UK tax refund phishing slows in 2025 but scams persist
A welcome dip in emails impersonating HM Revenue & Customs in the first half of 2025 has raised hopes that one of Britain’s most persistent online cons might be losing steam. Reports from monitoring organisations show a marked fall in the volume of HMRC-branded phishing emails, yet security experts caution that this is more of a reprieve than a defeat. Criminals are agile and inventive: when one vector tightens, they shift to another.
Why HM Revenue & Customs phishing dropped — and why the picture is complex
Multiple factors probably combined to reduce the number of HM Revenue & Customs email scams observed in early 2025. Email providers and internet-service operators have steadily improved automated filtering and reputation systems, catching more malicious campaigns before they reach inboxes. Broader deployment of sender authentication standards such as SPF, DKIM and DMARC has made it harder for attackers to spoof credible senders convincingly. Coordinated takedowns and swifter reporting processes have disrupted established hosting and payment infrastructure used by fraudsters. Meanwhile, public education drives by HMRC, the National Cyber Security Centre (NCSC) and law-enforcement channels like Action Fraud have kept many people alert to tell-tale signs of phishing.
However, headline declines in one category of reported emails do not capture the full threat. Less visible trends suggest adaptation rather than retreat. Cybercriminals have been moving resources into SMS-based “smishing,” voice phishing using increasingly convincing scripts and deepfakes, targeted spear-phishing that leverages personal data, and scams on social media and messaging platforms. Attackers also experiment with generative AI to tailor messages to individuals, increasing the likelihood of successful fraud despite lower overall volume.
What the decline does — and does not — tell us
Metrics counting reported HMRC-branded email campaigns are useful, but they are only one lens on a shifting landscape. A drop in reports might reflect genuine reductions; it might mean better upstream filtering that prevents campaigns from reaching users; or it might indicate under-reporting, if people are falling victim to subtler, more convincing scams and not notifying authorities. Law enforcement and policymakers stress that the fight against fraud must be judged by a range of indicators: volumes, victim reports, financial losses, and the movement of criminal infrastructure.
Practical guidance for the public
For individuals, the core message remains unchanged: scepticism and verification save money and stress. HM Revenue & Customs and the NCSC publish clear guidance on how HMRC contacts taxpayers, what information it will never request by email or text, and how to report suspicious messages. Key practices include:
– Treat unexpected messages with caution — especially those claiming refunds or threatening enforcement.
– Check sender addresses carefully; official correspondence will not come from generic or misspelled domains.
– Avoid clicking unsolicited links. Type the organisation’s address into your browser instead.
– Use unique, strong passwords and enable multi-factor authentication where available.
– Keep operating systems and apps up to date to reduce exposure to known vulnerabilities.
– Report suspicious communications to HMRC, the NCSC and Action Fraud to support coordinated takedowns.
Advice for organisations and defenders
Security teams should adopt layered defences. Strengthen email authentication (SPF, DKIM, DMARC), deploy advanced threat-detection tools, and run realistic user-awareness exercises to reduce the success rate of social-engineering attacks. Rapid reporting and takedown processes are critical; information-sharing forums coordinated by the NCSC can help smaller organisations and public-sector bodies punch above their weight by pooling intelligence and best practice.
Regulatory and policy challenges
Regulators face a delicate balancing act: raising security standards without imposing disproportionate burdens on legitimate communications or stifling digital innovation. Policymakers in Westminster and European forums are debating liability rules, minimum security requirements for platforms, and obligations to remove fraudulent material promptly. Cross-border cooperation is essential, because cybercrime infrastructure frequently spans multiple jurisdictions, complicating enforcement.
Look ahead: vigilance, consolidation and cooperation
The fall in HMRC-branded email phishing is a positive development, but it should be treated as a strategic opportunity — a pause to consolidate gains rather than a reason for complacency. Sustained progress will require continued investment in technology, persistent public education, stronger industry collaboration on takedowns and authentication, and robust law enforcement action where possible.
If defenders rest on their laurels, scammers will exploit other channels or refine their techniques. How long this lull in HM Revenue & Customs email scams lasts depends on whether improvements in detection, policy and user behaviour are maintained and expanded. Until then, individuals and organisations should remain vigilant: the next trick is often only a click, a text or a phone call away.




