HMRC website and a pen and letter

Image credit: Getty

“Recent cyber attacks weren’t purely technical failures, they started with people, processes, and misplaced trust” – Cyber Security expert comments on run of high-profile online attacks

HMRC revealed yesterday that more than 100,000 taxpayer accounts had been compromised, as cyber criminals stole more than £47 million through fraudulent tax rebates. While the tax authority managed to secure the accounts, meaning no taxpayer’s money was lost, the incident highlights how susceptible to organised fraud large organisations can be.

Here, Professor in Cyber Security, Oli Buckley, discusses how powerful techniques such as phishing emails can be, before they are identified and dealt with, and the steps organisations need to take to build digital resilience through their people not just their technical set up.

“The recent news from HMRC has revealed how a phishing campaign enabled cyber criminals to access around 100,000 taxpayer self-assessment accounts. They got access with stolen credentials and managed to claim more than £47 million in fraudulent tax rebates. While members of the public have not had any actual money picked from their digital pockets, affected accounts have been locked and reset as a precaution.   

“Once again, we are seeing that large organisations, whether it be a retail giant like Marks & Spencer or a vital government machine, are susceptible to simple social engineering tactics, either over the phone or as a phishing email. This latest incident underscores how powerful and widespread these techniques can be, especially when criminals combine stolen personal data with the trust people have in institutions like HMRC.

“It is reassuring to know that no taxpayer money was lost, and that HMRC were able to detect and secure the affected accounts, but the amounts being thrown around highlight how organised fraud can operate at scale before it is identified. The fact that around 100,000 accounts needed to be reset really reinforces how far reaching these incidents can be.

“Ultimately, the lesson isn’t only for HMRC to tighten defences - though that’s crucial - it’s also a reminder to the public to treat unexpected communications cautiously, verify sources, and make use of official notices. As we move more public services online, helping people recognise and resist phishing is becoming a key part of digital resilience.

“What we’re seeing in cases like HMRC, M&S, and Co-op is that even the most well-resourced organisations can be caught off guard if the underlying culture doesn’t support secure behaviours. These weren’t purely technical failures, they started with people, processes, and misplaced trust. The National Cyber Security Centre’s newly published Cyber Security Culture Principles couldn’t have arrived at a more relevant moment, as they are calling for leaders, cyber security professionals, and culture specialists to work together. Building a resilient organisation is not just a technical problem, and having people who are engaged, feel supported and able to ask questions is one of the most powerful defences we can have. It’s not just about telling people what to do; it’s about creating an environment where doing the right thing feels natural and doesn’t make everyone’s life more difficult.”

To arrange an interview with Professor Oli Buckley, email the Public Relations team or call 01509 222224.

ENDS

Notes for editors

Press release reference number: 25/90

Loughborough is one of the country’s leading universities, with an international reputation for research that matters, excellence in teaching, strong links with industry, and unrivalled achievement in sport and its underpinning academic disciplines.

It has been awarded five stars in the independent QS Stars university rating scheme and named the best university in the world for sports-related subjects in the 2025 QS World University Rankings – the ninth year running.

Loughborough is ranked 6th in The UK Complete University Guide 2025, 10th in the Guardian University League Table 2025 and 10th in the Times and Sunday Times Good University Guide 2025. 

Loughborough was also named University of the Year for Sport in the Times and Sunday Times Good University Guide 2025 - the fourth time it has been awarded the prestigious title. 

Loughborough is consistently ranked in the top twenty of UK universities in the Times Higher Education’s ‘table of tables’, and in the Research Excellence Framework (REF) 2021 over 90% of its research was rated as ‘world-leading’ or ‘internationally-excellent’. In recognition of its contribution to the sector, Loughborough has been awarded seven Queen's Anniversary Prizes.

The Loughborough University London campus is based on the Queen Elizabeth Olympic Park and offers postgraduate and executive-level education, as well as research and enterprise opportunities. It is home to influential thought leaders, pioneering researchers and creative innovators who provide students with the highest quality of teaching and the very latest in modern thinking.

Categories

CrimeTechnologyWar and security