{"id":12885,"date":"2025-07-04T14:37:23","date_gmt":"2025-07-04T09:07:23","guid":{"rendered":"https:\/\/threatcop.com\/blog\/?p=12885"},"modified":"2025-07-11T14:54:06","modified_gmt":"2025-07-11T09:24:06","slug":"100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc","status":"publish","type":"post","link":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/","title":{"rendered":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">A sophisticated phishing scam allowed criminals to fraudulently access over 100,000 HMRC online tax accounts. According to the<\/span><a href=\"https:\/\/www.bbc.com\/news\/articles\/cvgnz3r2m7eo\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><span style=\"font-weight: 400;\"> BBC<\/span><\/a><span style=\"font-weight: 400;\">, scammers posing as UK taxpayers stole <\/span><b>\u00a347 million<\/b><span style=\"font-weight: 400;\"> from HMRC. They didn\u2019t break the system but pretended to be a taxpayer and walked straight through the front door.<\/span><\/span><\/p><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 ez-toc-wrap-center counter-hierarchy ez-toc-counter ez-toc-light-blue ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #414141;color:#414141\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #414141;color:#414141\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#How_did_it_happen\" >How did it happen?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#Whats_HMRC_Doing_Now\" >What\u2019s HMRC Doing Now?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#This_Isnt_Just_a_Government_Problem\" >This Isn\u2019t Just a Government Problem<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#How_to_Protect_Your_Business_from_Similar_Scams\" >How to Protect Your Business from Similar Scams<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#Key_Takeaways_from_This_Event\" >Key Takeaways from This Event<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#Final_Words\" >Final Words!<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_did_it_happen\"><\/span><span style=\"color: #000000;\"><b>How did it happen?<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Criminals used <a href=\"https:\/\/threatcop.com\/blog\/what-to-do-if-you-receiving-phishing-emails\/\">phishing emails<\/a> and texts to collect personal info of taxpayers, such as names, National Insurance numbers, and date of birth. They then used those details to create or access online tax accounts on HMRC\u2019s self-assessment portal. Once in, they claimed false tax rebates successfully across 100,000 compromised accounts. It results in \u00a347M stolen money through fraudulent claims.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">The shocking part is that some victims didn\u2019t even know they had an HMRC account. Criminals set up brand-new profiles using stolen identities; no need to hack anything.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">HMRC said the scam was not a system hack but a case of identity impersonation. No internal HMRC systems were breached. The attack leveraged externally gathered user data to fraudulently access or create accounts. Personal data is used to pose as legitimate taxpayers.<\/span><\/p>\n\n\n\n<!DOCTYPE html>\r\n<html lang=\"en\">\r\n\r\n<head>\r\n    <meta charset=\"UTF-8\">\r\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\r\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\r\n    <title>Document<\/title>\r\n<\/head>\r\n\r\n<style>\r\n    .interestedBtn {\r\n        width: 80% !important;\r\n        box-sizing: border-box !important;\r\n        display: inline-block !important;\r\n        padding: 11px !important;\r\n        border: 1px !important;\r\n        border-color: #ddd !important;\r\n        margin-top: 10px !important;\r\n        background-color: #183e8b !important;\r\n        background-image: none !important;\r\n        text-shadow: none !important;\r\n        color: #fff !important;\r\n        font-size: 14px !important;\r\n        line-height: 20px !important;\r\n        border-radius: 5px !important;\r\n        margin: 0 !important;\r\n        cursor: pointer !important;\r\n        box-shadow: 0px 4.66px 22.99px 0px rgba(0, 0, 0, 0.10);;\r\n    }\r\n\r\n\r\n        .formSec .formSecTwo{\r\n            padding-top: 15px !important;\r\n            margin-bottom: 30px !important;\r\n        }\r\n\r\n\r\n    .tnp-email {\r\n        width: 80% !important;\r\n        box-sizing: border-box;\r\n        padding: 8px 10px;\r\n        display: inline-block;\r\n        border: 1px solid #ced4da;\r\n        background: #fff;\r\n        color: #000 !important;\r\n        font-size: 13px;\r\n        line-height: 20px;\r\n        border-radius: 2px;\r\n        padding-right: 30px;\r\n        margin-bottom: 0px;\r\n    }\r\n\r\n    .formSec {\r\n        border: 1px solid #ced4da;\r\n        float: left !important;\r\n        width: 55% !important;\r\n    }\r\n\r\n    .mainBox {\r\n       \/* border: 1px solid #183e8b;*\/\r\n         background: white;\r\n        max-width: 600px !important;\r\n        margin: 0 auto !important;\r\n        padding: 20px !important;\r\n        font-family: Arial, Helvetica, sans-serif !important;\r\n    }\r\n\r\n    .boxDiv {\r\n        display: flex !important;\r\n    }\r\n\r\n    .boxConsult {\r\n        float: left !important;\r\n        width: 45% !important;\r\n        padding: 10px !important;\r\n    }\r\n\r\n    .formSecTwo {\r\n        text-align:center !important;\r\n        width: 100% !important;\r\n    }\r\n\r\n    .formHeading {\r\n        font-family: Arial, Helvetica, sans-serif;\r\n        margin-top: 0px;\r\n        font-weight: 700;\r\n        line-height: 25px;\r\n        font-size: 18px !important;\r\n        \r\n       margin-bottom: 60px !important;\r\n       color: #000!important;\r\n          margin-top: 5px !important;\r\n    }\r\n\r\n    .fieldHeading {\r\n        margin: 0 !important;\r\n        font-size: 13px !important;\r\n        text-align: left !important;\r\n        margin: 0px 39px 2px 93px !important;\r\n        font-weight: 500 !important;\r\n    }\r\n\r\n    .image {\r\n        max-width:90% !important;\r\n        height: auto !important;\r\n    }\r\n\r\n     .email-icon {\r\n            position: absolute;\r\n            right: 50px;\r\n             top: 20px;\r\n            transform: translateY(-50%);\r\n            pointer-events: none; \r\n        }\r\n\r\n          .email-container{\r\n             position: relative;\r\n         \r\n        }\r\n       \r\n\r\n        .email-icon img{\r\n                 width: 15px;\r\n        }\r\n\r\n\r\n         input::placeholder {\r\n            color:#495057;\r\n        }\r\n\r\n\r\n     ::placeholder {\r\n        color: #495057;\r\n    }\r\n\r\n        ::-ms-input-placeholder { \r\n          color:#495057;\r\n        }\r\n\r\n\r\n        input:-webkit-autofill {\r\n            background-color: transparent !important;\r\n            -webkit-box-shadow: 0 0 0px 1000px white inset !important; \r\n            box-shadow: 0 0 0px 1000px white inset !important;\r\n            color: #495057 !important; \r\n        }\r\n\r\n        \r\n        input {\r\n            color:#495057 !important;\r\n        }\r\n\r\n\r\n    @media screen and (max-width: 480px) {\r\n        .boxDiv {\r\n            display: block !important;\r\n            padding: 15px !important;\r\n         \r\n        }\r\n\r\n        .image{\r\n        width: 80% !important;\r\n         margin-bottom: 14px;\r\n        }\r\n        .fieldHeading {\r\n            text-align: left !important;\r\n            margin: unset !important;\r\n        }\r\n\r\n        .boxConsult {\r\n            width: unset !important;\r\n            float: none !important;\r\n        }\r\n\r\n        .mainBox {\r\n            border: unset !important;\r\n        }\r\n\r\n        .formSec {\r\n            float: unset !important;\r\n            width: 100% !important;\r\n        }\r\n\r\n        .formSecTwo {\r\n            text-align: center !important;\r\n        }\r\n\r\n        .tnp-email {\r\n            width: 90% !important;\r\n        }\r\n\r\n        .formHeading {\r\n            margin-bottom: unset !important;\r\n        }\r\n\r\n         .email-icon {\r\n            position: absolute;\r\n            right: 25px;\r\n            top: 58%;\r\n            transform: translateY(-50%);\r\n            pointer-events: none; \/* Make sure the icon doesn't block clicking on the input *\/\r\n        }\r\n       \r\n        .email-container{\r\n             position: relative;\r\n        }\r\n\r\n    }\r\n<\/style>\r\n\r\n<body>\r\n\r\n    <div class=\"mainBox\" box-sizing:=\"\" border-box;=\"\">\r\n\r\n        <div class=\"boxDiv\">\r\n\r\n            <div class=\"boxConsult\">\r\n                <div>\r\n                    <h3 class=\"formHeading\" style=\" font-size: 16px !important;\">\r\n                        Book a Free Demo Call with Our People Security Expert<\/h3>\r\n                <\/div>\r\n                <img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/form.svg\" class=\"image\">\r\n            <\/div>\r\n\r\n            <div class=\"formSec\">\r\n                <div class=\" formSecTwo\">\r\n                    <h4 style=\"margin-top: 0; font-size: 16px !important;\">Enter your details<\/h4>\r\n                    <div class=\"tnp tnp-subscription-minimal\">\r\n                        <form action=\"https:\/\/threatcop.com\/thankyou-blog\" method=\"get\" target=\"_blank\">\r\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\r\n\r\n                                <input class=\"tnp-email\" type=\"text\" required=\"\" name=\"FullName\" value=\"\"\r\n                                    placeholder=\"Full Name\">\r\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon01.svg\" class=\"img-fluid\" \/><\/span>\r\n                            <\/div>\r\n\r\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\r\n                               \r\n                                <input class=\"tnp-email\" type=\"email\" required=\"\" name=\"email\" value=\"\"\r\n                                    placeholder=\"Corporate Email Id\">\r\n                                     <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon02.svg\" class=\"img-fluid\" \/><\/span>\r\n                            <\/div>\r\n\r\n                            <div class=\"email-container\" style=\"margin-bottom:20px;\">\r\n                               \r\n                                <input class=\"tnp-email\" type=\"text\" required=\"\" name=\"CompanyName\" value=\"\"\r\n                                    placeholder=\"Company Name\">\r\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon03.svg\" class=\"img-fluid\" \/><\/span>\r\n\r\n                            <\/div>\r\n\r\n                            <div class=\"email-container\">\r\n                               \r\n                                <input class=\"tnp-email\" type=\"number\" required=\"\" name=\"Phone\" value=\"\"\r\n                                    placeholder=\"Phone No.\"><br>\r\n                                    <span class=\"email-icon\"><img decoding=\"async\" src=\"https:\/\/awareness.threatcop.ai\/threatcop_blog\/icon04.svg\" class=\"img-fluid\" \/><\/span>\r\n                            <\/div>\r\n                            <input type=\"hidden\" name=\"BlogForm\" value=\"BlogForm\"><br>\r\n                            <input class=\"tnp-submit interestedBtn\" name=\"submit\" type=\"submit\"\r\n                                value=\"SUBMIT\">\r\n\r\n                        <\/form>\r\n                    <\/div>\r\n                <\/div>\r\n            <\/div>\r\n\r\n        <\/div>\r\n    <\/div>\r\n\r\n<\/body>\r\n\r\n<\/html>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Whats_HMRC_Doing_Now\"><\/span><span style=\"color: #000000;\"><b>What\u2019s HMRC Doing Now?<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">HMRC is taking several steps to contain the damage and rebuild trust. They\u2019re reaching out directly to individuals whose identities were misused and have already secured all compromised tax accounts. On the enforcement side, they\u2019re working closely with national and international authorities, and some arrests have already been made. <\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Looking ahead, HMRC has promised to increase investment in cybersecurity, with more funding expected in the upcoming UK government budget. They\u2019re also actively cooperating with the Information Commissioner\u2019s Office to ensure proper data handling and compliance across their digital systems.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"This_Isnt_Just_a_Government_Problem\"><\/span><span style=\"color: #000000;\"><b>This Isn\u2019t Just a Government Problem<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">This isn\u2019t just the scale of the loss. It\u2019s the simplicity of the attack. This wasn\u2019t zero-day exploitation. It wasn\u2019t advanced persistent threats or a complex <a href=\"https:\/\/threatcop.com\/blog\/ransomware-groups\/\">ransomware gang<\/a>. It was a digital impersonation operation.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">This could happen to any enterprise with a user portal, login page, or rebate system.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">And if you think it won\u2019t, remember: the victims in this case didn\u2019t even know they had HMRC online accounts. However, some accounts were created from scratch by scammers using phished information.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">So if you\u2019re only thinking about protecting existing accounts, it may be time to rethink that strategy.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_Protect_Your_Business_from_Similar_Scams\"><\/span><span style=\"color: #000000;\"><b>How to Protect Your Business from Similar Scams<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">If you\u2019re reading this, here\u2019s your first action step:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">Audit how your user accounts are created. Is it too easy to create an account with just an email and DOB? That\u2019s a red flag.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Implement adaptive authentication. Tie login behavior to risk signals: device, IP, location, time of day, and behavioral biometrics.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Run phishing simulations, like real ones. Not those obvious ones. Make them look like real invoices, HR messages, or tax reminders.<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Log everything. Monitor everything. And don\u2019t assume your alerts will catch new behavior unless you\u2019re training your models frequently.<\/span><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_Takeaways_from_This_Event\"><\/span><span style=\"color: #000000;\"><b>Key Takeaways from This Event<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">This wasn\u2019t a technical failure but it was a trust failure.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"color: #000000;\"><b>1. Phishing Still Works.<\/b><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Even in 2025, people fall for fake links. And when attackers use that data for identity fraud, your MFA, VPN, and SOC tools don\u2019t matter\u2014they\u2019re already \u201cin.\u201d<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"color: #000000;\"><b>2. Account Creation = Attack Vector.<\/b><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Any system that lets users self-register, reset passwords, or submit financial requests needs tighter controls. This includes:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"font-weight: 400; color: #000000;\">Strong identity verification<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">AI-based risk scoring<\/span><\/li>\n\n\n\n<li><span style=\"font-weight: 400; color: #000000;\">Login behavior analysis<\/span><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"color: #000000;\"><b>3. You Don\u2019t Need to Be Hacked to Lose Millions.<\/b><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">We tend to associate \u201ccyberattacks\u201d with malware and <a href=\"https:\/\/threatcop.com\/blog\/how-does-ransomware-spreads\/\">ransomware<\/a>. But impersonation at scale? That\u2019s more lucrative\u2014and harder to detect.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"color: #000000;\"><b>4. Transparency Builds Trust.<\/b><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">HMRC waited to disclose the fraud. That delay is now part of the problem. In the enterprise world, being upfront with your customers and teams is part of your security posture.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Words\"><\/span><span style=\"color: #000000;\"><b>Final Words!<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">Phishing is no longer just a link-clicking risk. It\u2019s a gateway to impersonation, fraud, and identity abuse. Phishing is evolving, and identity fraud is scaling faster than most organizations are prepared for.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"font-weight: 400; color: #000000;\">If you\u2019re still treating phishing as a user training issue and not a systemic design flaw, it\u2019s time to update your model.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated phishing scam allowed criminals to fraudulently access over 100,000 HMRC online tax accounts. According to the BBC, scammers posing as UK taxpayers stole \u00a347 million from HMRC. They didn\u2019t break the system but pretended to be a taxpayer and walked straight through the front door. How did it happen? Criminals used phishing emails [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":12886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41,284],"tags":[],"class_list":["post-12885","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attacks","category-news-and-digest"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC\" \/>\n<meta property=\"og:description\" content=\"A sophisticated phishing scam allowed criminals to fraudulently access over 100,000 HMRC online tax accounts. According to the BBC, scammers posing as UK taxpayers stole \u00a347 million from HMRC. They didn\u2019t break the system but pretended to be a taxpayer and walked straight through the front door. How did it happen? Criminals used phishing emails [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/\" \/>\n<meta property=\"og:site_name\" content=\"Threatcop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-04T09:07:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-11T09:24:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Threatcop\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatcop\" \/>\n<meta name=\"twitter:site\" content=\"@threatcop\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Threatcop\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/\"},\"author\":{\"name\":\"Threatcop\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/e4db27ffd37219d73fc6b40cc9d45cfa\"},\"headline\":\"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC\",\"datePublished\":\"2025-07-04T09:07:23+00:00\",\"dateModified\":\"2025-07-11T09:24:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/\"},\"wordCount\":722,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/Copy-of-Blog-Banner-8.jpg\",\"articleSection\":[\"Cyber Attacks\",\"News and Digest\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/\",\"name\":\"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/Copy-of-Blog-Banner-8.jpg\",\"datePublished\":\"2025-07-04T09:07:23+00:00\",\"dateModified\":\"2025-07-11T09:24:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#primaryimage\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/Copy-of-Blog-Banner-8.jpg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/Copy-of-Blog-Banner-8.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"name\":\"Threatcop\",\"description\":\"Cybersecurity Blogs, News, Updates, and Articles\",\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\",\"name\":\"Threatcop\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"width\":432,\"height\":102,\"caption\":\"Threatcop\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/people\\\/Threatcop\\\/100083109892339\\\/\",\"https:\\\/\\\/x.com\\\/threatcop\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/threatcop\\\/\",\"https:\\\/\\\/www.instagram.com\\\/threatcop_official\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/e4db27ffd37219d73fc6b40cc9d45cfa\",\"name\":\"Threatcop\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/avatar_user_1_1696398433.jpeg\",\"caption\":\"Threatcop\"},\"sameAs\":[\"https:\\\/\\\/threatcop.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/","og_locale":"en_US","og_type":"article","og_title":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC","og_description":"A sophisticated phishing scam allowed criminals to fraudulently access over 100,000 HMRC online tax accounts. According to the BBC, scammers posing as UK taxpayers stole \u00a347 million from HMRC. They didn\u2019t break the system but pretended to be a taxpayer and walked straight through the front door. How did it happen? Criminals used phishing emails [&hellip;]","og_url":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/","og_site_name":"Threatcop","article_publisher":"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","article_published_time":"2025-07-04T09:07:23+00:00","article_modified_time":"2025-07-11T09:24:06+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg","type":"image\/jpeg"}],"author":"Threatcop","twitter_card":"summary_large_image","twitter_creator":"@threatcop","twitter_site":"@threatcop","twitter_misc":{"Written by":"Threatcop","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#article","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/"},"author":{"name":"Threatcop","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/e4db27ffd37219d73fc6b40cc9d45cfa"},"headline":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC","datePublished":"2025-07-04T09:07:23+00:00","dateModified":"2025-07-11T09:24:06+00:00","mainEntityOfPage":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/"},"wordCount":722,"commentCount":0,"publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"image":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg","articleSection":["Cyber Attacks","News and Digest"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/","url":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/","name":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#primaryimage"},"image":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg","datePublished":"2025-07-04T09:07:23+00:00","dateModified":"2025-07-11T09:24:06+00:00","breadcrumb":{"@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#primaryimage","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2025\/07\/Copy-of-Blog-Banner-8.jpg","width":1920,"height":1080,"caption":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC"},{"@type":"BreadcrumbList","@id":"https:\/\/threatcop.com\/blog\/100k-accounts-compromised-47m-stolen-how-phishing-fooled-hmrc\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/threatcop.com\/blog\/"},{"@type":"ListItem","position":2,"name":"100K Accounts Compromised, \u00a347M Stolen: How Phishing Fooled HMRC"}]},{"@type":"WebSite","@id":"https:\/\/threatcop.com\/blog\/#website","url":"https:\/\/threatcop.com\/blog\/","name":"Threatcop","description":"Cybersecurity Blogs, News, Updates, and Articles","publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/threatcop.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/threatcop.com\/blog\/#organization","name":"Threatcop","url":"https:\/\/threatcop.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","width":432,"height":102,"caption":"Threatcop"},"image":{"@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","https:\/\/x.com\/threatcop","https:\/\/www.linkedin.com\/company\/threatcop\/","https:\/\/www.instagram.com\/threatcop_official\/"]},{"@type":"Person","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/e4db27ffd37219d73fc6b40cc9d45cfa","name":"Threatcop","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398433.jpeg","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398433.jpeg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2023\/10\/avatar_user_1_1696398433.jpeg","caption":"Threatcop"},"sameAs":["https:\/\/threatcop.com"]}]}},"_links":{"self":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/comments?post=12885"}],"version-history":[{"count":3,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12885\/revisions"}],"predecessor-version":[{"id":12892,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/12885\/revisions\/12892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media\/12886"}],"wp:attachment":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media?parent=12885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/categories?post=12885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/tags?post=12885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}