Income Tax Refund Scam in India: What Real IT Department Communications Look Like
It’s late July. You filed your ITR a few weeks ago, on the deadline like everyone else. An SMS arrives: “IT Department: Your refund of ₹14,520 is approved. Update bank details to receive within 24 hrs: [link].” The amount is plausible. The timing matches your filing. You tap.
This is one of the highest-volume Indian SMS scams between July and December every year, peaking right after the ITR-filing deadline when millions of Indians are genuinely expecting refunds. This guide covers how the scam works, how the real Income Tax Department actually communicates, and four checks that catch every variant, refund-promise, outstanding-demand, GST-officer, the lot.
The volume problem
The seasonal cycle is the key insight: between July 31 (the ITR filing deadline) and the end of December (when the bulk of refunds are processed), roughly 90 million Indians are simultaneously expecting a small payment from the IT Department. That collective expectation is the soil this scam grows in. The scammers don’t need a high success rate; they need a small percentage of 90 million.
Three real submissions to ScanTotal’s URL scanner over the past 30 days, lightly redacted:
The three variants, refund approved, refund failed, outstanding demand, cover the full emotional spectrum: the small reward, the small fear of losing the reward, the larger fear of consequences. Different mental triggers, same operational pattern.
How the real IT Department actually communicates
The single most important thing to internalise: the Indian Income Tax Department never sends links via SMS for refund claims or demand payments. The communication architecture is intentionally narrow.
Genuine IT Department touchpoints:
- The e-filing portal at
incometax.gov.in, the single source of truth for your refund status, outstanding demands, intimations, and notices. Every legitimate communication is also reflected here once you log in. - The email address registered with the e-filing portal, intimations under Section 143(1), Section 245 adjustments, and notices arrive here from
noreply@incometax.gov.inor specific official IDs. The email always tells you to log in atincometax.gov.in, it does not embed a payment or claim link. - SMS from registered DLT headers, typically
VK-ITDEFL,VM-ITDEPT, or similar. These SMS contain status updates (“Your refund of ₹X has been credited to your account ending XXXX”) after the action has happened, not links to perform an action. - The TIN-NSDL portal at
tin.nsdl.comfor tax-payment-specific actions, but again as a place you log in to, not a link sent to you.
What the IT Department never does:
- Send a clickable link to “claim” a refund, the refund processes automatically to your pre-validated bank account.
- Ask you to re-share your PAN, Aadhaar, or bank account details via SMS or link, they already have all of it.
- Demand a 24-hour payment under threat of asset freeze, recovery proceedings have a defined multi-stage timeline.
- Use bit.ly, tinyurl, or any URL shortener for any official communication.
Real vs scam, side by side
Real IT Department SMS
Sender: 6-character DLT header (e.g. VK-ITDEFL, VM-ITDEPT).
Content: Confirmation after the fact ("Refund of X credited to A/C ending XXXX").
Link: None, or only to incometax.gov.in.
Tone: Informational. No deadline.
Asks for: Nothing. The action is already complete.
Scam SMS
Sender: 10-digit mobile number, or non-DLT header.
Content: Action required from you ("Click to claim refund").
Link: Not incometax.gov.in, lookalike or shortener.
Tone: Urgent. 24 hours. Failure costs money.
Asks for: PAN, bank account, OTP, sometimes AnyDesk install.
Four checks that catch every variant
1Sender format
Real Income Tax Department SMS comes from registered DLT headers in the ITDEFL, ITDEPT, or similar family. Never a 10-digit mobile number. If the message arrives from +91 9XXX XXX XXX, it’s not the IT Department, regardless of how official the wording sounds.
2Link destination
Long-press the link (don’t tap) to preview where it actually goes. The only legitimate IT Department domain for refund-related actions is incometax.gov.in (the .gov.in TLD is restricted to Indian government bodies). For tax-payment-specific actions there’s also tin.nsdl.com. Anything else, itdept-refund.online, incometax-india.xyz, tin-nsdl.in-online.com, or a URL shortener, is impersonation. If unsure, paste the link into ScanTotal’s URL scanner to see the resolved destination.
3Verify by logging in directly
Type incometax.gov.in into your browser yourself. Log in with your PAN and password. If a refund is genuinely on its way, you’ll see its status in your dashboard. If there’s a genuine demand, you’ll see that too. The portal is the source of truth, the SMS is at best a notification, never an authoritative instruction.
4Never share OTP or install remote-access apps
If a “tax officer” calls and asks you to share an OTP or install AnyDesk / TeamViewer to “complete the refund process”, hang up immediately. The IT Department does not work this way. The CBDT has specifically warned against this remote-access variant, which is the same playbook the bank-KYC scammers use.
The GST-officer variant
The same operators sometimes run a parallel campaign impersonating GST officers. The script: a caller claims to be a GST officer following up on your business’s GST return. They name your business correctly (lifted from public GST filings). They reference a small “discrepancy” that requires immediate payment, otherwise GST registration will be suspended.
Real GST officers exist and do conduct legitimate work, but the engagement pattern is meaningfully different:
- Real GST queries come through the GST portal at
gst.gov.in, with formal notices accessible to your account holder. - Suspension proceedings have a defined process with show-cause notices and response windows of 7-30 days, not 24 hours.
- No real GST officer asks for payment via UPI or a personal bank transfer over the phone. Payments go to the government’s e-payment portal.
- If a caller insists on a payment to release a refund or avoid a suspension, hang up and verify by logging into
gst.gov.indirectly.
If you’ve already responded
Whether you clicked a link and entered details, or paid a “refund release fee”, the response is the same:
- Call your bank’s anti-fraud line on the number printed on the back of your debit card. Ask them to flag the account, watch for unauthorised transactions, and block any compromised cards.
- Change your net-banking, UPI, and e-filing passwords from a different, clean device.
- Log into
incometax.gov.indirectly and check for any unauthorised changes to your registered bank account, phone number, or email. If anything has been changed without your authorisation, the portal’s grievance mechanism can help reverse it. - File at cybercrime.gov.in and call 1930. If you paid money in the past hour, the helpline can sometimes recall the transaction before the receiving account drains it.
- Monitor your CIBIL report over the following weeks for new credit applications in your name. PAN-based identity theft often surfaces months after the initial scam.
Why this scam keeps working
The honest answer: most Indians genuinely do not know exactly what an IT Department SMS looks like, because most Indians don’t see many of them. Refund SMS arrive once a year, if at all. The familiarity gap is what the scam exploits.
Closing that gap is the single most useful thing this article can do. Internalise the four checks above, sender, link, login-verify, no-OTP, and you’re immunised against the entire family of these scams, not just the variants circulating this month. The script-writers can rotate brands and amounts forever; the structural signature stays the same.
The IT Department itself is improving the gap, slowly. The Annual Information Statement (AIS), pre-filled returns, and the unified e-filing portal have made the legitimate experience smoother and more recognisable. The Central Board of Direct Taxes (CBDT) issues regular advisories about phishing campaigns. The infrastructure is there. What’s missing is the customer-side knowledge of what real communication looks like, and that’s what the four checks above provide.
Got an "IT refund pending" SMS?
Paste the link into ScanTotal and we’ll tell you whether it’s the real incometax.gov.in or an impersonation.