Scammers stole £47 million from HM Revenue and Customs (HMRC) by fraudulently accessing more than 100,000 taxpayer accounts using phishing tactics, the tax authority has revealed.
The large-scale fraud was exposed during a Treasury Select Committee hearing, where senior HMRC officials were criticised for failing to inform MPs earlier. According to the department, the criminals used stolen personal details to impersonate taxpayers and claim false tax rebates, diverting funds meant for legitimate claims.
HMRC has stressed that this was not a cyber attack or data breach of its internal systems but rather a sophisticated case of identity theft. Criminals used phishing methods — in which people are tricked into giving up personal information — to create new online tax accounts in victims’ names.
Angela MacDonald, HMRC’s deputy chief executive, told MPs: “A lot of money was taken, and it’s very unacceptable.” She added that many of those affected had never created online tax accounts and would have been unaware they were being targeted.
John-Paul Marks, HMRC’s chief executive, said the organisation had since identified the compromised accounts and locked them down. “We took significant action to intercept this incident,” he said. “We identified the accounts being misused, shut them down, and have been working to confirm the identity of genuine customers.”
Despite the scale of the fraud, HMRC said no individual taxpayers have lost money directly. All affected customers are being contacted to confirm their accounts are now secure, and that they do not need to take further action.
However, MPs expressed concern at the lack of prior warning from HMRC about the scale of the issue. Dame Meg Hillier, chair of the Treasury Committee, said she only learned of the fraud from press reports. “It would be normal to advise Parliament of something like this if you’re due to appear before a committee,” she said pointedly during the hearing.
She added: “Money was got. By criminals. By penetrating the digital system. A lot of people would consider that a cyber crime, however you define it.”
Ms MacDonald explained that as HMRC’s fraud response tightened, the scammers adapted their tactics. “They were moving their MO [method of operation],” she said. “It’s been a challenge to clean up the accounts and be sure we’re dealing with the genuine customer, not the fraudster.”
She confirmed that HMRC had reported the incident to the Information Commissioner and was acting on its advice. “We are in an environment where every organisation is facing some kind of cyber threat,” she said. “It is a continuing piece of work for us to invest in our systems to try to outpace the criminals.”
While HMRC insisted it had taken extensive steps to secure its systems, next week’s government spending review is expected to include a fresh injection of funding into HMRC’s digital defences, following concerns about rising online fraud.
The scam highlights growing risks to digital tax systems as criminals exploit sophisticated identity fraud and phishing techniques to manipulate government platforms. The case is now part of an ongoing criminal investigation, and arrests were made last year, HMRC confirmed.