Don't be caught out by phishing emails

Don't be caught out by phishing emails

Phishing is the fraudulent act of emailing a person in order to obtain personal or financial information. HMRC has issued guidance to help recognise fraudulent emails.

HMRC are increasingly using online services to allow taxpayers and their agents to access their tax information. However more online services means a higher risk of phishing and bogus emails.

These emails often ask for personal information such as date of birth, bank details or passwords. Once the information has been provided money could be stolen from the victim's bank account and it may lead to identity theft. With a Self Assessment tax payment date coming soon on 31 January 2016, this may be the time to be wary of online fraudsters.

HMRC have confirmed that they will never send notifications of a tax rebate by email and will also never ask people to disclose personal or payment information by email. In addition HMRC have responded to these attacks by issuing guidance on how to tell if an email is fraudulent.

How to tell if an email is fraudulent

Often the fraudster will create an email address which looks similar to HMRC's email address for example ''. More examples of false email addresses can be found in a list provided by HMRC - click here

Another risk area is a link to a bogus website in an email or text. The page may look genuine but it often contains links, display fields or boxes which ask for bank or credit card details and passwords. HMRC have warned that some phishers also add links to genuine HMRC websites to try and make the emails appear genuine.

Fraudsters often send high volumes of phishing emails in one go and they may therefore start the email with generic greetings for example 'Dear Customer' rather than a name. Lastly caution should be taken with any attachments on the email as these may contain viruses which are designed to steal personal information from the recipient's computer.

Reporting phishing emails

HMRC have advised that any suspicious emails should be sent to Where personal information has mistakenly been supplied in a reply to an email or text the details of what has been disclosed eg name, address, but not the actual details, should be sent to