Spot and report fake income tax refund SMS, emails, and WhatsApp links in 2026: red flags, official CBDT channels, and what to do if you click.
Beware Fake Tax Refund Messages
Fake income tax refund messages (by SMS, WhatsApp, or email) are the most prevalent tax-related cybercrime in India in 2026. The real Income Tax Department never asks you to click a link, enter a password, share an OTP, or install an app to release your refund. Genuine AY 2026-27 refunds are credited automatically to your pre-validated bank account. If any message tells you otherwise, treat it as a scam; verify status only at incometax.gov.in. A two-minute pause before you click can protect you from losses that take months, and sometimes years, to recover.
Why Fake Refund Scams Spike Every Filing Season
The ITR filing window for AY 2026-27 (FY 2025-26) runs from April 1 to July 31, 2026 for non-audit cases, and the two to three months after this window, when the Centralised Processing Centre (CPC) in Bengaluru processes returns and initiates refunds, create a completely predictable fraud season. Scam volumes typically spike four to six times above baseline between May and August every year.
The reason scams work is not because taxpayers are careless; it is because fraudsters are systematic.
- Timing: Attacks are timed to the period when refunds are genuinely being processed (roughly September to January for the bulk of ITR-1 and ITR-2 filers, and May-June for those who filed early). You are primed to hear good news about a refund.
- Data sourcing: Fraudsters purchase or access data from breaches of telecom records, PAN-linked databases, and fintech platforms. They can address you by name, know your approximate income bracket, and sometimes even your employer, making the message feel personalised and credible.
- Manufactured urgency: "Your refund of ₹31,800 will lapse if not claimed by midnight tonight." The Income Tax Act has no lapse provision for refunds (this deadline is entirely invented), but urgency short-circuits rational verification. By the time you pause to think, the fraudster wants your OTP already typed.
The Central Board of Direct Taxes (CBDT), which governs the Income Tax Department, does not communicate refund status via WhatsApp, does not use shortened URLs, and does not operate a "Refund Helpdesk" that calls you.
The Anatomy of a Refund Scam, Step by Step
Understanding the exact sequence fraudsters follow makes it far easier to recognise the moment you should stop. Every major refund scam in 2025-26 followed some version of this five-step script.
Step 1: The hook message. You receive an SMS or WhatsApp from a mobile number (or a spoofed sender ID) stating: "Your income tax refund of ₹28,490 for AY 2026-27 is ready. Verify your bank account now: bit.ly/itr-refund-2026." The amount is specific enough to feel real but large enough to be exciting.
Step 2: The cloned portal. Clicking the link opens a pixel-perfect clone of incometax.gov.in. The only visible difference is in the address bar: the URL reads something like incometax-gov-in.refund-india.co or itd-refunds.in. Most users never check the address bar, especially on a mobile screen where the URL is partially hidden.
Step 3: Credential harvesting. The fake portal presents a login screen asking for your PAN and password, or, in the simpler variants, asks for PAN, date of birth, and your bank account number "to verify the refund destination." Every field you fill is transmitted to the attacker in real time.
Step 4: The OTP trap. Armed with your PAN and net-banking credentials, the fraudster logs into your actual bank account and initiates an IMPS or NEFT transfer to a mule account. Your bank sends a transaction OTP to your registered mobile. Seconds later, a call arrives: "This is the Refund Processing Officer from CPC Bengaluru. An OTP has been generated to credit your refund. Please share it so we can complete the transaction." You read out the OTP. The transfer completes, but in the fraudster's favour.
Step 5: The escalation call (optional). Sophisticated operators call back: "Ma'am, a larger amount was credited to you by error: ₹1,20,000. Please return the excess immediately to this account, or we will initiate a penalty recovery." Victims in a panic sometimes comply. This second transfer is entirely voluntary, and almost never recoverable.
Red Flags You Can Spot in Under 30 Seconds
Before you click, tap, or call back, run this mental checklist.
Check the sender and URL
- Does the SMS come from a 10-digit mobile number? Genuine Income Tax Department messages use registered sender IDs: `ITDEPT` or `ITDINC`. A mobile number as sender is never official.
- Does the link go to `https://www.incometax.gov.in` with a valid SSL padlock and that exact domain? Any other domain, no matter how official-looking, is fraudulent. Note: having an `https` padlock does not make a site safe; free SSL certificates are available to anyone.
- Does the email arrive from an address ending in `@incometax.gov.in` or `@cpc.incometax.gov.in`? Domains like `incometaxindia.co.in`, `incometaxdept.net`, or any Gmail, Yahoo, or Outlook address are fake.
Check the content
- Does it address you as "Dear Customer," "Dear Taxpayer," or "Dear PAN Holder" rather than your registered name? Red flag.
- Does it quote a refund amount that does not match your own computation or your ITR acknowledgement? Red flag.
- Does it ask you to click a link, call a number, share an OTP, or install an app? The real department does none of these things to release a refund.
- Does it claim your refund will "lapse," "expire," or be "forfeited"? No such provision exists in the Income-tax Act, 1961.
Requests that are always fraudulent, no exceptions
- Sharing any OTP, CVV, full card number, or net-banking password with anyone
- Installing AnyDesk, TeamViewer, QuickSupport, or any remote-access application
- Transferring money to a "safe account," "nodal CBDT account," or "escrow account"
- Taking part in a WhatsApp video call with someone claiming to be an Income Tax Officer
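The sender, link and wording checks above can be expressed as a small triage routine. This is an added example, not code from the Income Tax Department or the original page; the keyword patterns, flag names, the handling of an optional two-letter SMS route prefix and the sample mobile number are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Values taken from the checklist above.
OFFICIAL_WEB_HOSTS = {"incometax.gov.in", "www.incometax.gov.in", "tin.tin.nsdl.com"}
OFFICIAL_MAIL_DOMAINS = {"incometax.gov.in", "cpc.incometax.gov.in"}
OFFICIAL_SMS_IDS = {"ITDEPT", "ITDINC"}

# Constructed patterns (assumption): keywords lifted from the checklist wording.
URL_RE = re.compile(r"https?://\S+|\b(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
DEADLINE_RE = re.compile(r"\b(?:laps|expir|forfeit)\w*", re.I)
SECRET_RE = re.compile(r"\b(?:otp|cvv|password|anydesk|teamviewer|quicksupport)\b", re.I)
GREETING_RE = re.compile(r"\bdear\s+(?:customer|taxpayer|pan\s+holder)\b", re.I)

def link_host(token):
    """Return the lowercase hostname a link token really points to."""
    token = token.rstrip(".,;:!?)\"'")
    if "://" not in token:
        token = "https://" + token  # bare links such as bit.ly/...
    try:
        return (urlsplit(token).hostname or "").rstrip(".")
    except ValueError:
        return ""

def sender_flags(sender):
    """Flag mobile-number senders, unregistered SMS IDs and unofficial mail domains."""
    sender = sender.strip()
    if "@" in sender:
        domain = sender.rsplit("@", 1)[1].strip("<> ").lower()
        return [] if domain in OFFICIAL_MAIL_DOMAINS else ["unofficial-email-domain:" + domain]
    if len(re.sub(r"\D", "", sender)) >= 10:
        return ["mobile-number-sender"]
    # Assumption: carriers may prepend a two-letter route prefix such as "AD-".
    header = re.sub(r"^[A-Za-z]{2}-", "", sender).upper()
    return [] if header in OFFICIAL_SMS_IDS else ["unregistered-sender-id:" + header]

def triage(sender, body):
    """List red flags; an empty list is not proof the message is genuine."""
    flags = sender_flags(sender)
    for token in URL_RE.findall(body):
        host = link_host(token)
        # Exact host match only: a name that merely contains the official one is a clone.
        if host not in OFFICIAL_WEB_HOSTS:
            flags.append("unofficial-link:" + host)
    if GREETING_RE.search(body):
        flags.append("generic-greeting")
    if DEADLINE_RE.search(body):
        flags.append("invented-deadline")
    if SECRET_RE.search(body):
        flags.append("asks-for-secret-or-remote-app")
    return flags

if __name__ == "__main__":
    # Constructed sample: the Step 1 hook text, sent from a made-up mobile number.
    hook = ("Your income tax refund of Rs 28,490 for AY 2026-27 is ready. "
            "Verify your bank account now: bit.ly/itr-refund-2026.")
    print(triage("+91 90000 00000", hook))
```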
What Genuine CBDT Communication Actually Looks Like
Knowing the hallmarks of authentic communication is just as important as recognising fakes.
Refunds require zero action from you. Once your ITR is processed and a refund is determined, it is credited automatically to the bank account you pre-validated in your e-Filing profile (incometax.gov.in → My Profile → Bank Account). You do not click anything, call anyone, or confirm anything. The process is entirely automated at the CPC end.
Section 143(1) intimation. After your return is processed, the CPC sends a Section 143(1) intimation to your registered email address. This email:
- Arrives from [email protected] or [email protected]
- Contains a Document Identification Number (DIN), a unique 20-digit alphanumeric code that you can independently verify at `incometax.gov.in → Services → Verify Your Tax Credit → Verify Notice/Order Issued by ITD`
- Is password-protected: the password is your PAN in lowercase followed by your date of birth in DDMMYYYY format (e.g., `abcde1234f01011985`)
- Shows the tax computation, any demand or refund amount, and the bank account to which the refund will be credited
Bank credit narration. When the refund reaches your account, the narration reads REFUND-CPC followed by the Assessment Year, or ITR REFUND AY 2026-27. If a credit appears in your account without this narration and someone later claims it was a tax refund sent by error, that is a red flag for the "accidental overpayment" scam; do not return any amount without verifying on the portal.
How to check your real refund status: exactly two authorised channels
- `incometax.gov.in` → e-File → Income Tax Returns → View Filed Returns → Refund Status
- `tin.tin.nsdl.com/oltas/refundstatuslogin.html`: enter PAN and Assessment Year
There is no third option. No helpline number, no WhatsApp bot, no third-party tracking app.
Worked Example: How Rs. 38,500 Disappeared in 11 Minutes
Consider this composite scenario, drawn from the pattern of cases reported to cybercrime.gov.in in FY 2025-26.
Ravi, a salaried software engineer in Pune earning ₹14,40,000 p.a., filed his ITR-1 for FY 2025-26 (AY 2026-27) on May 8, 2026. He had changed employers mid-year, and TDS was deducted by both. His CA estimated a legitimate refund of approximately ₹4,800: excess TDS on account of the old employer not accounting for the new one's deductions.
On June 14, 2026, Ravi received an SMS: "Dear Ravi, your income tax refund of ₹38,500 for AY 2026-27 is pending approval. Verify your bank account to initiate credit: bit.ly/itr-verify-2026."
Three things made Ravi click:
- His first name was in the message, sourced from a 2024 telecom data breach
- ₹38,500 felt plausible: he had two employers, and perhaps TDS reconciliation yielded more than his CA estimated
- He was distracted and clicked the link quickly on his phone while commuting
The fake portal loaded in under two seconds. It asked for his PAN, date of birth, and net-banking user ID and password; Ravi filled all four fields in four minutes.
The fraudster immediately logged into Ravi's actual net-banking portal, initiated an IMPS transfer of ₹38,500 to a mule account, and triggered a transaction OTP to Ravi's registered mobile. Within seconds, a call came in: "Sir, I am calling from the Income Tax CPC Bengaluru. An OTP has been sent to your registered mobile to complete your refund credit. Please share it."
Ravi shared the OTP. Transfer complete. Total elapsed time: 11 minutes.
What Ravi should have done instead: Checked incometax.gov.in directly, where the portal would have shown his actual refund of ₹4,800 with status "Refund Initiated" (already on its way, no action required). He would also have seen that the URL in the SMS led to incometax-gov-refund.in, not incometax.gov.in. And he would have recalled that no bank in the world sends an OTP to receive money; OTPs exist only to authorise outgoing transactions.
Ravi's recovery path: He called his bank's 24×7 fraud helpline 40 minutes after the transfer. The bank initiated a "hold at beneficiary" request to the mule account's bank. He filed a complaint on cybercrime.gov.in within two hours (this generated a timestamp that proved critical) and called 1930 to flag the mule account. Because he acted quickly, the funds were frozen before the fraudster could aggregate them into a further transfer. Recovery of the full ₹38,500 took 47 days and required a formal FIR at the local Cyber Crime Police Station.
If You Have Already Clicked: A Time-Critical Action Plan
Speed is the only variable you control after a fraud event. Every passing minute allows the fraudster to move funds further along a chain of mule accounts.
In the first 15 minutes
- Stay calm; do not call the fraudster's number back under any circumstances
- Call your bank's 24×7 fraud helpline (printed on the back of your debit card) and say clearly: "I have been phished and an unauthorised transaction may be in progress"
- Ask for an immediate freeze on internet banking, UPI, and card transactions; most banks execute this in under three minutes over a phone call
- If a transfer has already been debited, request a "hold at beneficiary"; this contacts the receiving bank and asks them to freeze the mule account; success rates are highest within the first 60 minutes
Within 24 hours
- File a complaint at `cybercrime.gov.in`; you receive a complaint number immediately, and this timestamp is your legal record
- Call 1930, the National Cyber Crime Reporting Helpline, to flag the fraudster's account number and trigger a multi-bank alert system
- Forward the original fraudulent SMS, email, or WhatsApp screenshot to [email protected] and [email protected]
- Lodge an FIR at your local Cyber Crime Police Station, required for insurance claims and for the bank to formally process a chargeback
Technical cleanup
- If you clicked a link that downloaded any file or APK, do not open it; if you already installed it, factory reset the device
- Revoke Device Administrator permissions for unknown apps: Settings → Security → Device Administrators → remove anything unfamiliar
- Change your e-Filing portal password and net-banking password from a clean, separate device
- Re-enable two-factor authentication (2FA) on your e-Filing account: `incometax.gov.in → My Profile → Security Settings`
- Run a full anti-malware scan using a reputable security application
Note on the FIR window: Many private-sector banks treat the FIR filing date as the starting point for chargeback liability assessment. Filing beyond 72 hours does not eliminate your rights, but it significantly weakens your position in disputes. File as early as possible.
Bank-Side Controls Every Taxpayer Should Activate Before July 31
Proactive controls dramatically reduce the damage if fraud does occur. Set these up before you file, or at the very least, before the refund processing window begins.
- Transaction OTP for all amounts: Enable mandatory OTP confirmation for every internet banking, card, and UPI payment. Most banks let you set an OTP threshold amount; set it to ₹0 or ₹1 so nothing moves without an OTP from you. This single step would have blocked Ravi's ₹38,500 loss, except that he shared the OTP voluntarily. Which is why the next point matters.
- Daily transfer limits: Set a daily NEFT, IMPS, and UPI outward transfer limit that reflects your normal usage. If you never send more than ₹25,000 in a single day, cap it there. This buys you reaction time: the fraudster can only extract up to your daily limit even with full credentials.
- Instant alerts at ₹1: Ensure SMS and email alerts are active for every debit of any amount. Many banks default to alerts only above ₹10,000; change this to ₹1.
- International transaction block: If you do not transact internationally, block international card usage in your bank's app. Fraudsters routinely test stolen credentials against low-value international merchant sites before attempting larger domestic transfers.
- e-DIS for demat accounts: If you hold shares, switch from Power of Attorney (POA) to e-DIS (Electronic Delivery Instruction Slip) with your broker. Under e-DIS, no securities can be transferred out without a fresh OTP from you for each transaction, even if your broker's own systems are compromised.
- Pre-validate your bank account on the e-Filing portal: Navigate to `incometax.gov.in → My Profile → Bank Account → Pre-validate`. A pre-validated account is the only account to which the CPC will credit your AY 2026-27 refund. This also removes the pretext for a fraudster to claim that your "account details need updating before the refund can be released."
Common Mistakes, and Why They Are So Easy to Make
Calling back to "just verify". The moment you call the fraudster's number, you confirm that your number is active, that you received the message, and that you are curious or anxious about a refund. You also hand them a live voice to manipulate. Never call back. If you want to verify, navigate directly to incometax.gov.in.
Sharing the OTP because you think it is "for receiving money". This is the single most exploited misconception in refund fraud. OTPs in banking are transaction-authorisation codes; they function identically whether a transfer is incoming or outgoing from your perspective. There is no such thing as a "receive money OTP." If an OTP arrives on your phone and someone is asking you to read it out, that OTP is authorising a debit from your account. Always.
Googling for the CBDT helpline number. Searching "income tax refund helpline" on a browser can surface sponsored advertisements for fraudulent helpline numbers. Always type https://www.incometax.gov.in directly into the address bar. Do not click search results, especially not sponsored ones.
Assuming "https" means safe. Free SSL certificates (the padlock icon) are available to anyone in minutes. A fake site can, and often does, have https. Always verify the complete domain name character by character, not just the presence of the padlock.
Waiting to report out of embarrassment. Cyber fraud carries no stigma; it is reported by engineers, doctors, chartered accountants, and retired civil servants every month. The chargeback window is real and it closes fast. The cost of embarrassment is far smaller than the cost of delayed reporting.
Giving remote access "so the officer can help". No Indian government department (not CBDT, not the Income Tax Department, not the Ministry of Finance) uses AnyDesk, TeamViewer, QuickSupport, or any remote-access software for official work with taxpayers. If anyone makes this request, end the call immediately and report the number to 1930.
Securing Your e-Filing Account: Settings to Review Today
Your account at incometax.gov.in is the master record of your tax identity. A fraudster with access to it can file a fraudulent ITR claiming a large refund in your name, change your pre-validated bank account to their mule account, or access your AIS (Annual Information Statement) and TIS (Taxpayer Information Summary) to profile your financial transactions.
- Password strength: Use a minimum 12-character password combining uppercase, lowercase, numerals, and symbols. Do not reuse it on any other platform.
- Two-factor authentication (2FA): Activate 2FA at `My Profile → Security Settings`. Even if your password is stolen, a login from an unfamiliar device triggers an OTP to your registered mobile.
- Keep contact details updated: All statutory notices (Section 143(1) intimations, Section 245 adjustment notices, demand notices, and refund intimations) go to your registered email and mobile. An outdated number means you miss genuine communications and may not notice a fraudulent login.
- Review login history: `incometax.gov.in → My Profile → Login History` shows every session: device type, IP address, and timestamp. Check this monthly during filing season. An unfamiliar IP from a different city or country warrants an immediate password change.
- Use the ERI route for agents: If you use a CA or tax agent, they should file on your behalf via the e-Return Intermediary (ERI) mechanism, a separate professional login that does not require your personal credentials. Sharing your own password with any third party, even a trusted professional, creates a security gap.
Key Takeaways
- The Income Tax Department never asks you to click a link, share an OTP, or install an app to release a refund. Refunds for AY 2026-27 are credited automatically to your pre-validated bank account; no action needed from your side.
- Verify refund status at exactly two authorised addresses: `incometax.gov.in → e-File → View Filed Returns → Refund Status`, or `tin.tin.nsdl.com`. No other channel (helpline, app, or WhatsApp bot) is official.
- Genuine Section 143(1) intimations carry a 20-digit DIN verifiable on the portal, arrive from `@cpc.incometax.gov.in`, and are password-protected (PAN in lowercase + DDMMYYYY date of birth). Bank credit narration reads `REFUND-CPC` or `ITR REFUND AY 2026-27`.
- If you have clicked a suspicious link, act within 15 minutes: freeze card and internet banking, file on `cybercrime.gov.in`, call 1930, and lodge an FIR within 24 hours to protect your chargeback rights.
- Activate bank-side controls now: transaction OTPs for all amounts, daily outward transfer limits, instant debit alerts at ₹1, and pre-validate your bank account on the e-Filing portal before July 31, 2026.
- An OTP always authorises an outgoing transaction. There is no "receive money OTP." Reading your OTP to anyone, regardless of what they claim, directly authorises a debit from your account.
- Scam volumes are highest between May and August. During this window, treat every unsolicited refund message as suspect by default, however personalised, authoritative, or urgent it appears.





