Found something phishy in your inbox from ‘HMRC’?


Recently, we’ve heard reports from Key Portfolio employees who have received suspicious emails and phone calls, allegedly from HMRC, asking them to reveal sensitive information.

This sort of sneaky behaviour is commonly known as ‘phishing’. It’s the dishonest practice of attempting to swindle people into revealing personal information, like passwords and debit card details.

If you’ve never heard of this before, then beware. By the end of this article, you’ll be able to identify different HMRC phishing scams, and know what to do if you are contacted by a fraudster.

How do these scams begin?

Fake communications from HMRC will often claim that either you owe money to HMRC, or they owe money to you. They’re designed to rush you into action without really thinking it through. Here are some examples that Key Portfolio workers have reported in recent months:

  • They answer the phone to hear an automated phone message that starts: “This is Her Majesty’s Revenue & Customs. We have been trying to reach you to let you know we are filing a law suit against you.” The message then offers a list of options, such as: “To speak to your case officer, press one”.
  • They receive a phone call or email telling them that they’re due a tax refund.

[Image: A popular HMRC phishing email]

These scams are often more prevalent at certain times of the year, for example the end of the tax year.

How to spot a phishing attempt

If you receive one of the attempts we’ve described above, you’ll now spot it straight away. However, fraudsters are constantly thinking of new methods to try and steal your valuable information. It’s best to stay vigilant and always treat any request for personal details with a degree of suspicion.

Here are some tell-tale signs to look out for:

  • As a general rule, any phone call or email from ‘HMRC’ should set alarm bells ringing. HMRC will mainly communicate with you by post and will never notify you of a tax rebate by email. Their website contains a list of genuine emails that they send.
  • Fraudsters are unlikely to know your real name. In emails, they’ll often address you by your email address or a generic term like ‘customer’ or ‘taxpayer’.
  • Emails will often contain odd grammatical errors or spelling mistakes as an attempt to get around spam filters and into your inbox.
  • There’s no need to create a ‘Gateway Account’ to receive a tax rebate, so be very wary if you’re asked to do so.

For more details, read HMRC’s own advice on how to tell if an email is fraudulent.

What to do with a phishing email

If you’ve identified a phishing email, follow these steps:


  • Do not click on any links contained in the email. Even ‘Unsubscribe’ links in these emails can be malicious.
  • Don’t reply to the email (although this may be tempting!), as this alerts the fraudsters that your email address is ‘live’.

What to do if there’s a scammer on the phone

If it’s an automated message, hang up straight away. Don’t press any buttons, as this can lead to more calls.

But what if there’s a real person on the line claiming to be from HMRC and you suspect they could be a fraudster? Try to avoid getting involved in a conversation. They’re very skilled at convincing people that they’re genuine, and they may even have found information about you, for example from your social media accounts or by hacking into your email account, which they will use to earn your trust.

We would advise you to simply hang up the phone immediately.

If you don’t feel comfortable doing this, try asking them to send you the details in writing to the address they have on file for you. This request is likely to be declined. You could also ask if you can call them back on a number you will source yourself. Again, this probably won’t go down well.

As soon as you have any suspicions at all, please disconnect the call.

Remember that their goal is to obtain your details. If you do find yourself caught up in conversation, put a stop to it as soon as you’re asked to provide any personal information. Tell them you’re not able to give this information out over the telephone and will call them back using the number on the HMRC website, then hang up.

What to do if you fall victim

If you believe you have given your personal or financial details to a fraudster, there are steps you can take to limit any potential damage. Act quickly:

  • Report it to your bank or credit card issuer
  • Report it to HMRC
  • Change any passwords that have been compromised

There are a number of websites, including Action Fraud and Take Five – Stop Fraud, that offer more information on HMRC phishing scams.