AI-Hyper-Personalised HMRC Tax Phishing Scam
Criminals use AI tools to craft HMRC phishing emails or texts that include the recipient's correct name, National Insurance number, employer, and recent filing details, making the message far harder to dismiss than traditional mass-phishing.
Part of: AI Hyper-Personalised Phishing Scams
Last reviewed: 8 June 2026
Most people have learned to distrust generic "Dear Taxpayer" HMRC emails. Attackers have responded by using AI to merge data-breach records with HMRC's known communication style, producing messages that open with your full name, reference your correct employer, cite the right tax year, and even match the approximate amount you might owe or be owed in a given period.
The result is an email or text that feels indistinguishable from a genuine HMRC communication to the untrained eye. The message might announce an unexpected self-assessment overpayment, a penalty notice for a late return, or an urgent request to verify identity before a deadline — all rendered in correct HMRC formatting with accurate footer text.
HMRC's actual digital services are accessed at gov.uk/hmrc. All tax and refund management occurs after a verified Government Gateway login. HMRC does not send personalised refund links by email or SMS, and it does not ask for bank details to be entered via a link in a message.
How this scam works on the HMRC brand
An email arrives from an address spoofed to resemble [email protected], using the recipient's full name in the subject line and body. It states that a refund of a specific, realistic amount is pending or that an amendment to a recent return requires urgent attention.
A button or link leads to a lookalike Government Gateway portal. The victim enters their Government Gateway user ID and password, then is asked for National Insurance number and bank details to process the refund. Each piece of information is harvested in real time.
AI personalisation extends beyond the initial message: some campaigns use chatbot-style follow-up SMS messages that answer basic questions about the refund, making the deception interactive and harder to break out of.
Common red flags
- Email or text references your real name, NI number, or employer — this data may come from a breach, not the real HMRC
- Message contains a direct link to a refund portal rather than directing you to sign in at gov.uk
- Sender domain is not exactly @hmrc.gov.uk or the message arrives as an SMS with a link
- Urgency framing such as "refund expires in 72 hours" or "penalty applied if not verified by Friday"
- The linked site asks for bank sort code and account number to receive a refund
- Government Gateway login page URL does not begin with https://www.gov.uk/
- Message asks you to confirm personal details for security before showing the refund amount
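The red flags above can be turned into a simple triage check for a mail or SMS gateway. The script below is an added example, not HMRC guidance or code from this page: it scores a message against the sender-domain, link-destination, urgency and bank-detail flags listed, treats personal details as neutral rather than reassuring, and runs on two constructed sample messages (all addresses, URLs and phrases in them are made up).

```python
"""Triage an HMRC-themed message against the red flags listed above."""
import re
from urllib.parse import urlparse

# Phrase lists are constructed for this example from the wording the page quotes.
URGENCY_PATTERNS = [r"\bexpires? in \d+ hours?\b", r"\bwithin \d+ hours?\b",
                    r"\bif not verified by\b", r"\bbefore (the )?deadline\b"]
BANK_DETAIL_PATTERNS = [r"\bsort code\b", r"\baccount number\b", r"\bbank details\b"]
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def sender_domain(address: str) -> str:
    """Return the part after '@' in lower case ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_message(sender: str, body: str, channel: str = "email") -> list[str]:
    """Return the list of red flags a message triggers (empty means none).

    The recipient's name or NI number appearing in the body is deliberately
    NOT treated as evidence of legitimacy: such data may come from a breach.
    """
    flags = []
    # Flag: sender domain must be exactly hmrc.gov.uk (lookalikes fail this).
    if channel == "email" and sender_domain(sender) != "hmrc.gov.uk":
        flags.append("sender domain is not exactly hmrc.gov.uk")
    links = URL_RE.findall(body)
    # Flag: a genuine HMRC text does not carry a link at all.
    if channel == "sms" and links:
        flags.append("SMS contains a link")
    # Flag: every link must begin with https://www.gov.uk/ (hostname compared
    # exactly, so www.gov.uk.example.net style lookalikes are caught).
    for url in links:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname != "www.gov.uk":
            flags.append(f"link does not begin with https://www.gov.uk/: {url}")
    text = body.lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        flags.append("urgency framing")
    if any(re.search(p, text) for p in BANK_DETAIL_PATTERNS):
        flags.append("asks for bank details to receive a refund")
    return flags

# Constructed samples: a lookalike refund lure and a benign sign-in reminder.
PHISH = ("refunds@hmrc-gov-uk.example", "Dear Jane Example, a refund of 412.60 GBP is "
         "pending. Confirm your bank details at "
         "https://www.gov.uk.refund-verify.example/gateway before it expires in 72 hours.")
BENIGN = ("noreply@hmrc.gov.uk", "You have a new message in your Personal Tax Account. "
          "Sign in at https://www.gov.uk/personal-tax-account to read it.")

if __name__ == "__main__":
    for sender, body in (PHISH, BENIGN):
        print(sender, "->", check_message(sender, body) or ["no red flags"])
```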
How to protect yourself
- Never click links in messages claiming to be from HMRC; always go to gov.uk/hmrc directly
- Log in to your Government Gateway account independently to check for any genuine notifications
- HMRC sends refunds by cheque or directly to a bank account already on file — it does not ask for new bank details by email
- Treat any email that knows your personal details as potentially built from breach data, not a sign of legitimacy
- Enable two-step verification on your Government Gateway account
- Use a password manager so Government Gateway credentials are unique and not reused elsewhere
- Report the message before deleting it so HMRC can warn others
How to report it
- Forward suspicious emails to [email protected]
- Forward smishing texts to 7726
- Report to Action Fraud at actionfraud.police.uk or 0300 123 2040
- If Government Gateway credentials were entered, change your password immediately and contact the HMRC Identity Theft Helpline on 0300 200 3300
- Report to the ICO at ico.org.uk if you believe your personal data was misused
Frequently asked questions
HMRC's email had my correct NI number. Does that mean it is real?
Not necessarily. National Insurance numbers appear in many data breaches and are traded on dark-web marketplaces. Scammers use AI tools to combine breach data with convincing HMRC templates. Always verify by logging in at gov.uk/hmrc independently, never via a link in the message.
How does HMRC actually communicate refunds?
HMRC notifies you through your Personal Tax Account at gov.uk, by post, or via the HMRC app. Refunds go to a bank account you have registered with HMRC in advance. HMRC will never ask you to provide new bank details by email or text link to receive a refund.
Can AI really impersonate HMRC well enough to fool careful readers?
Yes. AI tools trained on public HMRC communications, combined with personalised breach data, can produce emails that match HMRC's tone, formatting, and specific details with high accuracy. The safest habit is always to access HMRC services directly at gov.uk, regardless of how convincing a message appears.