Last week HMRC contacted the Institute ahead of the announcement that taxpayers have been targeted by criminals creating and/or accessing their online HMRC accounts to set out what had happened and what action it was taking. HMRC’s security systems detected unauthorised access to some online accounts (particularly inactive accounts), and the creation of new credentials, which has ultimately resulted in approximately £47 million in fraudulent tax repayments being paid out. This loss has been directly suffered by HMRC and not individual taxpayers.
Between 4 and 25 June 2025, HMRC is contacting affected individuals by letter to explain the incident, including how they can restore access to their online accounts if necessary. The full briefing received by the Institute from HMRC is available here. In discussions with HMRC we were also made aware that a much larger sum of over double the amount lost in fraudulent repayments was stopped by HMRC during this incident.
The letters being sent also explain how the person can contact HMRC if they have any concerns. Only those individuals with affected accounts are being contacted. Anyone receiving contact from HMRC can check if the letter is genuine on GOV.UK.
According to HMRC, it has protected the affected accounts by deleting the associated log-in credentials i.e. the government gateway user ID and password. Any incorrect information has also been removed from the individuals’ tax records, and a check has been performed that no other details were changed.
HMRC provided more information on this incident during an evidence hearing of the House of Commons Treasury Committee last week. According to this, the criminals involved used information obtained from non-HMRC sources via phishing attacks on individuals as opposed to this being a cyber breach of HMRC systems. The attack has impacted on around 100,000 individuals, mostly in PAYE, at a cost of £47 million in fraudulent repayments. Overall, in its evidence to the Committee, HMRC says that it protected the loss of nearly £2 billion in criminal attacks in 2024/25.
Often the taxpayer did not have an active online tax account hence the criminals set up new accounts and credentials. HMRC has also said that work on this issue has been ongoing for some time, with some arrests made in 2024. Discussions with HMRC also highlighted that the majority of the taxpayers involved are not represented by an agent and comprise 0.22 percent of all online tax accounts.
LOADING...