Cybercriminals have targeted HMRC in a complex fraud scheme, using stolen personal data to create or hijack PAYE tax accounts in an attempt to claim fraudulent repayments. Despite the scale of the attack, HMRC has confirmed that no individual taxpayers have lost money—only HMRC itself has suffered financial losses.
🕵️ How the Fraud Unfolded
Over the past year, criminals used phishing scams to gather identity data, which they then exploited to set up new HMRC accounts or take control of existing ones. Through those accounts, they submitted fraudulent tax repayment claims, resulting in a loss of £47 million.
HMRC chief executive John-Paul Marks explained that this was not a cyberattack on HMRC’s systems, but rather a case of organised crime using stolen credentials acquired elsewhere. As a result, around 100,000 individuals—roughly 0.2% of UK PAYE taxpayers—had their accounts compromised.

🔍 Investigations and Security Measures
A cross-border investigation has led to several arrests, and HMRC has been working to secure affected accounts. Officials have locked compromised accounts, removed stolen credentials, and are reaching out to those impacted.
Despite these efforts, HMRC acknowledged that criminals continually evolved their tactics, making it challenging to fully shut down fraudulent activities. Fraudsters even created new accounts for individuals who had never used HMRC’s digital services before, making it harder to detect suspicious activity without additional identity checks.
⚠️ MP Frustration Over Communication
The Treasury Select Committee criticised HMRC’s handling of the incident, expressing disappointment that MPs were not directly informed and had to learn about the fraud through media reports. MPs are now demanding greater transparency and expect full updates on any future developments.
Meanwhile, industry experts are calling for significant reforms within HMRC. VAT Director Jason Croke remarked, “When HMRC are covering up such big errors, you just know it’s time for HMRC to be root and branch reformed.”
🔒 Strengthening Digital Security
As part of its response, HMRC is preparing to reintroduce multi-factor authentication (MFA) for agent accounts, following a spate of fraud attempts targeting accountants. However, there is no confirmed timeline for its rollout.
🌐 Digital Resilience Under Scrutiny
With the ongoing rollout of Making Tax Digital (MTD), HMRC is under increased scrutiny regarding the security and reliability of its digital infrastructure. While MTD aims to modernise tax processes, it has faced delays and usability concerns. Further investment in HMRC’s digital transformation is expected in upcoming government budgets, but no new commitments have been announced.