Person using laptop with large red warning sign projected over the top, surrounded by digital security images

Unauthorised access of HMRC online accounts

5 June, 2025

Updated 10 June 2025: 

On 4 June, HMRC shared that they had detected unauthorised access to the online accounts of around 100,000 taxpayers, with a resultant loss to the Exchequer of £47 million.  The incidents involved criminals gaining and using personal information to impersonate genuine taxpayers in order to claim money fraudulently from HMRC.  HMRC has stated that no one who has been affected should experience any personal financial loss in respect of their tax affairs as a result of their account being targeted - this a fraud against HMRC, rather than the individual directly. 

Background 

HMRC online accounts for individuals are also known as Personal Tax Accounts (PTAs). All taxpayers have a PTA, regardless of whether or not the individual has set up the necessary login details to access their account online. The criminals have used personal information they have gained in a variety of ways, including phishing attacks, to pretend to be genuine taxpayers and access their accounts. 

When HMRC identifies an account has been accessed fraudulently, they will take action to shut the account down. This includes not just locking down the affected account, but also removing any incorrect information and checking no other details were changed. Any existing credentials used to access the account will be deleted, so anyone affected who wants to access their PTA in future will need to recreate login details. 

HMRC letters 

HMRC will be writing to affected taxpayers between 4 June 2025 and 25 June 2025 to explain the steps that have been taken. If recipients have any doubts about any HMRC letter, they can check a list of genuine contacts on GOV.UK. There are two types of letters, depending on whether or not the individual has previously accessed their PTA. 

HMRC has published details of the actions they have taken and what to do if you receive a letter. HMRC says that if a taxpayer does not receive a letter, it is unlikely that their account has been affected, but the page also includes guidance on how to check any recent account activity for suspicious logins.  

HMRC have advised us that letters to impacted taxpayers will make clear that the data used to access an online account may have included their name and date of birth and, address or National Insurance number. It may also have included information from passport or driving licence documents or credit reference data. HMRC do not know where or how this information has been obtained, only that it has been used to access the taxpayer's online account. HMRC have told us that there is no evidence that data has been shared.

Impact for agents 

Members may be approached by individuals seeking support as a result of receiving a letter. We have been asked to remind members to be alert and make sure all such individuals are genuine before completing work. Hackers are increasingly sophisticated and could use this as an excuse to try to access agent systems.

We are expecting further details from HMRC and will update members as we learn more.