NCSC flags credential phishing targeting HMRC

The UK National Cyber Security Centre said on May 21 that people in Britain should watch for credential-harvesting phishing campaigns that impersonate trusted services such as HM Revenue & Customs, banks and NHS platforms. The warning fits a broader NCSC push on phishing, which the agency defines as scam emails, text messages or calls that try to trick people into visiting fake sites, downloading malware or handing over passwords and bank details. (ncsc.gov.uk) The agency’s public guidance says criminals often pose as organisations people already know and trust. As of April 2026, the NCSC said it had received more than 54.5 million scam reports and helped remove 248,000 scams across 440,000 URLs. ### Why are HMRC, banks and NHS services effective lures? HMRC, the NHS and major banks are exactly the kinds of brands the NCSC says scammers prefer to imitate because they carry authority and urgency. The agency’s scam-spotting guidance says criminals often pretend to be “someone official,” including a bank, doctor or government department, and often pressure people to act immediately. NCSC material also shows those brands have been used repeatedly in past impersonation campaigns. A March 2026 NCSC document on government email impersonation scams said takedowns had included messages pretending to come from the NHS, HMRC and Ofgem. (ncsc.gov.uk) ### What does “credential-harvesting” mean in practice? The NCSC says phishing usually aims to push a victim to a website that steals passwords, bank details or other personal information. Its public guidance describes scam emails, texts, websites, adverts and calls as common delivery methods. (ncsc.gov.uk) The agency’s advice says the messages increasingly look convincing. NCSC guidance warns that scams are “getting smarter,” can fool experts, and may use QR codes in emails to direct people to fake sites. (ncsc.gov.uk) ### What signs does the NCSC tell people to look for? The NCSC says people should focus less on spelling mistakes and more on the pressure tactics in the message. Its guidance lists authority, urgency and emotion as recurring signs, including claims of fines, limited response windows or messages designed to provoke panic or curiosity. (ncsc.gov.uk) Banks and other official organisations also will not ask for personal information or banking details by email, according to separate NCSC advice for people affected by data breaches. The agency says recipients should avoid using links or contact details provided in suspicious messages and instead verify through official channels. (ncsc.gov.uk) ### What should someone do if they already clicked or entered details? The NCSC says people who entered passwords should change any accounts using the same password, and use passkeys where available. If banking or card details were shared, the agency says to contact the bank straight away and cancel cards through online banking if possible. (ncsc.gov.uk) Work devices are handled differently. NCSC guidance says anyone who received the message on a work laptop or phone should contact their IT department and explain what happened. (ncsc.gov.uk) ### Where does the reporting process go from here? The NCSC says suspicious emails, text messages, websites, adverts and phone calls can be reported through its phishing reporting system, which the agency uses to investigate and remove scam infrastructure. The reporting pages remain live on the NCSC website, alongside step-by-step advice on what to do after sharing passwords, personal information or banking details. (ncsc.gov.uk 1) (ncsc.gov.uk 2)