Today I’m reporting on a scam affecting HMRC, in which our wonderful tax authority has admitted that it has lost a minimum of £50m, with around 100,000 accounts being hit in a sophisticated phishing fraud.
The scam by cybercriminals occurred in 2024, with the perpetrators using stolen personal data to access or create thousands of online tax accounts. It has only just come to light after a probe by the Treasury Select Committee, during which senior tax officials admitted to the committee that they’d been scammed and they could not yet be certain if they’d fully repaired the breach in their online security measures.
What happened?
The criminals used data harvested through phishing scams to either set up new HMRC accounts or hijack existing ones, with the goal of fraudulently claiming tax repayments. “This was organised crime phishing for identity data obtained from HMRC systems,” said newly appointed HMRC chief executive John Marks.
“They then tried to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account.” Deputy chief executive Angela MacDonald added: “At the moment, they’ve managed to extract repayments to the tune of £50m. Now that is a lot of money, and it’s very unacceptable.”
The only good news arising from this major breach of HMRC’s cyber-security is that despite the scale of the attack, HMRC have said no individuals have suffered any financial loss. “These are attempts to claim money fraudulently from HMRC, not from customers,” a spokesperson said in a statement.
Criminal investigation
The MPs on the committee were told that a major investigation was underway and that several arrests have already been made. HMRC also informed the MPs that they have locked all the affected accounts, deleted compromised credentials, and are now writing to those affected to confirm that their details have been secured.
MacDonald (Little Ange) stressed that this was not a cyberattack on HMRC itself: “We have not been hacked,” she said. “We have not had data extracted from us. This was not a cyberattack, it was phishing activity with credentials obtained elsewhere.” She added that as the fraud unfolded, criminals evolved their methods:
“The nature of the attack altered through the year. As we were closing it down, they were moving their MO over… and it took a lot of action to tackle the perpetrators.” Fraudsters created new accounts in the names of individuals who had never set up an HMRC digital account before, making it difficult for tax officials to identify unauthorised activity without additional identity checks.
“What has been a challenge in terms of cleaning the accounts up is being clear that we were then talking to the genuine customer and not in fact talking to the criminal who was on the other end of the phone line,” Little Ange said. She also told MPs that the Information Commissioner’s Office was aware of the incident and had given advice on its handling.
MPs angry at not being told
The head of HMRC, John Marks (Big John), and his officials were heavily criticised by the Committee for not notifying it directly of the breach, with the MPs only finding out about the fraud from press and media reports. They told Big John that he had more questions to answer about the incident and the committee expected to be fully informed of all future developments.
Jason Croke, VAT Director at Rayner Essex, said: “When HMRC are covering up such big errors, you just know it’s time for HMRC to have a root and branch reform.” Big John responded by stating that improving HMRC’s digital resilience was a key priority under his new administration, along with better service levels.
Marks then said that HMRC was preparing to reintroduce multi-factor authentication (MFA) after a spate of fraud attempts targeting accountants, but he didn’t say when. Little Ange then told MPs that protecting HMRC’s systems is a constant effort. “We are always grappling with a level of threat,” she said.
“We are living in an environment where every single organisation is facing some kind of cyber threat. It’s a continuing piece of work to invest in our systems and try to outpace the criminals.” In the 2023/24 tax year, she claimed that HMRC had prevented £2bn worth of attempted fraud across all systems, but without giving any specific details.
Online security
Big John Marks has taken over the reins at HMRC at a time when it faces renewed scrutiny over the reliability of its digital infrastructure, especially as Making Tax Digital (MTD) is currently being rolled out. Whilst MTD is intended to modernise tax compliance and reduce the tax gap, the programme has faced persistent delays, shifting deadlines, and concerns over system usability.
The government is expected to allocate additional resources to HMRC’s digital transformation programme at the next budget but has not said how much or when.
Other taxpayers have been affected
The reason that the media picked up on the widespread phishing fraud was that earlier this year many ordinary taxpayers and micro businesses were finding that repayments of tax were not appearing in their bank accounts as they had expected. When these individuals contacted HMRC, usually by phone, they were invariably fobbed off, with no explanation given.
Indeed, I recall a case in April 2025 when a subcontractor client of ours, who’d had tax deducted under the CIS construction scheme and who hadn’t received his anticipated refund, called us for help. When my colleague called the HMRC agents’ direct line to query this, he was told: “We are not able to respond to requests for repayments by telephone or via the chatbot on our website.” We then quickly found out from our AccountingWEB forum that they’d just become aware of the widespread phishing fraud.
Accountant’s view
In writing today’s blog, I am surprised that I was not, for once, commenting on yet another example of HMRC’s incompetence. That being said, what is clear is the need to urgently beef up their cyber security measures, especially on MFA. This, however, will need a healthy chunk of additional money, but will Rachel Reeves oblige?




