Home » Blog » Beware bogus HMRC emails

Beware bogus HMRC emails

Once upon a time the penalty for impersonating a Revenue officer was transportation to an overseas penal colony.  But even this would not have stopped the latest generation of HMRC impersonators who can send out waves of bogus emails phishing for our personal and financial details from the anonymous safety of anywhere on the globe. The costs and risks to the fraudster are very low, and he may need just a few ‘phish to bite’ to make a very handsome profit.

HMRC have published a whole section of security advice on their web-site which covers on-line security and  how to spot bogus communications.

There are two main risks:

  1. Direct attempts to steal personal information from you, including bank and credit card details, by fooling you into divulging them;
  2. And indirect attempts to steal information from the HMRC on-line system by tricking you into revealing your log-in details. If you don’t use the on-line system, maybe because you have an accountant who submits your tax returns for you, you don’t have to worry about this one.

There are 6 pages of advice on the HMRC website about how to protect yourself. Here (in their words) are the highlights:

  • Password and login details. Keep your password and login details secure, and ensure they are changed regularly. Do not write them down or tell anyone what they are, including HMRC staff or your accountant or tax adviser.
  • Unsolicited emails. Be suspicious of unsolicited emails, even if they look like they’re from a trusted source. HMRC will never send notifications of a tax rebate by email, or ask you to disclose personal or payment information by email.
  • Anti-virus software. Make sure your computer has anti-virus and anti-spyware software, and that it is continually updated to check the contents of the files on your computer against the information it holds about known viruses.
  • Personal firewall and secure wireless network. Make sure any computer which connects to the internet has appropriate firewall protection to block any unauthorised connections being made. If you’re using a wireless network, ensure it is secure.
  • Update your web browser. Use the most up to date version of your preferred web browser, this could reduce your chance of falling victim to online phishing scams, by displaying messages to alert you.
  • Keep your operating system up to date. Make sure you download and install updates regularly.
  • Sensitive information. Never enter sensitive information such as account details, PINs or passwords via a website link within an email.
  • Secure websites. Ensure websites are secure – look for the prefix ‘https’ and a locked padlock or unbroken key symbol. Check the authenticity of a secure website by double clicking on the symbol.
  • Attachments and emails. Beware of attachments and emails – even if they appear innocent, they could contain a virus designed to steal your personal information.
  • Bogus websites. Type the full address of secure websites into your browser, rather than searching for it – this helps avoid being misdirected to a bogus site.
  • Websites charging for services. Please be aware that some websites offer services which HMRC will provide free of charge. These include premium rate connection charges to HMRC Helplines. Please use the ‘Contact us’ link if you need to speak to HMRC. This link can also be found at the top of all HMRC web pages.
  • Incorrect ‘From’ address. Look out for a sender’s email address that is similar to, but not the same as, HMRC’s email addresses. Fraudsters often have email accounts with HMRC or revenue names in them (such as ‘refunds@hmrc.org.uk’). These email addresses are used to mislead you. However be aware, fraudsters can falsify (spoof) the ‘from’ address to look like a legitimate HMRC address (for example ‘@hmrc.gov.uk’).
  • Personal information. HMRC will never ask you to provide confidential or personal information such as passwords, credit card or bank account details by email.
  • Urgent action required. Fraudsters want you to act immediately. Be wary of emails containing phrases like ‘you only have three days to reply’ or ‘urgent action required’.
  • Bogus websites. Fraudsters often include inks to webpages that look like the homepage of the HMRC website. This is to trick you into disclosing personal/confidential information. Just because the page may look genuine, does not mean it is. Bogus webpages often contain links to banks/building societies, or display fields and boxes requesting your personal information such as passwords, credit card or bank account details. You should be aware that fraudsters sometimes include genuine links to HMRC webpages in their emails, this is to try and make their emails appear genuine.
  • Common greeting. Fraudsters often send high volumes of phishing emails in one go so even though they may have your email address, they don’t often have your name. Be cautious of emails sent with a generic greeting such as ‘Dear Customer’.
  • Look out for. Spelling mistakes and poor grammar.


If you receive any communication that you think might be bogus it’s worth taking a look at the HMRC page of phishing examples which has a list of fake email addresses, emails, letters, text messages and bogus callers, as well as some examples.

And if you are an escort there is one other piece of advice worth adding. You probably have separate work and personal email addresses, so it’s worth checking to see which address has been used on any emails you are suspicious of. If you have given an email address to HMRC it is likely to be a personal one, but it is your work address which is exposed to the world and more likely to be targeted by fraudsters.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.