Passport Office Scam UK

Spot the three dominant passport-office scam patterns in 2026 — fake renewal-fee phishing, fake biometric-verification updates, and third-party ‘assistant’ services charging for free gov.uk processes.

Last reviewed: 13 May 2026 · ScamSupport research

The real HMPO domain and fee rules — the test that defeats most passport scams

Knowing two facts about HM Passport Office (HMPO) defeats nearly every passport scam:

  1. HMPO renewals are always processed via www.gov.uk/apply-renew-passport. The application portal itself sits at apply-renew-passport.service.gov.uk. Anything not under gov.uk — for example passport-uk-secure.com, uk-passport-renewal[dot]net, passportoffice-portal[dot]co.uk — is not the passport office.
  2. HMPO fees (2025) are published. Adult passport online: £88.50. Adult paper: £100. Child online: £57.50. One-week premium fast-track: £166.50. One-day Premium: £207.50. Replacement of lost/stolen passport: same as above. Any other amount is wrong. Inflated fees or invented “rush charges” are a scam indicator on their own.

HMPO does not proactively email customers about renewals. You decide when to renew. Real notifications are sent only after you initiate an application, and even then most communication is by post or via the application portal.

Three passport-office scam variants currently in circulation

Variant 1 — Fake renewal ‘expedited’ fee

From: “HM Passport Office” <noreply@uk-passport-renewal-portal[dot]com> (not gov.uk)

Subject: “Your passport application has been received — expedite processing for £46.99”

Body: A polished message with the HMPO crown logo claims an application has been received and offers expedited processing for a one-off fee. The link routes to a slick payment page that collects full card details and asks the recipient to “confirm identity” with date of birth, address and existing passport number.

Red flags:

  • Fake “expedite” fee. Real HMPO services are fixed-price as published above. There is no £46.99 expedite-processing fee. The fast-track services exist but cost £166.50 / £207.50 and are selected at application time, not retro-added by email.
  • The domain is not gov.uk. Look at the email address rather than the display name. Real HMPO emails come from @homeoffice.gov.uk, @passport.gov.uk or @notifications.service.gov.uk.
  • HMPO never adds fees retroactively to an in-progress application via email. Any fee adjustment happens inside the application portal at gov.uk.
  • The page collects passport number alongside card details. This is the identity-theft payload — passport number plus full PII (DOB, address) enables impersonation against banks and credit applications.

Variant 2 — Fake biometric verification update

From: “HMPO Biometric Services” <biometric-update@hmpo-secure[dot]com>

Subject: “Your biometric details require an update — valid passports may be invalidated”

Body: A message claims that to comply with new biometric standards, the recipient must update their biometric details via a verification portal. The link asks for full identity information, an uploaded photo, and a “biometric verification fee”.

Red flags:

  • HMPO does not update biometrics by email. The biometric data on a UK passport is captured during the application photo + chip-printing process. There is no “biometric refresh” service. Anyone claiming there is one is running the scam.
  • UK passports are not invalidated by missing “biometric updates”. They’re valid until their printed expiry date. Threats of invalidation are urgency hooks.
  • The photo upload + ID details are an identity-theft kit. Once collected, the photo can be used in synthetic-ID fraud, the passport details for account-opening fraud.
  • The domain is not gov.uk. Always verify via gov.uk directly.

Variant 3 — Third-party ‘passport assistant’ charging for free gov.uk service

How it presents: Sponsored search results, Facebook ads, or emails offer a “UK passport renewal service” that charges £75–£180 over and above the genuine HMPO fee. The site looks professional and may use crown logos and gov.uk-style design language. The service does nothing the applicant couldn’t do themselves directly at gov.uk.

Red flags:

  • This is technically legal but misleading. These services are sometimes prosecuted under consumer-protection law for misleading branding (impersonating gov.uk look-and-feel) and for charging for processes that are free or fixed-fee on gov.uk.
  • The Advertising Standards Authority (ASA) has ruled against multiple passport-assistant operators for misleading consumers into believing they were paying HMPO directly.
  • The result is identical to gov.uk. These services submit the same application to HMPO with the same supporting documents. The “extra fee” pays for nothing of substance.
  • Always go to www.gov.uk/apply-renew-passport directly. Type the URL into your browser. If a search result claims to be HMPO but the domain isn’t gov.uk, it’s a third-party reseller, not the passport office.

How to verify any passport-office communication is genuine

  1. Real HMPO domains: www.gov.uk/apply-renew-passport and apply-renew-passport.service.gov.uk. Anything else is not the passport office.
  2. Real HMPO email senders end in gov.uk — usually @homeoffice.gov.uk, @passport.gov.uk or @notifications.service.gov.uk.
  3. Real HMPO fees are published on gov.uk and unchanging. Adult online £88.50; child online £57.50; fast-track £166.50; premium £207.50. Replacement-of-lost-passport is the same as a new application. Anything else is a scam.
  4. If unsure, phone HMPO on 0300 222 0000 (the number listed at gov.uk/contact-the-passport-office). Real HMPO will confirm whether any communication is genuine.
  5. Use the FCA-equivalent test: type gov.uk into your browser yourself. If there’s a real notification, you’ll see it in your application status. If not, the email is fake.

If you’ve already clicked a fake HMPO link

  1. Card details entered: call your bank’s fraud line on the number on the back of your card. Cancel and replace the card. Reference any unauthorised transactions under the PSR Mandatory Reimbursement Scheme.
  2. Personal + passport details entered: register for CIFAS Protective Registration immediately. The combination of passport number, DOB, address and ID document scan is one of the highest-value identity-theft data sets — CIFAS flags your record across 600+ member organisations.
  3. If you uploaded a passport photo or document scan: consider this a high-priority data breach. Your photo + passport details can be used in synthetic-ID applications. CIFAS registration is the most effective single mitigation.
  4. Report the email to report@phishing.gov.uk (NCSC Suspicious Email Reporting Service). NCSC takes down over 100,000 scam URLs each month using these reports.
  5. If money was taken: follow the Recover playbook — UK bank transfer → PSR Claim Wizard; card → Chargeback Generator; Report Fraud at reportfraud.police.uk.
  6. For misleading third-party “passport assistant” charges: credit-card purchases £100–£30,000 may qualify for Section 75 reversal on misrepresentation grounds. Use the Chargeback & Section 75 Generator to draft the claim.

Related scam guides

Use the Scam Message Scanner →