HMRC confirms £47m stolen via phishing scam affecting 100,000 accounts; no loss to victims

HM Revenue & Customs (HMRC) has revealed that scammers stole a staggering £47 million by posing as taxpayers and exploiting online accounts belonging to around 100,000 people. The fraud, carried out through sophisticated phishing attacks, targeted individuals’ personal details to make fraudulent claims for tax rebates.

HMRC has assured those affected that their accounts have been secured, no actual money was lost by the victims themselves, and that they need not take any further action. “These are attempts to claim money fraudulently from HMRC, not from customers,” a spokesperson said.

The tax authority’s investigation has been underway for some time, with arrests made last year as part of a criminal probe into the scam. The fraud involved criminals using personal data gathered externally to impersonate taxpayers and create false accounts to claim rebates. HMRC stressed that this was not a direct cyber hack of their systems but rather a form of identity theft via phishing.

Phishing attacks rely on tricking individuals or organisations into revealing sensitive information, which is then used to access accounts illicitly. In this case, the scammers set up new online tax accounts in the names of people who often had no previous dealings with HMRC online services, meaning many victims were unaware of the scam until contacted by HMRC.

Angela MacDonald, HMRC’s deputy chief executive, described the loss as “very unacceptable” during a Treasury Select Committee hearing on Wednesday. HMRC’s chief executive, John-Paul Marks, added that after detecting the scam, the department took swift action to identify and lock down compromised accounts, limiting further damage.

However, MPs expressed frustration that HMRC did not inform the Treasury Select Committee about the fraud earlier, instead only learning about it through media reports. Dame Meg Hillier, the committee chair, reminded HMRC representatives that informing Parliament promptly is a vital part of accountability.

“Money was got by criminals by penetrating the digital system. A lot of people would consider that a cyber crime, however you define it,” Dame Hillier said, emphasising the seriousness of the breach.

Ms MacDonald explained that the scam evolved over time, with criminals altering their methods as HMRC closed down accounts. She highlighted the difficulty in distinguishing genuine customers from criminals when cleaning up the accounts, a challenge that slowed the response.

HMRC has been consulting closely with the Information Commissioner’s Office to ensure the incident is managed properly and in line with data protection laws. Both executives acknowledged that cyber threats are an ongoing challenge for all organisations, requiring continuous investment in security systems.

“We are living in an environment where every single organisation faces some kind of cyber threat,” Ms MacDonald said, noting that HMRC is committed to upgrading its IT infrastructure to stay ahead of criminal tactics.

The BBC understands the government plans to allocate further funding for HMRC’s IT systems in the upcoming spending review, aiming to bolster defences against similar fraud attempts in the future.

This incident serves as a stark reminder of the increasing sophistication of fraudsters and the importance of vigilance when it comes to personal data security.