Security advice

Making your online experience as secure as possible

Electronic communication and transactions are a key part of HM Revenue & Customs (HMRC) business. However, the advantages that online transactions provide can also give rise to the risk of fraud - individuals claiming to be someone they are not, and obtaining information they are not entitled to.

HMRC, in common with all providers of online services, is committed to your security - but you need to be alert.

HMRC continuously monitors systems and customer records to guard against fraudulent activity. The methods fraudsters use to obtain the information they want is constantly changing, so HMRC provides regular updates on the type of scams it is aware of. The main risk involves stealing identities or online access details.

Please do everything you can to ensure that the identifiers and passwords you use when accessing HMRC systems are kept secure and updated regularly. You should not divulge your online User ID and password to anyone. Any suspicious activity should be reported to HMRC immediately.

Contact the Online Services Helpdesk


How to protect yourself online

Login details

Keep your login details secure. Do not write them down or tell anyone what they are, including HMRC staff or your accountant or tax adviser.


Use strong passwords. Remember to make them unique so they cannot be easily guessed by someone else. They should always contain a mix of letters and numbers. Try to avoid using common phrases or anything obvious like your name or date of birth. Change your password regularly; we suggest that you do this at least once every three months.

Unsolicited emails

Be suspicious of unsolicited emails, even if they look like they're from a trusted source.

HMRC will never send notifications of a tax rebate, or ask you to disclose personal or payment information by email. If you have any doubt that an email you receive from HMRC is genuine, please do not follow any links, disclose any personal details or respond to it. Please forward it to HMRC at then delete it.

HMRC is unable to investigate paper copies of phishing emails/websites. In order for us to take any action, you will need to forward the original phishing email

Anti-virus software

Make sure your computer has anti-virus and anti-spyware software, and that it is continually updated allowing it to check the contents of the files on your computer against the information it holds about known viruses.

Personal firewall and secure wireless network

Make sure any computer which connects to the internet has appropriate firewall protection to block any unauthorised connections being made. If you're using a wireless network, ensure it is secure.

Find out more about secure wireless networks (Opens new window)

Update your web browser

Use the most up to date version of your preferred web browser, this could reduce your chance of falling victim to online phishing scams, by displaying messages to alert you.

Keep your operating system up to date

Make sure you download and install updates regularly.

Mobile Devices

If you are using mobile devices to communicate with HMRC make sure that you use anti-virus software relevant to that device. Security for mobile devices is just as important as for your home computer.

Social Networking

Please be careful about the detail you provide when social networking. Never disclose personal information.

Sensitive information

Never enter sensitive information such as account details, PINs or passwords via a website link within an email.

Secure websites

Ensure websites are secure - look for the prefix 'https' and a locked padlock or unbroken key symbol. Check the authenticity of a secure website by double clicking on the symbol.

Contact the website owner on a known or independently verified phone number. HMRC provide regular updates on scams they are aware of (see the link below).

Examples of phishing emails

Please do everything you can to ensure that the identifiers and passwords you use when accessing HMRC systems are kept secure and updated regularly.

Attachments and emails

Beware of attachments and emails - even if they appear innocent, they could contain a virus designed to steal your personal information.

Bogus websites

Type the full address of secure websites into your browser, rather than searching for it - this helps avoid being misdirected to a bogus site.

Websites charging for services

Some websites offer services which HMRC will provide free of charge. These include third party companies who offer to file a tax return on your behalf in exchange for a fee, and premium rate connection charges to HMRC telephone helplines.

When searching for government services, for example to file a Self Assessment Tax Return Online, it is often the case that third party companies who charge for providing a service appear in the search results as well as the official website for the relevant government agency. Some companies also pay an advertising fee to appear at the top of the search results.

To avoid confusion when searching the internet for government related services, it is advisable to visit (Opens new window) if you do not know the direct path to the website. is the best place to find information about government services and any searches made will only provide links to official government department's information and websites.

It is advisable to carefully read third party websites and look out for disclaimers and details of fees and charges which may be listed for using their services.

Misleading ‘copycat’ websites

The Government has been working with industry experts to tackle the issue of ‘copycat’ websites. Some websites can look like they’re part of an official government service or that they provide more help than they actually do.

This might mean you pay for services that you could get cheaper or for free if you used the official government service. For example, this includes HMRC online services for Self Assessment.

Agents who advertise as registered or authorised agents of HMRC


More useful links

Read security information for agents