What do you do when the institution meant to collect your taxes becomes the very brand most impersonated by criminals? For hundreds of thousands of UK taxpayers the answer in the last 10 months has been: report, worry and double‑check — because HM Revenue & Customs has received 135,500 reports of suspected scams in that period, including 4,800 reports tied to self‑assessment filings, a surge that underlines a growing, shifting fraud landscape.
Background matters. HMRC, the National Cyber Security Centre (NCSC) and law enforcement agencies such as Action Fraud have long warned the public about impostor messages promising refunds, demanding payment or threatening enforcement. Those campaigns exploit urgency, confusion around tax rules and the seasonal spikes that come with filing windows. In the recent reporting window, the sheer number of contacts to HMRC about suspected fraud — more than 135,000 — shows both the persistence of the threat and improved public willingness to flag suspicious activity.
The current picture is paradoxical. On one hand, monitoring groups and security professionals have observed a marked fall in the volume of HMRC‑branded phishing emails in some parts of 2025, suggesting that better email filtering, stronger sender authentication (SPF, DKIM, DMARC) and coordinated takedowns are having effect. On the other hand, the totals reported to HMRC — including nearly 4,800 reports connected to self‑assessment — show that scams remain widespread and that attackers are adapting rapidly.
Why this matters goes beyond headlines. Tax‑themed scams erode trust in essential public services, create financial harm for victims, and strain the resources of agencies trying to prevent fraud while still delivering routine services. The emergence of more convincing playbooks — smishing (SMS phishing), voice phishing, targeted spear‑phishing, and the use of generative AI to craft personalised lures — raises the success rate of scams even if overall email volumes fall. That shift can make detection harder and victims less likely to recognise they have been targeted.
Technologists see the story as a layered defence problem. Improved email authentication and upstream filtering reduce mass, low‑sophistication campaigns, but they are not a panacea. Security teams advise:
- Strengthen email authentication (SPF, DKIM, DMARC) and reputation systems to limit spoofing.
- Deploy behavioural and content‑analysis tools that detect social‑engineering signals rather than only known indicators.
- Adopt rapid takedown and information‑sharing processes so small providers and public bodies can benefit from collective intelligence.
Policymakers face tradeoffs. Raising baseline security standards and imposing faster removal obligations on platforms can reduce visible scams, but heavy‑handed rules risk over‑burdening legitimate communications or slowing innovation. Cross‑border legal complexity is a persistent barrier: infrastructure and payment flows used by fraudsters often span jurisdictions, meaning takedowns in one country do not always stop campaigns originating elsewhere. The consensus among authorities is that metrics for success must include reported volumes, verified victim losses and the dismantling of criminal infrastructure — not just a decline in one category of reported email.
From the user standpoint, the guidance is straightforward and consistent: be sceptical, verify, and report. HMRC and allied bodies recommend never clicking unsolicited links in messages claiming to be from HMRC, checking sender addresses for anomalies, and using official web channels or phone numbers that you have independently verified. Reporting suspected messages to HMRC, the NCSC and Action Fraud helps authorities identify trends and act more quickly.
Adversaries, meanwhile, are pragmatic and opportunistic. When defenders harden one vector, attackers pivot. The decline in HMRC‑branded emails appears to have prompted a move toward SMS, voice calls, social‑media approaches and personalised campaigns that abuse data aggregated from breaches or public sources. Generative AI is an accelerant: it can make lures more grammatically fluent, personalise content at scale and produce voice or video deepfakes that raise the bar for what the average person can detect as fraudulent.
The practical implications are clear and immediate:
- Individuals should treat unexpected messages claiming refunds or threatening enforcement with high suspicion and use official HMRC channels for verification.
- Organisations must assume phishing will succeed sometimes and design systems with compartmentalisation, fast incident response and user education to limit impact.
- Policymakers should prioritise cross‑border cooperation, realistic liability frameworks for platforms, and sustained funding for public awareness campaigns and technical defences.
There are encouraging signs. Better filtering, public awareness and co‑ordinated takedowns have likely reduced some forms of HMRC‑branded email phishing activity. But the 135,500 reports — and the almost 4,800 tied to self‑assessment — are a reminder that defenders have not won, they have only changed the terms of engagement. The lull in one channel can quickly become opportunity in another.
So where does accountability rest? It is shared. Technology firms must keep improving detection and removal; public agencies must communicate clearly and make reporting simple; users must retain healthy scepticism; and international partners must close legal gaps that let criminal infrastructure flourish. Absent that collective, persistent effort, the next wave of scams will be less visible, more personal and, therefore, more damaging.
If the past 10 months teach us anything, it is that vigilance is not a one‑off campaign but an ongoing posture — because the real cost of complacency is not just lost money, it is the slow corrosion of public trust in institutions we depend on to run an open society. How long will we treat that trust as expendable when the stakes are this high? For more details, see the original report at https://www.infosecurity-magazine.com/news/hmrc-warns-of-over-135000-scam/




