Is This HMRC Tax Refund Text Real? A UK Check

HMRC scams are one of the highest-volume fraud categories in the UK. In a recent twelve-month window, HMRC recorded 71,832 reports linked to fraudulent tax-rebate claims — up 16.7% year on year — and over 135,500 HMRC-related scams in total across all categories. Most of these are SMS and email-driven, designed to harvest personal and banking details by promising a refund or threatening an unpaid-tax arrest.

The scripts work because the timing is good. Self Assessment deadlines in late January, the start of a new tax year in April, and the period immediately after a refund is genuinely owed (for example, after submitting a P50 or a marriage allowance claim) are when scammers send the heaviest volumes. A message that arrives the same week you actually filed your return feels plausible — even though HMRC’s actual policy is unambiguous: tax-rebate notifications come by letter through the post, never by text or email.

The cost when one of these works is two-fold. The immediate loss is whatever the fraudster takes once they have your card or bank details. The slower loss is the identity-fraud follow-on: a successful HMRC phish typically harvests your full name, date of birth, address, National Insurance number, and bank details — enough to open accounts in your name, apply for credit, or take over your existing accounts at the bank itself.

Almost every HMRC scam matches one of these patterns. Once you have seen them, they become quite easy to recognise:

1. “You are entitled to a tax refund of £xxx. Click here to claim.” By far the most common script. The amount is usually large enough to be attention-grabbing (£250–£800 typically) but not so large you assume it must be a mistake. The link goes to a page that looks like gov.uk but is a near-identical copy harvesting your details.
2. “You have unpaid tax. A warrant has been issued. Press 1 to speak to an HMRC officer.” The fear version. Automated phone call or SMS. HMRC does not issue arrest warrants by phone — that’s not how the magistrates’ court system works in the UK, full stop.
3. “Confirm your bank details to receive your rebate” (after a real refund is owed). The hardest version to spot because the timing is right. If you have just filed Self Assessment and are owed a refund, the message arrives the same week. The genuine refund will appear in your bank account from HMRC’s system without any further action on your part.
4. “HMRC Customer Service: your account is suspended.” Asks you to log in to “reactivate”. The login page captures your Government Gateway credentials. The fraudster then uses those to log in genuinely and request refunds in your name, sometimes for years.
5. Marriage Allowance or P50 claim scams. Telephone or email approach offering to “help” you claim a refund you may genuinely be entitled to, for a fee or in exchange for documents. Both claims are free and straightforward to make yourself through gov.uk.
6. WhatsApp or social-media DM impersonating HMRC. HMRC does not use WhatsApp, Facebook Messenger, Instagram, or any other social platform for individual taxpayer communication. Any DM claiming to be HMRC is a scam by definition.

The single best check — in fact, the only check you need — is to ignore the message entirely and look in two official places:

1. Log in to your HMRC Personal Tax Account directly. Type the URL yourself or use a bookmark you trust. If HMRC genuinely owes you a refund, it will show in your tax account. If they need anything from you, it will appear there as a message or to-do. If your account is silent, the SMS or email is a fraud, regardless of how convincing it looks.
2. Cross-check against HMRC’s published examples. HMRC maintains a regularly-updated page at gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples with screenshots of currently-circulating scams. There is also a guide specifically for SMS at gov.uk/guidance/check-if-a-text-message-youve-received-from-hmrc-is-genuine. If the message you received matches anything on either page, it is a fraud.

If you want HMRC to know about the scam attempt (which helps them block sender numbers and domains for the next victim), forward it: SMS to 60599, emails to phishing@hmrc.gov.uk, and phone-call attempts via the report-a-phone-call form on gov.uk. Action Fraud (0300 123 2040) is the right place to report if you have lost money or sent details.

HMRC’s communication style is consistent and quite limited, which is what makes scam messages stand out once you know the rules:

HMRC does:

• Send letters through the post for tax demands, refunds, and most enquiries.
• Update your Personal Tax Account with messages and to-dos.
• Send text-message reminders for Self Assessment deadlines — but only from short codes HMRC publishes, with no links to click.
• Phone you back if you raised the original enquiry. Cold calls offering refunds are not HMRC.

HMRC does not:

• Notify tax refunds by text or email. Refunds appear in your bank account from HMRC’s system, or by cheque.
• Ask for bank or card details by text or email.
• Use WhatsApp, Facebook Messenger, Instagram, or any social platform.
• Threaten arrest by phone or SMS. UK enforcement does not work that way.
• Ask you to click a link to “verify” or “reactivate” your account.

If a message you have received does any of the things in the second list, it is a scam regardless of how official the branding looks, how urgent the tone feels, or how convincing the spoofed sender ID is. Sender ID on SMS is trivial to spoof; gov.uk-looking branding takes a few minutes to copy. Neither is evidence of authenticity.

What to do depends on how far you got into the form. Clicking the link by itself is usually harmless — the damage comes from entering details on the page it opens.

If you clicked but didn’t enter anything:

• Close the page. Don’t enter anything on it now “to see what happens”.
• Forward the original message to 60599 (SMS) or phishing@hmrc.gov.uk (email) so HMRC can take down the sender.
• You can probably stop there.

If you entered card or bank details:

• Call your bank’s fraud line in the next hour. Reissue cards, place a marker on the account.
• Report to Action Fraud on 0300 123 2040 with the message and the page you submitted on. Keep the crime reference number for any disputes.
• Watch your bank account daily for at least two weeks for unfamiliar transactions, however small.

If you entered Government Gateway credentials:

• Change your Government Gateway password immediately at gov.uk/log-in-register-hmrc-online-services.
• Phone HMRC’s online services helpdesk on 0300 200 3600 to flag the compromise — they can place a security marker on your record.
• Check your Personal Tax Account weekly for at least three months. Compromised Gateway credentials are commonly used to file fraudulent Self Assessment returns claiming refunds, which can appear weeks or months later.
• Consider CIFAS Protective Registration (£30 for two years) given the value of compromised HMRC credentials to identity fraudsters.