Phishing scams that often claim recipients are owed a tax refund have plagued HMRC in recent years, and spiked during the first half of 2025.
38,012 phishing complaints were filed this year demonstrating that this type of fraud is not going away and being perpetrated by ever more savvy criminals. Smishing, a play on the traditional phishing scam but via
Smishing, a play on the traditional phishing scam but via SMS instead of email, has had a chilling cost to businesses with artificial intelligence increasing their authenticity and convincing more to click on a scam link. AI analytics can also assess noticeable patterns and behaviours through phishing attempts that persuade customers to give away their personal data held by trusted entities like banks and government agencies. New data gathered by cyber security experts at Bridewell reveals the extent of impersonations of HM Revenue & Customs.
The schemes operate across various platforms and become very lucrative to scammers as only a small proportion of targets need to fall victim.
HMRC received a staggering 296,000 reports since 2023, the majority for emails purporting to be from the revenue service. 13,250 reports to HMRC in the last two years were for SMS.
Luiz Simpson, Head of Red Team at Bridewell said, “Social engineering is an often-overlooked security threat that is used to manipulate people. This manipulation can encompass a broad range of objectives whereby a victim is tricked into doing something that helps the attacker. Often this is encouraging them to click malicious links, but the goal could also be to install malware or trigger fraudulent transactions”.
