Real Tax Refund vs Tax-Refund Phishing
How to tell a genuine tax authority refund notification from a phishing message designed to steal your bank or identity details under the guise of claiming a refund.
Last reviewed: 1 June 2026
Tax refund phishing peaks around self-assessment filing deadlines. Fraudsters send emails and texts that mimic official tax authority communications, directing you to cloned websites where entering your bank details hands over full account access.
Side-by-side comparison
| | Real tax refund | Tax-refund phishing |
|---|---|---|
| How you are notified | Refund applied directly to the bank account on file; written notification may follow by post | Urgent email or SMS saying you must 'claim' the refund online via a link |
| Information requested | Your tax authority already holds your bank account details; it does not ask you to re-enter them to release a refund | Asks you to enter full bank account number, sort code, and card details to 'receive' the refund |
| Sender domain | Official government domain (e.g., hmrc.gov.uk, irs.gov); never a commercial email provider | From a lookalike domain or free email service; sometimes the display name is correct but the address is not |
| Link destination | Any link in official correspondence goes to the government's verified domain | Link goes to a lookalike domain; the URL may contain the agency name but under a different TLD or as a subdomain of an unrelated domain |
| Urgency | Refunds are processed in routine cycles; no 'act by tonight or lose your refund' | Claims the refund will be cancelled if not claimed within 24–48 hours |
| Personal data shown | May reference your name or national insurance / tax ID but never asks you to re-confirm all data | Asks you to verify name, date of birth, address, and financial details before releasing funds |
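
The sender-domain and link-destination rows above come down to one check: whether the host is an official domain or sits under one at a label boundary. The Python below is an added example, not part of the original page; the function names and sample messages are constructed, and the allow-list holds only the two domains the table names.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# The two official domains named in the comparison table.
OFFICIAL_DOMAINS = ("hmrc.gov.uk", "irs.gov")


def on_official_domain(host):
    """True only if host is an official domain or a subdomain of one."""
    host = (host or "").rstrip(".").lower()
    # Compare on a label boundary: 'www.irs.gov' passes, while
    # 'fakeirs.gov' and 'irs.gov.refund.example' do not.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_link(url):
    """Judge a link by its parsed host, not by text that appears in it."""
    try:
        # .hostname drops any 'user@' prefix and port, so
        # 'https://irs.gov@refund.example/' yields 'refund.example'.
        # A string with no scheme has no host and is rejected.
        host = urlsplit(url.strip()).hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return on_official_domain(host)


def check_sender(from_header):
    """Judge a From header by its address, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    return on_official_domain(addr.rpartition("@")[2])


if __name__ == "__main__":
    # Constructed samples, not taken from real messages.
    for link in ("https://www.hmrc.gov.uk/refund",
                 "https://hmrc.gov.uk.claim-refund.example/login",
                 "https://irs.gov@refund.example/"):
        print(check_link(link), link)
    for sender in ("HMRC Refunds <refunds@hmrc-refund.example>",
                   "HMRC <no-reply@hmrc.gov.uk>"):
        print(check_sender(sender), sender)
```

A passing sender check only rules out a lookalike address; the From header itself can be forged, so it is not proof of origin.
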
Common red flags
- Email or SMS containing a link to 'claim' a tax refund
- Request to enter bank account, card number, or CVV to receive a refund
- Sender address is not a verified government domain
- Urgency claim that the refund expires within hours
- Asks you to confirm personal details including date of birth and national ID
Verification steps
- Log in to your tax authority's official website by typing the URL directly to check your account for any real refund
- Call the official tax authority helpline using the number from their verified website, not from any message you received
- Forward phishing emails to your tax authority's official phishing reporting address
What not to do
- Do not click links in tax refund emails or SMS messages
- Do not enter bank account or card details on a page reached via a link
- Do not call phone numbers provided in an unexpected tax message
A safe response
Delete the message and log in to your tax account directly via the official government website to check for genuine correspondence. If you have already entered details, contact your bank immediately to freeze your account and report it to the relevant tax authority.
Frequently asked questions
Will HMRC or the IRS ever send me a link by email?
HMRC states it will never send links asking for personal or financial information by email. The IRS similarly does not initiate contact by email, text, or social media requesting financial details. Any such message should be treated as fraudulent.
How do I report a tax phishing message?
In the UK, forward it to [email protected]. In the US, forward it to [email protected]. Both agencies maintain phishing reporting channels and publish guidance on their official sites.