Here, Oli Buckley, Professor in Cyber Security, discusses how powerful techniques such as phishing emails can be before they are identified and dealt with, and the steps organisations need to take to build digital resilience through their people, not just their technical set-up.
“The recent news from HMRC has revealed how a phishing campaign enabled cyber criminals to access around 100,000 taxpayer self-assessment accounts. They got access with stolen credentials and managed to claim more than £47 million in fraudulent tax rebates. While members of the public have not had any actual money picked from their digital pockets, affected accounts have been locked and reset as a precaution.
“Once again, we are seeing that large organisations, whether it be a retail giant like Marks & Spencer or a vital government machine, are susceptible to simple social engineering tactics, either over the phone or as a phishing email. This latest incident underscores how powerful and widespread these techniques can be, especially when criminals combine stolen personal data with the trust people have in institutions like HMRC.
“It is reassuring to know that no taxpayer money was lost, and that HMRC were able to detect and secure the affected accounts, but the amounts being thrown around highlight how organised fraud can operate at scale before it is identified. The fact that around 100,000 accounts needed to be reset really reinforces how far reaching these incidents can be.
“Ultimately, the lesson isn’t only for HMRC to tighten defences - though that’s crucial - it’s also a reminder to the public to treat unexpected communications cautiously, verify sources, and make use of official notices. As we move more public services online, helping people recognise and resist phishing is becoming a key part of digital resilience.
“What we’re seeing in cases like HMRC, M&S, and Co-op is that even the most well-resourced organisations can be caught off guard if the underlying culture doesn’t support secure behaviours. These weren’t purely technical failures, they started with people, processes, and misplaced trust. The National Cyber Security Centre’s newly published Cyber Security Culture Principles couldn’t have arrived at a more relevant moment, as they are calling for leaders, cyber security professionals, and culture specialists to work together. Building a resilient organisation is not just a technical problem, and having people who are engaged, feel supported and able to ask questions is one of the most powerful defences we can have. It’s not just about telling people what to do; it’s about creating an environment where doing the right thing feels natural and doesn’t make everyone’s life more difficult.”
To arrange an interview with Professor Oli Buckley, email the Public Relations team or call 01509 222224.
ENDS