HMRC phishing breach wholly avoidable, but hard to stop

[Pelican Press 0]

This is the hidden content, please

• Sign In
• or
• Sign Up

HMRC phishing breach wholly avoidable, but hard to stop

A significant cyber breach at

This is the hidden content, please

• Sign In
• or
• Sign Up

(HMRC) that saw scammers cheat the public purse out of approximately £47m has been met with dismay from security experts thanks to the sheer simplicity of the attack, which originated via account takeover attempts on legitimate taxpayers.

This is the hidden content, please

• Sign In
• or
• Sign Up

, revealing that hackers accessed the online accounts of about 100,000 people via

This is the hidden content, please

• Sign In
• or
• Sign Up

and managed to claim a significant amount of money in tax rebates before being stopped.

It is understood that those individuals affected have been contacted by HMRC – they have not personally lost any money and are not themselves in any trouble. Arrests in the case have already been made.

This is the hidden content, please

• Sign In
• or
• Sign Up

, HMRC also came in for criticism by the committee’s chair Meg Hillier, who had learned about the via an earlier news report on the matter, over the length of time taken to come clean over the incident.

Widespread consequences

With phishing emails sent to unwitting taxpayers identified as the initial attack vector for the scammers, HMRC might feel relieved that it has dodged full blame for the incident.

But according to Will Richmond-Coggan, a partner specialising in data and cyber disputes at law firm

This is the hidden content, please

• Sign In
• or
• Sign Up

, even though the tax office had gone to pains to stress its own systems were never actually compromised, the incident underscored just how widespread the consequences of cyber attacks can be – snowballing from simple origins into a multimillion pound loss.

“It is clear from HMRC’s explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks,” said Richmond-Coggan.

“Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax.”

Phishing is changing, thanks to AI

Meanwhile, Gerasim Hovhannisyan, CEO of

This is the hidden content, please

• Sign In
• or
• Sign Up

, an email security provider, pointed out that phishing against both private individuals and businesses and other organisations had long ago moved beyond the domain of scammers chancing their luck.

While this type of scattergun fraud remains a potent threat, particularly to consumers who may not be informed about cyber security matters – the scale of the HMRC phish surely suggests a targeted operation, likely using carefully crafted email purporting to represent HMRC itself, designed to lure self-assessment taxpayers into handing over their accounts.

Not only that, but generative artificial intelligence (GenAI) means targeted phishing operations have become exponentially more dangerous in a very short space of time, added Hovhannisyan.

“[It] has made [phishing] scalable, polished, and dangerously convincing, often indistinguishable from legitimate communication. And while many organisations have strengthened their security perimeters, email remains the most consistently exploited and underestimated attack vector,” he said.

“These scams exploit human trust, using urgency, authority, and increasingly realistic impersonation tactics. If HMRC can be phished, anyone can.”

Added Hovhannisyan: “What’s more alarming is that the Treasury Select Committee only learned of the breach through the news. When £47m is stolen through impersonation, institutions can’t afford to stay quiet. Delayed disclosure erodes trust, stalls response, and gives attackers room to manoeuvre.”

Users are an unreliable first line of defence

Once again a service’s end-users have turned out to be the source of a cyber attack and as such, whether they are internal or – as in this case – external, are often considered an organisation’s first line of defence.

However, it is not always wise to take this approach, and for an organisation like HMRC daily engaging with members of the public, it is also not really possible. Security education is a difficult proposition at the best of times and although the ***’s National Cyber Security Centre (NCSC)

This is the hidden content, please

• Sign In
• or
• Sign Up

for consumers – it also operates a phishing reporting service that as of April 2025 has received over 41 million scam reports – bodies like HMRC cannot rely on everybody having visited the NCSC’s website.

As such, Mike Britton, chief information officer (CIO) at

This is the hidden content, please

• Sign In
• or
• Sign Up

, a specialist in phishing, social engineering and account takeover prevention, argued that HMRC could and should have done more from a technical perspective.

“Governments will always be a high tier target for cyber criminals due to the valuable information they hold. In fact, attacks against this sector are rising,” he said.

“In this case, it looks like criminals utilised account take over to conduct fraud. To combat this,

This is the hidden content, please

• Sign In
• or
• Sign Up

(MFA) is key, but as attacks grow more sophisticated, further steps must be taken.”

Britton said organisations like HMRC really needed to consider adopting more layered security strategies, not only including MFA but also incorporating wider visibility and unified controls across its IT systems.

Account takeover attacks such as the ones seen in this incident can unfold quickly, he added, so its cyber function should also be equipped with the tools to identify and remediate compromised accounts on the fly.

This is the hidden content, please

• Sign In
• or
• Sign Up

#HMRC #phishing #breach #wholly #avoidable #hard #stop

This is the hidden content, please

• Sign In
• or
• Sign Up

This is the hidden content, please

• Sign In
• or
• Sign Up

For verified travel tips and real support, visit: https://hopzone.eu/