Keeping your HMRC login details safe
Find out how to protect your details, how to report fraud and what HMRC does to help keep you safe online.
How to protect your login details
You must not share your HMRC login details with anyone, including your tax agent if you have one. You should treat them with the same amount of care as your bank details.
Giving sensitive, personal information to other people, even without realising, puts you at risk. Someone using your login details could steal from you and HMRC.
Criminals promoting fraud on social media
Criminals use social media to try and find people to trick or persuade people into sharing their personal or login details.
They use these details to apply for fraudulent tax repayments from HMRC. They hide their own identity, which means the person whose details they’ve used will owe money to HMRC.
Their social media posts often advertise that they are ‘risk free’. They may also send direct messages to you through social media.
If you do share your details, you will be at risk of having to pay back the full tax debt created by the fraudsters in your name. Your bank account may be frozen, and fraudsters may post or sell your personal details online for anyone to use.
Reporting fraud to HMRC
You should report tax fraud or avoidance to HMRC if you see social media adverts or posts promoting tax fraud requesting:
- HMRC login details
- National Insurance numbers
- other personal information
Find out how to report tax fraud or avoidance to HMRC.
There’s a different way to report suspicious HMRC emails, text messages and phone calls.
If you have been a victim of identity theft, or have suffered financial loss because of a scam, you should contact Action Fraud to report this. Find out more on the Action Fraud website.
If you have recently transferred funds to a third party, and believe that you have been scammed, contact your bank immediately.
In an emergency, call 999.
How HMRC keeps you safe online
Secure connection
The HMRC website is delivered over an encrypted connection. This encrypts the data you send to HMRC and the data HMRC sends to you using the internet.
If someone was able to externally view your connection to HMRC, they would be unable to interpret the data sent.
Common internet browsers will:
- show this as a padlock in the address bar
- warn you if you are not using an encrypted connection on a website that expects you to enter data
Secure sign in
HMRC online services are only available to customers who register their details. Every time you log in, you must enter your User ID and password before you can access your services.
You should use a unique password for every online service. Longer passwords are best. You can find top tips for staying secure online on the National Cyber Security Centre’s website.
We monitor all HMRC accounts for suspicious sign-in attempts and may ask you to change your password if we think there’s a risk someone else has discovered it. Multi-factor authentication will help ensure your data stays safe. We’ll ask you to reset your password after you have successfully signed in.
If you think your other online accounts could be at risk, check National Cyber Security Centre website for advice on how to keep your emails secure.
Multi-factor authentication
Most HMRC accounts are extra protected by multi-factor authentication. This is a secondary step required after correctly providing your User ID and password, requiring a single-use code to be entered to complete the sign-in.
This protects your account even if someone has discovered your User ID and password.
If you login to your account often, do not forget to use the Remember Me feature, which saves you from completing another multi-factor authentication challenge for 7 days.
If you use text messages or voice calls for multi-factor authentication, and you receive login codes from HMRC when you are not trying to log in, it may mean someone has your login details. If this happens, it would be sensible to change your password.
Identity Verification
When you create a new account, or want to use services that present more sensitive data, HMRC will ask you some questions to verify it’s really you.
This is to stop someone who is pretending to be you from accessing your confidential tax information.
Most customers should only have to go through this process once, but it is also used for security processes. For example, if you have forgotten your login details.
Automatic logout
After 15 minutes of inactivity you will be automatically logged out. This protects your information if you leave your device unattended. You should still always aim to select ‘sign out’ from HMRC services when leaving the HMRC website.
Last login date and time
As an extra security measure, you can check the time and date you last logged in using your Government Gateway account. This information can be found in the Government Gateway settings, within the My Details page on your tax account welcome screen.
If you believe the last login was not you, it is important that you report the matter to our online services helpdesk immediately.
Where to report
You should make a report immediately to the HMRC online services helpdesk if you have a reason to believe your account has been accessed or altered without your authorisation.
If you have been a victim of another type of scam, you can find out how to report these and read examples of HMRC related phishing emails, suspicious phone calls and texts.
Support
If you have been emotionally impacted by an online scam there is help available.
You can contact the Samaritans by telephone on 116 123 or find out how to access NHS mental health services on the NHS Mental health services website.
If you’re being harassed online, you should contact the police on their national non-emergency telephone number by dialling 101. In an emergency, always dial 999.
If you have been a victim of an online scam, you can contact Victim Support by telephone on 08 08 16 89 111 or read about scams on the Citizens Advice website.
Updates to this page
Published 28 October 2022Last updated 30 June 2023 + show all updates
-
We have updated the section 'Secure sign in' with more guidance on password security.
-
Added translation