Unauthorised access of HMRC online accounts
HMRC announced last week that they had detected unauthorised attempts to access the online tax accounts of approximately 100,000 taxpayers (equivalent to around 0.22% of the PAYE population). These incidents involved criminals using personal information obtained from external sources to impersonate genuine taxpayers and fraudulently claim around £47m from HMRC.
HMRC have stated that no taxpayer who has been affected should experience any personal financial loss as a result of their account being targeted - this is a fraud against HMRC, rather than the individual taxpayer directly.
HMRC are writing to affected taxpayers between 4 June 2025 and 25 June 2025 to explain the steps that have been taken to protect their online tax accounts. Online tax accounts are also known as Personal Tax Accounts (PTAs). All taxpayers have a PTA, regardless of whether or not the individual has set up the necessary login details to access their account online.
Actions taken by HMRC
For all affected accounts, HMRC have:
- Identified and locked down accounts that were accessed without authorisation.
- Deleted login credentials to prevent future unauthorised access.
- Removed any incorrect information added to tax records.
- Checked no other details they hold about taxpayers were changed.
This means that anyone affected who wants to access their online account in future will need to recreate login details. HMRC’s letter will explain how to do this.
What information may have been accessed
HMRC’s letters make clear that the data used to access an online account may have included the taxpayer’s name, date of birth, address or National Insurance number. It may also have included information from passport or driving licence documents or credit reference data. HMRC do not know where or how this information has been obtained, only that it has been used to access the taxpayer’s account. There’s no evidence that this data has been shared.
Customer support
As noted above, HMRC are sending letters to all individuals identified as having had an unauthorised access attempt on their online account. Two types of letters are being issued:
- For those who have never accessed their online tax account (and are unlikely to be aware they had one).
- For those who have previously used their online tax account.
If individuals have any doubts about any HMRC letter, they can check a list of genuine contacts on GOV.UK.
What taxpayers who are affected need to do
- If you receive a letter, you are impacted. You don’t need to take any action as HMRC have secured your account.
- If you want to access your online tax account, you should follow the steps in the letter to set up an account for HMRC online services and create a new Government Gateway user ID and password.
- If you have any concerns, email HMRC’s fraud team at [email protected] or call HMRC’s online services helpdesk on 0300 200 3600 (Monday to Friday, 8am to 6pm) and select the option for ‘unauthorised access of HMRC online accounts’.
- If you don’t receive a letter, it’s unlikely your account is affected, but you can check your account for any recent suspicious activity by following these steps:
  - Log into your online tax account using your Government Gateway user ID and password, as normal.
  - Go to account menu at the top of the screen and select profile and settings.
  - Go to sign-in details and select change.
  - From your security console, view the sign in history for your account and report any suspicious activity.
  - If you’re using the HMRC App, go to managing your sign in details and then sign in using your Government Gateway user ID and password.
CIOT members may be approached by individuals seeking support as a result of receiving a letter. We have been asked to remind members to be alert and make sure all such individuals are genuine before completing work. Hackers are increasingly sophisticated and could use this as an excuse to try to access agent systems.