Skip to content
HMRC Scam Alert With The Word Scam Written In Red Across Hmrc Logo

Further to our article on How to Spot Fake HMRC letters, whilst the number of HMRC scams has somewhat declined over the last 12 months, there is still a huge amount going on.

One way to help stop being scammed is to keep your HMRC login details safe.

How to keep your HMRC login details safe

HMRC scam calls

If you are contacted by anyone declaring to be from HMRC don’t ever disclose your login details such as your username or password. HMRC will never ask for your password. Tell the caller you are busy and you will phone back. Then visit the HMRC website and get the relevant contact details from there. Do not call any number given to you over the phone as this could be a scam number.

HMRC scam texts and emails

If you receive a text or email asking you to click a link to access your account – DON’T! The link provided could direct you to a fraudulent web page. The page may look exactly like the official HMRC site but it will be run by fraudsters who will then have access to all your information once you provide login details or personal information.

If you receive a text or email, always go to the genuine HMRC site and search for the section you have been requested to provide details about.

Check you visit HMRC via a secure connection

When you visit the HMRC website, always double check the site is secure by looking for the padlock at the beginning of the URL as per the screenshot below. The padlock indicates any information being sent between the website and you is encrypted.

padlock on site showing how to avoid HMRC scam

Use Multi-Factor authentication

Multi-factor authentication (MFA) is where you will be requested to provide a second verification after you have entered your password. HMRC use an access code for MFA which you can receive via text message, voice call or through an app. To set this up you need to log in to your existing account and go to Manage Profile – Security Preferences – Add. Here you can select your choice.

Protect your passwords

Change your password regularly. It is recommended to change your password at least every 3 months. When using a password don’t use something that can be easily guessed such as Password123 or a combination of your name and date of birth.

Don’t use the same password for all your online accounts. If someone guesses your password they will then have access to any other accounts you have online.

Use a password that is easy for you to remember but difficult for anyone else to guess. Use a combination of at least 12 numbers, letters and symbols if possible.

If you have difficulty coming up with a password, think of a favourite line in a poem, a favourite meal and drink or a line from a book.

And if you have difficulty remembering passwords, use an online password manager such as LastPass. A password manager will create encrypted passwords for sites you use and store them securely. You then only have to remember one master password to access all your others.

Report HMRC scams

If you believe you have been the victim of HMRC fraud, it is important to report it immediately. You can do this via their online services helpdesk.


These tips don’t only apply to HMRC. Use them to keep your details safe for any other organisations you use online access for such as bank accounts.

Remember, if you willingly give out your login information or personal details that give fraudsters access to your account, you will still be liable for any debts created by the fraudsters. And your personal information is more than likely to be used in other scams.

You have been warned!

Back To Top