
Tax-Season Phishing: Refund Lures and HMRC Impersonation
Like clockwork, every spring brings a surge of tax-themed scams. As deadlines loom and refunds are on people’s minds, criminals impersonate HMRC with fake rebates, urgent demands and threats of penalties, aimed at individuals and busy finance teams alike. The lures are seasonal, but the goal is the same all year round: your login details, your card details and your money.
The short version: a tax-season scam arrives as a text or email offering a refund or warning of an overdue bill, uses a deadline to rush you, and sends you to a look-alike HMRC page that harvests your login and bank details. Genuine tax authorities never ask for payment or bank details via a message link, and that single rule defeats most of these attacks.
Why tax season is a scammer’s favourite
The timing does the heavy lifting. Real deadlines create genuine anxiety, real money is moving in both directions, and almost everyone has a relationship with the tax authority, so a message that mentions it feels plausible. Add the authority of an official-looking sender and a ticking clock, and even careful people can be rushed into a mistake. Verizon’s 2025 Data Breach Investigations Report underlines why it works: around 60% of breaches involve a person being tricked or slipping up.
How a tax-refund scam plays out
- The bait. A text or email offers a refund “you are owed”, or warns of an overdue bill.
- The pressure. A deadline, penalty or threat of legal action pushes you to click without pausing.
- The fake portal. A convincing HMRC look-alike asks you to “verify” with your login and bank details.
- The theft. Those credentials and card details go straight to the attacker.

Beyond the classic refund email
The tax lure now spans channels. Scam texts (smishing) point to look-alike domains that impersonate the real HMRC site; fake “accountant” or payroll emails target finance staff directly; and QR codes in letters or emails route victims to fraudulent portals on their phones. The common thread is a plausible pretext and a link that leads somewhere it should not.
What genuine tax authorities never do
- Ask for your bank or card details to “process a refund” via an email or text link.
- Demand immediate payment by unusual methods, or threaten arrest, by message.
- Rush you with a countdown to claim money you are supposedly owed.
How to stay safe
Reach HMRC the official way
Only ever access tax accounts by typing GOV.UK into the browser or using a saved bookmark, never a link in a message. If a refund or bill is real, it will be there when you log in directly.
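For teams triaging reported tax messages, the same GOV.UK rule can be applied mechanically to every link in a message body. The sketch below is an added example, not Phishing Tackle code; the token list, function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: only gov.uk and its subdomains count as genuine.
OFFICIAL_SUFFIX = "gov.uk"
# Assumption: illustrative lure vocabulary; substring matching is a heuristic
# and will also hit unrelated hosts that happen to contain "tax".
BRAND_TOKENS = ("hmrc", "gov-uk", "govuk", "gov.uk", "tax", "refund", "rebate")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message (not a real campaign); .example is a reserved TLD.
SAMPLE = (
    "HMRC: you are owed a refund of 284.10. Claim within 24 hours at "
    "https://www.gov.uk.refund-claim.example/verify or see "
    "https://www.gov.uk@tax-portal.example/login. Official site: https://www.gov.uk/"
)


def is_official(host: str) -> bool:
    """True only if host is gov.uk itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike', 'other' or 'malformed' for one URL."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced '[' in the host
        return "malformed"
    # .hostname drops any "user@" prefix, so "gov.uk@evil" resolves to "evil".
    host = (parts.hostname or "").lower()
    if is_official(host):
        return "official"
    if any(tok in host + parts.path.lower() for tok in BRAND_TOKENS):
        return "lookalike"
    return "other"


def scan_message(text: str) -> dict:
    """Map every URL found in a message body to its classification."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")  # drop sentence punctuation glued to the link
        results[url] = classify_url(url)
    return results
```

Anything classified as a lookalike is a candidate for blocking and for a search across other mailboxes, since the same link usually reaches several recipients.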
Protect your finance team
Treat any emailed change to bank or payment details as suspect, and verify it through a known contact before acting. Payroll and accounts payable are prime targets in the run-up to deadlines.
Train and make reporting easy
Seasonal threats are a perfect moment for a timely reminder. Run realistic simulations using tax-themed lures, and give staff a one-click way to report suspicious tax emails so the campaign is spotted early.
The bottom line
Tax-season phishing succeeds by borrowing the calendar’s built-in urgency. The defence is refreshingly simple to teach: never act on a tax message’s link, reach HMRC only through GOV.UK, and double-check any request to move money or change bank details. A moment’s pause in spring saves a great deal of trouble later.
