HMRC Tax Rebate Email Scam: How to Spot and Avoid It in the UK
Scammers are sending fake HMRC emails offering tax rebates to steal your bank details and passwords.
What is this scam?
The HMRC tax rebate email scam tricks UK residents into believing they're owed a tax refund or tax credit. Scammers send official-looking emails claiming HMRC has processed a rebate in your favour—sometimes citing overpayment of tax, unclaimed allowances, or stimulus credits. The email urges immediate action, warning that the refund will be cancelled if you don't verify your details within hours. These emails contain a link leading to a fake HMRC website that looks remarkably similar to the real one. Once you enter your name, address, National Insurance number, date of birth, and bank details on the fake site, criminals have everything needed to steal your identity and access your bank accounts. The scam is highly effective because it exploits people's genuine expectation of tax refunds and uses HMRC's reputation to appear legitimate. Self-employed workers and employees with previous tax issues are especially targeted because they're more likely to believe they might have overpaid.
Warning signs to look for
['- The email arrives suddenly claiming a tax rebate is waiting, with no prior communication from HMRC about an overpayment or refund eligibility.', "- Urgent language like 'Your refund will expire in 24 hours' or 'Confirm details immediately or your claim will be cancelled' is a major red flag—HMRC does not rush customers.", "- The email address is not from a genuine HMRC domain; it might be from gmail.com, outlook.com, or a domain that looks similar to HMRC's but is subtly different, such as hmrc-online.uk or hmrc-returns.com.", "- The link in the email does not match HMRC's real website URL; hover over it (don't click) to see the actual destination, which will often be a completely different domain.", "- The email asks you to 'verify', 'confirm', or 'update' personal information like your National Insurance number, bank account details, or passwords—HMRC never requests this via email.", "- Spelling or grammar mistakes in the email, such as 'HMRC has discoverd' or inconsistent capitalisation, indicate it was written by someone unfamiliar with HMRC's communication standards.", "- The sender's name or signature looks unprofessional or generic, such as 'HMRC Team' or 'Tax Department', rather than a named HMRC officer.", '- The email mentions payment into a personal bank account or cryptocurrency wallet instead of a standard government refund process.']
How this scam works step by step
The scam typically starts when you receive an email claiming HMRC has calculated a tax rebate in your favour. The email includes a link to what appears to be the HMRC website—the design, colours, and logo are copied directly from the real site. The message emphasises urgency, stating the refund will expire or be cancelled if you don't act within hours. When you click the link, you're taken to the fake website where you're asked to 'verify your identity' to claim your rebate. The form requests increasingly sensitive information: name, address, date of birth, National Insurance number, passport details, and finally your full bank account number and sort code. Some versions also ask for your online banking password or security questions. Once you submit this information, the scammers now have enough data to commit identity fraud, apply for credit in your name, or directly drain your bank account. Some versions of the scam escalate further, directing you to call a fake HMRC number where someone poses as a tax officer and requests additional information or even payment by bank transfer to 'process your rebate'. By the time you realise it's fraudulent, the scammers have already used your details.
How to verify if it is genuine
If you receive an email claiming to be from HMRC about a tax rebate, do not click any links. Instead, open a new browser window and go directly to HMRC's official website by typing www.gov.uk/hmrc into the address bar. Once there, log into your HMRC account using your Government Gateway credentials. If a genuine refund is waiting, it will appear in your account dashboard under 'Tax returns' or 'Payments'. HMRC never sends unsolicited emails asking you to click links or verify personal information via email—this is a key difference from the real organisation. You can also verify the sender's email address: genuine HMRC emails come from addresses ending in @hmrc.gov.uk. Be wary of slight variations like @hmrc.gove.uk or @hmrc-online.gov.uk. If you're unsure whether an email is genuine, call HMRC directly using the number on their official website or your most recent tax paperwork. Never use contact details from the email itself. For additional help identifying fake emails, see our guide on /guides/is-this-website-a-scam/.
What to do if you have already interacted
If you clicked a link in the email but did not enter any information, stop immediately and do not return to the website. Clear your browser history to remove any malicious code that might have been installed. If you entered only basic information like your name and postcode, the risk is lower, but you should still take action. If you entered sensitive data—National Insurance number, bank details, passwords, or security answers—treat this as urgent. First, contact your bank immediately using the phone number on the back of your debit or credit card (not a number from the email or scam website). Tell them you may be a victim of identity fraud and ask them to monitor your account for suspicious transactions. Ask if they can place a fraud alert on your account. Second, check your credit file through Experian, Equifax, or CallCredit to ensure no one has applied for credit in your name. Third, contact Action Fraud to report the scam and get a crime reference number, which you'll need if fraud does occur. If your National Insurance number was compromised, inform HMRC directly. Change passwords for all your online banking and email accounts, using complex, unique passwords. Consider registering with the National Fraud Database for added protection.
Reporting this scam in the UK
Report HMRC tax rebate scam emails to the National Cyber Security Centre's Suspicious Email Reporting Service by forwarding the email to report@phishing.gov.uk. Include the full email, including headers if possible, so they can trace its origin and take action against the fake website. Do not reply to the scam email itself. If you've lost money or provided banking details, also report the incident to Action Fraud by calling 0300 123 2040 (free from landlines and mobiles) or visiting www.actionfraud.police.uk online. Provide them with the crime reference number, as you'll need this if you discover fraudulent transactions later. If you received the scam as an SMS rather than email, forward it to 7726 (SPAM). You can also report the fake website's URL to the Internet Crime Complaint Center, but Action Fraud is your primary UK resource. Additionally, contact Citizens Advice's consumer helpline on 0808 223 1133 if you need support navigating fraud recovery or identity theft. Report the scam to your bank and to HMRC itself by logging into your genuine account and reporting suspicious activity. The more people who report these scams, the faster authorities can shut down the fake websites and catch the criminals behind them.
Frequently asked questions
Is HMRC a legitimate UK organisation that sends emails about tax rebates?
Yes, HMRC is the legitimate UK tax authority and does process genuine refunds. However, HMRC rarely initiates contact via unsolicited email about refunds. If you are due a rebate, HMRC will contact you through your online Government Gateway account first, and only send emails if you've opted in. Genuine HMRC emails always come from @hmrc.gov.uk and never ask you to click a link to verify information.
What should I do if I've already sent money or given my bank details to the scammers?
Contact your bank immediately on the number on the back of your card and tell them you may have been defrauded. If money was transferred, they may be able to recall it under the Faster Payments Scheme. Report the fraud to Action Fraud on 0300 123 2040 and get a crime reference number. Monitor your bank statements daily for the next three months and check your credit file through Experian, Equifax, or CallCredit to ensure no one has opened accounts in your name.
How do I know if a website claiming to be HMRC is actually fake?
Check the URL in your address bar—genuine HMRC pages always start with www.gov.uk. Scam websites often use similar-looking URLs like www.hmrc-gov.uk, www.hmrc-online.co.uk, or www.tax-hmrc.uk. Never enter sensitive information unless you've typed the address yourself or arrived through a trusted bookmark. If in doubt, close the browser and call HMRC directly using the number on your tax paperwork.
How do I report an HMRC tax rebate scam email?
Forward the email to the National Cyber Security Centre at report@phishing.gov.uk. They will investigate and work to remove the fake website. Also report it to Action Fraud on 0300 123 2040 (free from UK landlines and mobiles) or online at www.actionfraud.police.uk. If it came as an SMS, forward it to 7726. Reporting helps authorities shut down the scammers and protect other UK residents.