Fake Tax Refund OTP Verification Scam

This scam weaponises the OTP (one-time password) infrastructure that banks use to authorise transactions. The framing — that you are receiving money rather than sending it — is the key deception: it removes the victim's natural caution about sharing authorisation codes.

The scam is reported across many countries, often timed to peak during or just after the tax-filing season when refunds are genuinely expected. It is particularly effective in countries where tax refunds are commonplace and citizens regularly receive automated communications from revenue authorities.

Initial contact is made by phone or SMS. The caller uses official-sounding language and may cite a refund amount, a reference number, and details about the tax year. The victim is asked to confirm their registered bank account number or to provide an alternate account for the refund. Immediately afterwards, the bank sends a genuine OTP to the victim's phone — triggered by the scammer who has used the account details to initiate a real outbound payment or to register a new payee.

The scammer then tells the victim to read back the OTP to confirm their bank account for the refund. In reality, reading the OTP authorises the fraudulent transaction. The money leaves the victim's account moments later.

The refund frame works because receiving money feels passive and benign. People are conditioned to provide OTPs as a security step for legitimate transactions, so when a plausible-sounding official asks for one in a refund context, the association with danger is suppressed.

The speed of the scam compounds the problem: from the moment the OTP arrives on the victim's phone to the moment the transaction is completed is often under thirty seconds, leaving no time for reflection. The victim may not realise what happened until they check their balance.

The victim receives a call or message claiming to be from the national tax authority, informing them that a tax refund is ready to be processed. To release the funds, the caller asks the victim to confirm their bank account and then requests the OTP that just arrived on the victim's phone. The victim, believing they are helping to receive a payment rather than authorise one, reads out the OTP. The scammer uses it to complete a fraudulent outbound transfer from the victim's account, often within seconds.

This is the Income Tax Department. We have a refund of [amount] pending for the [year] assessment. To credit your account, please confirm your bank details and the OTP that will arrive shortly.

HMRC: You are entitled to a tax rebate of [amount]. To process this, please call [number] with your National Insurance number and the verification code sent to your phone.

Your GST refund of [amount] is ready. Our system requires a one-time verification. Please share the code sent to your registered mobile to confirm your bank account.

The IRS is attempting to deposit a [amount] refund but requires account verification. Share the code sent to your phone to complete the transfer.

You have an unclaimed stimulus credit of [amount]. To avoid forfeiture, verify your account with the code that just arrived on your registered number.

Tax refunds do not require you to share an OTP with any caller. If you receive an OTP you did not request, this means someone has your bank account information and is attempting to authorise a transaction. Do not share the code with anyone.

Verify any refund claim by logging into your account on the official tax authority website (e.g., hmrc.gov.uk, irs.gov, incometax.gov.in) or by calling the official helpline. If a genuine refund exists, it will be visible in your official tax account.