Tax season, same playbook: Why HMRC phishing still works
£47 million lost and around 100,000 taxpayers targeted. That was the scale of a single HMRC-related fraud operation disclosed in 2025, driven not by sophisticated exploits, but by phishing.
Tax-themed phishing works because attackers know exactly when to strike. Activity increases between December and April, when tax deadlines dominate attention. In the UK, the Self Assessment deadline at the end of January and the financial year close in April create a window where HMRC communication is expected and often urgent.
This is not just anecdotal. Industry reporting consistently shows measurable spikes in phishing activity during tax periods, with campaigns increasing significantly as deadlines approach.
From a defensive perspective, that predictability is the problem. These campaigns succeed not because they are complex, but because they align with human behaviour. Attackers do not need new techniques. They need credibility at the right moment.
Threat analysis: A repeatable intrusion chain
Tax phishing campaigns follow a consistent pattern, even as delivery methods evolve.
The initial access point is almost always urgency. Messages reference tax refunds, penalties, or account verification. These themes work because they mirror legitimate HMRC communication during peak filing periods.
The scale is significant. HMRC reported more than 135,000 suspected scam referrals within a 10-month period in 2025, including 29,000 linked to tax refund scams, showing how consistently these lures are used. This is reinforced by broader industry reporting, which shows tax-themed campaigns can reach tens of thousands of messages within a single operation, targeting both individuals and organisations.
Delivery has expanded beyond email. SMS, phone calls, and QR codes are now routinely used to move victims between devices and outside traditional controls. A user may receive an email on a corporate device but complete the interaction on a personal phone, where visibility is limited.
In most cases, the objective is not malware but credentials. Attackers target Government Gateway logins, personal data, and financial information. This reflects a broader shift towards low-friction credential theft, which is often more effective and harder to detect than malware delivery.
Attacker tradecraft: Blending in rather than breaking in
Modern tax phishing works by blending into legitimate environments rather than bypassing them.
Attackers use infrastructure that appears legitimate. Phishing pages are hosted on cloud services, links are shortened, and HTTPS reinforces trust. In some cases, the domain itself is not obviously malicious, with only subtle indicators such as URL paths revealing impersonation. This makes confident blocking difficult before user interaction.
This approach is reflected in domain analysis research, which shows a significant proportion of tax-related lookalike domains are designed to appear legitimate at first glance, often evading basic detection controls.
The scale of infrastructure is also notable. HMRC reported it had taken down nearly 25,000 scam websites and phone numbers within a 10-month period, highlighting how quickly attackers can generate and rotate assets.
QR-based phishing is an increasing concern. HMRC has explicitly warned about emails containing QR codes, reflecting a shift in delivery. Industry and law enforcement reporting shows these “quishing” techniques are specifically designed to bypass secure email gateways by shifting interaction to unmanaged devices. This also enables techniques such as session token theft, which can in some cases bypass multi-factor authentication.
Campaigns also use staged delivery. Malicious content may only be served to real users, while security tools receive benign content. This reduces detection and increases success rates.
The core security problem
The persistence of tax phishing reflects a mismatch between controls and attacker behaviour.
Timing creates trust. During tax season, users expect HMRC communication and are more likely to engage.
This is not a one-off issue. HMRC recorded over 170,000 scam referrals in the 12 months to July 2025, showing that tax phishing is part of a sustained and predictable pattern. This aligns with wider phishing trends, where attackers repeatedly exploit known behavioural triggers rather than relying on new technical exploits.
At the same time, users are under pressure. Finance teams and individuals are making time-sensitive decisions, often with financial consequences. In that context, expecting users to spot every phishing message consistently is unrealistic.
Even strong controls have limits. DMARC can prevent spoofing but not lookalike domains. MFA reduces risk but may be bypassed through token theft, session replay, or inconsistent enforcement. As the NCSC highlights, some phishing attacks will always reach the user, which is why layered defence is essential.
Industry impact
The impact extends beyond individual victims.
The 2025 HMRC fraud case shows how phishing feeds into large-scale financial crime. Stolen credentials were used to access or create accounts and submit fraudulent repayment claims. Limited user interaction with tax accounts delays detection, increasing attacker dwell time.
This reflects a broader trend. Phishing remains one of the most common initial access vectors in cyber incidents, and tax-themed campaigns are increasingly used as an entry point into wider attack chains, including account takeover, identity fraud, and business email compromise.
For organisations, the risk is indirect but real. Stolen credentials may be reused across corporate systems, creating a path into enterprise environments. Finance teams are particularly exposed, increasing the risk of escalation into payment fraud or business email compromise.
Defensive lessons
Defending against tax phishing requires targeted, time-aware controls.
Email authentication remains essential. DMARC, SPF, and DKIM reduce spoofing risk but do not prevent impersonation. Organisations should also monitor link usage and domain patterns more closely during tax periods, particularly where newly registered or lookalike domains are involved.
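One way to turn the lookalike-domain and URL-path indicators described above into detection logic over proxy or mail logs, as an added example that is not from the original article. The gov.uk allow-list, the brand-token list and the sample log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: real HMRC services live under gov.uk; these brand strings do not belong in third-party hosts or paths.
LEGIT_SUFFIX = ".gov.uk"
BRAND_TOKENS = ("hmrc", "gov.uk", "gov-uk", "govuk", "tax-refund", "taxrefund",
                "self-assessment", "selfassessment", "government-gateway")

def edit_distance(a, b):
    """Levenshtein plus adjacent transposition, so 'hrmc' is 1 edit from 'hmrc'."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)  # transposition
    return d[-1][-1]

def assess_url(url):
    """Classify one URL as allow / review / block, with the indicator that decided it."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.lower()
    if host == "gov.uk" or host.endswith(LEGIT_SUFFIX):
        return "allow", "gov.uk host"
    for tok in BRAND_TOKENS:  # e.g. hmrc-refund.example.com or hmrc.gov.uk.evil.example
        if tok in host:
            return "block", f"brand token '{tok}' in non-gov.uk host"
    for label in host.split("."):  # typosquat such as hrmc.example.net
        if edit_distance(label, "hmrc") == 1:
            return "review", f"host label '{label}' is one edit from 'hmrc'"
    hits = [tok for tok in BRAND_TOKENS if tok in path]  # brand appears only in the path
    if hits:
        return "review", f"brand token(s) {hits} in path on non-gov.uk host"
    return "allow", "no HMRC indicators"

def scan_log(text):
    # Return (user, url, verdict, reason) for every non-allow URL in proxy-style log text.
    findings = []
    for user, url in re.findall(r"user=(\S+) url=(\S+)", text):
        verdict, reason = assess_url(url)
        if verdict != "allow":
            findings.append((user, url, verdict, reason))
    return findings

# Constructed sample proxy log lines (not real traffic) from a January filing-season scan.
SAMPLE_LOG = """\
2025-01-20T09:14:02Z user=a.smith url=https://www.gov.uk/log-in-register-hmrc-online-services
2025-01-20T09:15:47Z user=a.smith url=https://hmrc-refund-claim.example.com/verify
2025-01-20T09:16:10Z user=j.doe url=https://hrmc.example.net/government-gateway
2025-01-20T09:17:33Z user=j.doe url=https://storage.example.org/files/hmrc-tax-refund/index.html
"""
```

Running `scan_log(SAMPLE_LOG)` flags the second line as block and the third and fourth as review, while the genuine gov.uk link passes; in practice the review verdicts would feed an analyst queue during the January and April windows rather than an automatic block.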
QR codes and indirect delivery methods should be treated as high risk. These techniques are designed to bypass traditional controls and require specific detection and policy enforcement.
Multi-factor authentication remains important, but implementation matters. Phishing-resistant methods such as hardware-based authentication provide stronger protection against token theft and session-based attacks than SMS or push-based approaches.
Awareness efforts should align with timing. Training delivered outside high-risk periods is less effective than targeted messaging during tax season, when users are most likely to encounter these threats.
Conclusion
Tax phishing succeeds because it relies on predictability.
As long as tax deadlines create urgency and HMRC remains a trusted authority, attackers will continue to exploit that combination. The tactics are evolving, with increased use of multi-channel delivery, staged payloads, and more convincing social engineering, but the underlying model remains consistent.
Looking ahead, the use of AI-generated content is likely to further increase the realism and scale of phishing campaigns, reducing the effectiveness of traditional detection approaches.
For defenders, this is not an unpredictable threat. It is a recurring one.
And recurring threats are the ones organisations should be best prepared to reduce.