Tax season should be predictable for finance teams. Unfortunately, it is just as predictable for cyber criminals.
Every year, as deadlines approach and HMRC communications increase, phishing campaigns surge. This is not accidental. Attackers exploit timing, trust and urgency to drive action, and they do it with remarkable consistency. The result is a persistent and costly threat to both individuals and organisations across the UK.
Why tax season is a prime target
Phishing campaigns linked to HMRC follow a clear calendar pattern. Activity ramps up between December and April, aligning with the 31 January Self Assessment deadline and the end of the tax year in early April. During this period, people are expecting emails, messages and reminders about tax obligations, which makes malicious communication far more believable.
This predictability gives attackers an advantage. They do not need sophisticated exploits. They simply need to appear legitimate at the right moment.
The scale of the problem
Recent data shows that HMRC themed phishing is not just a nuisance. It leads to real financial loss and widespread impact.
- Over 135,000 suspected scam reports were recorded in a ten month period
- Around 29,000 of those involved fake tax refund claims
- Nearly 25,000 fake websites and phone numbers were shut down in the same timeframe
In one major case, phishing enabled fraudsters to target around 100,000 taxpayers and resulted in approximately £47 million in fraudulent repayments. This highlights a critical point: phishing is not always about immediate gain. It is often the first step in a much larger fraud chain, with the harvested credentials used to take over accounts and submit claims later.
How HMRC phishing attacks work
Despite evolving tactics, the core attack chain remains consistent.
1. The lure
Attackers use familiar themes such as tax refunds, penalties, account updates or urgent compliance requests. These messages are designed to create pressure and prompt immediate action.
2. Multi channel delivery
Phishing no longer relies on email alone. Campaigns now use SMS, phone calls and increasingly QR codes. This allows attackers to move victims onto personal phones that sit outside corporate email filtering, web proxies and endpoint controls.
3. Credential harvesting
Most attacks aim to capture login details or personal information rather than deploy malware. Government Gateway credentials are a common target, enabling account takeover and fraudulent claims.
4. Post compromise activity
Once access is gained, attackers may submit fraudulent repayments, reuse credentials across services or launch further attacks from compromised accounts.
Evolving attacker techniques
While the playbook is familiar, delivery methods continue to adapt.
- QR code phishing is rising, shifting users from managed devices to personal mobiles
- Legitimate services such as file hosting platforms are used to mask malicious content
- Redirection chains help attackers evade detection tools
- Generic infrastructure makes phishing harder to identify at a glance
These techniques reduce the effectiveness of traditional email filtering and increase reliance on user judgement, which is exactly where attackers want to be.
Why these attacks still succeed
The persistence of HMRC phishing is not due to a lack of awareness. It is due to human behaviour under pressure.
- Timing creates trust: people expect HMRC communication during tax season
- Urgency drives action: deadlines reduce careful decision making
- Security controls are bypassed: mobile devices and QR codes evade traditional protections
- Detection is delayed: many users rarely check their HMRC accounts, allowing fraud to go unnoticed
Even organisations with strong cyber security foundations can be exposed if controls are not adapted to seasonal risk.
What UK organisations should do differently
Tax season should trigger a shift in defensive posture. This is not the time for generic awareness campaigns. It is the time for targeted, practical controls.
Strengthen email authentication and filtering
Publish SPF and DKIM so receiving mail servers can verify that messages claiming to come from your domains were genuinely sent by you, and enforce them with a DMARC policy of p=reject. A DMARC record left at p=none only reports on spoofing and blocks nothing. Combine this with advanced email security to detect impersonation attempts, including lookalike domains that pass authentication because the attacker owns them.
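The difference between a monitoring-only configuration and an enforcing one is easy to miss in a DNS TXT record. The following lint, added here as an illustration and not part of Zenzero's original article or tooling, parses constructed SPF and DMARC records for a hypothetical domain and flags the settings that still let spoofed mail through (a soft-fail `~all`, `p=none`, a partial `pct`, no aggregate-report address). The record contents and the `example.net`/`example.org` names are assumptions for the example; it does not query DNS.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Constructed sample records for a hypothetical domain; not real DNS data.
"""

# The "before" records: SPF soft-fails and DMARC only monitors.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}
# The "after" records: SPF hard-fails, DMARC rejects with strict alignment.
STRICT = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
}

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes SPF evaluate to permerror


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def _is_lookup(term: str) -> bool:
    """True for SPF mechanisms/modifiers that cost a DNS lookup."""
    t = term.lower().lstrip("+-~?")
    return (t.startswith(("include:", "redirect=", "exists:", "ptr", "a:", "mx:", "a/", "mx/"))
            or t in ("a", "mx"))


def lint_spf(record: str) -> list:
    """Return human-readable findings for an SPF record; empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    findings = []
    last = terms[-1].lower()
    if last in ("~all", "?all"):
        findings.append(f"ends with '{last}': unauthorised senders only soft-fail, spoofed mail is still delivered")
    elif last == "+all":
        findings.append("ends with '+all': every sender on the internet is authorised")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism: unmatched senders are treated as neutral")
    lookups = sum(1 for t in terms if _is_lookup(t))
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}; SPF will permerror")
    return findings


def lint_dmarc(record: str) -> list:
    """Return findings for a DMARC record; empty list means it actually enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
    elif policy != "reject":
        findings.append("p tag missing or invalid")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports, the main source of spoofing intelligence, are not collected")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy (sp, defaulting to p) is not reject: attackers can spoof any subdomain")
    return findings


def lint_domain(records: dict) -> dict:
    """Lint both records together; a clean result is {'spf': [], 'dmarc': []}."""
    return {"spf": lint_spf(records["spf"]), "dmarc": lint_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strict", STRICT)):
        print(label, lint_domain(recs))
```

Running it reports findings for the weak pair and none for the strict pair. The lint deliberately says nothing about DKIM: a DKIM key is looked up per selector, so its presence can only be confirmed by checking the `selector._domainkey` record your mail platform publishes, and DMARC is what ties that signature to the visible From domain.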
Treat QR codes and attachments as high risk
Educate users and enforce controls around QR code scanning and document handling, especially during peak tax periods.
Enable rapid reporting and response
Make it easy for users to report suspicious messages. Fast reporting improves containment and supports wider takedown efforts.
Monitor for account compromise signals
Look for indicators such as unexpected login alerts, password resets, changes to MFA or recovery settings, and unusual account activity on finance and tax-related systems, particularly where a credential change is quickly followed by a sign-in from an unmanaged device or an unfamiliar location.
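As an added illustration of that monitoring (not code from Zenzero's article or from any vendor product), the script below runs a simple account-takeover rule over a constructed set of identity-provider audit events. It treats sign-ins older than 24 hours as a user's trusted history, then flags credential changes (password resets, new MFA methods) made from a device or country outside that history, and sign-ins from a new country within an hour of such a change. The event format, user names, dates and the two thresholds are assumptions for the example.

```python
"""Flag account-takeover signals in identity-provider audit events.

The events below are constructed sample data in a minimal, assumed format;
real IdP logs carry more fields but the same signals.
"""
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2025-01-27T08:02:00", "user": "finance.clerk", "type": "login", "country": "GB", "device": "managed-laptop"},
    {"ts": "2025-01-27T12:40:00", "user": "finance.clerk", "type": "login", "country": "GB", "device": "managed-laptop"},
    # Evening of the next day: a phishing link opened on a personal phone.
    {"ts": "2025-01-28T19:15:00", "user": "finance.clerk", "type": "login", "country": "GB", "device": "unknown-mobile"},
    {"ts": "2025-01-28T19:16:00", "user": "finance.clerk", "type": "password_reset", "country": "GB", "device": "unknown-mobile"},
    {"ts": "2025-01-28T19:20:00", "user": "finance.clerk", "type": "mfa_method_added", "country": "DE", "device": "unknown-mobile"},
    {"ts": "2025-01-28T19:25:00", "user": "finance.clerk", "type": "login", "country": "DE", "device": "unknown-mobile"},
    # A benign reset from a device with established history.
    {"ts": "2025-01-26T09:00:00", "user": "payroll.lead", "type": "login", "country": "GB", "device": "managed-laptop"},
    {"ts": "2025-01-28T09:00:00", "user": "payroll.lead", "type": "login", "country": "GB", "device": "managed-laptop"},
    {"ts": "2025-01-28T17:30:00", "user": "payroll.lead", "type": "password_reset", "country": "GB", "device": "managed-laptop"},
]

CRED_CHANGE = {"password_reset", "mfa_method_added"}
TRUST_AGE = timedelta(hours=24)      # sign-ins older than this count as trusted history (assumed threshold)
FOLLOW_WINDOW = timedelta(hours=1)   # how soon after a credential change a new-country login is suspicious


def _parse(events):
    """Convert timestamps and order events per user, oldest first."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: (e["user"], e["ts"]))


def trusted_history(history, at):
    """Countries and devices seen in this user's logins at least TRUST_AGE before `at`."""
    old = [h for h in history if h["type"] == "login" and at - h["ts"] >= TRUST_AGE]
    return {h["country"] for h in old}, {h["device"] for h in old}


def detect(events):
    """Return (user, timestamp, message) findings for suspicious sequences."""
    findings = []
    by_user = {}
    for e in _parse(events):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        last_change = None
        for i, e in enumerate(evs):
            countries, devices = trusted_history(evs[:i], e["ts"])
            new_country = e["country"] not in countries
            new_device = e["device"] not in devices

            if e["type"] in CRED_CHANGE:
                if new_device or new_country:
                    what = "device" if new_device else "country"
                    findings.append((user, e["ts"].isoformat(), f"{e['type']} from unfamiliar {what}"))
                last_change = e["ts"]

            if (e["type"] == "login" and last_change is not None
                    and e["ts"] - last_change <= FOLLOW_WINDOW and new_country):
                findings.append((user, e["ts"].isoformat(),
                                 "login from new country within an hour of a credential change"))
    return findings


if __name__ == "__main__":
    for user, ts, msg in detect(EVENTS):
        print(f"{ts} {user}: {msg}")
```

The 24-hour trust age is what keeps the attacker's own first sign-in from the personal phone from laundering the device into the baseline a minute before the reset; tune it, and the one-hour follow window, to your own sign-in patterns before relying on it.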
Focus on identity protection
Strengthen authentication controls and monitor for credential misuse. Phishing is often just the entry point to a broader identity based attack.
Final thoughts
HMRC phishing works because it aligns perfectly with predictable human behaviour. It is timely, believable and increasingly sophisticated in how it bypasses controls.
For organisations, the lesson is clear. Treat tax season as a known threat window. Adjust your defences accordingly and focus on disrupting the attacker’s path from initial contact to compromise.
The playbook may be the same each year, but your response does not have to be.
If you want to strengthen your organisation’s resilience ahead of the next tax season, speak to Zenzero’s security experts today.
