Fake HMRC Tax App Malware Scam
Scammers distribute fake lookalike HMRC apps outside the official app stores, claiming to offer tax rebate tracking or self-assessment help. Once installed, these apps steal Government Gateway credentials, banking logins, and SMS two-factor codes.
Last reviewed: 8 June 2026
The official HMRC app allows taxpayers to manage their tax affairs, view their tax code, and claim certain reliefs on their smartphone. Fraudsters create near-identical fake apps and distribute them via phishing emails, SMS links, and social media advertisements, targeting people who search for HMRC tools around self-assessment deadlines or after receiving a tax-related prompt.
These fake apps are often promoted with language like "Download the new HMRC Tax Rebate Tracker" or "Update required: HMRC Self-Assessment App". Once installed, they request extensive permissions and capture the Government Gateway credentials the user enters, which are then used to take over the real account and redirect any outstanding tax refunds.
The legitimate HMRC app is listed on the Apple App Store and Google Play under the developer HM Revenue and Customs. HMRC does not send links by SMS or email directing you to download the app from any other source.
How this scam works on the HMRC brand
A phishing SMS or targeted social-media advert around January (self-assessment deadline month) or April (new tax year) promotes a free HMRC tool. The download link leads to a convincing web page mimicking gov.uk/hmrc with an App Store-style download button that actually delivers an APK or a malicious iOS profile.
After installation, the app presents a Government Gateway login screen. Once the user enters credentials, the app sends them to a remote server and simultaneously forwards the user to the real HMRC app, masking the theft. Ongoing access to the device allows the attacker to intercept verification SMS messages and monitor banking app activity.
Some variants do not steal credentials immediately but instead overlay a legitimate banking app with a fake login screen (a technique known as an overlay attack), capturing banking details when the victim next opens their bank app.
Common red flags
- SMS or social media advert promotes a downloadable HMRC app with a link outside the official app stores
- The promoted app claims to offer a tax rebate calculator or self-assessment helper with unusually broad permissions
- Download requires enabling unknown sources on Android
- The app developer name on the store page is not HM Revenue and Customs
- App asks for more permissions than a tax tool needs, such as SMS access or accessibility services
- You did not search for an HMRC app but received a targeted advert or unsolicited SMS about one
- App has very few reviews or a very recent publication date
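For an analyst or helpdesk triaging an APK that a user reports, the permission red flags above can be checked against the app's decoded AndroidManifest.xml. This is an added example, not part of the original page: the function name `triage_manifest`, the selection of permissions, and the sample manifest are assumptions constructed for illustration, and it expects a manifest already decoded to text XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
PERM = "{http://schemas.android.com/apk/res/android}permission"
# Permissions matching the red flags above; a tax tool has no need for them.
RISKY = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS verification codes",
    "android.permission.READ_SMS": "can read stored SMS messages",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> list[str]:
    """Return red-flag findings for a decoded AndroidManifest.xml (untrusted input)."""
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DTD in manifest: refuse to parse untrusted entity definitions")
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    requested = {el.get(NAME) for tag in tags for el in root.iter(tag)}
    findings = [f"{p}: {RISKY[p]}" for p in sorted(requested & set(RISKY))]
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(PERM) == ACCESSIBILITY:
            name = svc.get(NAME)
            findings.append(f"accessibility service {name}: can read other apps' screens")
    return findings

# Constructed sample manifest, not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxrebate.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("FLAG", finding)
```

Any finding is a reason to escalate rather than proof of malice; an empty result does not clear an app that was obtained outside the official stores.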
How to protect yourself
- Search the Apple App Store or Google Play for HMRC and confirm the developer is HM Revenue and Customs before installing
- Never install an HMRC app from a link in an SMS, email, or social media advert
- If you installed a suspicious app, remove it immediately, change your Government Gateway password, and enable two-step verification
- Review app permissions before accepting and deny any that are unnecessary for a tax tool
- Check your Government Gateway account for any profile changes or pending refund redirections
- Contact HMRC on 0300 200 3300 if you believe your account has been compromised
- Report the fraudulent advert or link to the platform where you saw it
How to report it
- Forward suspicious emails or texts to [email protected]
- Report the fraudulent app listing to the App Store or Google Play
- Report to Action Fraud at actionfraud.police.uk or 0300 123 2040
- Forward smishing messages to 7726
- Report to the ASA at asa.org.uk if the scam was delivered via a paid advert
Frequently asked questions
What is the real HMRC app and where can I download it?
The official HMRC app is available on the Apple App Store and Google Play. Search for HMRC and look for the developer listed as HM Revenue and Customs. It is free and does not require side-loading or any download link sent by message.
Why would a fake tax app want SMS access?
SMS access allows the app to intercept two-factor authentication codes sent by banks and other services. With those codes, an attacker can bypass security checks and access your financial accounts without your knowledge.
Can I recover my Government Gateway account if credentials were stolen?
Yes. Go to gov.uk/log-in-register-hmrc-online-services and select forgotten password to reset access. Contact HMRC at 0300 200 3300 if you cannot regain access or if a refund has been redirected.