Britain’s Tax Collector HMRC Lost $63 Million to Fraudsters Wielding Taxpayer Data
Mathew J. Schwartz (euroinfosec) • July 11, 2025
Police on Thursday arrested 13 individuals in Romania and one in England on suspicion of engaging in a massive tax fraud scheme against Great Britain.
The arrests appear to be tied to an operation probing a gang that used phishing attacks against British taxpayers to steal 47 million pounds – $63 million – from His Majesty’s Revenue and Customs, the U.K. government agency responsible for collecting taxes.
Parliament’s Treasury Committee, which oversees the tax collector, slammed HMRC top brass for failing to notify lawmakers about the 2024 losses, which only came to light in June when 100,000 taxpayers received notification that their online accounts had been breached.
As part of an operation targeting suspected members of the group behind the attacks, HMRC said its investigators on Thursday joined more than 100 Romanian police officers who conducted house raids in the counties of Ilfov, Giurgiu and Calarasi, seizing devices along the way.
Romanian Police’s Economic Crimes Investigation Directorate arrested 13 individuals, aged between 23 and 53, on suspicion of computer fraud, money laundering and illegal access to a computer system.
Also on Thursday, HMRC officers arrested a 38-year-old man in Preston, England, and seized multiple electronic devices, in an action “linked to the phishing attacks.” They said the suspect is being questioned by HMRC officers.
That follows the arrest last November in Bucharest of two other men, aged 27 and 36, suspected of cybercrime and fraud offenses, as part of what HMRC said were ongoing investigations into the missing 47 million pounds.
“We have a number of live criminal investigations, and we are grateful to our Romanian partners for their support,” said Simon Grunwell, the operational lead for HMRC’s Fraud Investigation Service. “We have already acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we continue to work with other law enforcement agencies both in the U.K. and overseas to bring those responsible to justice.”
HMRC said the millions lost didn’t stem from its systems being directly hacked, but rather involved criminals using personally identifiable information obtained from other sources, such as phishing attacks or data stolen from third parties, which they used to access tax collector services in the name of legitimate taxpayers.
“We’ve written to around 100,000 people – equivalent to approximately 0.22% of our customers – to inform them we have detected unauthorized attempts to access their online HMRC account, reassure them that their account has been secured and that they have not suffered any financial loss,” HMRC said.
Fraudsters used stolen data to commit fraud in taxpayers’ names. This included false child benefit claims, as well as filing fraudulent “pay as you earn” and value-added tax reimbursement claims. PAYE refers to income tax and national insurance paid through an employer, while VAT is added to most products and services sold in the country.
“Tax scams are one of the biggest risks to citizens in the U.K. as criminals are adopting tactics to make them highly convincing, often using a mix of emails, post and SMS to send out fraudulent communications,” said William Wright, CEO of Scottish penetration testing firm Closed Door Security.
“The correspondence often looks genuine and it takes a very savvy consumer to question its authenticity, especially as criminals often hijack on key tax dates, such as the self-assessment deadline in January,” he said.
British cybersecurity officials said HMRC is the third most spoofed U.K. government brand in Britain, behind the National Health Service and TV Licensing, which collects an annual fee used to fund the British Broadcasting Corporation.
“We continuously enhance our security measures to tackle evolving fraud tactics,” HMRC said, noting that last month “the government announced further investments in the security of HMRC’s IT systems.”
That announcement came when Chancellor of the Exchequer Rachel Reeves presented her spending review to Parliament, which proposes investing 298 million pounds in the next two years to improve “HMRC customer services and IT,” as part of a drive to “tackle urgent cybersecurity and technical resilience risks, modernize public service delivery and drive a major overhaul in government productivity and efficiency.”
Critics suggest a wide-ranging overhaul is required. “HMRC has not been transparent or timely in its communication over this important issue,” said Glenn Collins, the Association of Chartered Certified Accountants’ head of technical and strategic engagement. In a June 5 letter to the select committee, the industry association said the first it heard from revenue and customs about the fraud wave was on June 4.
“This disappointing failure to communicate in a timely manner is unfortunately representative of the poor levels of customer service received by agents and taxpayers. Despite raising concerns directly with HMRC, standards are not improving,” the letter reads.