100,000 HMRC accounts hit by scammers
Newsletter issue – October 2025
HM Revenue and Customs (HMRC) revealed that it suffered a phishing attack that led to the compromise of around 100,000 personal tax accounts. The incident was described by HMRC officials as 'organised crime', targeting identity data outside HMRC systems.
Scammers managed to extract £47 million through fraudulent PAYE repayments. The breach involved individual PAYE accounts, not corporate ones, and accounts for 0.2% of the PAYE population.
Despite the breach, affected individuals have not suffered financial loss, according to HMRC. They stated that 'This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account' and stressed that this was 'not a cyber-attack, we have not been hacked, we have not had data extracted from us.'
The attack began last year and involved international jurisdictions. Arrests have been made as part of the investigation. HMRC locked down compromised accounts and has contacted or is in the process of contacting all affected taxpayers.