CFOtech UK - Technology news for CFOs & financial decision-makers

HMRC hit by GBP £47 million phishing scam affecting 100,000

Yesterday

HM Revenue and Customs (HMRC) has found itself at the centre of a significant cybersecurity breach, with GBP £47 million reportedly stolen through a sophisticated phishing scam that exploited tens of thousands of taxpayer accounts. The incident, described during a Treasury Select Committee hearing, led senior civil servants to confirm that at least 100,000 individuals have had their accounts locked and either have been, or are in the process of being, contacted regarding the attack. The breach has reignited debate over the resilience of government digital infrastructure and the adequacy of measures taken to protect citizens' sensitive information.

HMRC officials told MPs that the scam represents a case of "organised crime" and that its own systems had not been compromised in the traditional sense of a cyberattack. Instead, the criminals were able to exploit older data breaches and cyber incidents, obtaining personal information necessary to impersonate legitimate taxpayers. Utilising these credentials, attackers submitted fraudulent rebate claims on an unprecedented scale.

Will Richmond-Coggan, a partner at Freeths LLP specialising in data and cyber disputes, commented, "While HMRC were at pains to stress that their own systems had not been compromised in a cyber attack, this incident nonetheless underscores how widespread the consequences of cyber incidents can be. It is clear from HMRC's explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks. Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax."

Industry experts have highlighted the pervasiveness and evolution of phishing as a threat.

"Phishing has moved far beyond amateur scams. Generative AI has made it scalable, polished, and dangerously convincing, often indistinguishable from legitimate communication. And while many organisations have strengthened their security perimeters, email remains the most consistently exploited and underestimated attack vector," said Gerasim Hovhannisyan, CEO of EasyDMARC.

The breach has further drawn scrutiny for the way in which HMRC communicated the incident. The Treasury Select Committee, responsible for scrutinising public spending and policy, learnt of the fraud through media reports rather than formal prior notification.

"These scams exploit human trust, using urgency, authority, and increasingly realistic impersonation tactics. If HMRC can be phished, anyone can. What's more alarming is that the Treasury Select Committee only learned of the breach through the news. When £47 million is stolen through impersonation, institutions can't afford to stay quiet. Delayed disclosure erodes trust, stalls response, and gives attackers room to manoeuvre."

Research from EasyDMARC indicates that email vulnerabilities remain rampant, with 92% of the top 1.8 million global domains still susceptible to phishing due to inadequate or improperly configured authentication settings. Hovhannisyan said this widespread issue induces a "false sense of security that leaves the door wide open to phishing."

Technology giants such as Google, Yahoo, and Microsoft have moved to mandate stricter email authentication protocols, but progress across the public and private sectors remains patchy.

Jonathan Frost, Director of Global Advisory for EMEA at BioCatch, condemned HMRC's failure to detect the account opening and takeover, and pointed to a series of digital breaches faced by the authority. He called on HMRC to step up in line with banks and other financial institutions.

"The HMRC's failure to detect and mitigate account opening and takeover is unacceptable and is yet another demonstration of it being behind the curve," he said.

"Criminals have repeatedly exploited its digital service; it's time the HMRC stepped up, meeting the norms we see in the financial services sector, such as the adoption of behavioural biometric technology by banks."
