
Important Update on HMRC Phishing Fraud: Protecting Your Tax Affairs

David Crossley
June 13, 2025

You may have seen recent news about a significant phishing scam that cost HMRC £47 million, impacting around 100,000 taxpayer accounts. We want to share what this means for you, how we’re protecting your information, and steps you can take to stay safe.

As accountants, we’re all too familiar with the complexities of navigating HMRC’s digital systems, from filing returns to managing client accounts. The recent revelation that HMRC lost £47m to a sophisticated phishing scam affecting 100,000 taxpayer accounts is a stark reminder of the vulnerabilities in the systems we rely on daily. This incident, detailed in a Treasury Select Committee hearing, underscores the critical role accountants play in safeguarding clients and the urgent need for enhanced digital security measures.

The Fraud: How It Happened

The scam, which unfolded over the past year, involved organised criminals using stolen personal data—obtained through phishing campaigns outside HMRC’s systems—to either create fraudulent PAYE accounts or hijack existing ones. These accounts were then used to claim illegitimate tax repayments, siphoning off £47m from HMRC’s coffers. According to HMRC’s chief executive, John-Paul Marks, the breach affected approximately 0.2% of the UK’s PAYE population, equating to 100,000 individuals. While HMRC assures that no taxpayers are out of pocket, the financial hit to the public purse is significant, raising questions about systemic weaknesses.

This breach highlights the ease with which fraudsters can exploit stolen credentials. Many of the affected accounts belonged to individuals who had never set up an HMRC digital account, making it challenging for tax officials to distinguish genuine users from impostors. Angela MacDonald, HMRC’s deputy chief executive, noted the difficulty in verifying account holders during cleanup efforts, a process we know all too well when reconciling client records.

Implications for Accountants

For those of us managing client tax affairs, this incident is a red flag. Phishing scams targeting HMRC accounts are not new, but their scale and sophistication are escalating. Clients often rely on us to guide them through HMRC’s Government Gateway, and this breach exposes the risks of lax security practices. The fact that criminals could set up fake accounts using phished data—potentially from social media scams or prior data leaks—means we must double down on educating clients about cybersecurity.

HMRC’s response, including locking down affected accounts and deleting compromised login details, is a step in the right direction. However, the delay in notifying the Treasury Select Committee—leaving MPs to learn of the breach through media reports—raises concerns about transparency. As accountants, we understand the importance of timely communication, especially when client trust is at stake. HMRC’s failure to proactively inform parliament suggests a need for better accountability, a sentiment echoed by many who have called for a “root and branch” reform of HMRC.

What This Means for You

As your accountants, we handle your tax affairs with the utmost care, but this breach is a reminder that we all need to stay vigilant. Phishing scams often come disguised as official HMRC communications, offering refunds or threatening penalties to trick you into sharing personal details. Here’s how you can protect yourself:

Spot Phishing Attempts: Be cautious of emails, texts, or calls claiming to be from HMRC. They may look convincing but often contain misspellings or odd links. Always access your HMRC account directly through GOV.UK, not via links supplied in a message, whether it arrives by email, post, text or phone.

Use Strong Passwords: Ensure your Government Gateway password is unique, complex, and updated regularly. If you’re unsure how to do this, we’re happy to guide you.

Check Your Account: Let us know if you notice anything unusual in your HMRC account, like unexpected changes to your details. We can help verify and resolve any issues.

Forward Suspicious Messages: If you receive a questionable email or text claiming to be from HMRC, forward it to phishing@hmrc.gov.uk and delete it immediately.

How We’re Protecting You

Rest assured, we’re taking every precaution to safeguard your information. We already use secure systems to manage your tax filings and communications with HMRC, and we’ll be adopting HMRC’s multi-factor authentication (MFA) as soon as it’s available to agents. We also regularly review for any irregularities and stay updated on HMRC’s latest security measures.

The Bigger Picture

This £47m fraud, while significant, is dwarfed by the £1.9bn in attempted fraud HMRC claims to have prevented in the 2023/24 tax year. Yet, as accountants, we know that even one breach can erode client confidence and increase our workload in resolving issues. The incident also fuels scepticism about HMRC’s digital infrastructure, particularly as Making Tax Digital (MTD) pushes more clients online. With additional funding for HMRC’s digital transformation expected, accountants must advocate for systems that prioritise security without sacrificing usability.

The criticism from MPs, including Treasury Select Committee Chair Dame Meg Hillier, about HMRC’s delayed disclosure is a reminder of the need for transparency. As advisors, we often bridge the gap between clients and HMRC, and incidents like this underscore the importance of clear, timely communication from the tax authority.

Looking Ahead

As HMRC works with law enforcement to pursue the perpetrators (some arrests were made last year), we must remain proactive. This breach is a call to action to strengthen our own cybersecurity practices and educate clients on the risks of phishing. While HMRC insists that taxpayers won’t bear the financial burden, the loss of £47m ultimately impacts public funds, which affects us all. By staying vigilant and pushing for systemic improvements, we’re hopeful that stronger protections, like MFA, will prevent future incidents. In the meantime, we’re here to support you with any questions or concerns about your tax affairs. If you’re unsure about a communication from HMRC or need help securing your account, please don’t hesitate to contact us on 0113 5188800 or support@cleveraccounts.com. We’re just a call or email away.

Thank you for your trust in us. By working together, we can keep your tax matters safe and secure.
