HMRC repayment fraud.

Actions that accountants and their clients may need to take

HMRC's response to the recent cyber attack is below:

HMRC recently detected unauthorised attempts to access approximately 100,000 HMRC online tax accounts (equivalent to approximately 0.22% of our customers).

These incidents involved criminals using personal information they had already obtained from external sources to impersonate genuine customers and claim money fraudulently from HMRC, rather than customers themselves.

Nevertheless, HMRC acted to protect customer data and secure affected accounts. No customers have experienced, or will experience, financial loss in respect of their tax affairs.

Actions taken by HMRC

For all affected accounts, HMRC has:

  • identified and locked down online tax accounts that were accessed without authorisation
  • deleted login credentials to prevent future unauthorised access
  • removed any incorrect information added to tax records
  • checked no other details we hold about customers were changed.

What information may have been accessed

HMRC’s letters to impacted customers make clear that the data used to access an online account may have included name and date of birth and address or National Insurance number. It may also have included information from passport or driving licence documents or credit reference data. HMRC does not know where or how this information has been obtained, only that it has been used to access the account. There’s no evidence that data has been shared.

Customer support

Between 4-25 June 2025 HMRC is sending letters to all customers identified as having had an unauthorised access attempt on their account. Two types of letters are being issued:

  1. For customers who have never accessed their Personal Tax Account (and unlikely to be aware they had one)
  2. For customers who have previously used their Personal Tax Account.

If customers have any doubts about any HMRC letter, they can check a list of genuine contacts on GOV.UK.

Further HMRC activity to inform and reassure impacted customers includes:

  • updated online guidance on GOV.UK (search for 'unauthorised access of online tax accounts')
  • dedicated email and phone channels to provide support
  • briefings to key stakeholders who may be supporting impacted customers, including yourselves.

What customers need to do

  • If a customer has received a letter, they are impacted. They don’t need to take any action as HMRC has secured their account.
      • However – if they want to access their HMRC account, they should follow the steps in their letter to set up an account for HMRC online services and create a new Government Gateway user ID and password.
      • If they have any concerns, email the fraud team at FraudPreventionCentre@hmrc.gov.uk or call the online services helpdesk on 0300 200 3600 (Monday to Friday, 8am to 6pm) and select the option for ‘unauthorised access of HMRC online accounts’.
  • If a customer hasn’t received a letter, it’s unlikely their account is affected, but they can check their recent account activity:
      • Go to account menu at the top of the screen and select profile and settings.
      • Go to sign-in details and select change.
      • From your security console, view the sign in history for your account and report any suspicious activity.
      • If using the HMRC App, go to managing your sign in details and then sign in using your Government Gateway user ID and password.

Following the news of the attack, ACCA wrote to the Treasury Select Committee to confirm that ACCA was not made aware of this directly by HMRC until the news broke and was made public.