HMRC Phishing Scam Alert: What Businesses Need to Know to Stay Safe

  • emmamoss58
  • Apr 28
  • 3 min read


A recent alert issued by the National Fraud Intelligence Bureau (NFIB) has highlighted a concerning phishing scam targeting UK businesses under the guise of official HMRC correspondence. First identified in February 2025, the phishing campaign was designed to trick recipients into disclosing highly sensitive personal and financial information.


While reports have since declined, this scam serves as a stark reminder that cyber criminals continue to impersonate trusted institutions to deceive businesses. For SMEs and company directors, the cost of falling victim to such attacks can be significant—ranging from financial losses to reputational damage and data breaches.


What Did the HMRC Phishing Scam Involve?

The fraudulent emails in this campaign used company-specific details to appear legitimate. The subject line included the business name, creating the illusion of a targeted, official communication. The message claimed the recipient’s organisation needed to complete VAT compliance checks, linking to a fake HMRC login page that closely resembled the real portal.


Once there, users were instructed to:


  • Log in with their credentials

  • Confirm the company director's personal contact details

  • Upload photo identification

  • Record a video for facial and voice recognition

  • Submit a month’s worth of company bank statements


This type of social engineering attack exploits urgency and authority to coerce victims into handing over sensitive information. It not only puts business finances at risk but also opens the door to identity theft, account compromise, and future fraud attempts.


What Should You Do If You Receive an Email from HMRC?

HMRC does contact businesses via email in some cases—but they will never ask for sensitive personal data, passwords, or verification via video or document uploads through unsolicited emails.


Here’s how to handle a suspicious HMRC email:


  • Do not click on any links or download attachments.

  • Do not reply with personal or business information.

  • Contact HMRC directly via their official channels if you're unsure whether the message is genuine. Use trusted contact pages such as HMRC's VAT: General Enquiries page.

  • Forward suspicious emails to: phishing@hmrc.gov.uk


If you’ve already clicked a link or submitted information, report it immediately to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040.


Why Phishing Attacks Remain a Persistent Threat

Phishing emails are becoming increasingly sophisticated. By mimicking the tone, design, and context of genuine emails, scammers are finding new ways to bypass both technical defences and human vigilance. And while no system is foolproof, SMEs can take important steps to reduce their risk.


The National Cyber Security Centre (NCSC) offers practical resources for business owners, including:


  • Phishing guidance for organisations: the NCSC's "Phishing: guidance for organisations" page.

  • Small Business Guide: Clear, actionable steps tailored to SMEs to build resilience and prevent attacks.

  • Easy-to-understand infographics: A visual guide to help your staff recognise phishing tactics.


To report suspicious emails that don't appear to be from HMRC, you can also forward them to report@phishing.gov.uk.


Protecting Your Business from Phishing Scams

Here are some proactive steps every SME should take:


1. Train Your Team

Regular cyber awareness training is crucial. Teach staff how to recognise phishing emails, spot fake websites, and report suspicious messages.


2. Implement Email Filtering and Threat Detection

Modern email filters can block many phishing attempts before they reach your inbox. Review your email security setup to ensure it’s up to date.


3. Enable Multi-Factor Authentication (MFA)

If a scammer does get hold of login credentials, MFA adds an essential extra layer of protection across your business systems.


4. Protect Company Data

Ensure sensitive documents are only accessible to authorised individuals and that systems are regularly backed up in a secure location.


5. Report and Review

Encourage a culture of reporting. Every suspicious message reported helps prevent further attacks—both within your business and across the wider community.
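To make step 2 concrete, here is an added example (not part of the original article or any HMRC or NCSC tooling) of a mail-triage check built on the traits of this campaign: an HMRC/VAT-themed message, a subject personalised with the company name, and a link to a look-alike login page. The function names, the sample messages and the rule that genuine HMRC senders and links stay under gov.uk are assumptions made for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "gov.uk"  # assumption: genuine HMRC senders and links stay under gov.uk
LURES = ("hmrc", "vat compliance")  # wording taken from the campaign description
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real campaign emails); .example is a reserved TLD.
SAMPLE_PHISH = """\
From: HMRC Compliance <notice@hmrc-vat-check.example>
Subject: Acme Widgets Ltd - VAT compliance check required

Sign in to complete your checks: https://hmrc.gov.uk.vat-login.example/signin
"""
SAMPLE_OK = """\
From: HMRC <sender@hmrc.gov.uk>
Subject: VAT reminder

Guidance is available at https://www.gov.uk/ for your business.
"""

def under_trusted(host):
    """True only for gov.uk itself or a genuine subdomain, not a lookalike."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def triage(raw_email, company_name):
    """Return the reasons an HMRC-themed message should be held for review."""
    msg = message_from_string(raw_email, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    display, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if not any(t in f"{subject} {display} {body}".lower() for t in LURES):
        return []  # not HMRC-themed, so out of scope for this check
    reasons = []
    sender_host = addr.rpartition("@")[2]
    if not under_trusted(sender_host):
        reasons.append(f"sender domain not under gov.uk: {sender_host}")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not under_trusted(host):
            reasons.append(f"link leaves gov.uk: {host}")
    if reasons and company_name.lower() in subject.lower():
        reasons.append("subject personalised with the company name")
    return reasons
```

The From header can be forged, so a check like this complements the SPF, DKIM and DMARC results from your mail gateway rather than replacing them.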


The HMRC phishing scam serves as a timely warning: cyber criminals are targeting UK businesses with increasing precision and sophistication. By staying informed, remaining cautious, and embedding cyber security best practices into everyday operations, SMEs can significantly reduce their risk.



Stay alert. Stay secure. And don’t let fraudsters take advantage of your trust.



 
 