
Increase in HMRC fraudulent submissions
We have recently been made aware of an increase in cyber-attacks in which criminals are submitting fraudulent VAT returns and requesting VAT refunds from HMRC. There have previously been cyber-attacks in relation to self-assessment, where criminals have also been requesting refunds.
We have seen an influx of phishing emails asking you to click on a link, suggesting that HMRC are carrying out a compliance check on your account or similar. HMRC will never ask you to disclose personal information via email, and you should never click on any links from emails. If you receive a genuine email from HMRC, it will tell you that you have a message on your online account, but there will be no link in the email; you will then need to log into your Government Gateway to receive the message. Please see below an example of a recent phishing email which has been sent out:
Is your VAT linked to your Government Gateway?
The attacks are targeting businesses and individuals who don't have the relevant tax accounts, e.g. VAT, linked to their Government Gateway. This means criminals are able to set up fraudulent Government Gateway accounts and link them to VAT or self-assessment accounts, allowing them to submit a return via the new portal.
It is important that you ensure that your Government Gateway has all the relevant information linked; if a tax account is correctly linked to your own Government Gateway, it cannot then easily be linked to another account.
HMRC have lost millions to online fraud
In June 2025, it was published that HMRC have lost £47 million to online fraud. HMRC are currently investigating the accounts affected, which at the moment are mostly self-assessment accounts. They have also locked down the affected accounts and cleared any fraudulent information. Further to this announcement, they have confirmed there is no risk to taxpayers, and you will not suffer any financial loss because of any fraudulent activity on your account. However, your accounts will likely be blocked, and any submissions will be on hold until they have been investigated.
Next steps for you
We are advising all clients to do the following as soon as possible:
1. Check all relevant taxes are linked to your Government Gateway, e.g. self-assessment, VAT, corporation tax (even where we act as agent for you).
2. If you do not have a Government Gateway, this should be set up as soon as possible. Our agent login is not the same as your personal login. You can use this link for HMRC instructions on how to create a Government Gateway account.
3. Change your password for Government Gateway.
4. Set up multi-factor authentication on your Government Gateway login.
If you do receive a suspicious email, please forward it to phishing@hmrc.gov.uk for their security team to investigate, and then delete the email you have received.
We would also advise you to spend 2 minutes looking through the link below on how to report suspicious emails, calls etc.
Report suspicious HMRC emails, texts, social media accounts and phone calls.