Britain’s tax service (His Majesty’s Revenue and Customs, or HMRC) was the third most spoofed UK government body in 2022, behind the NHS and TV Licensing.
In early June 2025, HMRC told the UK government’s Treasury Committee about a massive loss to phishing. The Committee subsequently tweeted: “HMRC officials told us today that 100,000 HMRC customers were victims of a phishing scam, resulting in £47m of losses to the taxpayer.”
Separately, in a press release dated July 10, 2025, issued via mynewsdesk, HMRC announced “Fourteen arrested in phishing attack investigations.” Thirteen men and women, aged between 23 and 53, were arrested in Romania by the Romanian Police. A fourteenth, presumably British, was arrested in Preston, UK.

Investigators from HMRC joined more than 100 Romanian police officers to arrest the 13 Romanian suspects in the counties of Ilfov, Giurgiu and Calarasi.
It doesn’t seem likely that the Preston and Romanian arrests were linked by anything other than fraud against HMRC and timing, since HMRC also states, “A fourteenth man was arrested in another investigation in Preston.”
Simon Grunwell, operational lead in HMRC’s fraud investigation service, commented, “We have a number of live criminal investigations, and we are grateful to our Romanian partners for their support.” The completion of this investigation suggests that HMRC is actively working against other phishing campaigns, and it may well result in further operations against other phishers wherever they operate.
In this case, a Romania / UK joint investigation team has been established combining the Prosecutor’s Office attached to the Court of Appeal in Bucharest, HMRC and the Crown Prosecution Service (CPS) in the UK.
No specific details on the Romania-based phishing campaign have been released other than a general comment, “It’s suspected that organized criminal gangs have stolen data and used it to submit fraudulent PAYE claims [pay as you earn in the UK, similar to payroll tax withholding in the US], as well as VAT repayments and Child Benefit payments,” and that the Romanians, “Were arrested by Romanian Police’s Economic Crimes Investigation Directorate on suspicion of computer fraud, money laundering and illegal access to a computer system.”
And, of course, the obligatory, “We are unable to provide any more detail about today’s arrest operations.” Meanwhile, HMRC has confirmed that the phishers stole money from HMRC rather than its customers, that it has written to affected customers, locked down the accounts, deleted login credentials (Government Gateway user ID and passwords) to prevent future unauthorised access, and that the phishing attacks have not involved a cyber attack against HMRC.

