Guidance

Genuine HM Revenue and Customs contact and recognising phishing emails

Updated 22 March 2017

1. Current list of digital and other contact issued from HM Revenue and Customs (HMRC)

1.1 VAT Flat Rate Scheme

During March, HMRC will be sending letters and emails to businesses that use the VAT Flat Rate Scheme. These letters tell businesses about the change and advise them to check GOV.UK to see if they’ll be affected. The emails will not request personal or financial information.

1.2 Calls to Self Assessment Online users

From week commencing 13 March 2017, HMRC may telephone self-assessment customers who have requested a repayment through their online Self Assessment account for repayment directly into their bank account.

The calls will be made in cases where HMRC have been unable to validate the request.

HMRC will not request any financial information during the call. HMRC will however ask questions relating to the customer to validate their identity.

1.3 Overseas entities selling e-services into the UK

From October 2016, HMRC will be communicating with businesses based overseas who sell e-services into the UK. The primary method of communicating with these businesses will be via email.

The initial email to them will contain a link to this web page, so that the recipient can see HMRC is carrying out such communications. These emails will not ask for personal or financial information.

1.4 Tax credits calls to self-employed customers

HMRC may telephone new or existing self-employed tax credits customers to ask about their self-employment. Self-employed customers who have been receiving Working Tax Credit for a number of years will have received a letter last year to tell them about the new strengthened test for self-employed people. Customers who have made a recent claim for tax credits and said in their claim that they, or their partner, are self-employed, won’t have received a letter from us about this check but we may contact them by telephone first.

In this call, HMRC will ask what trade, vocation or profession the customer undertakes. They may ask questions about the number of hours the customer works as a self-employed person and what type of activity that includes. After the call, they will send the customer a letter tailored to their circumstances asking them to provide further evidence of their self-employment.

HMRC won’t ask the customer to provide any personal details such as bank account numbers over the phone.

1.5 VAT EU emails

Some customers that use the VAT EU refunds service may receive an email if their claim has failed validation. The email will provide details explaining why the claim has failed. The emails won’t request any personal or financial information.

1.6 Emails to overseas businesses selling goods in the UK through online marketplaces

From September 2016, HMRC will be contacting businesses based outside the UK who sell goods to customers in the UK through online marketplaces.

The main way we will contact these businesses will be by email. The emails will be about their VAT obligations in the UK, and the initial email will explain why we’re contacting them.

The emails will also contain a link to this web page so the recipients can see that HMRC is using email for this purpose.

1.7 Tax-Free Childcare communications

Communications to childcare providers

From the middle of March 2017, reminder letters are being sent to childcare providers inviting them to sign up to Tax-Free Childcare. Childcare providers who have not yet signed up to Tax-Free Childcare following the invitations sent out in September and October 2016 will receive these further letters. The letter provides the online address where childcare providers can sign up, their unique user ID and the details of what they will need to have available to complete this process. The online address that will direct providers to sign up is: https://childcare-support.tax.service.gov.uk/.

The letters will carry the HM Government logo and contains a link to additional information available on GOV.UK, such as ‘Find out more about Tax-Free Childcare for childcare providers’.

Emails will be sent out to childcare providers and local authorities on the 22 March 2017. They will carry the HM Government logo and the new ‘Childcare Choices’ branding. The emails will link to a ‘toolkit’ with promotional materials on ‘Childcare Choices’ hosted by our partnership marketing provider ’23 Red’.

Communications to parents taking part in the childcare service trial

Parents who have registered to take part in the trial of the childcare service will be sent emails and/or letters inviting them to apply for Tax-Free Childcare and/or 30 hours free childcare for 3 and 4 year olds.

These emails will carry the HM Government Logo and provides the online GOV.UK address where parents can apply. They are being sent by HMRC and Kantar UK Public (formally TNS BMRB) who is HMRC’s partner supporting the delivery of the trial.

1.8 Trade statistics import/export data emails

HMRC’s Trade Statistics Unit regularly sends emails to business customers regarding import and export statistical data, and the related services accessed from HMRC’s trade statistics website.

These include business alerts, service updates, deadline reminders, data quality reviews and survey requests. These messages may include links to further information, educational or survey content on the uktradeinfo website.

They won’t request any personal, payment or tax related information.

1.9 Educational emails

HMRC will periodically send emails to customers to support their business life events. The emails will include links to relevant online digital education material used to offer you help in relation to your business and will appear in your address bar as no.reply@advice.hmrc.gov.uk. These emails will never ask you to provide personal or financial information.

1.10 Debt management

Text messages

HMRC is sending text messages to some customers, explaining what you need to do if you’re behind with your payments. These messages will also give details for paying HMRC or a helpline number for you to contact.

HMRC are also sending messages that will give advice about the importance of making payments using the correct information.

The messages won’t request any personal or financial information.

Voice prompts to landline and mobile phones

HMRC is sending voice prompts to some customers, explaining what you need to do if you’re behind with your payments. Customers will receive these as an inbound phone call giving details for paying HMRC or a helpline number for you to contact.

HMRC are also sending messages that will give advice about the importance of making payments using the correct information.

The messages won’t request any personal or financial information.

1.11 VAT emails

1.11.1 VAT Returns - email reminders

HMRC will send an email to customers to remind them when their VAT return is due if they have registered to receive email reminders. The emails are entitled ‘Reminder to file your VAT Return’ and contain links to a further information page and a link to the sign in page on GOV.UK. These emails will never ask you to provide personal or financial information.

1.11.2 VAT registration - email

HMRC will send an email to customers who have registered for VAT using HMRC online services. HMRC will use the email address customers have provided to advise that they need to log into their online tax account in order to view a message in the secure messaging area. These emails will never ask you to provide personal or financial information.

1.11.3 VAT debts - email reminders

HMRC may send an email to customers who are overdue with VAT payments. HMRC will use email addresses that customers have already provided and will recommend that customers pay online to avoid further action. These emails will never ask you to provide personal or financial information. You won’t be able to reply to the emails, which will be sent from no.reply@advice.hmrc.gsi.gov.uk.

1.12 Research communications

HMRC sends letters and emails to potential research participants where their feedback will help to improve the performance of the department and the legislation it regulates.

We have recently sent a letter to potential participants for a new research project looking at customers’ views of proposed changes to Pay As You Earn. The communications request participation in a short telephone survey. The letter was sent from Kantar Public, an independent research agency conducting the project on behalf of HMRC, and does not request any personal, payment or tax related information at this stage.

1.13 Employer email alerts

HMRC sends informational emails several times a year to employers who have registered to receive them. These emails never ask you to provide personal or financial information.

The latest batch of emails issued by HMRC will be sent from 13 March 2017. The emails are titled ‘Important information for employers’. The emails include links which direct recipients to HMRC pages on the GOV.UK website, including advice about online security.

1.14 Statutory notices requesting information

HMRC’s Centre for National Information (CNI) regularly issues statutory notices to the holders of certain types of information, asking them to provide relevant details to HMRC. The holders of the information have a legal obligation to provide the data requested.

The notices requesting information can be sent by post or email.

Notices issued by email will also contain a link to this web page so the recipients can see that HMRC is using email for this purpose.

2. How to tell if an email is fraudulent

As well as spelling mistakes and poor grammar, there are a number of things you can look out for to help you recognise a phishing/bogus email.

2.1 Incorrect ‘from’ address

Look out for a sender’s email address that is similar to, but not the same as, HMRC’s email addresses. Fraudsters often have email accounts with HMRC or revenue names in them (such as ‘refunds@hmrc.org.uk’). These email addresses are used to mislead you.

However be aware, fraudsters can falsify (spoof) the ‘from’ address to look like a legitimate HMRC address (for example ‘@hmrc.gov.uk’).

If you’re not 100% sure that the message has come from us, don’t open it. If you do open the email and you’re in doubt don’t click on any links or downloads.

Examples of phishing and bogus emails.

2.2 Personal information

Emails from HMRC will never:

  • notify you of a tax rebate
  • offer you a repayment
  • ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference or details of your bank account
  • give a non HMRC personal email address to send a response to
  • ask for financial information such as specific figures or tax computations, unless you’ve given us prior consent and you’ve formally accepted the risks
  • have attachments, unless you’ve given prior consent and you’ve formally accepted the risks
  • provide a link to a secure log-in page or a form asking for information - instead we will ask you to log on to your online account to check for information

2.3 Urgent action required

Fraudsters ask for immediate action. Be wary of emails containing phrases like ‘you only have 3 days to reply’ or ‘urgent action required’.

2.4 Bogus websites

Fraudsters often include links to webpages that look like the homepage of the HMRC website. This is to trick you into disclosing personal/confidential information. Just because the page may look genuine, doesn’t mean it is. Bogus webpages often contain links to banks/building societies, or display fields and boxes requesting your personal information such as passwords, credit card or bank account details.

You should be aware that fraudsters sometimes include genuine links to HMRC web pages in their emails, this is to try and make their emails appear genuine.

2.5 Common greeting

Fraudsters often send high volumes of phishing emails in one go so even though they may have your email address, they seldom have your name. Be cautious of emails sent with a generic greeting such as ‘Dear Customer’. Emails from HMRC will:

  • usually use the name you’ve provided to us, other than where you sign-up to HMRC subscription services
  • always include information on how to report phishing emails to HMRC

2.6 Attachments

Be cautious of attachments as these could contain viruses designed to steal your personal information.

3. HMRC Short Message Service (SMS) text messages

3.1 SMS text message - activating 2-Step Verification

2-Step Verification is an additional security feature which helps to prevent someone else from accessing a customer’s digital account, even if they have their user ID and password. When activating 2-Step Verification, HMRC will send an access code via SMS to the customers’ nominated mobile phone number, which the customer will need to complete the set-up. These SMS messages will never ask the customer to provide personal or financial information.

This means that once customers have activated 2-Step Verification, the only way to access the account will be with the Government Gateway user ID, password and access to the phone which has been registered.

HMRC is planning ways of increasing the number of users who can benefit from 2-Step Verification.

3.2 SMS text message - 2-Step Verification for future log-ins

After activating 2-Step Verification, each time the customer logs in, HMRC will send an access code via SMS to the registered mobile phone number, which will be needed to complete the log-in process. These SMS messages will never ask the customer to provide personal or financial information.

If a customer no longer has access to the mobile phone registered for 2-Step Verification, they will need to ring the Online Services Helpdesk and verify their identity to deactivate it. The customer can then register their new mobile number for 2-Step Verification when they log in the next time.

3.3 Tax credits - SMS text or voice prompts

HMRC is contacting some tax credits customers by SMS and voice message asking them to update or confirm their circumstances if the details they hold (that is, income or working hours) differ from the information shown on their employer records.

Tax credits customers who send in their renewal or a new claim will receive an SMS text message confirming that HMRC has received their claim or renewal and estimated processing times. Customers may also receive an SMS text message to remind them to renew their tax credits claim. These reminder messages will only direct them to the GOV.UK website to renew their claims online. These messages won’t request any personal or financial information.

Tax credits customers who report a change in their circumstances using the online service may receive an SMS text message confirming that HMRC has received and processed their change. These messages will not request any personal or financial information.

If you have received a phishing/bogus email related to HMRC, or you’re not sure if it’s genuine, you can read about how to report internet scams and phishing to HMRC.