HMRC report that their security systems have detected unauthorised access to some taxpayers’ online accounts, in an attempt to obtain money from HMRC. Around 100,000 individuals are affected, with £47m having been lost by HMRC. Guidance has been published for those impacted.
Background
The 'organised crime' incident began in 2024 and has resulted in £47m in repayments being obtained from HMRC via the online accounts of 100,000 individuals, largely within Pay As You Earn (PAYE).
This week, the Treasury Committee was told by HMRC officials that the incident was not a cyber attack and that HMRC had not been hacked or had data stolen from it. Criminals used personal information from phishing activity or data obtained elsewhere to get money from HMRC. In most cases, the criminals set up new log-in credentials, as the individuals affected did not have an active digital tax account.
Dame Meg Hillier, Chair of the Treasury Select Committee, was quoted as saying: "A word to the wise... let me use my position as chair just to remind you, gently – well perhaps not so gently – that it would be normal to advise parliament of things if you're appearing in front of a committee. Not to have it announced during the committee hearing."
There have reportedly been arrests in connection with the incident.
HMRC stressed that no taxpayer will suffer financial loss as a result of the fraud, and have provided guidance on the action they have taken as well as how individuals can restore access to their online accounts.
Action
HMRC state that where unauthorised access to a taxpayer's account has been identified, they have taken action to protect the affected accounts by:
- Locking them down.
- Deleting log-in credentials (Government Gateway user ID and passwords) to prevent future unauthorised access.
- Removing any incorrect information from tax records.
- Checking that no other details were changed.
HMRC advise that affected taxpayers do not need to take any action and have been written to directly.
- These letters should arrive between 4 and 25 June 2025 and will advise affected taxpayers of the steps to take to access their HMRC account.
HMRC say that where taxpayers do not receive a letter, it is unlikely their account has been affected. Recent activity on online accounts can be checked by:
- Signing in to HMRC online services.
- Going to 'account menu' at the top of the screen and selecting 'profile and settings'.
- Going to 'sign-in details' and selecting 'change'.
- From your security console, view the sign-in history for your account and report any suspicious activity.
If you are using the HMRC App, go to 'managing your sign-in details' and then sign in using your Government Gateway user ID and password.
If a taxpayer believes someone has signed into their account without authorisation, it is recommended that they change their account password and immediately contact
Further guidance
- E-mails, letters, calls or texts claiming to be from HMRC can be checked on the list of genuine HMRC contacts.
- Suspicious HMRC emails, texts, social media accounts and phone calls should be reported to HMRC.
- Stop! Think Fraud has advice on protecting yourself from phishing attacks and fraud.
Agent accounts
This update follows numerous tax agents reporting that their HMRC agent accounts had been suspended without notice.
HMRC provided guidance for impacted agents in the March, April and May 2025 Agent Updates, stating that agent accounts are often a target for fraudsters due to the access they can provide to multiple clients’ tax records.
As a result, if HMRC believe an agent account has been compromised, they may immediately suspend that account without notice to prevent further criminal access.