Cyber security: How can you tell if an HMRC email is fraudulent


How do you know if an HMRC email is fraudulent?

The Government has published guidance on how to tell genuine HMRC emails from phishing emails.

Phishing emails are designed to introduce viruses, malware or ransomware onto your system, either through an attached file that activates it when the user opens the file, or through a link to a website that serves the same purpose.

Keeping anti-virus and anti-malware software regularly updated on your systems helps to provide some protection against this, but being aware that these emails exist and training your staff to recognise them is really important. Staff are normally the weakest point of your cyber security.

Accountants and finance professionals regularly receive HMRC emails, so updating yourself with their guidance will help you recognise a genuine email.

Their guidance offers advice on spotting whether an HMRC email is fraudulent:

“How to tell if an email is fraudulent

As well as spelling mistakes and poor grammar, there are a number of things you can look out for to help you recognise a phishing/bogus email.

…Incorrect ‘From’ address

Look out for a sender’s email address that is similar to, but not the same as, HMRC’s email addresses. Fraudsters often have email accounts with HMRC or revenue names in them (such as ‘[email protected]’). These email addresses are used to mislead you.

However be aware, fraudsters can falsify (spoof) the ‘from’ address to look like a legitimate HMRC address (for example ‘’).

If you’re not 100% sure that the message has come from us don’t open it. If you do open the email and you’re in doubt don’t click on any links or downloads”

They also provide examples of phishing emails and bogus contacts at 

The guidance also covers what information HMRC will never ask you for, emails that require ‘urgent’ action and bogus websites.
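The two ‘From’ address cases in the quoted guidance (a lookalike address, and a spoofed address that looks genuine) can be told apart from the message headers. The Python sketch below is an added example, not part of HMRC’s guidance or the original article; the trusted domain list, the `mx.example.org` gateway name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"hmrc.gov.uk"}   # assumption: confirm against HMRC's published guidance
BRAND_WORDS = ("hmrc", "revenue")   # names the guidance says fraudsters put in addresses
OUR_AUTHSERV_ID = "mx.example.org"  # assumption: your own mail gateway's authserv-id

def dmarc_verdict(msg):
    """Return the DMARC result stamped by our own gateway, or None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        # Ignore headers stamped by anyone else: a sender can forge those.
        if (authserv.split() or [""])[0].lower() != OUR_AUTHSERV_ID:
            continue
        match = re.search(r"\bdmarc=(\w+)", results.lower())
        if match:
            return match.group(1)
    return None

def classify_sender(raw_message):
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        text = f"{display} {address}".lower()
        return "lookalike" if any(w in text for w in BRAND_WORDS) else "unrelated"
    # The address looks right, so only the authentication verdict separates
    # a spoofed 'From' from a message that really passed DMARC for that domain.
    return "authenticated" if dmarc_verdict(msg) == "pass" else "possible-spoof"

# Constructed sample messages (not real HMRC mail).
LOOKALIKE = "From: HMRC Refunds <refunds@hmrc-rebate.example>\nSubject: Refund\n\nClick here"
SPOOFED = ("Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=hmrc.gov.uk\n"
           "From: HMRC <sample@hmrc.gov.uk>\nSubject: Refund\n\nClick here")
FORGED_RESULT = ("Authentication-Results: mail.attacker.example; dmarc=pass header.from=hmrc.gov.uk\n"
                 "From: HMRC <sample@hmrc.gov.uk>\nSubject: Refund\n\nClick here")
PASSED = ("Authentication-Results: mx.example.org; dkim=pass header.d=hmrc.gov.uk;"
          " dmarc=pass header.from=hmrc.gov.uk\n"
          "From: HMRC <sample@hmrc.gov.uk>\nSubject: Your statement\n\nHello")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                      ("forged result", FORGED_RESULT), ("passed", PASSED)]:
        print(f"{name:14} -> {classify_sender(raw)}")
```

An "authenticated" result only says the sending domain was verified by your gateway; it says nothing about the links or attachments in the message.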

You can also protect your systems by implementing user access rights that do not allow sufficient access for some of these types of malware or viruses to install automatically.

Implementing a series of basic essential controls will help to safeguard your business from falling foul of cyber crime, and generally it will be a combination of controls which will provide your business with the greatest protection.

The Government-backed Cyber Essentials scheme is a good starting point to protect you against 80% of the most common threats.

See more from the Government at: Genuine HMRC contact and recognising phishing emails and text messages
