HMRC phishing attack: How stolen credentials enabled tax fraud

His Majesty’s Revenue and Customs (HMRC) recently announced that it has been hit by a sophisticated phishing scam, which resulted in the theft of approximately £47 million ($63.76 million) from over 100,000 taxpayer accounts. The attack took place in 2024, with the full scale of the incident emerging in June 2025.

The tax authority assured customers that they will not be personally affected by the attack, as the fraudulent claims were made against HMRC, not taken from individuals’ own funds. Even so, this is a significant security breach that raises questions about HMRC’s cybersecurity infrastructure and its ability to protect sensitive taxpayer data.

Let’s take a closer look at what happened and the lessons we can learn from the attack.

HMRC phishing: Attack summary

• Who was targeted: His Majesty’s Revenue and Customs (HMRC) — the UK’s tax, payments and customs authority
• Attack type: Data theft & fraudulent payments
• Entry technique: Account takeover and creation using stolen credentials obtained via phishing methods
• Impact: Direct loss of £47 million ($63.76 million) to HMRC through fraudulent repayments
• Who was responsible: Unnamed organized crime gang

How did the HMRC phishing attack happen?

The attack on HMRC reportedly took place in 2024, though details did not emerge until HMRC shared news of the incident in June 2025. In a statement to Reuters, the organization stated that the attack “involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC.”

This differentiates the HMRC attack from other recent cyber-attacks on British retailers, such as the M&S ransomware hack in April 2025. In the M&S attack, hackers stole sensitive data — such as user credentials — directly from the retailer’s systems. In contrast, the HMRC breach involved cybercriminals using stolen data from external sources to either create fake customer accounts or access existing ones, allowing them to fraudulently claim funds from HMRC.

Through the creation and hacking of customer accounts, the criminals were able to steal £47 million ($63.76 million) from HMRC before they recognized the attack and shut it down. According to reports, an investigation took place in 2024 which resulted in some arrests. The attack has been attributed to an “organized crime” group, which as yet has not been named.

HMRC has since taken steps to secure affected accounts, including locking them down, deleting login credentials to prevent future unauthorized access, and removing incorrect information from tax records.

Specops analysis: What can we learn from the HMRC phishing attack?

A key concern highlighted by the HMRC attack is the security of multi-factor authentication (MFA) methods. Currently, PAYE taxpayers primarily access their HMRC accounts by logging into the Government Gateway system, which uses two-step verification whereby users are required to enter a code sent to their phone, landline or an authenticator app.

However, HMRC agent accounts — which are used by tax professionals to manage multiple clients — currently do not require MFA at all, making them particularly vulnerable to compromise. Following recent attacks, HMRC have announced plans to reintroduce MFA as an option for “agents who want to use it”.

The importance of multi-factor authentication

MFA should be a non-negotiable component of modern cybersecurity and is recommended by nearly all major security guidelines, including those from the National Institute of Standards and Technology (NIST). It significantly strengthens account protection by requiring a second factor beyond just a password.

MFA can be strengthened even further if your provider offers phishing- and fatigue-resistant methods such as authenticator apps or hardware tokens, rather than relying on traditional SMS codes — which can be vulnerable to attacks such as SIM-swapping.

Specops Secure Access integrates with over 15 identity providers and supports phishing- and fatigue-resistant methods like Yubikey hardware tokens and OTP apps without push notifications. It provides a robust MFA solution for Windows logon, RDP, and VPN connections, helping to reduce the risk of password-related attacks and meet requirements for NIST and other key standards. Get started with a free trial of Specops Secure Access today.

Are passkeys the answer?

In an effort to tighten security, the UK government has shared plans to move away from traditional passwords and SMS two-factor authentication, replacing them with passkeys. Government websites, including HMRC, are set to start offering passkeys over the next 12 months.

Passkeys use cryptographic keys to allow users to login to a website, requiring biometric authentication (like a fingerprint) or a PIN. Passkeys are much more secure than traditional passwords and even some MFA methods, as they are designed to be resistant to attacks such as phishing. However, passkeys aren’t a silver bullet — they come with their own limitations, which is why a layered security approach is still essential. Combining passkeys with other best practices, such as endpoint protection and user education, provides more comprehensive protection against evolving threats.

Protect your organization from compromised credentials  

The HMRC attack demonstrates the risks of reused stolen personal data, with attackers leveraging information stolen from past breaches and phishing campaigns to impersonate taxpayers. This highlights the need for organizations to proactively monitor for compromised credentials, which can be used to gain access to systems and steal sensitive information.

Tools like Specops Password Policy with Breached Password Protection support this proactive approach by continuously scanning your Active Directory for credentials that appear in known data breaches, helping organizations detect and respond to stolen password use before it leads to a security incident. Get in touch today to book a free demo.