HMRC Scam Email Checker

How to spot fake HMRC tax-refund and penalty emails — the verification rule that defeats almost every HMRC impersonation.

Last reviewed: 9 May 2026 · ScamSupport research

The Five HMRC Scam Patterns Doing the Rounds in 2026

HMRC is the most-impersonated UK brand in scam communications. Action Fraud (now Report Fraud) logged hundreds of thousands of HMRC-impersonation reports across 2024 and 2025, and the volume continues to climb. The patterns are stable; the variations are cosmetic. If you can recognise these five, you can dismiss almost every fake HMRC message you ever receive.

1. The tax-refund email

Subject: "You have a tax refund of £347.62 pending". Body claims HMRC has reviewed your tax position and identified an overpayment; click the link to claim. The link goes to a lookalike HMRC page asking for your bank details, date of birth, address, and National Insurance number. The real HMRC issues refunds through your tax account or by post; it does not email links to claim refunds.

2. The penalty / fine demand

Subject: "Final notice: outstanding tax liability". Threatens a fine, court action, or bailiff visit if a payment isn't made within 24 hours. Includes a link or asks for payment via an unusual method (gift cards, cryptocurrency, or a bank transfer to a personal account). HMRC will never threaten you over email or text and will never demand payment in vouchers or crypto.

3. The voicemail / robocall

An automated voicemail or call claims to be from HMRC, says a warrant has been issued for your arrest over a tax matter, and tells you to press 1 to speak to an officer. Pressing 1 connects you to a fraudster who walks you through making a payment. HMRC does not leave threatening voicemails about arrest warrants. If a voicemail says it does, it is fraudulent.

4. The VAT-overpayment SMS

An SMS claims your business has overpaid VAT and links to a "refund verification" page. The page asks for the business bank-account details so HMRC can "process the refund". The fraudsters then use those details for direct-debit fraud against the business or for further account takeover. HMRC's VAT communications go to the registered business address by post, not by SMS.

5. The "we tried to deliver a tax document" SMS

Mimics a courier-delivery scam template. Claims HMRC tried to deliver a P800 tax-calculation letter, asks you to "schedule redelivery" via a link, and harvests credentials on the lookalike page. HMRC does not use courier services for tax-calculation letters and would not contact you by SMS for delivery purposes.

The HMRC Verification Rule

The single rule that defeats every HMRC scam is this: HMRC's default communication channel is post. Tax refunds, penalty notices, P800 tax calculations, and reminders all arrive on paper. Some legitimate HMRC SMS and email do exist (notifications about your online tax account, deadline reminders if you have signed up for them), but they never contain a payment link, a refund-claim link, or a request for your banking details. They direct you to log in to your HMRC online account at gov.uk to act.

If a message claims to be from HMRC, type gov.uk/sign-in-tax-account into your browser yourself and check whether anything is showing in your account. If nothing matches the email or text, the message is fraudulent. This single check — under sixty seconds — defeats the entire HMRC-impersonation category.

What to Do if You Receive an HMRC Scam Message

  1. Do not click any link. Do not call any number in the message. Do not reply.
  2. Forward suspicious emails to phishing@hmrc.gov.uk — HMRC's Phishing Team monitors the inbox and feeds it into NCSC takedown operations.
  3. Forward suspicious SMS to 60599 — HMRC's dedicated SMS reporting shortcode. Free across all UK mobile networks.
  4. Report fraud calls online via gov.uk/report-suspicious-emails-websites-phone-calls.
  5. Block the sender in your email client or phone. Report the sender as phishing/spam to your provider.
  6. Delete the message after you have forwarded it.

If You Have Already Clicked or Submitted Information

  1. Stop immediately. Don't enter any further details on the linked page even if it looks halfway through a form.
  2. Call your bank's fraud line using the number on the back of your card. If you submitted any banking details, ask them to flag the account, change card numbers if needed, and review recent transactions.
  3. Change your HMRC online-account password by going to gov.uk and signing in. Enable multi-factor authentication if you haven't already.
  4. Change passwords on any other account that uses the same password — and use a password manager going forward so you never have a re-used password again.
  5. Report the incident to Report Fraud (the UK's national fraud reporting service that replaced Action Fraud in December 2025). You will receive a case reference number to track the investigation.
  6. Consider Cifas Protective Registration (£25 for two years) if you submitted enough personal information that a scammer could attempt identity fraud against you. The Cifas flag forces lenders to verify your identity before extending new credit in your name.
  7. Monitor your bank statements and credit file for the next three months. Most identity fraud appears within that window.

Why HMRC Scams Are So Effective

Two structural reasons. First, almost every UK adult has some kind of relationship with HMRC — PAYE, self-assessment, VAT for business owners, child benefit, or pension — so the cover story always has plausible relevance. Second, the emotional triggers HMRC scams pull on are unusually strong: a refund offers free money, a penalty demand triggers fear of legal action, and the perceived authority of HM Revenue & Customs makes recipients more likely to comply quickly without verifying. The defence is procedural: refuse to act on any HMRC contact that arrives via email, SMS or unexpected phone call; verify everything by logging in to your HMRC account directly.

Paste a suspicious message to scan

The Scam Message Scanner runs entirely in your browser. Your message is never sent to SignalTools or anywhere else. Paste the suspicious email or SMS below, including any sender details and links, then tap Scan message.

Scanner methodology validated across 351 cases spanning 7 UK scam categories — macro precision 98.5%, recall 98.5%, F1 98.5%. Methodology brief. Output is informational only: always verify the sender independently before clicking links, sharing details, or making payments.

Additional Resources

Protect Your Data with VPN

Use NordVPN to encrypt your connection when accessing sensitive accounts online, protecting your data from interception.

Affiliate disclosure: as a NordVPN partner, ScamSupport may earn a commission if you sign up via this link — this doesn't change our recommendation or the price you pay. Full affiliate policy →

Get NordVPN Protection

Related scam guides

Use the Scam Message Scanner →