reliefs such as creative industries tax relief changes from April 2026. A single convincing message can lead to lost money, identity theft or unauthorised access to your HMRC online account.
The good news is that the rules for genuine HMRC contact have not changed in any material way. HMRC publishes clear, regularly updated lists of the exact emails and texts it does send. Anything outside those patterns is almost certainly fraudulent. Knowing the distinction, reporting promptly and following a short set of protective habits can stop most scams before they cause harm.
What genuine HMRC contact actually looks like
HMRC communicates in specific, predictable ways and never uses unsolicited texts or emails to demand immediate action involving your personal or financial details.
Genuine emails come only from addresses ending in @hmrc.gov.uk (or very occasionally other verified government domains). They fall into a limited set of categories that HMRC itself lists publicly. Recent genuine examples include:
- βYour Annual Tax Summary is readyβ β simply notifies you the summary is available online.
- VAT Returns reminders with direct GOV.UK sign-in links.
- Child Benefit claim acknowledgements or processing updates.
- Help to Save eligibility notices for Universal Credit customers (running until March 2027).
- Making Tax Digital for Income Tax or VAT service updates for beta testers or agents.
- R&D tax relief support messages after a claim has already been notified.
Crucially, these emails never ask you to supply bank details, National Insurance numbers, passwords or make an immediate payment. Even when they contain links, the links lead only to GOV.UK pages you can verify by typing the address yourself.
Genuine text messages are equally narrow in scope. They typically confirm receipt of a form or claim, summarise a recent helpline conversation, provide expected processing times for a query you have already raised, or remind you of a booked appointment. Branded messages show βHM Revenue and Customsβ as the sender with the official logo. They do not request personal or financial information and rarely contain clickable links except to official GOV.UK pages or approved survey platforms.
HMRC will also never contact you solely by text or email to offer a tax refund in exchange for details, threaten immediate court action or arrest, or demand payment to a personal account. If a message claims to be from HMRC but does any of those things, treat it as fraudulent.
HMRC Scam Texts & Emails
How To Report Phishing and Stay Safe in the UK
HMRC-related phishing remains one of the most persistent threats facing UK taxpayers. In the 2025β26 tax year, scammers are relentlessly exploiting deadlines for Self Assessment, VAT returns, and Making Tax Digital. A single convincing message can lead to severe financial loss or identity theft. Knowledge is your strongest defense.
The 2026 Threat Landscape
Scammers adapt quickly to the UK tax calendar. They leverage current HMRC initiatives, creating sophisticated campaigns designed to trigger immediate panic or greed. Understanding the distribution of these tactics is crucial. Refund baiting remains prevalent, but highly targeted attacks on directors and landlords using realistic-looking public data are surging.
β Key Takeaway
Over half of all phishing attempts rely on "Refund Bait" or "Urgent Debt Demands" to manipulate emotional responses and bypass logical scrutiny.
High-Risk Targets
While anyone can receive a blanket phishing text, certain demographics face targeted, sophisticated attacks. Freelance accountants, tax agents, and company directors frequently receive emails concerning Making Tax Digital compliance or VAT registration errors, often containing accurate reference numbers lifted from public registers to appear legitimate.
- βͺ Landlords: Targeted with fake "unpaid tax on rental income" alerts.
- βͺ Creative Industries: Exploited via early "claim processing" verification requests.
Spotting the Difference: Genuine vs. Fake
HMRC communicates in specific, predictable ways. They never use unsolicited texts or emails to demand immediate action involving your personal or financial details.
β Genuine HMRC Contact
- β Emails end strictly in @hmrc.gov.uk
- β Notifies you that a summary or update is available online
- β Reminders for VAT returns with direct GOV.UK links
- β Texts only confirm receipt of forms or summarise helpline conversations
β Fraudulent Scams
- β Offers a tax refund in exchange for banking details
- β Threatens immediate court action, bailiffs, or arrest
- β Warns of suspicious account activity with a direct login link
- β Demands payment to a personal or "safe" account
The Urgency Red Flag
Staying safe does not require technical expertise. It requires recognising that HMRCβs genuine communication style is predictable, courteous, and never urgent in the way scammers demand. The chart visualizes a clear correlation: as the language in a message becomes more urgent or threatening, the mathematical likelihood of it being a fraud approaches 100%.
Immediate Incident Response
Do not reply, click links, or open attachments. Follow this exact sequence:
Pause & Verify
Log into your HMRC account directly via GOV.UK. Never use the link in the message. Check for genuine correspondence.
Forward Evidence
Texts: Forward to 60599.
Emails: Forward to phishing@hmrc.gov.uk.
Delete Message
Remove it from your inbox immediately to prevent accidental engagement later.
Damage Control & Prevention Habits
β If You Already Clicked
- Change your HMRC online account password immediately and enable multi-factor authentication.
- Contact your bank/building society to block accounts if financial details were shared.
- Report the incident to the national Report Fraud service (reportfraud.police.uk) or Police Scotland on 101.
π‘οΈ Proactive Protection
- β Always type "GOV.UK" directly into your browser.
- β Register for paperless communications to see legitimate messages in your portal first.
- β Enable transaction alerts on all business and personal bank accounts.
- β Treat any unexpected request for VAT or corporation tax details with extreme caution.
Common scam tactics targeting UK taxpayers and businesses in 2026
Scammers adapt quickly to the tax calendar and current HMRC initiatives. Typical patterns include:
- Refund bait: A text or email claims you are owed a Self Assessment or VAT refund but must βverifyβ your bank details via a link.
- Urgent debt demands: Messages threaten penalties, bailiffs or account suspension unless you pay immediately or supply card details.
- Fake account alerts: Emails purporting to come from HMRC warn of suspicious activity in your online account and direct you to a cloned login page.
- Agent and director targeting: Freelance accountants, tax agents and company directors receive sophisticated emails about Making Tax Digital compliance or VAT registration errors, often including realistic-looking reference numbers lifted from public data.
- Landlord and rental scams: Messages about βunpaid tax on rental incomeβ or fake Capital Gains Tax liabilities tied to property disposals.
- Creative industries or R&D relief phishing: With the April 2026 changes to creative tax relief claims, fraudsters send early βclaim processingβ emails asking for extra verification.
Β
These messages often spoof official-looking sender names, use urgent language (βact within 24 hoursβ) and include shortened or slightly misspelled URLs that lead to credential-harvesting sites. The financial loss can be immediate if bank details are supplied; the longer-term risk is identity fraud used for future Self Assessment or corporation tax filings.
What to do the moment you receive a suspicious message
Do not reply, click links or open attachments. Instead follow this exact sequence:
- Pause and verify independently. Log into your HMRC personal tax account or Business Tax Account via the official GOV.UK website (never through any link in the message). Check for any genuine correspondence there. If nothing appears, the contact is almost certainly fake.
- Forward the evidence without delay:
- Text message: Forward the entire message to 60599 (standard network rate applies). This routes it directly to HMRCβs security team.
- Email: Forward the unedited email (including headers if possible) to phishing@hmrc.gov.uk.
- Social media or messaging app: Take a screenshot and email it to branddefence@hmrc.gov.uk.
- Phone call: Use the dedicated online form at the HMRC suspicious phone call reporting service.
Β
Reporting helps HMRC and the National Cyber Security Centre (NCSC) track and disrupt campaigns. HMRC may share your contact details with other agencies solely to shut down the scam.
- Delete the message once forwarded. Do not store it in your inbox where it might be accidentally opened later.
Β
If you have already clicked, replied or supplied information
Act immediately:
- Change your HMRC online account password and enable or update multi-factor authentication.
- Contact your bank or building society to alert them to possible fraud and request a temporary block on your accounts if necessary.
- Monitor your credit file via a statutory credit reference agency.
- Report the incident as a crime through the national Report Fraud service (reportfraud.police.uk) or, in Scotland, via Police Scotland 101. If money has already left your account, your bankβs fraud team can often initiate a recall under the Contingent Reimbursement Model.
Β
HMRC itself will never ask you to move money to βsafeβ accounts or authorise refunds via third-party links. Any such request confirms a scam.
Practical habits that protect taxpayers, landlords and business owners
Prevention is more effective than cure. Adopt these routines:
- Always type βGOV.UKβ directly into your browser rather than following links.
- Register for paperless communications where possible so you see legitimate messages in your HMRC account first.
- Review the official HMRC βcheck genuine contactβ pages regularly β they list every current legitimate email and text type.
- For businesses and agents, treat any unexpected request for VAT or corporation tax details with extreme caution; genuine follow-ups are almost always preceded by a letter.
- Use unique, strong passwords for your HMRC account and consider a password manager.
- Enable transaction alerts on all business and personal bank accounts.
Β
Landlords and self-employed individuals dealing with multiple income streams should be particularly wary around January to April each year, when Self Assessment deadlines create a surge in refund-related phishing. Directors using company tax accounts face additional risks around corporation tax payments and Making Tax Digital compliance windows.
Key Takeaways
HMRC publishes precise lists of the emails and texts it actually sends β anything outside those lists that asks for personal or financial details is a scam. Forward suspicious texts to 60599 and emails to phishing@hmrc.gov.uk immediately. Never click links or supply information in response to unsolicited contact. Verify everything by logging into your official HMRC account directly through GOV.UK. If you have already engaged with a suspected scam, secure your accounts and report the matter to your bank and Report Fraud without delay.
Staying safe does not require technical expertise. It requires recognising that HMRCβs genuine communication style is predictable, courteous and never urgent in the way scammers demand. Apply that single principle and the vast majority of HMRC phishing attempts become harmless noise rather than costly mistakes.
Β
FAQs
Q1: What should I do if I clicked on a link in a suspected HMRC phishing email but didnβt enter any details?
A1: Well, itβs worth noting that simply clicking the link doesnβt automatically hand over your information, but it does expose you to potential malware or a fake login page. In my experience with clients whoβve done exactly this, the first step is to close the browser tab immediately, then run a full antivirus scan on your device. Next, log directly into your genuine HMRC account via GOV.UK β not through any bookmark or search result β and change your password while enabling or refreshing multi-factor authentication. If you use the same password elsewhere, update those too. I once helped a PAYE employee in Manchester who clicked a fake refund link; spotting it early meant no financial loss, just a quick security tidy-up.
Q2: Can HMRC ever legitimately phone me about an urgent tax matter, or are all calls scams?
A2: In my experience advising business owners and directors, genuine HMRC phone contact is rare and almost always follows prior written correspondence or a query youβve raised yourself. They wonβt cold-call demanding immediate payment or threatening arrest. That said, if youβve been expecting a callback about a specific Self Assessment query or VAT issue, it could be real β but always hang up and ring back using the official number listed on GOV.UK. A client of mine, a freelance consultant in Leeds, received what looked like a legitimate follow-up call; verifying independently saved her from a very convincing scam that mimicked her earlier helpline interaction.
Q3: Iβve received a text claiming Iβm due a tax refund β how can I confirm itβs not a phishing attempt without forwarding it straight away?
A3: Itβs a common mix-up, but HMRC simply doesnβt send unsolicited texts about refunds or ask you to verify details this way. The safest check is to ignore the message entirely and log into your personal tax account directly through GOV.UK to see if any genuine refund notice appears there. Consider a shop owner I advised in Birmingham who ignored a similar text and discovered the real overpayment was already sitting in her account waiting to be claimed via the proper online route β no text required.
Q4: What actually happens behind the scenes when I forward a suspicious text to 60599?
A4: Forwarding helps HMRC and the National Cyber Security Centre build a picture of active campaigns so they can block the numbers and warn others. In practice, you wonβt usually receive a personal reply, but your report contributes to shutting down the operation faster. Iβve seen this work particularly well for self-employed clients whose details appeared in targeted batches β one Glasgow freelancerβs report helped flag a wave of VAT-related texts that were hitting dozens of sole traders the same week.
Q5: Do self-employed people and freelancers face unique HMRC scam risks that PAYE employees donβt?
A5: Absolutely β scammers know self-employed individuals often juggle irregular income and deadlines, so they tailor messages around late Self Assessment filings or fake VAT adjustments. In my experience, freelancers are more likely to receive sophisticated emails referencing specific gig platform earnings or creative industry relief claims. A web designer client in Bristol nearly fell for one that mentioned her exact turnover figure lifted from public data; the key difference is that PAYE workers tend to get simpler refund bait, while the self-employed see more compliance-themed pressure.
Q6: I provided my National Insurance number to what turned out to be a scam caller pretending to be HMRC β what are the realistic next steps?
A6: Donβt panic, but act quickly. The NI number alone isnβt enough for most immediate fraud, yet it can be used to build a more convincing future attack. Contact HMRCβs fraud team via their official helpline (sourced directly from GOV.UK), update your online account security, and monitor your credit file for any unusual activity. Iβve guided several directors through this exact situation; in one case a company owner in Cardiff limited the damage by alerting his accountant early, preventing the scammers from attempting a corporation tax filing in his name.
Q7: Are there particular scams aimed at landlords receiving rental income, and how do they differ from standard ones?
A7: Landlords often see messages claiming unpaid tax on rental income or fabricated Capital Gains Tax bills tied to recent property sales. These feel more personalised because scammers scrape Land Registry data. The pitfall many miss is that genuine HMRC contact about property income almost always arrives by post first. One landlord client in Edinburgh received a text referencing his exact postcode and tenancy; verifying via his business tax account revealed nothing, and reporting it stopped the campaign targeting his street.
Q8: What if a phishing email includes a reference number that matches something on my actual tax return β does that make it genuine?
A8: Not necessarily. Sophisticated scammers scrape or guess reference numbers from public or breached data. Always treat any unexpected request for further details as suspicious, regardless of how official the number looks. In my practice Iβve seen this trip up high-earning contractors who assumed the reference proved legitimacy; the fix is the same β check your HMRC account independently rather than replying.
Q9: How should company directors protect their HMRC business tax account from targeted phishing?
A9: Directorsβ accounts are high-value targets because they link to corporation tax and payroll. Use separate email addresses for business correspondence, enable extra security layers, and ensure only authorised agents can view the account. I advised a small manufacturing director in the Midlands who set up dual approval for any changes; when a scam email arrived pretending to be from his accountant, the extra layer flagged it immediately.
Q10: I replied to a scam email with basic contact details before realising β am I at greater risk than someone who did nothing?
A10: Replying confirms your number or email is active, which can lead to follow-up calls or more tailored attacks, but itβs not irreversible. Block the sender, report it, and watch for secondary contact. One PAYE client in Liverpool did this and then received a follow-up call; because sheβd already secured her accounts, the scammers got nowhere when they tried the next stage.
Q11: Can genuine HMRC texts or emails ever come from a non-government phone number or personal-looking email address?
A11: No. Legitimate contact uses official channels only β texts show as βHM Revenue and Customsβ and emails end in @hmrc.gov.uk. Anything else, even if it looks professional, is fake. This trips up many first-time self-employed clients who assume flexibility in communication methods.
Q12: I think I logged into a fake HMRC site after following a text link β how do I check for damage?
A12: Immediately change your real HMRC password from the official site, review recent account activity for unfamiliar logins, and contact your bank if any payment details were saved. Run a malware check too. Iβve walked several gig economy workers through this; one delivery driver in Newcastle discovered the fake site had captured his login attempt but, acting within hours, prevented any further access.
Q13: Do Scottish or Welsh taxpayers need to watch for different HMRC scam tactics because of devolved tax rates?
A13: The core scams remain the same UK-wide, but Scottish taxpayers sometimes see extra confusion around Scottish Income Tax bands mixed into refund messages, while Welsh clients get similar with the Welsh rate. The scam relies on that extra layer of complexity to sound plausible. Always verify through your personal tax account regardless of nation.
Q14: Are Making Tax Digital users more likely to receive convincing phishing attempts, and what should they look for?
A14: Yes, because scammers reference MTD deadlines or software compatibility. Look out for emails claiming your accounting software needs βurgent HMRC verification.β Genuine updates appear in your Business Tax Account first. A contractor client using MTD for VAT spotted this pattern early and avoided handing over login credentials.
Q15: What extra precautions should gig economy workers take around platform earnings reports?
A15: Platforms share data with HMRC, so scammers send fake βearnings reconciliationβ texts. Never provide bank details in response. Treat any message about Uber, Deliveroo or similar earnings as suspect unless it matches something already in your HMRC account. Iβve seen this become more common with the growth of side hustles post-2025.
Disclaimer
The information provided in this article is forΒ general guidance onlyΒ and is not intended to constitute professional advice, tax advice, financial advice, legal advice, or any other form of regulated guidance. Although every effort has been made to ensure accuracy at the time of publication,Β Fair View Accounting Services, including its director, employees, contractors, writers, and content-creation team,Β accepts no responsibility for any loss, damage, penalty, or consequenceΒ arising from reliance on the information contained herein.
UK tax legislation changes frequently, and HMRC interpretations, thresholds, and rules may vary depending on the individual circumstances of each taxpayer. Nothing in this article should be considered a substitute for obtainingΒ formal, personalised adviceΒ from a qualified accountant or tax professional. Readers should not take actionβor refrain from taking actionβbased solely on the content published on this website.
Fair View Accounting Services doesΒ notΒ guarantee the completeness, accuracy, or ongoing validity of the information provided and assumes no liability for omissions or errors, whether typographical, factual, or technical. By using this content, the reader acknowledges thatΒ all responsibility for decisions remains solely with the user.