The end of the tax year is one of the busiest periods for accountants, finance teams and business owners across the UK. Tax returns, payments and year-end paperwork all converge in the final weeks before the 5th April deadline, and HMRC communications flood inboxes.
Cybercriminals know this too.
Every year, as the tax year draws to a close, phishing campaigns impersonating HMRC surge dramatically. Attackers exploit the urgency and administrative pressure that come with approaching deadlines. When your inbox is overflowing and you’re racing against the clock, a convincing fake email can easily slip through.
For firms handling client financial data or managing tax obligations on behalf of others, the stakes are particularly high.
Why the End of the Tax Year Is Perfect for Attackers
Cybercriminals are opportunists. They design phishing campaigns around moments when people are expecting certain communications, and the run-up to the 5th April tax deadline is prime territory.
In those final weeks, businesses are frantically trying to meet Self Assessment deadlines, file company tax returns and settle outstanding payments. The volume of legitimate HMRC communications increases, and so does the opportunity for fraud.
During this period, businesses are more likely to receive legitimate emails about tax payments, refund notifications, document requests, policy updates and compliance deadlines. Attackers mimic these messages because they blend right in with the genuine flood of tax-related correspondence.
According to the UK Government’s Cyber Security Breaches Survey 2025, 85% of UK businesses experienced a phishing attack last year, making it the most common cyber threat facing organisations.
Many fraudulent emails use familiar language designed to create urgency:
- “Your tax refund is ready”
- “Final notice: tax payment due before 5th April”
- “Action required regarding your Self Assessment”
- “Outstanding tax payment notice”
The message pressures you to click a link or download an attachment quickly. The closer you get to the deadline, the more likely people are to act without thinking. Once that happens, the damage begins.
What HMRC Phishing Emails Actually Look Like
Modern phishing emails are far more sophisticated than the clumsy scams from years ago. Today’s attackers replicate legitimate branding, formatting and tone with alarming accuracy. They include official logos, realistic sender addresses and links that appear genuine at first glance.
HMRC has received an astonishing 296,000 phishing and smishing reports since 2023, with the vast majority being email-based impersonation attempts. These numbers spike noticeably in the weeks leading up to the end of the tax year.
Common HMRC-themed phishing tactics during the tax year-end include:
Fake tax refund notifications: These emails claim you’re owed a refund and must follow a link to “claim” the payment before the tax year ends. The link leads to a fake login page designed to steal credentials or financial information.
Urgent tax payment warnings: Some emails claim a payment has failed or a deadline has been missed, pressuring you to act immediately to avoid penalties. The proximity to the 5th April deadline makes these messages feel particularly urgent.
Last-minute document requests: Attackers claim HMRC requires additional information to process a return before the tax year closes, directing you to provide personal or company details.
Malicious attachments: Phishing emails sometimes include attachments disguised as tax documents, final notices or invoices. Opening these files can install malware or ransomware.
For organisations managing tax affairs for multiple clients during this critical period, a single compromised account can quickly escalate into a much larger problem.
Why Professional Services Firms Are Prime Targets at Year-End
Firms handling sensitive financial data are especially attractive targets as the tax year closes.
Accountancy practices, legal firms, financial advisers and outsourced finance teams are under immense pressure during this period. They’re managing multiple client deadlines simultaneously, processing large volumes of financial data and handling urgent payment requests. This creates the perfect environment for phishing attacks to succeed.
These firms hold large volumes of personal financial information, corporate records, client login credentials and payment details. If attackers gain access to one account within a firm during the year-end rush, they may be able to move through systems, access client data or impersonate the firm in further scams.
These attacks are often carefully crafted and targeted because criminals aren’t just looking for one victim. They want access to an entire client network, and the end of the tax year is when defences are most likely to be stretched thin.
In one particularly serious incident, criminals used phishing to fraudulently extract tax repayments worth £47 million from HMRC by targeting around 100,000 taxpayer accounts.
The Real Impact of a Successful Phishing Attack
When people think about phishing, they often imagine a minor inconvenience or a single compromised password. In reality, the consequences can be devastating, particularly when an attack succeeds during the year-end crunch.
A successful phishing attack at the end of the tax year can lead to:
- Financial theft through fraudulent payments disguised as legitimate tax transactions
- Exposure of sensitive client data during your busiest period
- Regulatory reporting obligations that compound your workload
- Reputational damage with clients and partners at a critical time
- Operational disruption caused by malware or ransomware when you can least afford downtime
For firms responsible for protecting client information, the reputational impact alone can be severe. Clients expect their advisers to protect their financial data with the same care they apply to their own systems, even when working under intense deadline pressure.
Practical Steps to Reduce Phishing Risk During the Tax Year-End
While phishing attacks increase as the tax year closes, organisations can take proactive steps to reduce their exposure during this critical period.
Strengthen Staff Awareness Before the Rush
Employees remain your first line of defence, but they’re also under the most pressure as deadlines approach. Regular cyber awareness training helps teams recognise suspicious emails and understand what to do when something feels wrong, even when they’re working at pace.
Simple guidance makes a significant difference:
- HMRC does not request sensitive information via email, even at year-end
- Unexpected attachments should be treated with caution, particularly those claiming to be urgent tax documents
- Urgent financial requests should always be verified independently, regardless of the deadline
- If an email creates panic about missing the 5th April deadline, stop and verify before clicking
Use Multi-Factor Authentication
Even if credentials are compromised during the year-end chaos, multi-factor authentication can prevent attackers from accessing accounts. This simple control significantly reduces the likelihood of successful account takeover when your team is working under pressure.
Implement Strong Email Filtering
Advanced email security tools can detect suspicious messages, block malicious links and prevent phishing emails from reaching users. These systems are particularly valuable during high-risk periods like the end of the tax year when email volumes surge and vigilance naturally drops.
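The following Python example is added here and is not from the original article or any product: it shows the kind of checks a filter can apply to HMRC-themed mail, using the lure subject lines quoted earlier. The gov.uk trust suffix, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_SUFFIX = "gov.uk"  # assumption: genuine HMRC mail and links sit under gov.uk
# Urgency phrases drawn from the lure subject lines quoted in the article.
URGENCY = ("tax refund", "final notice", "action required", "outstanding tax payment")

def under(domain, suffix=TRUSTED_SUFFIX):
    """True only for the suffix itself or a real subdomain (not 'hmrc-gov.uk')."""
    domain = domain.lower().rstrip(".")
    return domain == suffix or domain.endswith("." + suffix)

def score_hmrc_lure(raw):
    """Return the list of reasons one raw RFC 5322 message looks like an HMRC lure."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    name, addr = parseaddr(str(msg.get("From", "")))
    claims_hmrc = bool(re.search(r"hmrc|revenue (and|&) customs", name + " " + subject, re.I))
    reasons = []
    if claims_hmrc and not under(addr.rpartition("@")[2]):
        reasons.append("HMRC branding from a sender outside gov.uk")
    # Only trust this header when your own receiving server wrote it.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        reasons.append("no DMARC pass recorded")
    if any(phrase in subject.lower() for phrase in URGENCY):
        reasons.append("urgency phrase in subject")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    if claims_hmrc and any(not under(h) for h in hosts):
        reasons.append("link to a host outside gov.uk")
    return reasons

# Constructed sample messages (not real mail); .example names are placeholders.
LURE = (
    'From: "HMRC Refunds" <refunds@hmrc-gov.uk.example>\n'
    "Subject: Your tax refund is ready\n"
    "Authentication-Results: mx.firm.example; spf=pass; dmarc=fail\n"
    "\n"
    "Claim before 5th April: http://refund.hmrc-gov.uk.example/claim\n"
)
CLEAN = (
    'From: "HMRC" <notices@hmrc.gov.uk>\n'
    "Subject: Your Self Assessment statement\n"
    "Authentication-Results: mx.firm.example; spf=pass; dmarc=pass\n"
    "\n"
    "Sign in at https://www.gov.uk/ to view it.\n"
)
```

The lookalike sender in the sample passes SPF for its own domain, which is why the check compares the visible HMRC branding against the sender and link domains rather than relying on an authentication result alone.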
Encourage a Culture of Reporting
Employees should feel comfortable reporting suspicious emails without fear of blame, even during busy periods. Early reporting allows security teams to identify threats quickly and warn others before additional accounts are affected.
Make it clear that taking an extra 30 seconds to report a suspicious email is always preferable to the hours, days or weeks it takes to recover from a successful attack.
Why Proactive Security Matters at Year-End
Phishing attacks aren’t random. They’re carefully timed to exploit moments of increased pressure and predictable behaviour. The end of the tax year is one of the highest-risk periods on the calendar.
Organisations that treat cybersecurity as a continuous process rather than a once-a-year exercise are far better positioned to handle these threats. Security improves when testing, awareness and remediation are ongoing rather than reactive.
If your defences haven’t been reviewed recently, now is a good time to ask: are you confident that your organisation would detect and respond to a phishing attack during your busiest period before it spreads?
The end of the tax year will come around again next year. The question is whether you’ll be better prepared than you are today.
Stay Ahead of Year-End Cyber Threats
The end of the tax year brings enough pressure without the added risk of cybercrime. Understanding how attackers operate during this critical period helps organisations strengthen their defences and protect both their firm and their clients when it matters most.
If you want to better understand how attackers might exploit your organisation’s systems during high-pressure periods, proactive security testing and cyber awareness initiatives can reveal the vulnerabilities that phishing campaigns often target.
When it comes to cybersecurity, the organisations that prepare early are the ones that avoid becoming the next headline.