/ Money

Tax return deadline: watch out for ‘smishing’ attempts

With the deadline for self-assessments tax returns this Friday, ‘smishing’ scammers are looking to take advantage. Have you been sent a dodgy SMS text message?

Have you done your tax return yet? Whether or not you have (I can smugly report that mine is done and filed), you might well have had a text claiming to be from HMRC announcing that you’re due a refund.

The bad news is that it’s not from HMRC, and if you are due a refund, first, congratulations, and second, you’ll have heard about that by post – not via a text message. 

How to spot the biggest HMRC tax scam tactics

We’re all familiar with emails that arrive in our inboxes claiming to offer tax refunds, imploring us to ‘verify’ our account details and announcing that a Nigerian prince would like to park hundreds of millions of dollars in our bank accounts and give us a cut of the loot for our trouble.

‘Popular season’ for scam attempts

This time of year is a popular one for fraudsters as they attempt to trick us into handing over our log-in details.

Indeed, we warned about phishing emails claiming to be from HMRC three years ago.  

However, the scammers have added another string to their bows: SMS phishing messages, known as ‘smishing’, and we’ve noticed a bit of a flurry of them recently as scammers hope to capitalise on the fact that many of us are thinking about doing our tax return and that we’d all love a tax refund.

How can you spot one? The same principles apply to SMS messages as to emails – look at the URL they want you to tap through to. Here are two examples:

In the first, the URL is hmrc.co.uk-pending-payment.online. At first glance, that looks legit: it’s got ‘hmrc.co.uk’ in it. But it’s fake.

First, HMRC’s actual website is:


Second, that URL in the image has nothing to do with HMRC. The key is to look at the end of the URL – in this case, the domain is uk-pending-payment.online

Subdomains explained

In both these examples, the scammers have used a subdomain. This is a way of organising websites to help people navigate to the right place, and you can create as many subdomains as you like on a domain you own.

For example, conversation.which.co.uk is a subdomain of which.co.uk.

What these fraudsters have done is create hmrc.co as a subdomain of uk-pending-payment.online.

On our second example, the full URL is:


The actual domain is app08.net, and the subdomain is refund.hmrc.gov. In this case they’re also trying to send you to a specific page on the site they set up. That’s the bit after the slash: back.html.

We’re pleased to see that both of these sites have now been taken down.

Reporting smishing texts

Suspicious texts like these should be reported to HMRC on 60599. You can also report phishing emails to it directly using phishing@hmrc.gov.uk

What’s confusing, though, is that HMRC does send out legitimate texts urging you to get on with doing your tax return.

The scammers rely on people having had these texts and going on to assume that the scam ones are also real. This is what a genuine HMRC text looks like:

As you can see, there’s no URL and, because they’ve all come from the same SMS provider, they appear as a thread in your SMS app.

HMRC also has a guide on its website to how to recognise genuine emails and texts from them.

So how good are you at recognising a phishing email or smishing text?

Test yourself with Google’s online phishing test (it’s safe to put in the details they ask for, by the way) and let us know in the comments how you got on. (I got them all correct, for the record!) 


I completed my tax return earlier this month. Probably through coincidence (at least I sincerely hope so) had a recorded telephone message, which began by telling me I need to act quickly to avoid legal action and asked for my national insurance number. At this time I was in the process of hanging up, but I suspect this was a scam call connected to HMRC.

Do Not Bother Me says:
1 February 2020


An interesting choice of domain! Made to look like a real google.com sub-domain.

If legitimate companies do this, it is no wonder we fall for the scammers.

Nice one closing down the dodgy domains. When will we hear that the crooks have been prosecuted?

The site might seem dodgy, but in this instance it is actually a legitimate site. The “WithGoogle” domain is a Google domain that enables non-profits and others to experiment using the suite of Google tools to build different projects. Here’s a few projects that are showcased: https://experiments.withgoogle.com/

Strong point on how legit companies don’t necessarily engender trust by doing this though, not least since this isn’t very well known.

I have had phone calls from people saying they are from HMRC saying that I need to pay £3700 now or there will an arrest warrant sent to me. They actually give a name of a police Constable who will call me. I know I don’t owe any money so I known it’s a scam. I hang up. Then the phone goes again and they say they are from New Addington police station. They say they are coming around arrest me. I hang up. They phone another 3 times and I keep hanging up. When they call a UK phone number appears on my phone. I checked the phone number and it actually is New Addington police stations number. The police station closed about a year ago..
I had about 4 different people calling me all of Indian accent which makes me think this is from call centres abroad.
Please be careful as they are trying all the tricks in the book.

Bill Black says:
10 June 2020

My road tax was due to be renewed at the end of May. I received a reminder from DVLA and on 19th May I googled road tax and ended up on a website I later discovered was actually vehicleinformation.uk. It seems it is at the top of the google search for road tax!

When I entered my car registration number it came up with a lot of factual information about my car which led me to believe it was a genuine government website. I put in my credit card details in order to pay £150 road tax. It was only in early June, after I had a query from an organisation I work with, that I found my tax had not been paid and was overdue. I was driving illegally.

On checking I found that my credit card had made a payment to vehicleinformation.uk of .50 pence on the 19th May and a further transaction of £5.95 the following day marked recurring payment.
I found out that vehicleinformation.uk is a reminder service re when your road tax or mot is due. You pay £5.95 a month for the privilege of being reminded even although DVLA will send you reminders anyway. Maybe the lack of a road tax discs these days makes it easier to forget when to renew your tax?

I subsequently paid my road tax on the proper government website and went into the account section of vehicleinformation.uk and closed the account I had unwittingly opened. I also sent them an email asking them to refund my £6.49 but without any great expectation of getting it. If I had not been informed by the organisation I work with I would be driving around just now with an untaxed vehicle and £5.95 being paid out every month for a “service” I don’t need.

So a warning to check you have actually paid your road tax and check your bank statement for vehicleinformation.uk