Tips for Avoiding Tax Scams

Tips for Avoiding Tax Scams in India (2026)

Tax scams in India have crossed a threshold in 2026: they no longer look like obvious fraud. Scammers now replicate the Income Tax Department's official letterhead pixel-for-pixel, spoof CBDT email domains, and cite real section numbers from the Income-tax Act 1961. The good news is that every genuine government communication leaves a verifiable digital trail. This guide shows you exactly how to use that trail — and what to do when something falls outside it.

Why 2026 Tax Scams Are Harder to Spot Than Before

Three developments have made taxpayers more vulnerable simultaneously.

First, digital filing has created a massive attack surface. Over 9 crore Income Tax Returns were filed for AY 2026-27, meaning fraudsters have a large pool of targets who routinely open emails and SMS about refunds, notices and demand payments.

Second, the government's own transparency tools — Annual Information Statement (AIS) and Taxpayer Information Summary (TIS) — are now widely publicised. Scammers have weaponised this awareness: they send fake "AIS discrepancy" alerts that look credible because taxpayers know the real AIS exists.

Third, Unified Payments Interface (UPI) has made it trivially easy for a scammer to create a payment link that appears legitimate. A message saying "pay your outstanding demand of Rs. 14,200 via this UPI link before midnight to avoid account freeze" exploits both urgency and the familiarity of UPI as a payment mode.

None of these attack vectors require the scammer to know much about you — a leaked PAN number and a mobile number pulled from any data breach are enough to launch a targeted attempt.

Nine Warning Patterns That Identify a Tax Scam

Memorise these. Each is a hard stop — the moment you encounter any one of them, treat the communication as fraudulent until proven otherwise through official channels.

1. Urgency with a countdown — "Your PAN will be deactivated in 24 hours", "Respond before midnight or face arrest". Genuine notices give statutory response windows, typically 15–30 days.
2. Requests for OTP, bank account credentials or UPI payment to a personal number — The Income Tax Department never asks for OTPs or accepts payments to individual UPI IDs.
3. No Document Identification Number (DIN) — Every authentic written communication from the Income Tax Department carries a DIN since CBDT Circular No. 19/2019 (effective 1 October 2019). No DIN = invalid notice.
4. Email from a domain other than `incometax.gov.in` — Scammer domains include variations like incometax-india.in, it-dept-india.com or Gmail/Yahoo addresses.
5. Refund processing fee — Refunds are credited directly to your pre-validated bank account. No fee, no agent and no third-party app is involved.
6. WhatsApp voice calls or video calls from "officers" — The department communicates in writing through the portal, by post or through the assessing officer's official email. Not WhatsApp.
7. Requests to click a shortened URL (bit.ly, tinyurl) — These mask the destination. Always type portal URLs manually.
8. Promises to "settle" a demand informally — This is both a scam and, if you participate, potentially an offence under Section 89 of the Income-tax Act and the Prevention of Corruption Act 1988.
9. GSTIN verification certificates sent unsolicited — Legitimate GST verification is done by you on the GST portal (gst.gov.in), not sent to you by a third party.

The DIN Test: Your First Line of Defence Against Fake Income Tax Notices

The Document Identification Number (DIN) is the single most reliable authenticity check for any paper or email notice from the Income Tax Department.

What the DIN looks like

A DIN is a computer-generated, 20-character unique number printed on all notices, orders, summons and letters issued by income tax authorities. It appears at the top of the document, usually labelled "DIN" or "Document Identification Number".

How to verify a DIN in three steps

1. Log in to the e-filing portal: https://www.incometax.gov.in/iec/foportal/
2. Navigate to e-File → Income Tax Forms → Response to Outstanding Demand or Pending Actions → e-Proceedings.
3. Cross-check: the notice issued to you should appear here with the same DIN. If it does not appear, the document is not genuine.

Alternatively, the CBDT has a standalone DIN verification page within the portal. Enter the DIN and your PAN — a valid DIN will return the document metadata. An invalid DIN returns no record.

What to do if a notice has no DIN: Do not respond. Do not pay anything. File a complaint at [email protected] and on the portal's grievance module.

GST Scams: Fake ITC, Cloned GSTINs and "Refund Processors"

GST fraud has evolved well beyond basic fake invoicing. The three patterns most commonly reported in 2026 are:

Fake Input Tax Credit (ITC) offers. A "consultant" approaches your business promising ITC of, say, Rs. 8,00,000 against a service fee of Rs. 80,000. They generate invoices from shell entities with valid-looking GSTINs. You file GSTR-3B claiming the credit. Six months later, you receive a notice under Section 74 of the CGST Act 2017 — which covers fraud and suppression — with a demand for the full ITC plus 100% penalty plus 18% interest. The original consultant has disappeared with Rs. 80,000.

Refund processing for a fee. If you are an exporter or inverted-duty-structure taxpayer with a genuine refund pending on the GST portal, a caller may offer to "expedite" your refund for 5–10% of the amount. No such service exists outside the GST portal's built-in workflow. Your refund is processed by the jurisdictional GST officer after you file RFD-01 on gst.gov.in.

Cloned GSTIN certificates. Fraudsters send forged GSTIN registration certificates to vendors, requesting that future invoice payments be routed to a new bank account. Verify every bank account change request by calling the vendor's known number — not a number supplied in the email — and cross-checking the GSTIN on gst.gov.in/services/searchtp.

Phishing Emails and Refund SMS: Anatomy of an Attack

A typical refund phishing attempt in 2026 looks like this:

> "CBDT: Your income tax refund of Rs. 22,340 for AY 2027-28 is ready. Bank account not validated. Click here to update: [malicious link] — IT Dept helpline 1800-XXX-XXXX"

The message is effective because:

• The refund amount is plausible (not suspiciously large).
• "AY 2027-28" is the current assessment year, lending credibility.
• The call to action ("bank account not validated") triggers action without requiring you to question the premise.
• The helpline number in the message connects to the scammer, not the real department.

What actually happens when you click: The link opens a replica of the e-filing portal asking for your PAN, Aadhaar and bank account number. Some variants install malware that harvests saved passwords and OTPs from your phone. Your bank account is then drained within hours.

The real process: Log in to incometax.gov.in directly. Navigate to My Account → Refund/Demand Status. If a refund is due, it will appear there. If your bank account needs validation, the portal will prompt you — not an SMS.

Protecting Your KYC and Identity Data

Most tax scams begin not with a sophisticated hack but with leaked personal data. PAN numbers, Aadhaar numbers and mobile numbers are sold in bulk from breached databases. Here is how to reduce your exposure:

• Aadhaar masking: Use a Masked Aadhaar (which shows only the last four digits) wherever a full Aadhaar is not mandatory. Download from myaadhaar.uidai.gov.in.
• Monitor your AIS regularly: Log in to the e-filing portal → AIS/TIS module. Review every reported transaction. If you see income, interest or capital gain that you did not earn, someone may be misusing your PAN to inflate their own transaction records or siphon refunds. Raise a feedback dispute immediately.
• Two-factor authentication (2FA): Enable it on your e-filing account, email account and all banking apps. This one step breaks the majority of credential-stuffing attacks.
• Secure document transfer: When sending Form 16, bank statements or ITR copies to your CA or bank, use password-protected PDFs or a secure cloud link (Google Drive with restricted sharing, for instance). Avoid open WhatsApp forwards of sensitive documents.
• Check your Form 26AS and AIS before anyone else does: If a fraudster has filed a return in your name and claimed a refund, it may show up as an AIS entry before you have even started your own filing.

Worked Example: What Panic Cost One Taxpayer

Consider a salaried professional — let us call him Mr. A — with a legitimate refund of Rs. 18,500 for AY 2027-28 arising from excess TDS deducted by his employer.

A scammer, having obtained Mr. A's mobile number and PAN from a leaked database, sends this SMS:

> "IT Dept: Refund of Rs. 62,800 approved for AY 2027-28 but error in bank record. Share OTP received to credit now."

Mr. A, delighted at a refund larger than he expected, calls the number. The caller says a "one-time verification OTP" must be shared to "unlock" the refund. Mr. A shares the OTP. The OTP was actually an authorisation for a net-banking transaction of Rs. 38,000 from his savings account. The money is gone within minutes.

The damage tally:

• Cash lost to fraud: Rs. 38,000
• Legitimate refund still pending (unaffected, but now delayed due to grievance process): Rs. 18,500
• Net position: Rs. 19,500 worse off than before the call
• Time lost: 4–6 weeks navigating bank fraud investigation and cybercrime complaint

What Mr. A should have done: Ignored the SMS, opened incometax.gov.in directly, checked his Refund Status (showing Rs. 18,500 — not Rs. 62,800), confirmed his pre-validated bank account was correct, and done nothing further.

The rule this example proves: Genuine refunds do not require OTPs from you. The bank transfer is initiated entirely by the CPC (Centralised Processing Centre) on its own system.

Common Pitfalls to Avoid

Even taxpayers who recognise obvious scams can fall into subtler traps:

1. Paying a penalty to avoid a penalty. A caller says your TDS default under Section 201 will attract Rs. 1,50,000 in interest if not "settled" immediately for Rs. 40,000. Real TDS demands appear in TRACES (tdscpc.gov.in) and are payable as Challan 281 — not to any individual account.

2. Sharing the ITR acknowledgement slip. The acknowledgement slip (ITR-V) contains your PAN and assessment-year-specific data. Scammers use it to create convincing personalised phishing messages. Share it only with your bank (for loan processing) or your CA.

3. Assuming a notice with your correct name and address is real. Scammers buy or scrape personal data. A notice with your exact name, address and partial PAN is not automatically genuine. Run the DIN check regardless.

4. Filing a revised return at a scammer's suggestion. Some fraudsters offer to "legally increase your refund" by filing a revised return. Any return filed under your PAN is your legal responsibility. False claims under Section 80C, 80D or the capital-gains exemptions expose you to penalty under Section 270A — 50% of the tax on under-reported income, and 200% if the misreporting is deliberate.

5. Ignoring the AIS mismatch. If your AIS shows income you did not earn, do not simply accept it. Raise a feedback dispute through the AIS module. Leaving it unaddressed creates an apparent tax liability that scammers can then use as leverage ("you owe Rs. X — we can settle it").

How to Handle a Genuine Income Tax Notice Without Treating It Like a Scam

Genuine notices deserve a systematic response, not panic — and certainly not the services of a self-appointed "tax agent" you have never met.

Identify the section: The notice will cite the specific provision — for example, Section 139(9) (defective return), 142(1) (inquiry before assessment), 143(2) (scrutiny selection), 148 (reopening of assessment) or 156 (tax demand). Each section triggers different rights and timelines.

Log in and verify: Confirm the notice appears in your e-Proceedings module with a matching DIN before doing anything else.

Note the response deadline: Scrutiny notices under Section 143(2) must be replied to through the portal. Demand notices under Section 156 carry a 30-day payment or objection window. Missing these creates fresh interest liability under Sections 220 and 234B.

Compile your documents: For an AY 2027-28 scrutiny, you will typically need: Form 16/16A, Form 26AS, AIS/TIS printout, bank statements for FY 2026-27, investment proofs (Section 80C receipts, health insurance premium receipts for 80D), and any capital-gains computation with purchase/sale deeds.

Respond in writing through the portal: Every response submitted through the e-Proceedings module carries a time-stamp and acknowledgement. Oral conversations with an assessing officer carry no evidentiary weight. Written portal submissions do.

Extension requests: If you need more time, file a formal written request for extension through the portal before the original deadline. Most assessing officers accommodate a reasonable, first-time extension request when asked formally in advance.

What to Do If You Are Targeted

If you have received a suspicious communication or, worse, already transferred money or shared credentials:

1. Call your bank immediately — most banks can freeze a transaction within 2–4 hours if reported promptly. Use the national cybercrime helpline 1930 to also flag the receiving account.
2. Report to the cybercrime portal: cybercrime.gov.in — file a Financial Fraud complaint with transaction details (UTR number, recipient UPI ID or account number, amount, time).
3. Email the CBDT nodal address: [email protected] for fake IT notices; [email protected] for phishing emails or malicious links.
4. Report suspicious SMS to TRAI: Forward to 1909 (Do-Not-Disturb and spam reporting service).
5. File a grievance on the e-filing portal: Under e-File → Grievances → Submit Grievance, select the relevant category and describe the fraudulent communication. If someone has filed a return or claimed a refund using your PAN, use the Reset Password and PAN escalation pathway and notify CPC Bengaluru at [email protected].
6. Preserve evidence: Screenshot every message, note every call log, save every email header. Cybercrime investigations depend on digital evidence, and the first 48 hours are critical.

Key Takeaways

• No DIN = not a genuine income tax notice. Verify every DIN on the e-filing portal before taking any action. One check takes under two minutes.
• Genuine refunds need nothing from you. If your pre-validated bank account is linked correctly, the CPC credits the refund automatically. No OTP, no fee, no agent.
• GST ITC fraud rebounds on you. Accepting fake ITC from a shell supplier makes you jointly liable under CGST Section 74, with penalty up to 100% of the ITC claimed plus interest at 18%.
• AIS and TIS are your early-warning system. Review them quarterly, not just at filing time. Unrecognised entries should be disputed immediately, not ignored.
• Section 270A makes "harmless" refund inflation expensive. A dishonest agent who inflates your refund by Rs. 30,000 can expose you to a penalty of Rs. 15,000 to Rs. 60,000 plus the demand plus interest — far exceeding any gain.
• The national cybercrime helpline is 1930, not a WhatsApp number. Save it. Report fraud within the hour — the faster you report, the higher the probability of freezing the fraudulent account.
• Skepticism, not haste, is the correct reflex. Every genuine tax proceeding gives you days or weeks to respond. Any communication demanding action within hours is almost certainly fraudulent.