Is This Email from HMRC Real? How to Check

An email from HMRC just landed in your inbox. It says you're owed a tax refund. Or that you have an outstanding payment. Or that there's a problem with your Self Assessment.

Your heart's racing a bit. That's exactly what the scammers want — because HMRC scam emails are one of the most common phishing attacks in the UK, and they spike massively between January and April during tax season.

Let's figure out if your email is genuine.

The big thing most people don't know about HMRC emails

Here's something crucial: HMRC will never email you out of the blue to tell you about a tax refund. Full stop.

If you're owed money, HMRC sends you a cheque in the post or pays it directly into your bank account via your Government Gateway settings. They don't email you a link to "claim your refund."

So if you've received an email saying "You are entitled to a tax refund of £268.35" — it's a scam. Every time. No matter how real it looks.

Legitimate HMRC email addresses

HMRC does send some emails, mainly notifications about your Self Assessment, reminders about deadlines, and confirmations after you've filed. These come from:

Legitimate HMRC addresses:

• @tax.service.gov.uk
• @hmrc.gov.uk
• @notifications.service.gov.uk
• @mail.tax.service.gov.uk

Common fake addresses:

• @hmrc-tax-refund.com ❌
• @hmrc.org.uk ❌
• @hmrc-gov.co.uk ❌
• @refund.hmrc.com ❌
• @hmrc-online.co.uk ❌
• @tax-refund.gov.uk ❌
• @hmrc.gov.uk.claim-refund.com ❌
• @hmrcgovuk.com ❌

Key thing: The legitimate domain is gov.uk. If the domain doesn't end in exactly .gov.uk, it's not from the government. The address [email protected] is real. The address [email protected] is not — the real domain there is refund-claim.com.

The most common HMRC scam emails

1. "You are due a tax refund" By far the most common. Claims you've overpaid tax and are owed a refund (usually a specific amount like £247.58 to seem believable). Includes a link to "claim" your refund by entering your bank details. This is always fake. HMRC never notifies you of refunds by email.

2. "You have an outstanding payment" Claims you owe HMRC money and must pay immediately to avoid penalties. Often threatens legal action or mentions debt collectors. Creates panic so you'll click the payment link without thinking. Real HMRC debt communications come by post and include your UTR (Unique Taxpayer Reference).

3. "Self Assessment deadline — act now" Timed around January 31st. Claims your Self Assessment is overdue and you face penalties. Links to a fake Government Gateway login page to steal your credentials. Real deadline reminders from HMRC link to gov.uk/self-assessment-tax-returns.

4. "Verify your Government Gateway account" Claims there's been suspicious activity on your Government Gateway account and asks you to verify your identity. The real Government Gateway will never ask you to verify your identity via an email link.

5. "COVID/energy support grant available" Piggybacks on current events. Claims you're eligible for a government payment and need to provide bank details to receive it. HMRC and government departments never ask for bank details via email for grants or support payments.

What HMRC will NEVER do

HMRC is very clear about this. They will never:

• ❌ Email you about a tax refund and ask you to click a link
• ❌ Ask for your bank details, PIN, or passwords by email
• ❌ Ask for your credit/debit card details by email
• ❌ Threaten you with arrest via email (this is a big one — scammers love threatening arrest)
• ❌ Ask you to make an urgent payment via email link
• ❌ Send you an email demanding you pay using gift cards, iTunes vouchers, or cryptocurrency
• ❌ Ask you to download software or open attachments
• ❌ Use threatening or aggressive language

If your email does any of these things, it's fake. No question.

What HMRC actually sends by email

HMRC does use email, but for limited purposes:

• ✅ Self Assessment reminders (file by 31 January)
• ✅ Confirmation that you've submitted your tax return
• ✅ Notification that you have a new message in your Government Gateway inbox
• ✅ PAYE coding notices (but never with payment links)

The key pattern: real HMRC emails tell you to log in to your Government Gateway account to see details. They don't include the details in the email itself, and they don't ask you to enter personal information via email.

Your quick verification steps

✅ 1. Check the sender address. Does it end in .gov.uk? If not, it's fake.

✅ 2. Is it about a refund? If the email says you're owed money and provides a link to claim it — it's a scam. Always.

✅ 3. Does it ask for bank/card details? HMRC will never ask for this by email. Scam.

✅ 4. Does it threaten you? Arrest, legal action, account closure — HMRC doesn't operate like this via email.

✅ 5. Check your Government Gateway account directly. Go to gov.uk/personal-tax-account, sign in, and check your messages. If HMRC genuinely needs something from you, it'll be there.

How to report HMRC phishing emails

If you've received a suspicious email claiming to be from HMRC, forward it to:

📧 [email protected]

Then delete the email. Don't click any links, don't download any attachments.

If you've already clicked a link and entered information, change your Government Gateway password immediately and contact your bank if you provided any financial details.

You can also report tax scams to HMRC at gov.uk/report-suspicious-emails-websites-phishing.