Genuine HMRC contact and recognising phishing emails and texts
Find out how to recognise when contact from HMRC is genuine, and how to recognise phishing or bogus emails and text messages.
Phishing is the fraudulent act of emailing a person in order to obtain their personal or financial information such as passwords and credit card or bank account details. These emails often include a link to a bogus website encouraging you to enter your personal details.
How to tell if an email is fraudulent
As well as spelling mistakes and poor grammar, there are a number of things you can look out for to help you recognise a phishing or bogus email.
• Incorrect ‘from’ address
Look out for a sender’s email address that is similar to, but not the same as, HMRC’s email addresses. Fraudsters often have email accounts with HMRC or revenue names in them (such as ‘firstname.lastname@example.org’). These email addresses are used to mislead you.
However be aware, fraudsters can falsify (spoof) the ‘from’ address to look like a legitimate HMRC address (for example ‘@hmrc.gov.uk’). If you’re not 100% sure that the message has come from us, do not open it. If you do open the email and you’re in doubt, do not click on any links or downloads.
• Personal information– Emails from HMRC will never:
·Notify you of a tax rebate
· Offer you a repayment
· Ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference or details of your bank account
· Give a non HMRC personal email address to send a response to ask for financial information such as specific figures or tax computations, unless you’ve given us prior consent and you’ve formally accepted the risks.
· Provide a link to a secure log in page or a form asking for information – we’ll ask you to log on to your online account to check for information instead.
HMRC SMS text messages – SMS text message – activating 2-Step Verification
2-Step Verification is an additional security feature which helps to prevent someone else from accessing a customer’s digital account, even if they have their User ID and password.
When activating 2-Step Verification, HMRC will send an access code via SMS to the customers’ nominated mobile phone number, which the customer will need to complete the set-up. These SMS messages will never ask the customer to provide personal or financial information.
This means that once customers have activated 2-Step Verification, the only way to access the account will be with the Government Gateway User ID, password and access to the phone which has been registered. HMRC is planning ways of increasing the number of users who can benefit from 2-Step Verification.
SMS text message – 2-Step Verification for future log ins
After activating 2-Step Verification, each time the customer logs in, HMRC will send an access code via SMS to the registered mobile phone number, which will be needed to complete the log in process.
These SMS messages will never ask the customer to provide personal or financial information. If a customer no longer has access to the mobile phone registered for 2-Step Verification, they’ll need to ring the Online Services Helpdesk and verify their identity to deactivate it.
The customer can then register their new mobile number for 2-Step Verification when they log in the next time.
Tax credits – SMS text or voice prompts
HMRC is contacting some customers who claim tax credits by SMS and voice message asking them to update or confirm their circumstances if the details they hold (that is, income or working hours) differ from the information shown on their employer records.
Tax credits customers who send in their renewal or a new claim will receive a SMS text message confirming that HMRC has received their claim or renewal and estimated processing times.
These reminder messages will only direct them to the GOV.UK website to renew their claims online.