Share
TAX PHISHING

Got a tax refund text? Real or scam? UK / US / Canada 2026 verification guide

You just got a text. "HMRC: you are due a refund of GBP 287.40.

SafeBrowz Team Security ResearchJune 1, 20269 min read

Fast Facts

If you got a text claiming to be HMRC, IRS, CRA, or ATO offering a tax refund with a link, it is almost certainly a scam. All four tax authorities have publicly stated they do not text taxpayers about refunds, they do not include clickable links to claim money, and they never ask for bank details by SMS. Real refunds are issued automatically to the account on file, or via a letter to your registered address.

The text usually looks like one of these

Scammers reuse the same three or four templates across every country, swapping the agency name and currency. If your message resembles any of the patterns below, treat it as hostile until proven otherwise.

UK (HMRC):

HMRC: You are eligible for a tax refund of GBP 287.40 following your latest assessment. Claim within 24 hours: hmrc-refund-portal.co.uk/claim

US (IRS):

IRS Notice: Your 2025 federal refund of $412.80 is ready for direct deposit. Verify your bank info to release funds: irs-refund-gov.com

Canada (CRA):

CRA: A tax refund of CAD 358.15 has been issued in your name. Confirm your Interac e-Transfer details: cra-refund-secure.ca

Australia (ATO):

ATO: Your tax return has been reviewed. A refund of AUD 521.30 is pending. Update bank details to receive payment: my-ato-refund.com

Notice the pattern. Specific small amount (large enough to motivate, small enough to feel believable), short deadline, and a link that uses the agency name in a hyphenated lookalike domain. None of these are real.

Per-country sender format: what the REAL agency uses

Each tax authority has a published policy for how it contacts taxpayers. Save this table.

Country / Agency Real SMS sender Only legitimate domain
UK - HMRC Never texts about refunds. Sender "HMRC" only for reminders, never with links. gov.uk (e.g. www.gov.uk/government/organisations/hm-revenue-customs)
US - IRS Never initiates contact by SMS, email, or social media. irs.gov (Where's My Refund tool only)
Canada - CRA Does not text refund offers. Will only text reminders if you opted in via My Account. canada.ca (CRA My Account)
Australia - ATO Will never send unsolicited SMS with links. SMS only confirms an action you started in myGov. ato.gov.au and my.gov.au

Memorise the right column. If a text claims to be from any of these agencies and the link does not match the exact official domain on the right, the text is a scam.

Why no tax agency texts about refunds (the universal rule)

The simplest defence is also the most powerful. Across the UK, US, Canada, and Australia, every major tax authority has issued the same public guidance: they do not send unsolicited text messages that include a link to claim a refund. There is no exception, no special circumstance, no "this time it is real."

The reasoning is straightforward. Tax agencies already know your bank details, the ones you used to file your return, or the ones registered for direct deposit. If you are owed money, they pay it to that account automatically. There is no second confirmation step, no portal you need to log into, no bank verification by SMS. If they cannot reach you electronically, you get a paper cheque to your registered address. Never a text with a link.

Every time you see "click here to claim your refund" in a text, you are looking at the same scam template, only the agency name has changed.

The 6 instant red flags in any tax-refund text

  • 1. A clickable link. Real refund processing happens inside your existing tax account. No agency makes you click an SMS link.
  • 2. A specific small amount. Scams use figures between 200 and 600 in local currency, large enough to want, small enough to feel routine.
  • 3. A deadline of 24 or 48 hours. No tax authority will revoke your refund if you do not click an SMS link quickly.
  • 4. Hyphenated lookalike domain. hmrc-refund.co.uk, irs-refund-gov.com, cra-secure-refund.ca, my-ato-refund.com. None of these are real. The real domains never need extra words.
  • 5. Request for bank or card details. Tax agencies already have your direct-deposit details from your filing. They never re-request them by SMS.
  • 6. Sent from a normal mobile number. HMRC, IRS, CRA, and ATO use registered alphanumeric or shortcode sender IDs. A message from a regular +44, +1, or +61 mobile is almost always a scam.

The 30-second verification check (works for all 4 countries)

Three steps. Same logic across every country.

  1. Do not click the link in the text. Not even to "see what it looks like." Phishing pages can load drive-by malware on some Android browsers.
  2. Open a fresh browser tab and type the official URL yourself.
    • UK: www.gov.uk/government/organisations/hm-revenue-customs
    • US: www.irs.gov/refunds (Where's My Refund tool)
    • Canada: www.canada.ca (sign in to CRA My Account)
    • Australia: my.gov.au (linked to ATO)
  3. Sign in to your real tax account and check refund status. If a refund is genuinely owed, it will show up there. If your account shows no pending refund, the text was a scam. Forward it to your country's anti-phishing inbox and delete it.

Where to forward suspicious texts:

  • UK: 7726 (free) and email phishing@hmrc.gov.uk
  • US: Forward to phishing@irs.gov, and report at reportfraud.ftc.gov
  • Canada: Forward to the Canadian Anti-Fraud Centre at antifraudcentre.ca
  • Australia: Forward to ReportEmailFraud@ato.gov.au or report via Scamwatch

If you already clicked the link

Clicking alone is rarely catastrophic, but you should still take a few defensive steps. Most phishing pages need you to type credentials before any damage happens.

  1. Close the page immediately. Do not enter anything, not name, not date of birth, not bank info, not even an email address.
  2. Clear browser data for that site. On Android Chrome, hold the URL bar and tap "Site settings", then "Clear and reset".
  3. Run a quick antivirus scan on your phone if you have one installed. Built-in Google Play Protect on Android, or any reputable iOS security tool.
  4. Check for new browser notification permissions. Phishing pages sometimes ask permission to send push notifications, which then deliver more scam messages. Revoke any you do not recognise.
  5. Watch for follow-up SMS or calls. Scammers who get a click sometimes follow up with a phone call pretending to be the agency. Do not answer numbers you do not recognise.

If you already entered bank details

This is the dangerous one. Move fast. The order matters.

  1. Call your bank's fraud line right now. Use the number on the back of your card, not anything from the suspect page. Tell them you entered card details on a phishing site. They will freeze the card and watch for fraudulent attempts.
  2. Replace the card. Even if no fraud has happened yet, the details are in attacker hands. Cancel the card. Most banks will overnight a replacement.
  3. Change any password you may have typed. If the phishing page asked for your tax-account password or your online-banking password, change that password from a known-clean device.
  4. Turn on transaction alerts. Most banks let you receive an SMS or push notification for every transaction. Switch this on. You will catch fraud within seconds.
  5. File a report with the agency and police. UK Action Fraud (actionfraud.police.uk), US IdentityTheft.gov, Canadian Anti-Fraud Centre, ScamWatch Australia. A formal report helps your bank reverse fraudulent charges.
  6. Check your credit file. Scammers who get one round of bank details often try to open new credit in your name. Run a free credit check at the appropriate national bureau (Experian/Equifax UK, the three US bureaus, Equifax/TransUnion Canada, Equifax/Illion Australia).

Do not wait a day to see if anything happens. The first 30 minutes are when most damage is done. Call the bank first, panic later.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (HMRC, IRS, CRA, ATO, plus other tax authorities across France, Germany, India, Brazil) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches hyphenated lookalikes like hmrc-refund-portal.co.uk, irs-refund-gov.com, cra-secure-refund.ca, my-ato-refund.com the moment the tab opens.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and 30+ high-abuse TLD lists for known malicious tax-refund domains.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike domains the moment they go live, often hours before they appear on any blocklist. $14.99 per year, one key covers 3 devices.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Page scan results are anonymously retained for detection-engine training. Per-user URL history is never stored.

Block tax-refund SMS scams before you click

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge. The instant a tax-refund SMS link opens in your browser, SafeBrowz checks it against 550+ brand signatures (HMRC, IRS, CRA, ATO, and every other major tax authority), 60+ URL scam patterns, and Google Safe Browsing in parallel. If the page is a known impersonation, you get a full-screen block before any credentials can be entered. Premium adds AI content analysis in 100+ languages for new lookalikes that have never been seen before. Free forever, no account required.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge

Frequently asked questions

Can HMRC, IRS, CRA, or ATO ever text me about my refund?

None of the four agencies send unsolicited refund SMS with clickable links. HMRC may text payment reminders, the CRA may text users who explicitly opted in via My Account, and the ATO may confirm an action you already started inside myGov. None of these texts include a link to "claim" or "verify bank details" for a refund. If a text does, it is a scam.

The text came from a normal mobile number. Could it still be real?

No. Tax authorities use registered alphanumeric sender IDs (shows as "HMRC" or "ATO" instead of a phone number) or government-shortcode numbers. A regular +44, +1, +1-CAN, or +61 mobile is a strong signal of a scam.

The link in the text uses HTTPS and a padlock. Is that not safe?

HTTPS only means the connection is encrypted, not that the site is legitimate. Most phishing pages have free Let's Encrypt certificates now, so a padlock proves nothing. Always check the actual domain name, not the colour of the padlock icon.

I clicked the link and entered my name and address but not any bank details. Am I at risk?

Lower risk than entering bank info, but not zero. Scammers can combine name + address with data from other breaches to attempt identity theft. Sign up for credit monitoring with your national bureau, watch for unexpected mail or credit applications, and report the incident to your national anti-fraud authority.

Why are these scams so common right now?

Tax-refund SMS scams spike around filing season in every country, January through April in the US and UK, February through May in Canada, July through October in Australia. Scammers reuse the same templates because the conversion rate is high. People are genuinely expecting a refund, and a small specific amount feels plausible.

Will SafeBrowz block the SMS itself?

No. SafeBrowz is a browser extension, it cannot block SMS messages directly. What it does is intercept the moment you tap or click a link from the message and open it in your browser. The bad domain gets blocked before the phishing page can render. Combine SafeBrowz with your phone's built-in spam filter (Apple iMessage filters or Google Messages spam protection) for full coverage.

What is the single most important thing to remember?

If you did not request a refund, you are not getting one by SMS. If you are owed money, it goes straight to the bank account already on file with the tax agency, no click required.

Article last updated June 1, 2026.

Related reading