HMRC Cyber Attack

HM Revenue & Customs (HMRC) were a victim of a major fraud incident. Criminals managed to steal approximately £47 million from HMRC by exploiting over 100,000 taxpayers’ online accounts. They did this not by hacking HMRC’s computers, but by phishing – tricking people into revealing their login details – and then impersonating those taxpayers on HMRC’s online system. Using the stolen credentials, the scammers filed fake tax rebate claims and had HMRC pay out money that was never actually owed. Importantly, HMRC has confirmed that no individual taxpayer’s bank account was directly accessed or drained in this scam. In other words, the criminals stole from HMRC itself (the public purse) via bogus refunds, rather than stealing from the taxpayers’ own funds.

HMRC discovered the fraud and has since contacted the roughly 100,000 affected individuals, assuring them that their accounts have been secured and that they won’t lose any money personally. In this blog post, we’ll break down what happened in plain language, explain how the phishing scam worked, clarify why taxpayers didn’t directly lose money, and look at how HMRC responded. We’ll also discuss the broader issue of impersonation-based fraud in today’s digital world and share tips on how you can stay vigilant against phishing and identity theft scams.

What Happened in the £47 Million HMRC Fraud?

This fraud was an “organised crime” scam targeting HMRC’s online self-assessment tax system. The criminals gained access to a large number of HMRC online accounts belonging to ordinary taxpayers – about 0.2% of PAYE taxpayers, which is around 100,000 people. Once they had control of these accounts, the fraudsters pretended to be the legitimate taxpayers and filed phoney tax refund claims in their names. In many cases, HMRC’s system paid out these false rebates, adding up to a total of roughly £47 million lost to the scammers.

To put it simply, the thieves masqueraded as taxpayers who were owed a tax refund, tricking HMRC into issuing payments. Because the scammers were claiming refunds from the government, the money came from HMRC’s coffers. Affected taxpayers did not have money taken out of their own bank accounts – they were mostly unaware that anything was happening at all. In fact, many of the people whose accounts were used didn’t even know they had an online tax account set up (since if you’re on Pay-As-You-Earn taxation, an account might exist for you even if you’ve never logged into it). This made it easier for the fraud to go unnoticed, because those individuals weren’t actively monitoring accounts they never used.

By the time HMRC caught on, the criminals had already siphoned off tens of millions of pounds. The good news is that when HMRC realised what was happening, they moved to stop the fraud and secure everyone’s accounts – and they have made it clear that no individual will face financial loss from this incident. The loss falls on HMRC (and by extension, the public funds), not on the 100,000 taxpayers whose identities were misused.

Phishing for Tax Accounts: How Did the Criminals Break In?

Phishing was the key to this entire scam. In a phishing attack, criminals send fake but convincing-looking messages (often emails or texts) to trick people into providing personal information like usernames, passwords, or one-time passcodes. The scammers might pose as a trusted organisation, such as a bank, an e-commerce site, or in this case HMRC, and lure people to click a malicious link or fill out a bogus form.

In the HMRC fraud, officials say the criminals obtained users’ HMRC login details through phishing tactics or data leaks outside of HMRC’s own systems. In other words, HMRC itself wasn’t hacked – instead, people were tricked into handing over their HMRC account credentials (or perhaps the scammers found those details in databases from other breaches). Armed with real usernames and passwords, the fraudsters could log in to taxpayers’ online accounts just as if they were the legitimate users. HMRC’s deputy chief executive Angela MacDonald explained that the criminals were essentially “masquerading as the customer” using stolen credentials.

Using those credentials, the attackers either took over existing accounts or, in some cases, created new online accounts for individuals who hadn’t made one yet. Once they had access, they updated the account details (for example, adding their own bank information) and submitted fake refund requests in those people’s names. All of this was possible because the scammers had gathered enough personal data (through phishing emails, calls, or other tricks) to fool the login process. As a result, HMRC’s systems thought it was dealing with genuine taxpayers when in reality it was criminals operating from the shadows.

It’s important to note that this wasn’t a sophisticated technical hack on HMRC’s databases. A senior HMRC official stressed that “this was not a cyber-attack” on their infrastructure – no firewall was breached, and no HMRC data was stolen directly from their servers. Instead, the incident relied on the oldest trick in the cybercrime book: conning people into divulging their secrets. By targeting the human element (through phishing and possibly malicious software like info-stealing malware), the attackers found an easier path in than attacking HMRC’s computers head-on. This is a common pattern in modern cybercrime – why crack a secure system when you can log in with a stolen password?
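The sequence described in this section (a session from a device the account has never seen, a change of bank details, then a refund claim, frequently on an account the real taxpayer never used) is exactly the kind of pattern a service operator can watch for. The following is an added example, not code from HMRC or from the original post; the audit-event format, the account and device names, and the seven-day linking window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not HMRC data). Field order:
# (timestamp, account, event, detail). Detail is a 'k=v;k2=v2' string.
SAMPLE_EVENTS = [
    # acct-001: genuine user, familiar device, no bank-detail change -> benign
    ("2024-02-10T08:00:00", "acct-001", "login", "device=dev-A"),
    ("2024-03-01T09:00:00", "acct-001", "login", "device=dev-A"),
    ("2024-03-01T09:05:00", "acct-001", "refund_claim", "amount=410"),
    # acct-002: dormant account, first ever login from an unknown device,
    # bank details changed, claim filed minutes later -> matches the pattern
    ("2024-03-02T22:10:00", "acct-002", "login", "device=dev-Z"),
    ("2024-03-02T22:12:00", "acct-002", "bank_details_changed", "account=new"),
    ("2024-03-02T22:15:00", "acct-002", "refund_claim", "amount=2300"),
    # acct-003: familiar device, bank details changed months before the claim -> benign
    ("2024-01-05T10:00:00", "acct-003", "login", "device=dev-B"),
    ("2024-01-05T10:01:00", "acct-003", "bank_details_changed", "account=new"),
    ("2024-03-20T10:00:00", "acct-003", "login", "device=dev-B"),
    ("2024-03-20T10:02:00", "acct-003", "refund_claim", "amount=150"),
    # acct-004: account created fresh, bank details and claim at once -> matches
    ("2024-03-03T01:00:00", "acct-004", "account_created", "device=dev-Q"),
    ("2024-03-03T01:01:00", "acct-004", "bank_details_changed", "account=new"),
    ("2024-03-03T01:03:00", "acct-004", "refund_claim", "amount=1800"),
]

# Assumed threshold: how close a bank-detail change or account creation must be
# to a refund claim for the two to be treated as linked.
WINDOW = timedelta(days=7)


def parse_detail(detail):
    """Turn 'k=v;k2=v2' into a dict, ignoring fragments without '='."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def find_suspicious_claims(events, window=WINDOW):
    """Return {account: [reasons]} for refund claims matching the takeover pattern.

    A claim is flagged only when bank details changed within `window` before it
    AND at least one further indicator is present: the session is on a device
    never seen on the account, or the account itself was created within `window`.
    """
    by_account = defaultdict(list)
    for ts, acct, event, detail in sorted(events):
        by_account[acct].append((datetime.fromisoformat(ts), event, parse_detail(detail)))

    flagged = {}
    for acct, timeline in by_account.items():
        seen_devices = set()
        created_at = None
        last_bank_change = None
        session_on_new_device = False
        for when, event, d in timeline:
            if event in ("login", "account_created"):
                device = d.get("device")
                session_on_new_device = device not in seen_devices
                seen_devices.add(device)
                if event == "account_created":
                    created_at = when
            elif event == "bank_details_changed":
                last_bank_change = when
            elif event == "refund_claim":
                bank_recent = last_bank_change is not None and when - last_bank_change <= window
                reasons = []
                if bank_recent:
                    reasons.append("bank details changed within %d days of the claim" % window.days)
                if session_on_new_device:
                    reasons.append("claim filed from a device never seen on this account")
                if created_at is not None and when - created_at <= window:
                    reasons.append("account created within %d days of the claim" % window.days)
                # The bank-detail change alone is normal; require a second indicator.
                if bank_recent and len(reasons) >= 2:
                    flagged.setdefault(acct, []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for acct, reasons in find_suspicious_claims(SAMPLE_EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

The rule deliberately does not fire on a bank-detail change by itself, since genuine customers change banks; it is the combination with an unfamiliar device or a brand-new account that mirrors the pattern above, and those are the claims worth holding for manual review before any payment is issued.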

How HMRC Responded to the Incident

Once HMRC uncovered the scam (which had been running through 2024), they took swift action to contain it and protect taxpayers. Here are the key steps HMRC took in response to the fraud:

  • Locking down affected accounts: HMRC froze or locked about 100,000 online accounts that showed signs of fraudulent activity.

  • Deleting compromised credentials: After locking the accounts, HMRC deleted the login details (passwords, etc.) for those accounts as an extra security measure. Essentially, they reset the accounts.

  • Removing bogus data and claims: HMRC technicians went through the compromised accounts and removed any incorrect information that the fraudsters may have added to the tax records. 

  • Contacting and reassuring taxpayers: The agency began writing to every affected person (around 100k letters) to explain what happened and to reassure them that their account has been secured. The letters also make it clear that no action is required on the taxpayer’s part.

  • Working with law enforcement: They also launched a criminal investigation, working with law enforcement agencies in the UK and even abroad (since such scams often involve international crime rings). This investigation actually began in 2024 as the fraud was uncovered, and it resulted in several arrests of those believed to be involved.

An HMRC spokesperson emphasised that they’ve “secured [customers’] accounts” and are working with other agencies to “bring those responsible to justice.” While £47 million is a significant loss, HMRC also noted that in the past year, they managed to block or prevent around £1.9 billion worth of fraud attempts, showing that attacks like this are happening frequently, and many are stopped in time.

Staying Vigilant: How to Protect Yourself from Phishing and Identity Theft

Incidents like the HMRC fraud are a reminder that we all need to be proactive about our digital security. Here are some friendly, practical tips to help you stay safe online and avoid falling victim to phishing or impersonation scams:

  • Be cautious with unexpected messages: Treat any unsolicited email, text, or call asking for personal information or urging you to click a link with scepticism. Scammers often send emails that look like they’re from a legitimate source (HMRC, your bank, a delivery company, etc.). Double-check the sender’s address and don’t rush to respond. If you get an email about a tax refund or an unpaid bill that you weren’t expecting, it could be a phishing email. Verify it through official channels – for example, log in to your HMRC account by typing the official URL yourself, or call the organisation using a number from their official website (not a number provided in the suspicious message). As a rule, HMRC won’t email you asking for passwords or bank details, so any message that does so is a red flag.

  • Protect your personal information: Think carefully about what information you share and where. Never give out your passwords, one-time codes, or full login credentials in response to an email or text. Legitimate institutions will never ask for your password via email. Also, be mindful of what you post on social media – scammers can gather details like your birthday, pet’s name, or mother’s maiden name, and use those to guess security answers or make their phishing attempts more convincing. Keep personal data private when possible.

  • Use strong passwords and 2FA: Secure your important accounts with strong, unique passwords (avoid using the same password on multiple sites). Consider using a reputable password manager to help with this. Even more importantly, enable two-factor authentication (2FA) or multi-factor authentication (MFA) on your accounts whenever it’s available. This feature adds an extra step (like a code texted to your phone or generated by an app) when you log in, so a password alone isn’t enough to access your account. It can feel like a minor inconvenience, but it dramatically boosts security – even if a hacker steals your password, they’d still need that second factor to break in.

  • Keep an eye on your accounts: For any online accounts you have (including government, banking, email, etc.), it’s wise to check in periodically. Make sure your contact details and settings are correct and look out for any activity you don’t recognise. Many of the taxpayers affected by the HMRC scam had accounts they rarely or never used, so they didn’t notice someone else using them. Simply logging in once in a while and reviewing things can help catch issues early. If your account offers login alerts (notifications when a new device signs in, for example), consider turning those on.

  • Report suspicious communications: If you suspect an email or message is a phishing scam, report it – you’ll be helping others as well as yourself. In the UK, you can forward suspicious emails to the National Cyber Security Centre’s reporting service at report@phishing.gov.uk, and suspicious HMRC-related emails can be sent to phishing@hmrc.gov.uk for them to investigate. Reporting scams helps authorities take down fraudulent sites and warn other potential victims. Likewise, if you think your account has been compromised, inform the service provider (like HMRC, your bank, etc.) immediately so they can secure your account and investigate.
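The first tip above, to type the official URL yourself rather than follow a link, works because a phishing link usually lives on a domain that merely resembles the real one. As an added example that is not part of the original post, here is a small link-triage check in Python; it assumes that the legitimate service sits under gov.uk (the page does not state the exact hostname, so that domain is an assumption) and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the genuine service is hosted somewhere under this registered domain.
OFFICIAL_DOMAIN = "gov.uk"

# Constructed sample links, labelled with the trick each one illustrates.
SAMPLE_LINKS = [
    "https://www.tax.service.gov.uk/account",    # genuine subdomain of gov.uk
    "www.gov.uk/sign-in",                        # scheme omitted, still genuine
    "https://gov.uk.refund-claim.example/login", # official name used as a prefix
    "https://www.gov.uk@evil.example/",          # official name hidden in userinfo
    "http://www.gov.uk/refund",                  # plain http, not https
    "https://www.g\u043ev.uk/",                  # Cyrillic 'о' homoglyph
    "https://hmrc-refunds.example/",             # unrelated domain
]


def classify_link(url, official=OFFICIAL_DOMAIN):
    """Return (verdict, reason); verdict is 'official' or 'suspicious'."""
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # treat a bare address as an https link
    try:
        parts = urlsplit(candidate)
    except ValueError as exc:  # urlsplit rejects some malformed non-ASCII netlocs
        return ("suspicious", "unparseable link: %s" % exc)
    if "@" in parts.netloc:
        return ("suspicious", "text before '@' is ignored by the browser; real host is %s" % parts.hostname)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("suspicious", "no hostname could be parsed")
    if parts.scheme != "https":
        return ("suspicious", "scheme is %s, not https" % parts.scheme)
    if not host.isascii():
        return ("suspicious", "hostname contains non-ASCII characters (possible homoglyph)")
    if host == official or host.endswith("." + official):
        return ("official", "hostname %s is under %s" % (host, official))
    if official in host:
        return ("suspicious", "hostname %s only contains '%s' as a lookalike" % (host, official))
    return ("suspicious", "hostname %s is not under %s" % (host, official))


def triage(links):
    """Classify every link and return {link: (verdict, reason)}."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, (verdict, reason) in triage(SAMPLE_LINKS).items():
        print("%-45s %-10s %s" % (link, verdict, reason))
```

The decisive test is the last part of the hostname, not whether the familiar name appears somewhere in the address: `gov.uk.refund-claim.example` ends in `.example`, so the browser will send your details there, however official the beginning looks.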

By following these steps, you’ll significantly reduce the risk of being caught off guard by phishing or identity fraud. Staying safe online is a habit we all need to learn. Remember that criminals are always looking for the easiest way in, and often that means targeting people through deception rather than high-tech hacking. A little bit of caution and awareness goes a long way in foiling their plans.