HMRC has reported a loss of £47m due to a large-scale phishing scam which targeted the UK tax system in 2024. Organised crime gangs carried out this fraud by exploiting stolen personal information to create new tax accounts or by hijacking existing ones.
Using these accounts, they fraudulently claimed tax refunds meant for genuine taxpayers. This affected around 100,000 individuals, representing roughly 0.2% of the PAYE population. However, HMRC confirmed that no individual taxpayer suffered a direct financial loss.
HMRC’s Phishing and Scams Guidance Collection
How the Scam Worked
Criminals sent phishing emails and text messages to trick people into revealing personal data. Once they obtained this information, they used it to impersonate taxpayers. In some cases, they accessed existing digital tax accounts. Otherwise, they created entirely new accounts in the names of those who had never registered with HMRC.
This made it difficult for HMRC to identify fraudulent activity without additional identity verification. However, HMRC has stated that its internal systems were never hacked. The stolen data came from external sources, making this a phishing scam rather than a breach of HMRC’s systems.
This type of identity theft also frequently targets banks and other public organisations.
HMRC Responds to the Phishing Scam
After discovering the fraud activity, HMRC locked the affected accounts and deleted compromised login credentials, while correcting any suspicious or false information. HMRC also began contacting the affected individuals to confirm their identities and guide them on safely regaining access to their accounts.
Although the fraudsters stole money from HMRC, this did not impact private bank accounts. HMRC reassured the public that the situation is now under control and that they will not hold those affected liable for the fraudulent claims made in their names.
A criminal investigation is currently underway, with several arrests already made. HMRC is also working closely with national and international law enforcement agencies. The Information Commissioner’s Office has also reviewed HMRC’s response and confirmed that they had taken the appropriate data protection steps.
MPs Demand Better Communication
Members of Parliament have strongly criticised HMRC for not informing them about the incident sooner. Instead, details emerged through media reports. Dame Meg Hillier, Chair of the Treasury Select Committee, said the committee only heard about the scam during a public hearing.
The Committee has now demanded that HMRC adopt a more transparent approach in the future. This includes proactively informing Parliament of any significant incidents involving taxpayer data or financial security.
How You Can Stay Safe
While there were no individual losses, phishing scams remain a serious and ongoing threat. Criminals often pose as trusted organisations to gather personal information. This incident is a timely reminder to remain cautious and vigilant.
If you receive a message claiming to be from HMRC, avoid clicking links or sharing sensitive details. Instead, verify the communication by visiting the official HMRC website or calling their helpline. HMRC is also working to reintroduce multi-factor authentication.
Contact Us
We are not just accountants; we are Chartered Accountants with one of the most reputable and premium accounting bodies. We are registered and regulated by ACCA; so you can rest assured that you are in good hands. Knowing this, don’t hesitate to get in touch with us if you require assistance: Pi Accountancy | Contact Us