Beat the Scam Scam checks, alerts, and consumer protection guides
Home / Guides / Government Impersonation / HMRC Self Assessment Scam UK: How to Spot and Avoid It
Government Impersonation

HMRC Self Assessment Scam UK: How to Spot and Avoid It

Scammers are impersonating HMRC to steal your money and personal information. Here's how to tell the difference between a real tax demand and a fake one.

· · 7 min read

HMRC self assessment scamfake HMRC emailHMRC tax scam UKHMRC phishing scamself assessment fraud
Key rule: verify through an official route you opened yourself, not the link, number, app, or payment details supplied by the suspicious message.
On this page
  1. What is this scam?
  2. Warning signs to look for
  3. How this scam works step by step
  4. How to verify if it is genuine
  5. What to do if you have already interacted
  6. Reporting this scam in the UK

What is this scam?

The HMRC self-assessment scam involves criminals sending fake emails, text messages, or letters that appear to come from Her Majesty's Revenue and Customs. The messages claim you have an outstanding tax bill, owe a refund, or need to urgently verify your self-assessment details online. Scammers create a false sense of urgency—threatening penalties, account suspension, or legal action—to pressure you into clicking a link or providing personal information. The fake messages often mimic HMRC's branding, language, and formatting to look authentic. Some versions claim you are entitled to a tax rebate and ask you to confirm your details to receive it.

Others state that your self-assessment return has been rejected and you must resubmit it immediately. The goal is either to steal your login credentials, bank details, National Insurance number, or other sensitive information, or to trick you into sending money directly to the scammer's account.

Warning signs to look for

  • The email or text asks you to click a link to 'verify', 'confirm', or 'update' your details urgently—HMRC rarely asks you to do this via email or SMS.
  • The message threatens immediate action, penalties, or legal consequences if you don't respond within hours or days.
  • The sender's email address does not match HMRC's official domain (gov.uk); look for slight misspellings or suspicious domains.
  • The message contains spelling, grammar, or formatting errors, or uses generic greetings like 'Dear Customer' instead of your name.
  • You are asked to provide sensitive information such as your National Insurance number, bank details, or password via email, text, or a web form.
  • The link in the message goes to a website that looks like HMRC's but has a slightly different URL or poor-quality design.
  • The message offers a tax refund or rebate you were not expecting, or claims you have overpaid tax without explanation.
  • You receive the message out of the blue and have not initiated any contact with HMRC.

How this scam works step by step

The scam typically begins with a mass email or text message sent to thousands of people. The message claims there is a problem with your self-assessment tax return or that you are owed a refund. It creates urgency by stating that your account will be suspended, a penalty will be applied, or legal action will follow if you do not act immediately. The scammer includes a link that appears to lead to HMRC's official website but actually directs you to a fake login page or form controlled by the criminal.

When you click the link and enter your details—such as your National Insurance number, date of birth, address, or online banking credentials—the scammer captures this information. Some versions of the scam ask you to confirm your bank details to receive a supposed refund, which the scammer then uses to steal money from your account or commit identity fraud. In other cases, the scammer uses your credentials to access your real HMRC account, change your address, or file a false tax return.

The entire process can happen within minutes, and you may not realise you have been compromised until weeks or months later.

How to verify if it is genuine

If you receive a message claiming to be from HMRC, do not click any links or reply to the message. Instead, go directly to HMRC's official website by typing 'gov.uk' into your browser—never use a link from the email or text. Log into your HMRC online account using your own credentials to check if there are any genuine messages or outstanding issues. Genuine HMRC contact will appear in your online account inbox, not in your email or SMS.

You can also call HMRC directly using the number on your tax bill, letter, or the official HMRC website—never use a number provided in the suspicious message. HMRC will never ask you to confirm sensitive information via email, text, or by clicking a link. If you are unsure whether a message is real, contact Citizens Advice or the NCSC Suspicious Email Reporting Service before taking any action. Remember that HMRC has your details already; they will not ask you to 'verify' or 'confirm' them in response to an unsolicited message.

What to do if you have already interacted

If you have clicked a link or visited a fake website, change your HMRC password immediately using a secure device. Go to the official HMRC website and update your password to something strong and unique. If you entered your National Insurance number, date of birth, or address, monitor your credit file for signs of identity fraud—you can check this for free via Clearscore, Experian, or Equifax. If you provided your bank details or online banking credentials, contact your bank immediately on the number on the back of your card or the official website.

Ask your bank to monitor your account for suspicious activity and consider placing a fraud alert on your account. If money has been taken from your account, report it to your bank and Action Fraud without delay. Check your HMRC account regularly for any unauthorised changes to your address, tax code, or return information. If you have sent money directly to the scammer, contact your bank immediately—they may be able to recover the funds if the transfer is recent. Report the scam to Action Fraud and the NCSC to help protect others.

Reporting this scam in the UK

Report the scam to Action Fraud by calling 0300 123 2040 or visiting their website. Provide as much detail as possible, including the email address, phone number, or sender details, the content of the message, and any links or websites involved. Forward the suspicious email to the NCSC Suspicious Email Reporting Service at report@phishing.gov.uk—simply forward the entire message without editing it. If you received a text message, forward it to 7726 (spells 'SPAM') to report it to your mobile network. Report the fake website to the NCSC if you have the URL.

Contact Citizens Advice on 0808 223 1133 if you need support or advice on next steps. If you have lost money or had your identity compromised, also report this to your bank and consider registering with the National Fraud Database. Keep copies of all messages, screenshots, and correspondence for your records and for the authorities. The more reports received, the faster action can be taken to shut down fake websites and catch the criminals behind the scam.

Frequently asked questions

Is HMRC a legitimate organisation, or is all HMRC contact a scam?

HMRC is a real UK government department that manages tax and benefits. However, scammers frequently impersonate HMRC because people trust government organisations and respond quickly to tax-related messages. Genuine HMRC contact will appear in your online account, on official letters, or via phone calls to numbers you find yourself on the HMRC website—never via unsolicited emails or texts asking you to click links or provide information.

What should I do if I have already sent money to the scammer?

Contact your bank immediately on the number on the back of your card or the official website and explain that you have been scammed. Your bank may be able to recall or freeze the payment if it was sent recently. Report the scam to Action Fraud on 0300 123 2040 and provide all details of the transaction. If the money was sent via a money transfer service, contact that service urgently as well. Do not send any further money, and do not respond to any follow-up messages from the scammer.

Can scammers actually access my real HMRC account if I give them my login details?

Yes. If you provide your HMRC username and password to a scammer, they can log into your real account, change your address, file a false tax return, or claim a fraudulent refund in your name. This is why it is critical to change your HMRC password immediately if you have entered your credentials into a fake website. Use a strong, unique password and enable two-factor authentication on your HMRC account if available.

How do I report an HMRC self-assessment scam?

Report the scam to Action Fraud by calling 0300 123 2040 or visiting their website. Forward suspicious emails to the NCSC Suspicious Email Reporting Service at report@phishing.gov.uk, and forward text messages to 7726. If you have lost money or suspect identity fraud, also report it to your bank and contact Citizens Advice on 0808 223 1133 for support.

Think you’ve spotted a scam? Use the AI scam checker for an instant analysis, or report it to Action Fraud.

Reporting routes in this guide are checked against our verified canon of official UK sources — Action Fraud, the National Cyber Security Centre, and Citizens Advice — by an automated accuracy gate before publication. Updated 2026-06-23. Read about how Beat the Scam writes guides.