Phishing via Fake Income Tax Notice — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH

Beware in 2026: Phishing via Fake Income Tax Notice Scam Targeting Indians

Phishing scams disguised as official Income Tax Department notices are on the rise in India, duping taxpayers into leaking personal and financial data.

What Is the Phishing via Fake Income Tax Notice?

This scam involves cybercriminals impersonating the Income Tax Department of India, sending fake notices via email, SMS, or WhatsApp that appear genuine. These messages claim urgent action is needed – such as unpaid tax dues, pending KYC updates, or alleged compliance failures. The goal is to trick individuals into clicking malicious links or sharing sensitive information like PAN, Aadhaar, bank account numbers, or OTPs.

Typically, these scammers prey on salaried individuals, self-employed professionals, and even small business owners during peak tax filing season in India. They gather their targets' data from public databases, leaked information, or through social engineering. The scam has become widespread, with CERT-In and the Indian government's I4C (Indian Cyber Crime Coordination Centre) reporting a steady increase in such frauds every tax season.

Both the Reserve Bank of India (RBI) and CERT-In have issued advisories warning taxpayers to be vigilant, as cybercriminals exploit the high trust citizens place in government entities, including the Income Tax Department.

How This Scam Works — Step by Step

  1. Initial Contact: The victim receives a message on email, SMS, or WhatsApp, allegedly from the Income Tax Department. The message uses official logos, formal language, and a fake sender ID like “ITDept_India” or similar.

  2. Urgent Notice: The message claims that a tax payment is pending, or that KYC details need an urgent update to avoid penalties or legal action. It may mention an amount in INR, referencing tax refunds or dues.

  3. Malicious Link or Attachment: The message contains a clickable link or PDF attachment, supposedly leading to the Income Tax portal to “view the notice” or “upload documents.”

  4. Phishing Website: Clicking the link redirects the victim to a fake website that looks strikingly like the official income tax e-filing site. Here, the victim is asked to enter PAN, Aadhaar number, bank account details, and OTPs sent via SMS.

  5. Data Capture & Exploitation: Once entered, scammers immediately harvest this data to carry out fraud—such as opening new UPI accounts, making unauthorized bank transfers, or conducting SIM swaps.

  6. Financial Loss: Victims may notice sudden debits from their bank accounts or unauthorized UPI transactions. Sometimes, the scammer files fake income tax returns to claim refunds fraudulently.

Real Warning Signs to Watch For

What Happens to Victims

Victims often face direct financial losses due to instant UPI debits or fraudulent bank transactions. Since many Indians link their Aadhaar and PAN for various services, misuse can lead to identity theft. Criminals might perform SIM swaps to access OTPs, locking victims out of their mobile and bank verification systems.

Emotionally, the shock and stress from a sudden loss of money or a personal data breach can cause anxiety and distrust towards official communications. Victims waste precious time and resources trying to reverse fraudulent transactions, sometimes without success, since RBI guidelines allow only a limited window for UPI reversals. This scam also affects the victim’s creditworthiness, as fraudsters might take loans or file fake returns in their name.

What RBI and CERT-In Say

The RBI regularly alerts users against phishing scams related to banking and tax payments, emphasizing not to share OTPs or passwords with anyone. Its helpline for cyber fraud is reachable at +91-800-11-39882.

CERT-In has issued multiple advisories asking citizens to verify official government communications on authenticated channels and report suspicious messages to the 24x7 Indian Cyber Crime Helpline at 1930.

The Indian Cyber Crime Coordination Centre (I4C) encourages public vigilance and prompt reporting of cyber fraud via cybercrime.gov.in. The government stresses that Income Tax Department notices will never ask for sensitive details over unsecured digital channels.

How to Protect Yourself

  1. Verify Links and Sender IDs: Always check the URL carefully before clicking. The official income tax portal ends with .gov.in. Do not trust suspicious sender names or phone numbers.

  2. Never Share OTP or Passwords: The Income Tax Department or banks will never ask for your OTP, password, or PIN over SMS, email, or calls.

  3. Use Official Channels Only: Access income tax services by typing the web address yourself or using trusted apps—not from links received in messages.

  4. Enable Two-Factor Authentication on Digital Payments: Use RBI-approved 2FA on UPI and banking apps to reduce unauthorized access risk.

  5. Keep Your Aadhaar and PAN Details Private: Do not share these numbers casually over phone or online, especially if unsolicited requests come in.

  6. Install Security Software and Keep Devices Updated: Protect your smartphones and computers with anti-virus software and up-to-date security patches to help detect and block malicious links.

  7. Educate Family Members and Elderly: Inform those around you about these scams, as attackers often target vulnerable people unfamiliar with phishing tactics.
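
The link check from step 1, as an added example (not code from BharatSecure or the Income Tax Department): it extracts URLs from a message and flags any whose real hostname does not end with .gov.in, including links that only contain "gov.in" somewhere else in the address. The function names, the sample message and the .example hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = ".gov.in"  # the page's rule: the official portal ends with .gov.in
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def check_url(url):
    """Return (verdict, reason); 'suspicious' unless the real host ends in .gov.in."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious", "unparseable URL"
    if not host:
        return "suspicious", "no hostname"
    if parts.username is not None:
        # Anything before '@' is login info, not the site being visited.
        return "suspicious", "text before '@' hides the real host: " + host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious", "internationalised host can imitate Latin letters"
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:
        return "suspicious", "raw IP address instead of a domain name"
    if not host.endswith(OFFICIAL_SUFFIX):
        if "gov.in" in host:
            return "suspicious", "'gov.in' appears in the host but is not its suffix"
        return "suspicious", "host does not end with .gov.in"
    if parts.scheme != "https":
        return "suspicious", "link is not HTTPS"
    return "matches-gov-in", host

def scan_message(text):
    """Extract every http(s) URL from a message and classify each one."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,);")  # drop sentence punctuation glued to the link
        results.append((url, *check_url(url)))
    return results

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = (
    "ITDept_India: Tax due of INR 12,450 pending. View notice at "
    "http://www.incometax.gov.in.verify-kyc.example/notice or "
    "https://incometax.gov.in@refund-portal.example/login. "
    "Official site: https://www.incometax.gov.in/"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE):
        print(f"{verdict:15} {url}  ({reason})")
```

A "matches-gov-in" verdict only means the link satisfies the .gov.in rule from step 1; the remaining steps still apply.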

What to Do If You've Been Targeted

  1. Immediately Block or Freeze Your Bank Account and UPI: Contact your bank’s customer service to temporarily suspend transactions.

  2. Change Passwords and Enable 2FA: For all banking, email, and tax-related portals.

  3. Report to Cyber Crime Helpline: Call 1930 or file a complaint at cybercrime.gov.in with all details and evidence.

  4. Inform Your Mobile Operator: If you suspect SIM swap fraud, report it to your telecom provider immediately.

  5. File a Complaint with IT Department: If you receive suspicious emails purportedly from them, forward them to the Income Tax Department’s official fraud email.

  6. Monitor Your Credit Reports: Check for any unauthorized loans or financial activity.

  7. Alert BharatSecure.app: Verify suspicious messages or links on BharatSecure.app before interacting with them.

Frequently Asked Questions

Q1: Can the Income Tax Department ever contact me by WhatsApp or SMS?
No. The Income Tax Department primarily communicates via registered email and official letters. They do not send tax notices or payment demands via WhatsApp or SMS containing clickable links.

Q2: What if I clicked on a fake income tax link but didn’t share any data?
If you haven’t entered any personal details, you are likely safe. Still, run a malware scan on your device and change passwords as a precaution. Avoid clicking suspicious links in the future.

Q3: How quickly can I get my money back if scammed?
Recovering lost money is challenging. RBI guidelines allow bank reversals only if reported within a few hours of fraudulent UPI transactions. File complaints immediately to increase the chances of reversal and police investigation.


Stay alert! Always verify suspicious income tax-related messages and notices at BharatSecure.app before you click, share, or pay anything. Your data and money are valuable—protect them wisely.
