UK tax agency loses £47 million to organised phishing scam targeting tax accounts

LONDON: HM Revenue and Customs (HMRC) has suffered a £47 million loss following a phishing scam that compromised tens of thousands of tax accounts, a group of MPs was told.

During a session with the Treasury Committee on Wednesday, two senior civil servants from HMRC revealed that around 100,000 individuals had been contacted or were in the process of being notified after their accounts were locked due to what officials described as an “organised crime” incident that began last year.

HMRC’s CEO, John-Paul Marks, assured the committee that affected taxpayers would not incur any financial loss. He explained, “It’s about 0.2% of the PAYE population, roughly 100,000 people, who we’ve contacted or are contacting to inform them of detected activity on their PAYE accounts.”

When asked if this concerned individual employees’ PAYE accounts rather than corporate accounts, Marks confirmed: “That’s right, individuals. To be clear, no financial loss to those individuals.” He further explained that the scam involved organised criminals phishing for personal identity data outside of HMRC’s systems—similar to what banks and other institutions face—and then attempting to use that information to create or access PAYE accounts to claim fraudulent repayments or access existing funds.

An investigation into the incident, which began last year and involved multiple jurisdictions outside the UK, resulted in some arrests.

UK charges 4th suspect over fire targeting PM’s properties

Angela MacDonald, HMRC’s Deputy Chief Executive and Second Permanent Secretary, noted that the criminals had managed to extract £47 million in repayments—an amount she described as “a lot of money” and “very unacceptable.” She added, “Overall, in the last tax year, we protected £1.9 billion worth of money that was targeted by attacks.”

MacDonald emphasized that this breach was not a cyber-attack; HMRC had not been hacked nor had any data been extracted from their systems. She clarified, “The ability for someone to breach your systems and extract data, hold you to ransomware, and similar tactics is a cyber-attack. That’s not what happened here.”

HMRC responded by locking down affected accounts, deleting login details to prevent further unauthorized access, and removing any incorrect information from tax records. Officials have also verified that no other account details were altered. Those impacted will receive letters from HMRC within the next three weeks.

Marks also mentioned that HMRC’s phone lines were temporarily down on Wednesday afternoon but described it as “coincidental,” assuring that they would be operational again by Thursday.

An HMRC spokesperson stated, “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with law enforcement agencies both in the UK and abroad to bring those responsible to justice. This was not a cyberattack; it involved criminals using personal information obtained through phishing or other sources to try to claim money from HMRC. We’re reassuring affected customers that their accounts are secure and that they haven’t lost any money.”

Last week, UK banks and payment firms were urged to enhance their anti-fraud systems amid a rise in scammers tricking individuals into transferring money abroad. New figures showed that international payments accounted for 11% of authorized push payment scam losses in 2024—almost double the percentage from 2023.