Arrests made after huge HMRC scam campaign hit 100,000 accounts

HM Revenue & Customs (HMRC) letter pictured on a table top.

(Image credit: Getty Images)

published 14 July 2025

Romanian police have arrested 13 people believed to have been behind a phishing campaign on HM Revenue and Customs (HMRC) that cost millions in bogus tax refunds.

The men and women, aged between 23 and 53, are suspected of having stolen data then used to submit millions of pounds worth of fraudulent PAYE claims, as well as VAT repayments and child benefit payments.

The arrests were carried out by criminal investigators from HMRC, together with more than 100 Romanian police officers, in the Romanian counties of Ilfov, Giurgiu, and Calarasi.

“These arrests show we work across borders with our international partners to combat tax crime in all its forms. We have a number of live criminal investigations, and we are grateful to our Romanian partners for their support," said Simon Grunwell, operational lead in HMRC’s Fraud Investigation Service.

“We have already acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we continue to work with other law enforcement agencies both in the UK and overseas to bring those responsible to justice.”

Two other men, aged 27 and 36, were arrested in Bucharest in November on suspicion of cyber crime and fraud offences, with investigations still ongoing.

Last month, HMRC revealed that scammers had apparently netted £47 million by compromising around 100,000 taxpayer accounts. The tax office revealed a 38-year-old man has been arrested in Preston, apparently in connection with that attack.

“This was organized crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” said HMRC chief executive, John-Paul Marks.

What happened with the HMRC campaign?

The attack, which took place last year, was only revealed in June - drawing criticism from treasury select committee chair Dame Meg Hillier, who told HMRC that its failure to report details of the breach was ‘unacceptable’.

HMRC said it wrote to those affected in June and that it had locked down affected accounts and deleted login credentials - including Government Gateway user ID and passwords - to prevent future unauthorized access.

The tax office also revealed it removed any incorrect information from tax records.

"Tax scams are one of the biggest risks to citizens in the UK as criminals are adopting tactics to make them highly convincing, often using a mix of emails, post and SMS to send out fraudulent comms," said William Wright, CEO of Closed Door Security.

"The correspondence often looks genuine and it takes a very savvy consumer to question its authenticity, especially as criminals often hijack on key tax dates, such as the self-assessment deadline in January."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.