HMRC-Branded Tax Identity Theft Phishing Scam
Fraudsters impersonate HMRC to harvest National Insurance numbers, UTR codes, and personal details needed to file fraudulent tax returns, claim fraudulent refunds, or take over existing HMRC online accounts.
Part of: Tax Identity Theft
Last reviewed: 8 June 2026
HMRC is a perennially impersonated brand because tax correspondence is inherently authoritative and many people have genuine financial dealings with the authority. Identity thieves use HMRC's name to make credential-harvesting pages feel legitimate — a fake 'HMRC Verify Your Identity' page that captures National Insurance number, date of birth, and UTR (Unique Taxpayer Reference) provides everything needed to access or impersonate someone's tax record.
With a victim's NI number and UTR, scammers can log in to the Government Gateway using reset flows, change bank details to redirect legitimate refunds, or file Self Assessment returns in the victim's name to claim inflated refunds paid to a mule account.
HMRC does request identity verification online through the Government Gateway, but this always begins at gov.uk/hmrc and uses a secure process that does not require the taxpayer to supply sensitive details in response to an unsolicited email or text message.
How this scam works on the HMRC brand
A phishing email titled 'HMRC Identity Verification Required' claims a taxpayer's account has been flagged and must be verified within five days or will be suspended, with a penalty for non-compliance. The link leads to a convincing copy of the Government Gateway login page.
Some campaigns send a text message claiming HMRC has detected a suspicious Self Assessment login and requires the recipient to confirm their NI number to secure the account. The fake site captures NI number, UTR, date of birth, and a password.
Armed with this information, fraudsters use HMRC's own 'recover credentials' flow to take over the taxpayer's Government Gateway account, redirect any outstanding refund to a new bank account, and in some cases submit fraudulent expenses claims or employment records.
Common red flags
- Unsolicited HMRC email or text asking you to verify your NI number or UTR via a link
- Link goes to a domain other than gov.uk
- Threat of account suspension or penalty if verification is not completed within hours
- Request for both NI number and UTR together — HMRC does not collect both in a single unsolicited form
- Email sender address is not @hmrc.gov.uk
- Page asks for your Government Gateway password in addition to personal details
- You have not recently initiated any HMRC online process requiring verification
How to protect yourself
- Go directly to gov.uk/hmrc and log in to your Government Gateway account to check for any genuine notices
- Never enter your NI number or UTR in response to an unsolicited email or text
- Enable two-factor authentication on your Government Gateway account
- Check your registered bank account for refunds has not been changed under your account settings
- Report the phishing message to [email protected]
- Forward smishing texts to 7726
- If you believe your Government Gateway account has been accessed, call HMRC on 0300 200 3300
How to report it
- Report phishing emails to [email protected]
- Forward smishing texts to 7726
- Report to Action Fraud at actionfraud.police.uk or call 0300 123 2040
- Report to the NCSC at [email protected]
- If tax fraud has been committed in your name, contact HMRC directly on 0300 200 3300
Frequently asked questions
What can a scammer do with my HMRC NI number and UTR?
With your NI number and UTR, a fraudster can attempt to recover or reset your Government Gateway credentials, change your registered bank account to redirect refunds, submit fraudulent Self Assessment returns, or use the data in combination with other personal details to commit wider identity fraud.
How does HMRC actually verify identity online?
HMRC identity verification happens through the Government Gateway at gov.uk, using processes you initiate yourself. HMRC does not send unsolicited emails or texts asking you to verify your identity via an external link.
I think my Government Gateway account has been compromised. What do I do?
Call HMRC on 0300 200 3300 immediately. Change your Government Gateway password, enable two-factor authentication, and check that your registered email and bank details have not been altered. Report to Action Fraud at actionfraud.police.uk.