
HMRC internal manual

Shared Workspace Business Manual

HM Revenue & Customs

Information Security: Phishing

Phishing is a criminal scam using a collection of techniques that trick people into divulging sensitive and confidential information. Phishers attempt to fraudulently obtain information, such as user names and passwords, by pretending to represent official and trustworthy organisations via electronic communications. Phishers then use this information to access systems fraudulently.

Phishing is typically carried out by email or instant messaging, and often directs users to click through to a bogus website to obtain personal details, although phone contact is also used.

Avoiding Phishing and Shared Workspace

The successful operation of Shared Workspace relies on the generation of emails that ask members to log in to HMRC Online Services with links to new items in a Room. Members need to be sure that these emails have come from the right source.

Phishing emails are designed to look identical to genuine emails. There may be nothing to alert members to the fact that they are being sent to a dummy web site.

By setting up the dummy site the person sending the email hopes that they can trick people into giving away log-in information which can be used for gaining unauthorised access to the service.

Measures that Customer Members can employ to avoid being deceived by a phishing attack are:


  • always log in to the service from the HMRC website before selecting the link
  • check where the link goes. In HTML emails, the text may claim to take you to one site, but it will actually take you to another. The best way to avoid this is to hover the mouse pointer over the link for a few seconds. A box will appear showing where the link really goes. It should always start with and must not contain the “@” symbol anywhere within the link
  • if not already logged into the service, you will be directed to the following address to log-in If you are taken to any other address do not log in, instead contact the Online Services helpdesk (see below) for further advice
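The link checks in the list above can also be applied automatically to the HTML body of an email. The following is an added example, not part of the HMRC manual: the prefix `https://online.service.example/` is a placeholder because the expected address is not reproduced on this page, the sample email is constructed, and all function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder prefix (assumption): the genuine address is not shown on this page.
EXPECTED_PREFIX = "https://online.service.example/"

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_host(href):
    """Host the browser connects to; anything before '@' is only a user name."""
    return urlsplit(href).hostname

def check_link(href, text, prefix=EXPECTED_PREFIX):
    """Return the reasons a link fails the checks in the list above."""
    problems = []
    if not href.startswith(prefix):
        problems.append("unexpected-prefix")
    if "@" in href:
        problems.append("contains-@")
    # Link text that is itself a URL must name the host the link really goes to.
    if text.lower().startswith(("http://", "https://")) and real_host(text) != real_host(href):
        problems.append("text-host-mismatch")
    return problems

def audit_email(html, prefix=EXPECTED_PREFIX):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, prefix) for href, text in parser.links}

# Constructed sample email body (not a real message).
SAMPLE_HTML = """
<p><a href="https://online.service.example/room/42">View new item</a></p>
<p><a href="http://login.invalid/signin">https://online.service.example/login</a></p>
<p><a href="https://online.service.example@login.invalid/room">Open Room</a></p>
"""
```

In the third sample link the trusted-looking name before the "@" is treated as a user name, so `real_host` returns `login.invalid`, which is why the "@" rule matters.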

If you suspect you have received a ‘Phishing’ email do not attempt to log in to Shared Workspace using the link. Please contact the Online Services Helpdesk (see below) to report the incident as follows:

telephone 0300 200 3600
minicom 0300 200 3603
overseas +44 16 1930 8445


If you are concerned that you may have disclosed any personal or security details, please contact the Online Services Helpdesk.

Please note carefully

Before clicking on a link received in an email you should first visit the HMRC website to log on to HMRC Online Services. You should never enter your log in details directly from email links - always go to the HMRC website to enter your personal information. This will protect your log in and password details.

Please note that HMRC does not send emails directly to customers other than as acknowledgement of email received and never sends or asks for sensitive information such as this.