Phishing Scam Hits HMRC: £47M Lost, 100,000 Tax Accounts Affected—Officials Confirm No Loss to Individuals

 

HM Revenue and Customs (HMRC) has reported a loss of £47 million following a large-scale phishing scam that compromised approximately 100,000 individual tax accounts, members of Parliament were informed on Wednesday.

Senior HMRC officials appeared before the Treasury Committee, revealing that tens of thousands of people have either been notified or are in the process of being contacted after their accounts were suspended in response to the security breach. The attack, described as a case of "organised crime," began in 2023.

John-Paul Marks, HMRC’s chief executive, assured the committee: “It’s about 0.2% of the PAYE population, around 100,000 people, who we have written to, are writing to, to notify them that we detected activity on their PAYE account.”

He clarified that individual taxpayers—not businesses—were targeted, but “no financial loss to those individuals” has occurred.

Marks explained that the attackers used personal information acquired through phishing attempts outside of HMRC’s infrastructure. “This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” he said.

The phishing campaign, which reached across international jurisdictions, has already led to several arrests, according to Marks.

Angela MacDonald, deputy chief executive and second permanent secretary at HMRC, disclosed that “at the moment, they’ve managed to extract repayments to the tune of £47m. Now that is a lot of money, and it’s very unacceptable.” However, she also emphasized HMRC’s broader protective measures, stating: “We have overall, in the last tax year, we actually protected £1.9bn worth of money which sought to be taken from us by attacks.”

MacDonald was firm that the incident does not qualify as a cyberattack: “We have not been hacked, we have not had data extracted from us.” She clarified that while this breach involved fraudulent use of external identity data, there was no infiltration of HMRC systems. “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here.”

HMRC has since taken corrective measures by locking affected accounts, deleting login credentials, and rectifying any inaccuracies in taxpayers’ records. Impacted individuals will receive official communication within three weeks.

Meanwhile, Marks noted that an unrelated outage had affected HMRC’s phone lines on Wednesday afternoon, but said this was purely “coincidental” and services would resume on Thursday.

An HMRC spokesperson reiterated the agency’s stance: “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with other law enforcement agencies both in the UK and overseas to bring those responsible to justice. This was not a cyber-attack – it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC. We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”

This revelation follows recent warnings to UK banks and payment providers to enhance anti-fraud systems amid a surge in international scam-related money transfers. New data indicates that 11% of 2024’s authorised push payment scam losses originated from cross-border transactions—nearly double that of 2023.