Security considerations
This page tells you how to protect your online tax account from fraud.
In recent times there have been several fraudulent attacks on HMRC. Attacks like this may be carried out by organised criminal groups, and further attempts are likely. Ensuring your account remains secure helps protect your finances, your identity, and public money from misuse.
What’s been happening
In a major event in 2025, scammers stole £47 million from HMRC, by using the online tax accounts of individual taxpayers to claim false refunds. This affected about 100,000 individual taxpayers although HMRC said they wouldn’t lose any money personally. Most of the affected taxpayers were within the pay as you earn (PAYE) system. You can read more about this event on GOV.UK.
We are also aware of other issues – for example, earlier in 2025 criminals tried to use taxpayers’ personal information on HMRC’s phone or webchat services to divert Self Assessment repayments.
Scammers can do things like this once they have managed to get hold of taxpayers’ personal information.
How criminals get your details
Criminals use different ways to get the information they need. Some trick people into disclosing information by pretending they are HMRC. This can include sending messages containing links to fake websites, known as ‘phishing’. Others use stolen personal information from attacks on other organisations.
Attacks can be focused on gaining people’s Government Gateway login credentials to make use of existing online tax accounts. But in other cases, they may be focused on getting the identity information they need to set up new online tax accounts via the Government Gateway.
Criminals also use social media to find people they can trick or persuade into sharing their personal or login details.
What you can do to protect yourself
Some general tips on staying safe online can be found in our separate guidance page on protecting yourself and your data online. In summary, you should try not to give out private information, reply to text messages, download attachments or click on links unless you are sure that they are genuine.
Unfortunately, it is very easy to fall victim to fraudsters. It is important to be vigilant and cautious. The Stop! Think Fraud page on GOV.UK has guidance to help you protect your data.
In addition:
- Never give out your Government Gateway login credentials, even to a tax agent who is purporting to help you. Tax advisers registered with HMRC can do things on behalf of their clients using their own ‘agent’ credentials and do not need to ask for individual taxpayers’ login details.
- Use a strong, unique password for your HMRC online account, for example with letters, numbers, and symbols if possible. Longer, memorable passwords (e.g., three random words) offer better protection. Do not re-purpose or use old passwords and avoid using a predictable password and words connected to you e.g. birthdays or pet names. Change your password every three months, or immediately if HMRC prompt you or you suspect unauthorised access (more on this below).
- Each login shows the time and date of your last access. Regularly review your login history via your account’s security console.
You can do this by:
- signing into HMRC online services on GOV.UK
- going to the account menu at the top of the screen and selecting profile and settings
- going to sign-in details and selecting change – this will take you to your security console
- viewing the sign-in history for your account from the security console
If you use the HMRC App, you can check the sign-in history in your security console by going to the settings icon, ‘managing your sign in details’ and then signing in using your Government Gateway user ID and password.
Look for unfamiliar devices or locations signing in (under view details). If you see anything suspicious, change your password and report the activity immediately (see Need help or suspect fraud, below). You can change your password from the security console. You should go to your Government Gateway profile in your online tax account and select password settings.
Risks to you of not protecting yourself
In some cases of fraud, HMRC may confirm that individual taxpayers will not suffer tax-related financial loss from fraudulent account access, and that their tax position should not be affected. In these cases, you should not receive demands for incorrect tax liabilities created by fraud. If you do, please let us know.
However, in other instances, HMRC could require you to pay back the full amount of tax debt created in your name.
In addition, your online account potentially contains services and information, not just for tax and National Insurance, but for items such as child benefit. Once fraudsters have got hold of these personal details, they may use them in different ways, and may also post or sell them online for anyone to use.
Might your agent be targeted?
Tax agents hold sensitive data for their clients as well as their own business. This makes them an attractive target for fraudsters due to the access they can provide to multiple clients’ tax records.
HMRC have issued various communications and guidance to agents on protecting data, especially regarding passwords and malware. You may wish to ask your agent what security measures they have in place.
If HMRC suspect a tax agent has been targeted, in some cases they will suspend an agent’s Agent Online Service Accounts (AOSAs) and Agent Services Accounts (ASAs) - sometimes without notice. You should be aware that this could temporarily prevent your agent from accessing your online tax information and dealing with HMRC on your behalf.
What HMRC do to protect your online account
There is some detailed information on GOV.UK about the security protocols that HMRC have in place to keep you safe online, for example, multi factor authentication.
In addition, HMRC monitor device and sign-in metadata—like device type and location—to detect suspicious patterns or unusual logins that may indicate account misuse.
If they think your account has been compromised, HMRC may take steps like the following to deal with the situation:
- Lock down the affected online accounts
- Delete the login credentials for affected online tax accounts to prevent future unauthorised access – this includes Government Gateway user ID and passwords
- Remove any incorrect information from tax records
- Check that no other details in affected taxpayers’ records have been changed
- Write to you to explain what has happened and to prompt you to set up a new online account. You can check that the letter you receive from HMRC is genuine by visiting the list of genuine HMRC contacts on GOV.UK.
Need help or suspect fraud?
HMRC have launched a new tool for individuals to report suspicious activity happening in their HMRC online account. This contains helpful examples of suspicious activity such as access codes being sent to your phone when you have not tried to sign in.
Individuals can also report suspicious activity via their online account security console or by calling the Online Services Helpdesk.
If you suspect account compromise or fraudulent access, contact the Fraud Prevention Centre promptly by email: [email protected].