A fake tax refund email can look convincing because it uses words people already associate with the Bureau of Internal Revenue: “refund,” “TIN,” “eFPS,” “eServices,” “taxpayer verification,” or “final notice.” The danger is that the email usually has one purpose: to make you click a link, open an attachment, or enter your bank, credit card, GCash, Maya, or online banking details. In the Philippines, real tax refunds follow formal BIR procedures. They are not released through random email links asking for passwords, one-time PINs, or wallet credentials.
What a fake tax refund email usually does
A fake tax refund email is a form of phishing. Phishing means a scammer pretends to be a trusted person or institution to trick you into giving sensitive information or transferring money.
In a Philippine tax refund scam, the email may claim that:
- you have an “unclaimed BIR refund”;
- your refund will expire unless you act within 24 hours;
- your TIN needs “revalidation” before release of funds;
- you must pay a “processing fee” before receiving the refund;
- you must log in to a fake BIR, bank, or e-wallet page;
- your account will be suspended if you do not verify immediately.
The BIR has warned the public about malicious emails that appear to come from the BIR and solicit sensitive personal information such as bank account details and mobile wallet credentials. The BIR’s warning is simple: do not click the link or attachment; close and delete the message.
Why fake BIR refund emails are especially dangerous
Tax refund scams work because they feel believable. Many employees, freelancers, business owners, and foreigners with Philippine tax obligations know that tax refunds can happen. What they may not know is how refunds are actually processed.
A scammer takes advantage of that uncertainty. Instead of explaining the real process, the email creates urgency:
“Your ₱18,740.00 tax refund is ready. Confirm your bank account now.”
That is the trap.
A legitimate refund process does not require you to give your online banking password, OTP, card CVV, or e-wallet PIN through an email link. A real government process also leaves a paper trail: filed tax returns, BIR forms, official receipts or payment confirmations, supporting documents, and communication with the proper BIR office.
How real tax refunds work in the Philippines
A helpful way to spot a fake tax refund email is to compare it with how real refunds are handled.
For employees
Many regular employees do not personally file a BIR refund claim. Excess withholding tax is usually handled through the employer’s year-end adjustment or annualization process. The employee’s BIR Form 2316 shows compensation income and taxes withheld.
If an employee is entitled to a refund because too much tax was withheld, the usual first source of information is the employer’s payroll or HR department, not a random email asking for bank credentials.
For self-employed individuals, professionals, corporations, and other taxpayers
Formal claims for tax credit or refund are generally handled through the BIR. For claims under Section 204(C) in relation to Section 229 of the National Internal Revenue Code, as amended by the Ease of Paying Taxes Act, the taxpayer files a written claim using the required BIR form and supporting documents. BIR issuances on these refunds refer to BIR Form No. 1914, submission to the Revenue District Office or Large Taxpayers office with jurisdiction, complete documentary requirements, and the two-year prescriptive period from payment of the tax or penalty. (Lawphil)
For VAT refunds and other special refund situations
VAT refund claims and other specialized refunds have their own procedures, documentary requirements, and processing offices. These are document-heavy processes. They do not start with a surprise “click here to claim your refund” email.
| Situation | Usual legitimate route | Red flag if the email says this |
|---|---|---|
| Employee over-withholding | Employer year-end adjustment and BIR Form 2316 | “Enter your GCash PIN to receive your BIR refund” |
| Business tax refund | BIR Form 1914 and supporting documents filed with the proper BIR office | “Refund approved without any filing; confirm your bank password” |
| VAT refund | Formal VAT refund claim with required schedules and documents | “Upload your online banking login to release VAT refund” |
| Foreigner or expat with Philippine tax issue | Proper BIR registration, tax return, withholding document, or representative filing | “Foreign taxpayer refund requires card verification fee” |
Legal basis: why this can be a crime in the Philippines
Fake tax refund emails may violate several Philippine laws, depending on what the scammer did and what damage was caused.
Cybercrime Prevention Act — Republic Act No. 10175
Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, covers computer-related offenses. Its implementing rules include computer-related forgery, computer-related fraud, and computer-related identity theft. Identity theft includes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of another person’s identifying information without right. (Supreme Court E-Library)
A fake BIR email may fall under cybercrime rules when it uses computer systems, fake websites, electronic communications, or stolen digital credentials.
Revised Penal Code — estafa and falsification
The Revised Penal Code may also apply. Estafa under Article 315 punishes fraud or deceit that causes damage. If the scammer uses fake documents, fake certifications, or false representations, provisions on falsification may also become relevant. The exact charge depends on the evidence and how the scam was carried out.
Anti-Financial Account Scamming Act — Republic Act No. 12010
Republic Act No. 12010, the Anti-Financial Account Scamming Act, is especially relevant when the scam involves bank accounts, credit cards, payment accounts, or e-wallets. The law defines financial accounts to include bank accounts, credit card accounts, e-wallets, and similar accounts. It also penalizes social engineering schemes, including using electronic communications to obtain another person’s sensitive identifying information. (Lawphil)
This matters because many fake tax refund emails do not merely steal your tax information. They try to take over your financial account.
RA 12010 also allows institutions to temporarily hold funds subject of a disputed transaction for a period prescribed by the BSP, not exceeding 30 calendar days unless extended by a court. This is why speed matters when money has already been transferred. (Lawphil)
Data Privacy Act — Republic Act No. 10173
Republic Act No. 10173, or the Data Privacy Act of 2012, protects personal information and sensitive personal information. The National Privacy Commission may receive complaints involving privacy violations or personal data breaches. (National Privacy Commission)
A fake tax refund email may involve data privacy issues if personal data was unlawfully collected, misused, disclosed, or used to enable identity fraud.
SIM Registration Act — Republic Act No. 11934
Some scams start by email and continue by SMS, phone call, or messaging app. Republic Act No. 11934, the SIM Registration Act, defines spoofing as transmitting misleading or inaccurate information about the source of a call or text message with intent to defraud, cause harm, or wrongfully obtain anything of value. (Supreme Court E-Library)
Red flags that a tax refund email is fake
1. The email asks for your password, OTP, PIN, CVV, or recovery code
This is the biggest warning sign. Treat the email as fake if it asks for:
- online banking username or password;
- GCash, Maya, bank, or credit card OTP;
- ATM PIN;
- CVV or card expiry date;
- recovery codes;
- selfie verification through a suspicious link;
- scanned IDs uploaded to a non-government website.
No refund should require you to surrender access to your financial account.
2. The sender name says “BIR” but the email address is wrong
Scammers can make the display name look like “Bureau of Internal Revenue” even if the actual email address is fake.
Look carefully for:
- misspelled domains;
- Gmail, Yahoo, Outlook, or random business email addresses;
- lookalike domains such as
bir-govph-refund.com; - extra words like
secure-bir,bir-refunds, ortaxpayer-portal-ph; - foreign domains unrelated to the Philippine government.
Even if an email appears to use a government name, do not rely on the display name alone. Spoofing can make an email look more official than it really is.
3. The link does not go to an official government site
Hover over the link without clicking. On mobile, long-press carefully only if you can preview the link without opening it.
Be suspicious of links that:
- use shortened URLs;
- redirect several times;
- use unusual domains;
- contain misspellings;
- ask you to log in outside the official BIR website;
- open a page that copies the BIR logo but has a strange web address.
A fake website can look polished. The logo alone proves nothing.
4. The message creates panic or artificial urgency
Scam emails often say:
- “Claim within 12 hours.”
- “Final notice before forfeiture.”
- “Your TIN will be suspended.”
- “Failure to verify will result in penalties.”
- “Your refund is approved but pending bank authentication.”
Real government processes may have deadlines, but they do not require you to panic-click a suspicious link.
5. The email promises a refund you never applied for
If you are an employee and your taxes are handled through payroll, ask your employer first. If you are a freelancer, professional, corporation, or VAT-registered business, check whether you actually filed a refund or tax credit claim.
A surprise refund is not impossible, but a surprise email requiring your bank credentials is a major red flag.
6. There is a “processing fee” or “release fee”
A scam may ask you to pay ₱50, ₱500, or ₱2,000 to release a refund. This is often designed to get you comfortable with making a small payment before larger unauthorized transactions follow.
7. The attachment is unusual
Be careful with attachments ending in:
.html.shtml.zip.rar.exe.scr.js- password-protected compressed files
Some phishing emails use attachments to open fake login pages or install malware.
Step-by-step: how to check if a BIR refund email is real
Do not click the link or open the attachment. Start from the assumption that the email may be fake.
Check your actual tax situation. Ask: Did you file a refund claim? Did your employer tell you about a year-end adjustment? Did your accountant submit BIR Form 1914 or a VAT refund claim?
Open the BIR website separately. Type the address yourself instead of clicking the email. The official BIR website lists contact details, eServices, and the eComplaint system. (Bureau of Internal Revenue)
Contact the proper BIR office or your RDO. If the email mentions a specific RDO, verify through the BIR directory or official contact channels, not through the contact details inside the suspicious email.
For employees, ask payroll or HR. A real employee tax refund usually appears through payroll records and BIR Form 2316, not through a separate “BIR refund release” email.
For businesses, check your filed documents. Look for the filed return, proof of payment, BIR Form 1914 if applicable, receiving stamp or electronic filing confirmation, and any official BIR communication.
Check whether the email asks for financial credentials. If yes, treat it as fake regardless of how official it looks.
Preserve evidence if money or data was compromised. If nothing happened and you do not need to report it, follow the BIR warning and delete it. If you clicked, entered data, or lost money, keep evidence before deleting.
What to do if you clicked a fake tax refund email
Clicking a link is not always the same as being hacked, but you should act quickly.
If you clicked but did not enter information
Do the following:
- Close the page.
- Do not download anything.
- Clear your browser history and cache if the page loaded suspicious scripts.
- Run an antivirus or device security scan.
- Monitor your email, bank, and e-wallet accounts.
- Change passwords if the page asked you to log in or if your browser auto-filled anything.
If you entered your bank, card, or e-wallet details
Act as if the account is already compromised.
- Change passwords using a clean device.
- Enable or reset multi-factor authentication.
- Call your bank or e-wallet provider through official channels.
- Request immediate blocking, freezing, card replacement, or dispute handling.
- Ask for a ticket or reference number.
- Record the exact time you reported the issue.
- Monitor linked accounts and saved cards.
- Escalate to BSP consumer assistance if the financial institution’s response is unresolved or unsatisfactory. BSP guidance says consumers should first report concerns to the financial institution’s Financial Consumer Protection Assistance Mechanism or customer service channel, then escalate to the BSP Consumer Assistance Mechanism if needed. (Bangko Sentral ng Pilipinas)
If you entered your TIN, birthdate, address, or ID documents
Your risk is identity misuse. Take these steps:
- Save a copy of the fake email and website URL.
- Monitor email and mobile accounts for reset attempts.
- Watch for loan, e-wallet, SIM, or bank account alerts.
- Inform your bank or e-wallet if your IDs were uploaded.
- Consider filing a complaint with the National Privacy Commission if personal data was misused or unlawfully processed. NPC complaint rules require a verified or notarized complaint with evidence, and generally require proof that the respondent was first informed in writing and failed to act within 15 calendar days, unless an exception applies. (National Privacy Commission)
Where to report a fake tax refund email in the Philippines
| Where to report | Best for | Practical notes |
|---|---|---|
| BIR official channels or eComplaint | Fake BIR-branded email, fake BIR documents, impersonation of BIR | Use contact details from the official BIR site, not from the suspicious email. |
| Your bank, credit card issuer, GCash, Maya, or other wallet | Unauthorized transfers, account takeover, card misuse | Report immediately and get a reference number. Speed matters for possible fund holding and investigation. |
| BSP Consumer Assistance | Unresolved complaints against BSP-supervised banks, e-wallets, or financial institutions | Report first to the institution’s own consumer assistance channel, then escalate to BSP if unresolved. |
| NBI Cybercrime Division | Cybercrime complaint, identity theft, phishing, account takeover | The NBI website lists a Cybercrime Division contact at ccd@nbi.gov.ph. (National Bureau of Investigation) |
| PNP Anti-Cybercrime Group | Cybercrime complaint, especially if you need a law enforcement report | Regional anti-cybercrime units may receive reports depending on your location. |
| DOJ Office of Cybercrime | Cybercrime coordination, referrals, and cybercrime-related reporting | DOJ rules identify the Office of Cybercrime as a central authority for cybercrime matters. (Supreme Court E-Library) |
| National Privacy Commission | Misuse, unlawful collection, or exposure of personal data | NPC provides formal complaint procedures and downloadable forms. (National Privacy Commission) |
Evidence to save before filing a report
Good evidence can make the difference between a report that moves and a report that stalls.
Save:
- the full email, not just a screenshot;
- sender email address and display name;
- full email headers, if you know how to download them;
- screenshots of the email, link preview, and fake website;
- the URL of the fake website;
- date and time received;
- date and time clicked;
- what information you entered;
- bank, card, or e-wallet transaction details;
- reference numbers from your bank, e-wallet, BIR, BSP, NBI, PNP, or NPC;
- device used;
- mobile number or email address connected to the compromised account;
- copies of IDs submitted, if any;
- names of persons who called or messaged you after the email.
For a formal criminal complaint, you may be asked for a complaint-affidavit. This is a sworn written statement explaining what happened and attaching evidence. If a representative files for you, a Special Power of Attorney may be required. NPC rules, for example, allow representatives with proper authority, and juridical entities may need board authorization and a secretary’s certificate. (National Privacy Commission)
Practical notes for OFWs, foreigners, and people abroad
Tax refund scams often target people outside the Philippines because they may be less familiar with current BIR procedures.
If you are abroad:
- Do not assume an email is real just because it mentions your TIN, old employer, or Philippine bank.
- Verify through the official BIR website or your RDO.
- Ask your Philippine employer, accountant, or authorized representative to check actual filings.
- For formal filings from abroad, ask the receiving office what form of notarization is acceptable. Documents signed abroad may need consular acknowledgment or apostille, depending on the document and where it will be used. The DFA’s apostille system is the official channel for authentication of covered public documents. (Apostille Philippines)
- If the scam involved a Philippine bank, e-wallet, or financial account, RA 12010 may still be relevant. The law covers financial accounts maintained with Philippine institutions, and jurisdiction may exist when elements are committed in the Philippines, Philippine infrastructure is used, damage is caused to a person in the Philippines, or the financial account is maintained with an institution operating in the Philippines. (Lawphil)
Common mistakes that make the damage worse
Deleting everything immediately after losing money
The BIR advisory says not to click and to delete suspicious emails. That is sensible if nothing happened. But if you already entered details or lost money, preserve evidence first. Investigators, banks, and e-wallet providers may need the original email, headers, screenshots, URLs, and timestamps.
Calling the number inside the suspicious email
A fake email may include a fake “BIR hotline.” Use official sources only. Scammers often operate in layers: email first, then a phone call pretending to help.
Sending IDs again “to reverse the transaction”
After the first phishing attempt, scammers may send a second message pretending to be fraud support. They may ask for another selfie, another OTP, or another ID upload. Do not continue the conversation through the scammer’s link.
Posting your TIN, email, phone number, or bank screenshot publicly
Many victims post on social media to warn others. That is understandable, but cover your TIN, account number, QR code, email address, phone number, transaction reference, and ID details before posting.
Waiting too long to report unauthorized transfers
For bank and e-wallet fraud, minutes can matter. RA 12010 recognizes temporary holding and coordinated verification of disputed transactions. The faster you report, the better the chance that an institution can trace or hold funds that have not yet moved out of the system. (Lawphil)
Frequently Asked Questions
Is a BIR tax refund email asking for my bank details real?
Treat it as fake if it asks for your bank password, OTP, e-wallet PIN, card CVV, or online banking login. The BIR has specifically warned against malicious emails that solicit bank account details and mobile wallet credentials.
Does the BIR send emails?
The BIR may use email for some official communications and taxpayer transactions, especially where a taxpayer has an existing filing, registration, inquiry, or RDO communication. But that does not mean every email using the BIR name is real. A refund email asking you to click a link and enter financial credentials is a major red flag.
How do I know if I really have a tax refund?
Check the source of the possible refund. Employees should check payroll, year-end adjustment, and BIR Form 2316. Businesses and professionals should check filed returns, proof of payment, BIR Form 1914 if applicable, and communications with the proper BIR office. Do not rely on a surprise email.
What if the email uses the BIR logo?
A logo proves nothing. Scammers can copy logos, signatures, QR codes, and letterheads. Verify through the official BIR website, your RDO, your employer, or your tax records.
I clicked the link but did not type anything. Am I safe?
You may be safe, but still check your device. Close the page, do not download anything, run a security scan, and monitor your accounts. If the page downloaded a file or asked for browser permissions, treat it more seriously.
I entered my OTP. What should I do first?
Contact your bank, card issuer, or e-wallet provider immediately using official channels. Ask them to block or freeze the account, dispute unauthorized transactions, and issue a reference number. Then change passwords from a clean device and preserve evidence.
Can scammers go to jail for fake tax refund emails?
Yes, depending on the facts. Possible laws include RA 10175 on cybercrime, RA 12010 on financial account scamming, the Revised Penal Code on estafa or falsification, and other special laws. The exact offense depends on what the scammer did, what information was stolen, and whether money or identity documents were misused.
Can I recover money sent because of a fake tax refund email?
Recovery is possible in some cases, but it is not guaranteed. Report immediately to the financial institution so it can trace, block, or hold disputed funds if still possible. If the institution’s response is unresolved, BSP consumer assistance may be available for BSP-supervised institutions.
Should I report the fake email even if I did not lose money?
Reporting helps agencies and institutions detect patterns, block fake sites, and warn the public. If you report, save the email, sender details, links, and screenshots. If you do not report and nothing was compromised, delete the email without clicking anything.
Key Takeaways
- A real Philippine tax refund is not released by giving your password, OTP, PIN, CVV, or e-wallet credentials through an email link.
- The BIR has warned against malicious emails that appear to come from the BIR and ask for sensitive bank or mobile wallet information.
- Real BIR refund claims usually involve formal documents, proper BIR offices, and supporting records, not surprise “claim now” emails.
- Fake tax refund emails may involve cybercrime, estafa, identity theft, data privacy violations, and financial account scamming under Philippine law.
- If you clicked but entered nothing, secure your device and monitor your accounts.
- If you entered financial details or lost money, report immediately to your bank or e-wallet provider and preserve evidence.
- OFWs and foreigners should verify through official BIR channels and be careful with foreign-notarized documents, apostille, or representative authority when formal filings are needed.
- The safest rule is simple: do not click refund links from unexpected emails; verify separately through official channels.