Fake HMRC Tax-Refund Phishing Scam
Scammers send emails and texts impersonating HMRC, telling recipients they are owed a tax rebate and must click a link to claim it. HMRC never sends unsolicited refund links by email or text; genuine refunds are applied to your account or sent by post after you or your employer triggers a recalculation.
Part of: Fake Tax Refund Scams
Last reviewed: 7 June 2026
HMRC tax-refund phishing is perennially one of the UK's most widespread online scams. Each year, and especially around self-assessment deadlines and tax year-end in April, criminals send millions of messages carrying HMRC's branding and promises of a government rebate.
The lure is compelling: the message states that the recipient has overpaid tax and a refund of a specific sum is waiting. All they need to do is click a link and provide bank details to receive it. Once bank details are entered, the criminals either drain the account directly or sell the credentials.
The key fact that demolishes this scam: HMRC does not send unsolicited emails or texts asking you to click a link to claim a tax refund. If you are genuinely owed a rebate, HMRC will write to you by post or credit it automatically through PAYE — with no action required on your part beyond logging in to confirm details if asked.
How this scam works on the HMRC brand
The phishing email typically has a subject line like 'Tax Refund Notification — Reference XXXX' and features HMRC's logo, a government gateway design, and an official-looking reference number. The body states a specific refund amount (commonly between £150 and £600) and provides a button labelled 'Claim Your Refund' that leads to a spoofed gov.uk page.
The fake page collects name, National Insurance number, bank account and sort code, and sometimes debit card details, then shows a 'processing' screen while harvesting the data. Some versions also request ID document photos, enabling identity fraud beyond simple bank theft.
Text variants are shorter — 'HMRC: You are due a tax refund of £XXX. Claim here: [link]' — but lead to the same credential-harvesting sites. HMRC flags that it does not initiate refunds via SMS text message links.
Common red flags
- Unsolicited email or text claiming you are owed a tax refund and asking you to click a link
- Email address is not from the @hmrc.gov.uk domain
- Link goes to a site other than gov.uk
- Page asks for bank account and sort code or debit card details
- Refund amount is oddly specific (e.g. '£248.37') with no explanation of how it was calculated
- No prior written communication from HMRC about a rebate
- Urgency framing: 'refund expires in 14 days if not claimed'
How to protect yourself
- Never click a refund link in an unsolicited HMRC email or text
- Log in to your Personal Tax Account directly at gov.uk/personal-tax-account to see your real tax position
- Contact HMRC on 0300 200 3300 if you genuinely believe you are owed a rebate
- Forward suspicious emails to [email protected] before deleting them
- Forward suspicious texts to 60599
- If you entered bank details, contact your bank's fraud team immediately
How to report it
- Forward the phishing email to [email protected]
- Forward smishing texts to 60599
- Report phishing sites to the NCSC at report.ncsc.gov.uk
- Report the scam to Action Fraud at actionfraud.police.uk or 0300 123 2040
- If bank details were provided, call your bank's 24-hour fraud line straight away
Frequently asked questions
Does HMRC send tax-refund notifications by email?
HMRC may send email notifications telling you that a letter is waiting in your Personal Tax Account, but it does not send unsolicited emails asking you to click a link to provide bank details and claim a refund.
How does a real HMRC refund work?
If you have overpaid tax through PAYE, HMRC typically adjusts your code or sends a P800 letter by post, which may direct you to claim online via your Personal Tax Account. For self-assessment filers, refunds are processed when you submit your return and go to the bank details you registered.
What if the email looks exactly like a genuine HMRC message?
Criminals are skilled at replicating government branding. The safest rule is never to act on a financial request in any email — go directly to gov.uk and log in to your Personal Tax Account to verify.