Thirteen individuals have been arrested in Romania as part of a major international operation targeting tax fraud linked to phishing attacks. The suspects are believed to have used stolen personal data to make fraudulent claims for tax refunds and benefits in the UK. The arrests follow a coordinated investigation involving more than 100 Romanian police officers and criminal investigators from HM Revenue and Customs (HMRC). The suspects, aged between 23 and 53, were detained in the Romanian counties of Ilfov, Giurgiu, and Calarasi.
A separate arrest was also made in Preston, UK. A 38-year-old man was taken into custody in connection with the same investigation. Officers from HMRC seized electronic devices and are continuing to question him.
The international investigation is the result of a joint effort between Romanian prosecutors, HMRC, and the UK’s Crown Prosecution Service (CPS). This partnership was set up earlier this year to investigate serious cross-border crimes involving cyber fraud and financial misconduct.
Phishing and Tax Fraud Operation
According to HMRC, the criminal operation involved the theft of personal data through phishing attacks. Criminals used this information to submit fraudulent PAYE (Pay As You Earn) claims, VAT repayments, and Child Benefit payment requests.
The Romanian Police’s Economic Crimes Investigation Directorate led the arrests. The suspects are being investigated for offences including computer fraud, money laundering, and illegal access to a computer system.
HMRC emphasized that the fraud did not involve a direct cyberattack on its systems. Rather, criminals used data gathered through phishing and other means to exploit HMRC services.
UK Arrest and Ongoing Investigations
The 38-year-old man arrested in Preston remains in custody. He is being questioned as part of a separate but related investigation. The operation also included the seizure of electronic devices that may be key to uncovering further details about the criminal network.
Two other men, aged 27 and 36, had previously been arrested in Bucharest in November on suspicion of cybercrime and fraud offences. Those investigations are ongoing.
Simon Grunwell, Operational Lead in HMRC’s Fraud Investigation Service, praised the international effort and the progress made so far.
“These arrests show we work across borders with our international partners to combat tax crime in all its forms. We have a number of live criminal investigations, and we are grateful to our Romanian partners for their support. We have already acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we continue to work with other law enforcement agencies both in the UK and overseas to bring those responsible to justice.”
How HMRC Responded
HMRC has written to around 100,000 people, which is approximately 0.22% of its customer base, to inform them of attempted unauthorized access to their accounts. These individuals were reassured that their accounts were secured and that no financial losses had occurred.
The organization clarified that this was not a cyberattack on HMRC’s systems. Instead, the criminals used stolen information, likely obtained from phishing or data leaks involving other organizations, to access HMRC services fraudulently.
HMRC stressed its commitment to security and noted that it is continuously upgrading its systems. As part of the UK government’s June 2025 Spending Review, further investment was announced to strengthen the security of HMRC’s IT infrastructure.
HMRC Among Most Spoofed Government Bodies
According to the National Cyber Security Centre, HMRC was the third most spoofed UK government agency in 2022, after the NHS and TV Licensing. Phishing attempts that impersonate HMRC remain common and pose an ongoing risk to taxpayers.
To help the public stay safe, HMRC encourages individuals to report any suspicious emails, texts, or messages. You can report a scam or phishing attempt online via the official HMRC channels.
Conclusion
The arrests highlight the growing need for cross-border cooperation to tackle cyber-enabled financial crimes. The joint investigation team formed between the UK and Romania allowed authorities to share intelligence, resources, and expertise.
By working together, law enforcement agencies were able to swiftly act against organized groups operating across multiple countries. This kind of collaboration is essential in disrupting sophisticated fraud operations that can otherwise evade national borders.
Authorities continue to warn people about the risks of phishing scams. Criminals often send fake emails or text messages that appear to come from trusted sources like HMRC. These messages can trick individuals into sharing sensitive personal or financial information.
HMRC advises everyone to be cautious of unexpected requests for information and to never click on suspicious links. Anyone who suspects they have been targeted by a scam should report it immediately.
