Criminals stole £47mn in phishing attack on UK tax agency

Unlock the Editor’s Digest for free

Organised criminals stole £47mn from HM Revenue & Customs in a phishing attack last year that targeted the online accounts of around 100,000 UK taxpayers, the agency disclosed on Wednesday.

A notice published on the tax authority’s website said the attack was “an attempt to claim money from HMRC” and involved “unauthorised access to some customers’ online accounts”.

Angela MacDonald, HMRC deputy chief executive, said criminals had sought to “masquerade” as the taxpayer and had extracted £47mn from the public purse.

The disclosure came as MacDonald and John-Paul Marks, HMRC’s new chief executive, gave evidence to the House of Commons Treasury select committee on the agency’s work and customer service performance, which has come under fire recently.

The MPs criticised HMRC for not disclosing the attack earlier, with chair Dame Meg Hillier saying the committee “would expect to get information about this — not have it emerge because of an announcement while you’re in the committee room”.

HMRC said it had “locked down affected accounts” and “removed any incorrect information from tax records”.

Marks, who has been in post since April, said the incident took place in December and had affected the accounts of about 100,000 pay-as-you-earn taxpayers.

He said affected taxpayers did not need to take any action and the situation was under control.

“This affected 0.2 per cent of the PAYE population, around 100,000 people, who we’ve written to and are writing to,” Marks said, stressing that there had been “no financial loss to those individuals”.

“This was organised-crime phishing for identity data out of HMRC systems,” he said, adding that the criminals had sought to use identity data from HMRC systems to create PAYE accounts to pay themselves a repayment or to access an existing account.

HMRC’s fraud investigation service detected the attack and a criminal investigation was launched, with some arrests made last year, Marks added.

MacDonald, who began her role in August 2020, acknowledged that £47mn was “a lot of money and it’s very unacceptable”. She added that HMRC had “overall, in the last tax year, actually protected £1.9bn worth of money which sought to be taken from us by attacks”.

Cleaning up the accounts and ensuring HMRC was “talking to the genuine customer and not talking to the criminal” had been a “challenge” and taken “some time”, MacDonald said, stressing that no cyber breach had occurred.

Separately, several of HMRC’s phone lines went down on Wednesday because of a system outage. Officials said the outage was not connected to the phishing attack.

Last year, the National Audit Office, the public spending watchdog, said HMRC’s customer service was “in a declining spiral”. Funding pressures, job cuts and a push to cut costs — by encouraging taxpayers to manage their affairs online — had led to worse call-handling performance, it warned.

Speaking to the MPs, Marks set out four key priorities for his leadership: closing the tax gap to bring in an extra £7.5bn a year, improving customer service, modernising HMRC’s systems, including “improving our cyber resilience”, and boosting trust and engagement.

“Ultimately we want to be that modern trusted tax authority. We know trust is fundamental to good compliance, willingness to pay and confidence in the way we operate,” he added.