Quick answer
HMRC tax refund scams use urgent emails, SMS and WhatsApp messages claiming you are owed a small specific rebate (often £242 to £642) and asking you to "claim" through a link that goes to a fake Gov.uk Government Gateway login page. The real HMRC never notifies you of a tax rebate by email, text message or WhatsApp, and never asks you to enter banking details, your National Insurance number or your Government Gateway password through a link. Genuine refunds arrive through your Personal Tax Account on Gov.uk, by BACS to a bank account you have previously confirmed inside Government Gateway, or by cheque ("payable order") in the post. Forward suspect HMRC emails to phishing@hmrc.gov.uk and suspect texts to 60599. Report wider phishing attempts to the National Cyber Security Centre at report@phishing.gov.uk and any actual losses to Action Fraud on 0300 123 2040.
Why HMRC is the UK's most impersonated brand
HMRC sits at the centre of every adult's financial life in the United Kingdom. Roughly 33 million people are paid through PAYE, around 12 million file Self Assessment, and several million more interact with the agency for tax credits, VAT, Child Benefit, the High Income Child Benefit Charge or Marriage Allowance. That breadth makes any HMRC-shaped message statistically plausible to almost every recipient on any given day. It is the same dynamic that makes the IRS the most impersonated US government brand and Centrelink the most impersonated Australian one, applied to a country of 67 million people, almost all of whom recognise the HMRC name.
HMRC itself publishes regular advisories on this. The official guidance lives at gov.uk/government/organisations/hm-revenue-customs/contact/reporting-suspicious-emails and confirms HMRC will never send notifications of tax rebates or refunds by email, text or voicemail, and will never ask you to disclose personal or payment information by email or text. Despite that, the National Cyber Security Centre Suspicious Email Reporting Service (SERS) has received more than 30 million public reports since launch in April 2020, and HMRC remains the single most reported impersonated organisation across that data set.
The volumes spike in the late spring. The UK tax year ends on 5 April, P60s land between mid-April and the end of May, and Self Assessment refunds are typically processed between April and July. Real refund notifications, real overpayment letters and real PAYE adjustments all reach the public in that window. Scammers schedule their campaigns to ride that wave, so April through July is consistently the peak period for HMRC phishing traffic.
How the HMRC refund phishing attack works
Almost every HMRC refund campaign follows the same four-step funnel.
Step 1: The bait message
An email or SMS arrives, sometimes a WhatsApp message, occasionally an iMessage or RCS message (a blue bubble on iPhone or a "chat" message on Android is no guarantee of legitimacy). Subject lines and opening lines cluster around a small set of patterns, each calibrated to look like routine government correspondence:
- "HMRC Refund Notification: You are eligible for a tax rebate of £342.78. Click to claim."
- "GOV.UK: Your Self Assessment refund of £487.31 is ready. Please confirm your details to release payment."
- "HMRC: Final notice. Your PAYE refund of £242.92 will expire if not claimed within 48 hours."
- "HM Revenue & Customs: A VAT refund of £1,284.40 has been approved for your business. Click below to receive your funds."
- "Gov.UK Notice: Tax overpayment detected. Submit your banking details to receive your rebate."
The pound-and-pence specificity ("£342.78") is the social engineering trick. A round number feels suspicious; a precise odd figure feels like the output of a real calculation. The amount is always small enough to feel plausible (a few hundred pounds) and large enough to feel worth claiming.
Step 2: The fake Gov.uk landing page
Tap the link and you land on a page styled to look identical to a real Gov.uk service. The unmistakable Gov.uk crown logo sits in the top left, the black header bar runs across the full width of the page, the Transport typeface is replicated exactly, and the "GOV.UK" wordmark anchors the design language. Underneath, the page imitates the HMRC Personal Tax Account or the Government Gateway sign-in screen. Some campaigns add a fake "Verified by HMRC" badge or a "Trusted by GCHQ/NCSC" footer to push trust further.
The page asks for, in sequence:
- Government Gateway user ID and password.
- National Insurance number.
- Full name, date of birth and home address.
- Bank sort code and account number ("to receive your refund").
- In higher-value variants, a debit card number, expiry date and CVV ("to verify the account is in your name").
- Sometimes a one-time passcode (OTP), forwarded from a parallel session in which the attacker is actively logging into the real HMRC Government Gateway with the stolen credentials.
Step 3: The credential and identity harvest
Every field the user types is captured by the attacker in real time. Some kits run as adversary-in-the-middle (AiTM) proxies that relay the Government Gateway credentials to the real gov.uk Government Gateway login as the victim types. The attacker triggers the real HMRC two-step verification text to the victim's phone and harvests the code from the fake page. They now control an authenticated HMRC session.
The full package, Government Gateway credentials plus National Insurance number plus bank details plus identity data, is a complete UK identity theft kit. It sells on criminal marketplaces typically within hours.
Step 4: The damage
- Tax return takeover. The attacker logs into the real HMRC Personal Tax Account and changes the bank details on file, then files an amended return claiming a fictional refund that lands in the attacker's mule account. Recovery from this through HMRC's fraud team takes months.
- Universal Credit and tax credit redirection. If the victim claims benefits, the attacker redirects payments to a different account via the Department for Work and Pensions or HMRC service portal.
- Direct bank account drain. Sort code and account number plus name and address are enough to set up fraudulent Direct Debits, and combined with the date of birth and other identity data from the form they support social-engineering the bank into a card replacement sent to a new address or an overdraft application in the victim's name.
- Credit application fraud. The full identity package is used to apply for credit cards, loans, mobile contracts and "buy now, pay later" lines in the victim's name, all of which appear on their credit file weeks later.
- Follow-on phishing. The victim's profile is added to lists used for "bank fraud team" calls, "Action Fraud refund" callbacks and "NCA investigator" impersonation calls, each of which builds on data captured from the original page.
The active 2026 HMRC scam templates
Phishing teams rotate copy weekly to evade keyword filters, but the templates collapse to a small set. If your inbound message looks like any of these, treat it as a scam by default.
Template 1: "Tax rebate of £342.78"
The classic. A modest, oddly specific amount, an HMRC or Gov.uk header, a single "Claim now" button. The exact amount cycles through £127, £242, £342, £387, £482, £642 and similar values. Real HMRC overpayments are visible in your Personal Tax Account on Gov.uk; if the amount on the message does not match what your account shows after you have logged in directly, the message is fake.
Template 2: "Self Assessment refund pending"
"Your Self Assessment return has been processed. A refund of £487.31 has been approved. Confirm your bank details to release payment." Pitched at the 12 million people who file Self Assessment, with timing around the January and April peaks. Genuine Self Assessment refunds are processed automatically against the bank account already verified in your Government Gateway. HMRC does not need you to "release" anything by entering details into a separate site.
Template 3: "PAYE adjustment overpayment"
"HMRC has reviewed your PAYE records for 2025-2026. A tax overpayment of £242.92 has been identified. To process your refund, please complete the verification form." Targets the 33 million PAYE employees, particularly during the April to July P800 calculation window when HMRC genuinely does issue PAYE adjustment letters. Real P800s arrive by post on Gov.uk letterhead, never by email or text, and direct you to log into your Personal Tax Account to claim the refund.
Template 4: "VAT refund for businesses"
"HMRC: A VAT refund of £1,284.40 has been processed for [Company Name] Ltd. Click to confirm banking details." Aimed at limited companies, sole traders and VAT-registered partnerships. Larger amounts than the consumer variants because business refunds are plausibly larger. Real VAT refunds go through the HMRC business tax account or your accountant's agent services account on Gov.uk, never through a separate "VAT refund portal".
Template 5: "Marriage Allowance refund"
"You may be due a backdated Marriage Allowance refund of up to £1,260. Apply now." This one is also exploited by predatory but legitimate "refund agent" firms that take 40 to 50 per cent of any rebate. The phishing version skips the agent fee and just steals the credentials and bank details outright. Real Marriage Allowance claims are filed for free through Gov.uk in about five minutes.
Template 6: "Final notice / 24 hour deadline"
"Final notice. Your tax rebate of £382.50 will expire and be returned to HM Treasury if not claimed within 48 hours." Adds artificial urgency to push the click before the recipient pauses to verify. Real HMRC refunds do not expire on 48-hour timers driven by an email link. Any deadline language in an HMRC-shaped message is, by itself, a strong signal of phishing.
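The six templates above reduce to a handful of textual signals: a refund or rebate claim, a precise pounds-and-pence figure, deadline language, a request to confirm or enter details, and above all a link that leaves gov.uk. The following is an added example, not SafeBrowz code or anything HMRC publishes, that scores a message against those signals. The rule weights, thresholds and sample messages are constructed for illustration; the two "genuine-style" samples (a one-time code and a read-only confirmation pointing at gov.uk) show that the rules do not fire on the kinds of text HMRC actually sends.

```python
"""Score an inbound HMRC-shaped message against the lure patterns above.
Added example: the weights, thresholds and samples are constructed for
illustration and are not a published HMRC or SafeBrowz scoring scheme."""
import re
from urllib.parse import urlsplit

# (rule name, pattern, weight). Weights are an assumption for this example.
RULES = [
    ("refund_lure", re.compile(r"\b(refund|rebate|overpayment|overpaid)\b", re.I), 2),
    # A precise pounds-and-pence figure such as £342.78 or £1,284.40.
    ("precise_amount", re.compile(r"£\s?\d{1,3}(?:,\d{3})*\.\d{2}\b"), 2),
    # Deadline language. "expires" (as in a genuine one-time code) deliberately
    # does not match, because the \b after "expire" requires a non-word character.
    ("urgency", re.compile(
        r"\b(final notice|expire|within \d+\s?(?:hours|hrs)|immediately)\b", re.I), 2),
    # "confirm your bank details", "verify your account", "enter your password" ...
    ("asks_for_details", re.compile(
        r"\b(confirm|submit|verify|update|enter)\b[^.]{0,40}"
        r"\b(bank(?:ing)?|card|account|details|national insurance|password)\b", re.I), 2),
    ("claim_action", re.compile(r"\b(click|tap|claim now|claim here|follow the link)\b", re.I), 1),
]

# Full URLs or bare domains (example.com/path). The last label must be alphabetic
# so that "£342.78" is not mistaken for a host.
LINK = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)


def is_gov_uk(host: str) -> bool:
    """True only for gov.uk itself or a host under .gov.uk ("notgov.uk" fails)."""
    return host == "gov.uk" or host.endswith(".gov.uk")


def link_hosts(text: str) -> list[str]:
    """Hostnames of every link-looking token in the message."""
    hosts = []
    for match in LINK.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw  # SMS lures often omit the scheme
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(text: str) -> tuple[str, int, list[str]]:
    """Return (verdict, score, rule names hit). A link off gov.uk is the heaviest signal."""
    hits = {name: weight for name, pattern, weight in RULES if pattern.search(text)}
    if any(not is_gov_uk(h) for h in link_hosts(text)):
        hits["off_platform_link"] = 3
    total = sum(hits.values())
    verdict = "phish" if total >= 5 else "suspicious" if total >= 3 else "ok"
    return verdict, total, sorted(hits)


# Constructed sample messages: three lures modelled on the templates above and
# two messages in the style HMRC genuinely sends (no refund, no off-platform link).
SAMPLES = [
    "HMRC Refund Notification: You are eligible for a tax rebate of £342.78. "
    "Click to claim: https://hmrc-refund.co.uk/claim",
    "HMRC: Final notice. Your PAYE refund of £242.92 will expire if not claimed "
    "within 48 hours. bit.ly/hmrc-claim",
    "Your HMRC access code is 482913. It expires in 15 minutes. Do not share it.",
    "HMRC: We have received your Self Assessment return. Log in at "
    "www.gov.uk/personal-tax-account to view it.",
    "GOV.UK: Your Self Assessment refund of £487.31 is ready. Please confirm your "
    "details to release payment. https://gov-uk-refund.net/sa",
]


def triage(messages: list[str]) -> list[str]:
    """Verdict per message, in order."""
    return [score_message(m)[0] for m in messages]


if __name__ == "__main__":
    for message in SAMPLES:
        verdict, score, rules = score_message(message)
        print(f"{verdict:10} {score:2}  {rules}  | {message[:60]}...")
```

The off-platform link carries the largest weight on purpose: the lure wording changes weekly, but a refund message that links anywhere other than gov.uk is wrong regardless of copy, which is exactly the rule the page gives the reader.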
Lookalike HMRC domains in 2026
Real HMRC services live on the gov.uk domain. The legitimate Personal Tax Account lives at tax.service.gov.uk and www.gov.uk/personal-tax-account. The Government Gateway sign-in is on www.tax.service.gov.uk. No domain outside gov.uk is genuine. Scam destinations in active rotation include the following patterns.
Pattern 1: HMRC keyword on a non-.gov.uk TLD
- hmrc-refund[.]co.uk
- hmrc-claim[.]online
- hmrc-tax-refund[.]com
- hmrc-rebate[.]uk
- hmrc-secure[.]net
- hmrc-verify[.]xyz
The .gov.uk namespace is restricted to verified UK government bodies and is operated by the Cabinet Office. Criminals cannot register a .gov.uk domain. They default to .co.uk, .com, .uk, .online, .xyz, .top and similar consumer TLDs. The TLD itself is the most reliable single signal.
Pattern 2: "gov" or "gov-uk" inside the URL but not as the TLD
- gov-tax-refund[.]uk
- gov-uk-hmrc[.]com
- govuk-refund[.]net
- hmrc[.]gov-uk[.]online
- tax-service-gov[.]co
The trick is putting "gov" somewhere in the address but not as the actual TLD. hmrc.gov-uk.online looks like an HMRC subdomain at a glance, but the real registered domain is gov-uk.online, registered privately. Mobile browsers crop long URLs so the relevant part, the actual TLD on the right, is often hidden until the user manually scrolls.
Pattern 3: Free hosting subdomains
- hmrc-refund[.]vercel[.]app
- hmrc-claim[.]netlify[.]app
- gov-uk-tax[.]pages[.]dev
- hmrc-rebate[.]web[.]app
- hmrc[.]github[.]io
Vercel, Netlify, Cloudflare Pages, Firebase Hosting and GitHub Pages all provide free HTTPS and instant deployment. Attackers spin up a fresh subdomain, push the cloned Gov.uk template, and start sending texts within an hour. The hosts take phishing pages down within hours of report, but the campaign has already collected its harvest.
Pattern 4: URL shorteners hiding the destination
- bit.ly/hmrc-refund-claim
- tinyurl.com/hmrc-tax-rebate
- t.ly/HMRCrefund
- rb.gy/hmrc-claim
SMS previews do not unwrap shorteners. The destination is hidden until the click, and the click is the entire attack. Genuine HMRC texts never carry third-party shortened links; on the rare occasions they contain a link at all, it points directly at gov.uk and never at a page that asks you to "claim" anything.
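The four patterns above all come down to one question: what is the registrable domain, and does it sit under gov.uk? The following is an added example, not SafeBrowz code, that applies those patterns to a link the way the local check described later in this guide would. The two-label suffix list, the free-hosting list and the shortener list are hand-written assumptions drawn from the patterns on this page; a production scanner would use the Public Suffix List and a maintained shortener feed instead.

```python
"""Classify a link by the four lookalike patterns above.
Added example, not SafeBrowz code. The suffix, free-host and shortener sets are
hand-written assumptions; production code would use the Public Suffix List."""
import re
from urllib.parse import urlsplit

GENUINE_APEX = "gov.uk"  # the only namespace HMRC services use
FREE_HOSTS = {"vercel.app", "netlify.app", "pages.dev", "web.app", "github.io"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.ly", "rb.gy"}
# Suffixes under which the registrant owns the third label (assumption: short list).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "me.uk", "net.uk", "ltd.uk", "plc.uk"}
BRAND = re.compile(r"hmrc|gov")  # the keywords the lures borrow


def registrable_domain(host: str) -> str:
    """The part of the hostname the registrant actually controls. Pattern 2 works
    because this is the rightmost part, which mobile browsers crop from view."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return ("allow" | "block" | "review", reason) for one link."""
    if "://" not in url:
        url = "http://" + url  # SMS links often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "block", "no hostname"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "block", "punycode label (possible homograph of the GOV.UK name)"
    # Only gov.uk itself or a host ending in ".gov.uk" is genuine; "notgov.uk" is not.
    if host == GENUINE_APEX or host.endswith("." + GENUINE_APEX):
        return "allow", "gov.uk namespace"
    apex = ".".join(labels[-2:])
    reg = registrable_domain(host)
    if reg in SHORTENERS:  # Pattern 4: the destination is hidden behind a redirect
        return "block", f"shortener {reg} hides the destination"
    if apex in FREE_HOSTS:  # Pattern 3: attacker-chosen subdomain on a free host
        if BRAND.search(".".join(labels[:-2])):
            return "block", f"HMRC/gov keyword on free hosting {apex}"
        return "review", f"free hosting subdomain on {apex}"
    tail = f"{parts.path}?{parts.query}".lower()
    if "gov.uk" in tail or "hmrc" in tail:  # brand moved into the path to fool the eye
        return "block", "gov.uk or hmrc appears in the path, not the host"
    if BRAND.search(reg):  # Patterns 1 and 2: brand keyword, wrong TLD
        return "block", f"HMRC/gov keyword in non-gov.uk domain {reg}"
    return "review", f"not a gov.uk domain ({reg})"


# Constructed sample links: genuine gov.uk paths, one instance of each pattern,
# and two unrelated sites that should merely be reviewed rather than blocked.
SAMPLE_LINKS = [
    "https://www.tax.service.gov.uk/personal-account",
    "hmrc-refund.co.uk/claim",
    "https://hmrc.gov-uk.online/claim",
    "https://hmrc-claim.netlify.app/",
    "https://bit.ly/hmrc-refund-claim",
    "https://cdn.example.com/www.gov.uk/sign-in",
    "https://my-portfolio.netlify.app/",
    "https://www.bbc.co.uk/news",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify(link)
        print(f"{verdict:7} {link:48} {reason}")
```

The check is deliberately conservative in one direction only: anything under gov.uk is allowed, anything that borrows the HMRC or gov keywords outside it is blocked, and everything else is merely reviewed, which is the same split the local whitelist/blacklist layer has to make before the page renders.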
How to verify a genuine HMRC contact
The simplest defence is knowing what genuine HMRC communication actually looks like. Memorise these patterns and any deviation becomes obvious.
- HMRC never notifies you of a tax refund or rebate by email, text or voicemail. Refunds are visible inside your Personal Tax Account on Gov.uk. Some are paid automatically by BACS to the account already on file. Some require a click inside Government Gateway, after you have logged in directly. None are claimed by following a link in an unsolicited message.
- HMRC never asks you to disclose your Government Gateway password, your National Insurance number or banking details through a link or by reply. Real authentication happens only at www.tax.service.gov.uk, reached by typing the address or going via www.gov.uk.
- Genuine HMRC letters arrive by post on Gov.uk letterhead. P800 PAYE tax calculation letters, Simple Assessment letters, tax code change notices and Self Assessment statements all arrive as physical letters. The letter directs you to log into Gov.uk to act on it, but the letter itself comes by Royal Mail.
- HMRC will sometimes send genuine text messages, but only to confirm specific actions you initiated, never to push refund claims. Examples include two-factor authentication codes when you log into Government Gateway, or read-only confirmations such as "We have received your Self Assessment return". These texts never contain links to "claim" anything.
- The published list of authentic HMRC texts, calls and emails is on Gov.uk. HMRC maintains a constantly updated reference at gov.uk/government/publications/genuine-hmrc-contact-and-recognising-phishing-emails. If a message you have received is not on that list, it is almost certainly phishing.
- To verify any specific claim, call HMRC directly using a number from Gov.uk. Self Assessment helpline: 0300 200 3310. PAYE and general enquiries: 0300 200 3300. Never call a number printed inside a suspicious email or text. Look up the number on Gov.uk and dial it yourself.
The 10 second check that catches every variant
- Do not tap the link. Treat any HMRC-shaped email, SMS or WhatsApp message as informational only.
- Open a fresh browser tab and type gov.uk manually. Do not search "HMRC refund": paid search ads occasionally include scam landing pages styled as official services.
- Log in to your Personal Tax Account via www.gov.uk/personal-tax-account. Any real refund, overpayment or PAYE adjustment is visible there. If your account shows nothing matching the message, the message is fake.
- For VAT or business refunds, log in via the HMRC business tax account at www.gov.uk/log-in-register-hmrc-online-services. The same rule applies: if it is real, it is in the account.
- Forward the suspect message to HMRC and NCSC. Email to phishing@hmrc.gov.uk. SMS to 60599 (free of charge). Other suspect emails (non-HMRC) to report@phishing.gov.uk at the National Cyber Security Centre.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (HMRC and Gov.uk included, alongside Cyrillic and Punycode homograph variants of the GOV.UK wordmark) + community whitelist/blacklist, all running directly in the extension before the page renders. The hmrc-{keyword}.{tld}, gov-uk-{keyword}.{tld} and free-hosting subdomain patterns match instantly off the brand database, with the .gov.uk TLD whitelisted so genuine HMRC services pass through unaffected.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser and 30+ scam TLDs for known malicious domains. New HMRC lookalike domains are typically reported to PhishTank within hours of campaign launch.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel Gov.uk and HMRC lookalike pages in seconds by recognising the GOV.UK crown logo, the Transport typeface and the Personal Tax Account UI served from any domain other than gov.uk or service.gov.uk.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
If you have already clicked or entered information
The window between credential submission and account misuse can be minutes if the attacker is running an active AiTM session. Act fast and prioritise in this order.
- Contact HMRC's security team immediately. If you submitted Government Gateway credentials, call HMRC on 0300 200 3300 (general enquiries) or 0300 200 3310 (Self Assessment) and report that your account may be compromised. Ask them to flag the account, lock outbound changes to bank details and review recent activity. HMRC has a dedicated security team for compromised Government Gateway accounts.
- Log in to www.gov.uk/personal-tax-account directly and change your Government Gateway password. Use a long unique password not reused elsewhere. Reset your security questions in the same session.
- Turn on or verify HMRC two-step verification inside Government Gateway. Confirm the registered phone number is yours and not an attacker substitute.
- Check your HMRC account for tampering. Verify the bank account details listed for refunds. Check that no Self Assessment amendment has been filed. Confirm no agent has been added against your record.
- Call your bank's fraud line immediately if you submitted bank or card details. The number is on the back of your debit card. Ask them to set up enhanced monitoring, review pending Direct Debits, and reissue the card. Payments the attacker makes with harvested card or account details are unauthorised transactions, which UK banks must refund under the Payment Services Regulations unless they can show you acted with gross negligence. If instead you were talked into sending money yourself, that is authorised push payment (APP) fraud, which has been covered by the Payment Systems Regulator's mandatory reimbursement rules since October 2024 (these replaced the earlier voluntary Contingent Reimbursement Model code).
- Apply for protective registration with Cifas at cifas.org.uk if you submitted your National Insurance number, full name and date of birth. Cifas Protective Registration flags your identity to UK lenders, who then apply extra checks on any credit application made in your name.
- Check your credit file with Experian, Equifax and TransUnion. The three UK bureaus offer free statutory credit reports. Look for accounts, searches or addresses you do not recognise. Experian offers a paid CreditLock that blocks new credit searches until you unlock it, and the other bureaus sell paid alerting products; none of these replaces Cifas Protective Registration, which applies across all member lenders regardless of which bureau they use.
- Report the loss to Action Fraud. Online at actionfraud.police.uk or by phone on 0300 123 2040. Action Fraud is the UK's national fraud and cybercrime reporting centre, run by the City of London Police. A report creates a crime reference number that your bank and HMRC will reference during any reimbursement process.
- Notify the Information Commissioner's Office if personal data has been compromised in a way that may affect others. The ICO maintains data breach reporting guidance at ico.org.uk/for-organisations/report-a-breach/, which is primarily for organisations, though individual victims can find personal data protection guidance at ico.org.uk/your-data-matters/.
- Change reused passwords on email, retailers, social media and any service where the Government Gateway password (or a variant of it) is also in use. Phishing crews routinely credential-stuff harvested passwords across major UK services.
How to protect yourself going forward
- Use the HMRC app as your default touchpoint. The official HMRC app, available on the App Store and Google Play, lets you check tax codes, refunds, National Insurance contributions and Self Assessment status without ever needing to follow an email link. App-first habits make the lookalike domain attack near impossible to land.
- Sign up for HMRC scam alerts. HMRC publishes an updated list of current scams at gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples. Reviewing it before tax-return season takes five minutes and dramatically reduces susceptibility.
- Bookmark your Personal Tax Account. Save www.gov.uk/personal-tax-account as a bookmark and always open HMRC through that path rather than a search engine.
- Enable two-step verification on Government Gateway. HMRC prompts for it on most services; confirm it is active and that the registered phone number or authenticator is yours. Two-step verification stops the far larger volume of plain credential stuffing, but know its limit: an AiTM proxy that relays the login in real time can capture an SMS code too, so the bookmark-and-type habit above remains the primary defence against the lookalike page itself.
- Treat all unsolicited messages as informational only. Refunds, fines, overpayments, NI changes, P800 letters: all are visible inside your Personal Tax Account. The account is the source of truth, never the inbox.
- Use a browser layer scanner. SafeBrowz and similar tools sit on the browser side so that even if a phishing link bypasses your email or SMS filters, the fake page is flagged before it ever renders.
Reporting HMRC phishing the right way
Each report below takes about a minute and feeds the UK takedown apparatus.
- HMRC suspicious emails: forward to phishing@hmrc.gov.uk. Preserve full headers if your client allows it.
- HMRC suspicious texts: forward to 60599 (free of charge from UK networks).
- HMRC suspicious phone calls: report online at gov.uk/government/organisations/hm-revenue-customs/contact/reporting-suspicious-phone-calls.
- National Cyber Security Centre SERS (any phishing email, not just HMRC): forward to report@phishing.gov.uk. SERS has received more than 30 million reports since 2020 and feeds takedown queues across UK hosting and registrar partners.
- NCSC suspicious websites: report at ncsc.gov.uk/section/about-this-website/report-scam-website.
- Action Fraud (financial loss or attempted fraud): online at actionfraud.police.uk or by phone on 0300 123 2040 (Monday to Friday 8am to 8pm).
- Information Commissioner's Office (data protection concerns): guidance at ico.org.uk.
Install SafeBrowz free
Add the browser extension that runs every check in this guide automatically, on every page, before it renders. HMRC and Gov.uk lookalikes are flagged the moment the page tries to load. Free forever, optional Premium at £14.99 per year for unlimited AI content scans.
Upgrade to Premium for AI deep scan of novel HMRC and Gov.uk lookalikes in 100+ languages.
Frequently asked questions
Does HMRC ever email or text about a tax refund?
No. HMRC has confirmed it never notifies customers of a tax rebate or refund, and never asks for personal or payment information, by email, text message or voicemail. Genuine refunds are visible inside your Personal Tax Account on Gov.uk and are usually paid automatically to a bank account already verified inside Government Gateway, or by cheque in the post. Any HMRC-shaped message about a refund that arrives in your email, SMS or WhatsApp is phishing.
What does a genuine HMRC letter look like?
Genuine HMRC letters arrive by Royal Mail on Gov.uk letterhead, with the HMRC logo and a UK government crest. They reference your name and tax reference (UTR or NINO), they cite specific tax years, and they direct you to log into your Personal Tax Account on Gov.uk to act on the contents. They never include QR codes that lead to a sign-in page, they never ask for your Government Gateway password by reply, and they never demand payment by gift card, cryptocurrency or wire transfer. HMRC maintains an authoritative list of genuine letter examples at gov.uk.
How do I report a HMRC phishing email or text?
Forward suspect HMRC emails to phishing@hmrc.gov.uk. Forward suspect HMRC texts to 60599 (free from UK networks). For broader phishing emails not specifically branded as HMRC, forward to report@phishing.gov.uk which is the National Cyber Security Centre Suspicious Email Reporting Service. If you have lost money, also file a report with Action Fraud at actionfraud.police.uk or on 0300 123 2040.
I entered my Government Gateway password and National Insurance number on a fake page. What now?
Call HMRC on 0300 200 3300 (general enquiries) and report the suspected compromise. Log in to www.gov.uk/personal-tax-account directly and change your Government Gateway password, reset security questions and confirm bank details on file have not been altered. Apply for Cifas Protective Registration at cifas.org.uk to flag your identity to UK lenders. Pull your credit reports at Experian, Equifax and TransUnion and look for unfamiliar accounts or searches. Report the incident to Action Fraud at 0300 123 2040. Speed matters: the longer the compromise sits, the more credit, benefits or refund redirection can be filed in your name.
Will HMRC refund me if I sent money to a scammer impersonating them?
HMRC itself does not generally refund losses incurred to scammers, because the loss is to a third party, not to HMRC. If you made the payment yourself, it is authorised push payment (APP) fraud: since 7 October 2024 the Payment Systems Regulator has required banks and payment firms to reimburse most APP fraud losses sent over Faster Payments or CHAPS, replacing the earlier voluntary Contingent Reimbursement Model code, subject to a cap and limited exclusions such as gross negligence. If the attacker used harvested card or account details without your involvement, that is an unauthorised transaction and your bank must refund it under the Payment Services Regulations unless it can show gross negligence. Report the loss to your bank and to Action Fraud at actionfraud.police.uk as soon as possible: the APP reimbursement rules allow claims for up to 13 months after the payment, but early reporting gives the best chance of the funds being recovered before they are moved on.
Is "GOV.UK Tax Refund" a real service?
No service is called "GOV.UK Tax Refund". Genuine HMRC refunds are managed inside your Personal Tax Account at www.gov.uk/personal-tax-account, or via the HMRC app, or for Self Assessment through www.gov.uk/log-in-file-self-assessment-tax-return. Any standalone "GOV.UK Tax Refund" website, portal or app is not legitimate. The same applies to a long list of variants: "UK Tax Refund Office", "HMRC Refund Centre", "Gov.uk Rebate Service" and similar are all phishing brands, not official services.
Why does the scam SMS look like it comes from HMRC?
SMS sender IDs can be spoofed. A text that appears to come from "HMRC" in the sender field can be sent by anyone using an SMS routing service that does not validate sender authenticity. UK mobile networks participate in the SMS SenderID Protection Registry (run by the Mobile Ecosystem Forum with the UK operators), which lets organisations such as HMRC register their sender IDs so that messages using those IDs from unregistered routes are blocked, but coverage is not yet universal and it does nothing for a lure sent from an ordinary mobile number. Even if the sender field reads "HMRC", the content is what matters: if it mentions a refund and links you off-platform, it is fake.
How does SafeBrowz catch an HMRC phishing page I have never seen before?
SafeBrowz runs a 3-layer architecture. Layer 1 matches the URL against a 550+ brand database that includes HMRC and Gov.uk plus 60+ pattern templates (brand-hyphen-keyword, gov-keyword-on-not-gov-uk, free-hosting subdomains, homograph). Layer 2 cross-references PhishTank, Google Safe Browsing, URLhaus and ScamAdviser. Layer 3 (Premium) performs AI content analysis in 100+ languages, recognising the GOV.UK crown logo, the Transport typeface and the Personal Tax Account UI served from any domain other than gov.uk or service.gov.uk, and blocking the page before render. Detection signatures come from threat-intelligence research and our brand database, not from individual user browsing.
Related reading
- IRS tax refund scam text and email - the United States counterpart of the same template
- Chase Bank phishing email scam - the bank-impersonation cousin of the HMRC refund lure
- Vishing bank phone scams - the phone-call follow-on to HMRC and bank phishing emails
- Fake bank app Android APK scam - sideloaded mobile-banking trojans targeting UK customers
Bottom line: HMRC tax refund phishing is the United Kingdom's highest-volume phishing campaign because the lure exploits genuine HMRC behaviour (refunds, PAYE adjustments, P800 letters) against the entire UK adult population. The defence is one sentence: HMRC never notifies you of a refund by email, text or voicemail. Every refund is in your Personal Tax Account on Gov.uk. Forward suspect emails to phishing@hmrc.gov.uk, texts to 60599, broader phishing to NCSC at report@phishing.gov.uk, and any actual loss to Action Fraud on 0300 123 2040. Then add a browser-layer scanner like SafeBrowz so the fake Gov.uk page never gets a chance to load.