This is a news story and may not be up to date. You can find the date it was published above the title. Our Tax Guides feature the latest up-to-date tax information and guidance. 

Updated on 9 June 2025

Security attack on HMRC online accounts – find out more

News

News outlets have been reporting that scammers have stolen £47 million from HMRC, by using the online tax accounts of individual taxpayers. HMRC have now secured the affected accounts. They have also confirmed that individual taxpayers have not lost any money. HMRC will be writing to everyone affected over the next three weeks.

triangle_with_exclamation_mark_words_system_hacked
kalamazad8350/shutterstock

Content on this page:

The security attack – unauthorised access of online tax accounts

HMRC have announced on GOV.UK that their security systems have detected unauthorised access to some taxpayers’ online tax accounts. This affects about 100,000 individual taxpayers. Most of the affected taxpayers are within the pay as you earn (PAYE) system.

It appears that the attacks aimed to defraud HMRC of money, by making fraudulent tax refund claims. Although the attacks made use of taxpayers’ online tax accounts, HMRC say they did not try to take money from individual taxpayers.

HMRC have indicated that the criminals made use of information obtained from non-HMRC sources, through for example phishing attacks. In some cases, the criminals gained people’s log in credentials and made use of existing online tax accounts, but in others, they set up new online tax accounts via the Government Gateway.

HMRC do not expect individual taxpayers to suffer any tax-related financial loss as a result of the unauthorised access. Nor should the attacks affect an individual’s tax position. However, it may mean that some people cannot currently access their personal tax account.

What HMRC are doing

HMRC have taken the following steps to deal with the situation:

  • Locked down the affected online tax accounts
  • Deleted the login credentials for affected online tax accounts to prevent future unauthorised access – this includes Government Gateway user ID and passwords
  • Removed any incorrect information from tax records
  • Checked that no other details in affected taxpayers’ records have been changed
  • Written to all 100,000 affected taxpayers – they are sending out letters between 4 and 25 June 2025

What to do if you receive a letter from HMRC

If your online tax account has been affected, HMRC will write to you – they are sending out letters between 4 and 25 June 2025.

You can check that the letter you receive from HMRC is genuine by visiting the list of genuine HMRC contacts on GOV.UK.

HMRC have locked down affected accounts and deleted the login credentials, so if you want to access your online tax account in the future you will need to follow the steps set out in the letter. The steps will take you through the process of creating a new account and Government Gateway user ID and password.

The letter also provides details of a dedicated helpline and email address, if you have any concerns.

If you need to use HMRC services that you would normally access using your online tax account before you receive the letter from HMRC, you may need to contact HMRC in writing or by telephone. HMRC’s contact details are on GOV.UK.

What to do if you don’t receive a letter from HMRC

If you do not receive a letter from HMRC, it is unlikely that your account has been affected.

It is possible to check that you online tax account is secure by checking recent activity on your online tax account.

You can do this by:

  • signing into HMRC online services on GOV.UK
  • going to the account menu at the top of the screen and selecting profile and settings
  • going to sign-in details and selecting change – this will take you to your security console
  • viewing the sign-in history for your account from the security console
  • reporting any suspicious activity to HMRC

If you use the HMRC App, you can check activity on your online tax account by going to ‘managing your sign in details’ and then sign in using your Government Gateway user ID and password.

I am worried about my data, what can I do

Your online tax account potentially contains services and information, not just about tax and NIC but including other services such as child benefit. If you are concerned that the criminals may have accessed data in your online tax account, or if you have any other concerns, you can email HMRC’s fraud team at [email protected].

If you think that someone has accessed your online tax account without your knowledge, you should change your password. You can change your password from the security console. You should go to your Government Gateway profile in your online tax account and select password settings.

How to protect yourself

Criminals use various methods to commit identity and financial theft and fraud. They often make use of phishing and malware to obtain personal information. Unfortunately, it is very easy to fall victim to fraudsters. It is important to be vigilant and err on the side of caution. You should try not to give out private information, reply to text messages, download attachments or click on links unless you are sure that they are genuine.

We have guidance on our website about protecting yourself and your data online.

The Stop! Think Fraud page on GOV.UK has guidance to help you protect your data.

  Never give out your Government Gateway login credentials, even to a tax agent who is purporting to help you. Tax advisers registered with HMRC can do things on behalf of their clients using their own ‘agent’ credentials and do not need to ask for individual taxpayers’ login details.

Joanne Walker

Technical officer

Contact us
Back to top