HM Revenue & Customs (HMRC) has confirmed that a sophisticated phishing campaign orchestrated by organised criminals led to the fraudulent extraction of £47 million from government refund payments. The scheme, which unfolded in 2024, compromised approximately 100,000 online PAYE accounts, about 0.2% of HMRC’s total user base.
Although no individual taxpayers lost money directly, HMRC has locked down affected accounts, deleted invalid credentials, and launched a comprehensive security overhaul. The loss emerged publicly during a June 4, 2025 Treasury Select Committee hearing, triggering criticism that HMRC failed to notify Parliament or affected taxpayer bodies in a timely manner. The fraud is now part of an ongoing international criminal investigation that has already led to multiple arrests.
What Happened?
Two senior HMRC executives told MPs that the fraud stemmed from phishing rather than a cyberattack: scammers acquired personal data externally and used it to create or take over Government Gateway accounts. They then submitted bogus tax rebate claims, diverting the refunds into criminal hands.
The organised campaign unfolded over several months in 2024 and only came to light when HMRC’s internal fraud detection systems flagged the abnormal activity. The Treasury Committee was the first official body informed.
Scale & Impact
Nearly 100,000 PAYE accounts, around 0.2% of all users, were caught up in a major fraud case that saw £47 million lost through bogus tax reimbursement claims. While no individuals were directly out of pocket, the stolen funds came from HMRC itself, making this not just a financial loss but a blow to public trust.
As part of a wider effort to crack down on fraud, HMRC also blocked £1.9 billion in attempted scams in the same tax year. Still, this particular breach highlights a worrying gap in the system and is a reminder of how crucial it is to get tax right, both for individuals and for the nation’s coffers.
HMRC’s Response: Securing the System
- Locked all compromised accounts
- Deleted fraudulent login credentials
- Removed false or altered tax data
- Currently writing to all 100,000 affected taxpayers with detailed guidance
- Coordinating with UK and international law enforcement; arrests have already been made
Parliamentary Criticism
Treasury Committee Chair, Dame Meg Hillier, expressed strong concern over HMRC’s decision to withhold this significant fraud from Parliament until quizzed. She described the oversight as “unacceptable” and demanded clarifications on why HMRC failed to involve its board or professional associations, citing confusion from bodies like the Association of Chartered Certified Accountants.
Restoring Confidence and Preventing Recurrence
This breach highlights the weakness of authentication that relies on externally obtained personal data, rather than any direct compromise of HMRC’s own systems. HMRC is now planning to bolster multi-factor authentication, enhance real-time fraud detection, and encourage passkey adoption to safeguard online taxpayer accounts.
Conclusion
HMRC’s experience serves as a stark warning about the evolving threat landscape. Even robust infrastructure can be rendered vulnerable when attackers use personal data obtained through social engineering. While HMRC’s swift lockdown and fraud detection systems prevented personal losses, the £47 million breach reflects gaps in real-time oversight and cross-organisational communication.
On the positive side, this incident may catalyse much-needed reforms: expanded multi-factor authentication, greater transparency with Parliament, and tighter inter-agency coordination. Ultimately, rebuilding public trust will depend on HMRC turning this crisis into opportunity, enhancing digital resilience and reinforcing its role as a trusted custodian of taxpayer data.
Frequently Asked Questions
Did taxpayers lose money?
No. HMRC paid out the fraudulent claims; no money was taken directly from taxpayers’ personal accounts.
Were HMRC systems hacked?
No. Phishing was used to steal personal credentials externally; there was no direct breach of HMRC’s servers.
How were the accounts protected?
Compromised accounts were locked, login details deleted, and false entries removed. HMRC is also notifying affected users.
Are criminals being prosecuted?
Yes. Some arrests were made in 2024, and an ongoing international investigation aims to bring the perpetrators to justice.
What measures are in place to prevent future fraud?
HMRC plans to strengthen multi-factor authentication, introduce passkeys, deploy advanced fraud detection, and improve user education.