Tax-related scams are surging across the UK. Criminals impersonate HMRC through emails, text messages, phone calls and even social media to steal money and personal data from individuals and businesses. In the 2024/25 financial year, HMRC received over 930,000 reports of suspicious contact, and estimated fraud losses exceeded £1.4 billion. Understanding how these scams work is your first line of defence.

930K+
Scam reports received by HMRC (2024/25)
£1.4B
Estimated annual fraud losses
79%
Of scams start via email or text

Types of HMRC Scams

Scammers use a variety of channels to reach potential victims. Here are the most common methods currently in circulation:

1. Phishing Emails

The most widespread form of HMRC scam. Fraudulent emails claim you are owed a tax refund, that your account has been "locked," or that you face immediate legal action. They contain links to convincing fake HMRC websites designed to harvest your login credentials, National Insurance number and bank details. These emails often use official-looking HMRC logos and formatting to appear legitimate.

2. Fake Refund Text Messages (Smishing)

SMS messages claiming "You are owed a tax refund of £348.50" with a link to claim it. These texts often spoof HMRC's real number so they appear in the same message thread as genuine HMRC texts. Clicking the link leads to a cloned Government Gateway page that captures your credentials and financial information.

3. Bogus Phone Calls (Vishing)

Automated or live callers posing as HMRC officers threaten arrest, court proceedings, or deportation for unpaid taxes. They demand immediate payment via bank transfer, gift cards, or cryptocurrency. Some use "number spoofing" technology to make their caller ID display genuine HMRC numbers. These calls can be highly pressurised and intimidating.

4. Social Media Scams

Fake HMRC accounts on Facebook, Instagram, X (Twitter) and WhatsApp offer "exclusive" tax refunds or threaten penalties. Scammers also use social media to advertise fraudulent tax agents who promise inflated refunds in exchange for personal details and a cut of any refund received.

Types of HMRC Scams Reported (2024/25)
Phishing emails
42%
Fake SMS / texts
37%
Bogus phone calls
14%
Social media scams
5%
Other (post, etc.)
2%

Fraud Losses Are Rising Year on Year

The financial impact of HMRC-related fraud has been climbing steadily. Losses increased sharply during and after the pandemic as more people moved to online services, creating new opportunities for cybercriminals.

Estimated HMRC-Related Fraud Losses by Year (£ millions)
2020/21
£710M
2021/22
£860M
2022/23
£1,050M
2023/24
£1,230M
2024/25
£1,400M

Who Is Most at Risk?

While anyone can be targeted, certain groups are disproportionately affected by HMRC scams. Self-employed individuals and small business owners are prime targets because they interact more frequently with HMRC and may be less certain about what constitutes legitimate contact.

Most Targeted Demographics (% of reported victims)
Self-employed
34%
Over 55s
26%
Small business owners
19%
New taxpayers (18-25)
13%
Non-native English speakers
8%

How to Spot a Genuine vs Fake HMRC Contact

Knowing what HMRC will and will not do is essential. Use these rules to tell the difference:

HMRC Will Never:

Send emails, text messages, or social media messages asking you to click a link to claim a tax refund. They will never ask for your PIN, password, or bank details by email or text. They will never threaten you with arrest or deportation over the phone. They will never demand immediate payment via gift cards, vouchers, or cryptocurrency.

HMRC May Legitimately:

Send you letters by post about your tax affairs. Call you about an ongoing enquiry (but they will never demand immediate payment on the call). Send text messages with general information or reminders (but never with links to enter personal details). Contact you through the HMRC app or your Personal Tax Account on GOV.UK.

Red Flag What It Looks Like What to Do
Urgency / threats "Pay now or face arrest within 24 hours" Hang up immediately. HMRC never threatens arrest by phone.
Refund bait "You are owed £348.50 — click here to claim" Do not click. Check your real HMRC account on GOV.UK.
Unusual payment methods "Pay via iTunes gift card or Bitcoin" Ignore completely. HMRC only accepts standard payment methods.
Suspicious sender Email from "hmrc-refunds@gmail.com" Forward to phishing@hmrc.gov.uk and delete.
Requests for personal data "Confirm your NI number and bank sort code" Never share personal details via email, text or inbound calls.

What to Do If You Have Been Scammed

If you suspect you have already fallen victim to a scam, act quickly. The sooner you respond, the better your chances of recovering lost funds and protecting your identity.

  1. Contact your bank immediately — call the fraud department using the number on the back of your card. They may be able to freeze or reverse transactions.
  2. Report to Action Fraud — call 0300 123 2040 or visit actionfraud.police.uk. This is the UK's national fraud reporting centre.
  3. Report to HMRC — forward suspicious emails to phishing@hmrc.gov.uk and texts to 60599. Report phone scams to HMRC on 0300 200 3300.
  4. Change your passwords — immediately update your Government Gateway, email, and banking passwords. Enable two-factor authentication wherever possible.
  5. Check your credit report — use Experian, Equifax, or TransUnion to monitor for unauthorised credit applications in your name.
  6. Register with CIFAS — the UK's fraud prevention service can place a protective marker on your file to flag your identity to lenders.

Time Is Critical After a Scam

Banks typically have a 24–48 hour window to attempt fund recovery for authorised push payment fraud. The longer you wait, the less likely it is that stolen money can be traced and returned. If you have shared your Government Gateway credentials, contact HMRC immediately on 0300 200 3600 to secure your account.

How to Report HMRC Fraud

HMRC makes it straightforward to report suspicious contact. Here are the key channels:

  • Phishing emails: Forward to phishing@hmrc.gov.uk — do not click any links in the email
  • Suspicious texts: Forward the full message to 60599
  • Bogus phone calls: Report to HMRC on 0300 200 3300
  • Tax fraud / evasion tip-offs: Use the HMRC fraud hotline on 0800 788 887 or report online at GOV.UK
  • Identity theft: Report to Action Fraud on 0300 123 2040

HMRC's Track Record on Scam Takedowns

In 2024/25, HMRC successfully requested the removal of over 29,000 malicious web pages and blocked more than 500 million phishing emails from reaching UK taxpayers. They work closely with telecoms providers to block scam phone numbers and with social media platforms to remove fake accounts. Despite these efforts, new scams emerge daily — personal vigilance remains essential.

Protecting Your Business Data

For small businesses and sole traders, an HMRC scam can compromise not just personal finances but also client data, VAT records and payroll information. Follow these steps to harden your defences:

  1. Use strong, unique passwords — your Government Gateway, business email and accounting software should each have different, complex passwords. Use a password manager.
  2. Enable two-factor authentication (2FA) — activate 2FA on Government Gateway, your email, banking and any cloud accounting software.
  3. Train your team — ensure all staff who handle tax or financial data can recognise phishing attempts. Run simulated phishing tests.
  4. Keep software updated — outdated browsers, email clients and operating systems are more vulnerable to exploits.
  5. Use HMRC-recognised software only — for Making Tax Digital submissions, use only HMRC-approved software to avoid data interception by rogue applications.
  6. Back up your records — maintain encrypted backups of all tax records. Ransomware attacks can lock you out of critical filing data.

Identity Theft: The Hidden Cost of Scams

Stolen personal data is often used to file fraudulent tax returns in your name, claim refunds to which you are not entitled, or register fake businesses. Victims may not discover the fraud until they receive unexpected tax bills or penalty notices from HMRC. On average, it takes 6–12 months to fully resolve an identity theft case with HMRC, during which time your legitimate tax affairs can be severely disrupted.

29K+
Malicious web pages removed (2024/25)
500M+
Phishing emails blocked by HMRC
6–12 mo
Average identity theft resolution time

Stay Safe: Quick Reference Checklist

  • Never click links in unexpected emails or texts claiming to be from HMRC
  • Always log in to your HMRC account directly via GOV.UK to check for messages
  • If a phone caller pressures you for immediate payment, hang up — it is not HMRC
  • Forward suspicious emails to phishing@hmrc.gov.uk before deleting
  • Use two-factor authentication on all tax-related accounts
  • Check your credit report at least quarterly for unusual activity
  • Keep HMRC's genuine contact numbers saved in your phone so you can verify callers
  • Use HMRC-recognised MTD software for all digital tax submissions

File Your Tax Return Safely and Securely

DIY Tax Return is HMRC-recognised software with bank-grade encryption and two-factor authentication. File with confidence and avoid the scammers.

Start Free Trial

← Back to all articles