How to verify whether an email claiming to be from a UK government service is genuine — with the real gov.uk domain rules and the three dominant 2026 scam variants.
Last reviewed: 13 May 2026 · ScamSupport research
Paste your suspicious gov.uk email here
Free fake-gov.uk checker — runs entirely in your browser. Nothing leaves your device. Returns a verdict in under 5 seconds.
The real gov.uk domain rules — the single test that defeats most scams
Every genuine UK government service operates on a tightly controlled set of domains. Knowing these by heart is the most reliable defence against fake-gov.uk emails:
Service domains are always *.service.gov.uk — e.g. tax.service.gov.uk (HMRC), vehicle-tax.service.gov.uk (DVLA), apply-renew-passport.service.gov.uk (HMPO).
The main portal is www.gov.uk with department sections at paths like www.gov.uk/government/organisations/hm-revenue-customs.
Email senders from HMRC use addresses ending in @hmrc.gov.uk, @notifications.service.gov.uk, or department-specific subdomains under gov.uk. DVLA uses @dvla.gov.uk. The passport office uses @passport.gov.uk or @homeoffice.gov.uk.
Anything NOT under gov.uk is not a UK government service.gov-uk-refund.com, govuk-secure[dot]net, uk-gov-refund-portal.org and hmrc-refunds.com are all typosquats. There are no exceptions.
Check the sender domain in any suspicious email before reading the body. The sender address is always visible (in Gmail: tap the “to” arrow; in Outlook: hover or click the sender name). If the address doesn’t end in gov.uk, the email is not from the UK government, full stop.
Three gov.uk fake-email variants currently in circulation
Variant 1 — HMRC tax refund
From: “HMRC Refunds” <refund-hmrc@govuk-portal[dot]com> (note: hyphenated lookalike, NOT gov.uk)
Subject: “You have an outstanding tax refund of £547.82 — action required”
Body: A polished-looking message with the HMRC crown logo informs you that you’re owed a refund following your latest tax assessment. You’re asked to click through to a “refund portal” to confirm bank details. The page collects name, address, date of birth, National Insurance number, and full debit-card details (which are not needed for any refund).
Red flags:
HMRC never notifies you about a tax refund by email. Real refunds appear in your Personal Tax Account on gov.uk and as a payment to your bank account already on file. There is no “click-to-claim” refund email from HMRC.
The sender domain is not gov.uk. Look at the email address rather than the display name. Any address not ending in gov.uk is fake.
HMRC never asks for card details for a refund. The whole point of a refund is they send money to you. Asking for a card is the diagnostic pattern of the scam.
Personal details + full card details = identity-theft kit. Even if no money is taken immediately, the data harvested enables follow-on fraud (credit applications, account takeovers, CIFAS-grade identity compromise).
Body: Your driving licence will be suspended unless you update your address / payment details / photo. There’s a small fee (£14.50 / £28 / £55) to process the update.
Red flags:
DVLA does not threaten 24-hour suspension via email. Real DVLA correspondence about licence updates arrives by post or via your DVLA online account at www.gov.uk/dvla. Suspension processes follow a multi-week formal procedure with right-of-reply.
Real DVLA update fees are fixed and listed publicly. A licence update is £14 (no fee for many cases); a fictional £28 or £55 fee is a scam indicator.
The payment page is on a non-gov.uk domain. Real DVLA payments are always processed via vehicle-tax.service.gov.uk or www.gov.uk/dvla. A “DVLA payment portal” on any other domain is fake.
Asking for card details for a small fee is the credential-harvesting purpose. The small fee is plausibility cover — the data harvest is what funds the criminal operation.
Subject: “Your passport renewal application requires verification” or “Your passport will expire in 30 days — renew now”
Body: A claim that your passport renewal application has been received but requires identity verification, or that your passport is approaching expiry and you can renew via a “fast-track portal”. The fee is inflated above the genuine HMPO fee.
Red flags:
Real passport renewals are always at apply-renew-passport.service.gov.uk. Any other domain is not the passport office.
HMPO doesn’t email customers proactively about renewal. You decide when to renew. Real notifications are sent only after you initiate an application.
Genuine HMPO fees (2025): £88.50 standard online adult passport, £100 paper application. “Fast-track” service is £166.50 for one-week, £207.50 for one-day premium. Email scams typically demand fees outside these published ranges.
HMPO does not ask for biometric or identity details by email. All identity verification happens through the official application portal or through in-person visits, not via email links.
The 4 verification rules that defeat any fake gov.uk email
Read the sender domain. Display names are trivial to fake. The actual email address (after the “@”) is harder to fake without registering a similar domain. Real UK government emails always end in .gov.uk. If the address doesn’t end in gov.uk, stop reading.
Don’t click links in the email. Type the relevant gov.uk address into your browser: www.gov.uk/personal-tax-account for HMRC; www.gov.uk/dvla for DVLA; www.gov.uk/apply-renew-passport for passport office. If there’s a real notification waiting for you, you’ll see it there.
Government departments do not ask for full card details to process refunds. Refunds are sent to bank accounts already on file in your tax account or via cheque to your registered address. A “refund” page asking for full card details is the scam.
If unsure, phone the department on the number on gov.uk. HMRC: 0300 200 3300. DVLA: 0300 790 6801. HMPO: 0300 222 0000. Use these numbers (from gov.uk, not from the email), and ask whether the communication you received is genuine. Real departments will tell you immediately.
If you’ve already clicked a fake gov.uk link
If you only landed on the page but didn’t enter any details: close the tab, clear browser history for that domain, and run a malware scan on your device. Some phishing pages also drop browser exploits.
If you entered card details: call your bank fraud line immediately and request a card cancellation + replacement. Use the number on the back of your card, not anything provided in the email. Reference the PSR Mandatory Reimbursement Scheme if any unauthorised transactions appear.
If you entered personal details (DOB, NI number, address, ID document numbers): register for CIFAS Protective Registration. £25 for 2 years — protects your credit file against identity-based fraud by flagging your record to all 600+ CIFAS member organisations.
Report the email to report@phishing.gov.uk. This is the National Cyber Security Centre’s Suspicious Email Reporting Service (SERS). Forward the email as-is. NCSC takes down over 100,000 scam URLs each month using these reports.