Phishing Attack Compromises Tax Records of 100,000 Individuals
HM Revenue & Customs (HMRC) reported a significant phishing incident that resulted in the breach of tax accounts and a loss of £47 million to organized crime. Details of the fraud were disclosed during a session with the Treasury committee.
Two high-ranking officials from HMRC informed Members of Parliament that approximately 100,000 individuals have either been contacted or are in the process of being notified following the lockdown of their PAYE accounts. This breach originated last year.
Angela MacDonald, deputy chief executive of HMRC, stated that criminals attempted to steal identity information to impersonate taxpayers, successfully extracting £47 million in the process. John-Paul Marks, HMRC’s chief executive, assured that the affected taxpayers would incur “no financial loss.”
Marks elaborated: “About 0.2 percent of the PAYE population, around 100,000 people, are being notified that we observed suspicious activity on their PAYE account.”
When asked whether the notifications pertained to individuals rather than businesses, he confirmed, “That’s correct, individuals. To clarify, those individuals will not experience any financial loss. This incident involved organized crime engaging in phishing to obtain identity data from HMRC systems and subsequently attempting to create PAYE accounts for illicit repayments or accessing existing accounts.”
Dame Meg Hillier, chair of the committee, expressed dissatisfaction that the matter had come to light through an announcement made during the session, rather than being proactively communicated to the committee.
A thorough investigation conducted last year, which included international jurisdictions, has led to “some arrests” related to the incident, according to Marks.
MacDonald added that the criminals have thus far obtained £47 million, describing the amount as “substantial” and “very unacceptable.”
“Overall, last tax year, we successfully safeguarded £1.9 billion from various attacks aimed at the HMRC,” she noted.
MacDonald emphasized that this incident did not qualify as a cyberattack, clarifying that there was no hacking or data extraction from their systems.
She further detailed that a cyberattack involves intruders successfully breaking into systems to extract data or hold them for ransom, which was not the case here.
To mitigate further unauthorized access, HMRC promptly locked down the impacted accounts and removed login details. Those affected will receive correspondence from HMRC in the coming three weeks.
HMRC stated: “We’ve taken action to safeguard customers after discovering attempts to access a very small number of tax accounts. We are collaborating with law enforcement agencies both in the UK and abroad to pursue those responsible for this crime.
“This incident does not constitute a cyberattack, as it involves criminals utilizing personal information from phishing scams or other sources to claim funds from HMRC. We are reassuring affected customers that their accounts are secured, and they have not suffered any financial loss.”