Criminals stole £47 million from HMRC last year by exploiting over 100,000 taxpayer accounts in a major phishing scam.
The fraudsters used stolen personal data to access or create Government Gateway accounts, then submitted fake tax rebate claims. HMRC says no individuals lost personal funds, as the money was claimed directly from its own systems.
“This was an attempt to claim money from HMRC, not from customers,” the authority said. Affected individuals are now being contacted, though many didn’t know they had an account in the first place.
The incident only came to light during a Treasury Select Committee hearing, prompting criticism from MPs. Arrests have been made following an international investigation.
HMRC insists its systems weren’t hacked but has pledged further investment in account security. It blocked £1.9 billion in similar fraud attempts last year.
To guard against similar attacks, businesses should focus on phishing awareness training, enable strong two-factor authentication, and regularly audit account activity for unauthorised access.