LITRG: HMRC system attack is a timely reminder to keep personal data safe

12 Jun 2025

The Low Incomes Tax Reform Group (LITRG) has urged taxpayers to check their online tax account after scammers attempted to defraud HMRC using individuals’ data and login details. The group is also reminding people of the importance of being vigilant and taking care of personal data.

Last week, HMRC announced that criminals had targeted the online tax accounts of nearly 100,000 taxpayers to try to make false tax refund claims1.

In some cases, HMRC have said that criminals gained people’s login credentials and made use of existing online tax accounts. But, in others, they gained personal data that enabled them to set up new online tax accounts via the Government Gateway. 

HMRC have locked down the compromised accounts as a precaution. They will be writing to those affected with details on how they can regain access to their accounts, with letters issued between 4 and 25 June2.  

Joanne Walker, Technical Officer at LITRG, said:

HMRC have confirmed that they were the victim of online scammers who tried to defraud them of money using the details of individual taxpayers.

 While HMRC say this attack has not resulted in any tax-related financial loss for individual taxpayers, it is a timely reminder that fraud is an ongoing threat. 

More than ever, taxpayers should take care of their personal information. It is important to make sure you know who you are dealing with before you hand over any data, especially very sensitive data like your National Insurance number or a copy of your passport photo page. Also, make sure that you don’t inadvertently share such information – on your social media accounts for example.

Criminals can also obtain Government Gateway log-in details and personal information if you click on a link and enter information into a mirror website – these look genuine, but they allow criminals to gather your personal data. So, always ensure you are using the genuine GOV.UK website – do not click on links in emails, text messages or on social media.

And remember, never share your HMRC your log-in details with anyone, including with someone who says they are acting as a tax agent. If they are registered with HMRC, they will have their own log-in credentials that they can use to help clients.” 

Notes

  1. Unauthorised access of HMRC online accounts (HMRC, 4 June 2025) 
  2. To find out more, read LITRG’s news article, Security attack on HMRC online accounts – find out more (LITRG, 9 June 2025)