HMRC phishing scam affects over 100,000 taxpayers

HM Revenue and Customs (HMRC) has suffered a significant financial blow, losing £47 million to an organised phishing scam that targeted over 100,000 individual taxpayer accounts. This disclosure was made during a recent Treasury committee hearing where senior HMRC officials provided details of the breach and the steps being taken to safeguard affected individuals.

The scam, which began last year, involved criminals using stolen identity data—obtained through phishing or other malicious means—to create or access PAYE accounts and claim fraudulent tax refunds. According to HMRC’s chief executive, John-Paul Marks, the breach has affected approximately 0.2% of the PAYE population, all of whom are being contacted. He reassured those impacted that they would suffer no financial loss, as incorrect information on tax records has already been removed and unauthorised accounts locked down.

HMRC categorically stated that this incident does not constitute a cyber-attack. Speaking to MPs, Angela MacDonald, HMRC’s deputy chief executive, explained that no data had been extracted from HMRC systems, nor had they been compromised. Instead, the scam leveraged personal details obtained elsewhere, highlighting the growing challenge of identity theft in the digital age.

MacDonald further revealed that the fraudulent activity spanned jurisdictions outside the UK, leading to some arrests last year. She acknowledged the severity of the issue, noting the £47 million loss, but pointed out that HMRC had successfully protected £1.9 billion from similar fraudulent attempts during the last tax year.

To reassure taxpayers, HMRC confirmed that letters are being sent to affected individuals over the next three weeks. These communications will explain the situation, provide updates on account security, and confirm that no financial damage has been inflicted.

The incident serves as a stark reminder for both organisations and individuals to remain vigilant against phishing attacks and identity theft. As noted in recent data, fraud tied to international payments is climbing, prompting UK banks and payment firms to bolster their anti-fraud measures. The rise of scams targeting sensitive information underscores the need for constant vigilance and proactive security measures in an increasingly interconnected world.