HMRC hit by £47m phishing fraud, MPs question digital defences

HMRC has lost £47m to a sophisticated phishing fraud that saw organised criminals exploit stolen personal data to create or hijack around 100,000 PAYE accounts, senior officials told the Treasury Select Committee this week.

According to the tax authority, the scam, which began last year, targeted approximately 0.2% of the UK’s PAYE population. Criminals used credentials obtained outside of HMRC systems, through phishing campaigns, to fraudulently claim tax repayments either by setting up new online accounts or accessing existing ones.

“This was organised crime phishing for identity data outwith of HMRC systems,” said newly appointed HMRC chief executive John-Paul Marks. “They then tried to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account.”

Deputy chief executive Angela MacDonald described the scale of the incident as “very unacceptable,” adding that the criminals had successfully extracted £47m in repayments.

While HMRC stressed that no individuals have been left out of pocket, the department confirmed that it has locked affected accounts, deleted compromised credentials, and is contacting those impacted to reassure them their data is now secure.

“These are attempts to claim money fraudulently from HMRC, not from customers,” a spokesperson said.

Criminal probe and evolving methods

A cross-border investigation led to several arrests last year. Officials also told MPs that the Information Commissioner’s Office had been kept informed throughout the incident response.

MacDonald clarified that this was not a cyberattack on HMRC itself: “We have not been hacked. We have not had data extracted from us. This was not a cyberattack, it was phishing activity with credentials obtained elsewhere.”

She added that as HMRC tried to shut down the scam, the criminals adapted their approach. “The nature of the attack altered through the year. As we were closing it down, they were moving their MO over… and it took a lot of action to tackle the perpetrators.”

The fraud was particularly difficult to identify in cases where criminals created new accounts using the names of individuals who had never previously registered for HMRC digital services.

This, MacDonald said, complicated the clean-up operation: “What has been a challenge in terms of cleaning the accounts up is being clear that we were then talking to the genuine customer and not in fact talking to the criminal who was on the other end of the account.”

Committee questions and digital scrutiny

HMRC’s handling of the incident came under fire from MPs, who criticised the department for failing to proactively inform the Treasury Select Committee. They warned that future incidents must be communicated promptly and transparently.

“When HMRC are covering up such big errors, you just know it’s time for HMRC to be root and branch reformed,” said Jason Croke, VAT Director at Rayner Essex.

Marks, who recently took over leadership of the tax agency, told MPs that strengthening HMRC’s digital resilience and service delivery is a key priority. He also dismissed any link between the fraud incident and a temporary phone service outage that occurred last week, calling the timing “coincidental.”

HMRC also confirmed it is preparing to reintroduce multi-factor authentication (MFA) for agent accounts in response to a wider increase in fraud attempts targeting accountants. No timeline has been announced for the rollout.

“We are always grappling with a level of threat,” said MacDonald. “It’s a continuing piece of work to invest in our systems and try to outpace the criminals.”

In the last tax year, HMRC said it prevented £1.9bn worth of attempted fraud across all platforms.

MTD and future investment

The incident comes at a time when HMRC’s digital infrastructure is under renewed scrutiny, particularly as the long-running Making Tax Digital (MTD) programme remains delayed.

While MTD is designed to close the tax gap and modernise compliance, concerns persist about the system’s usability and readiness — especially among agents and small businesses.

Further funding commitments to support HMRC’s digital transformation are expected at the next fiscal event, although none have been announced yet.
