Why Your Agent Account Is Different from Every Other Login
Your email password protects one mailbox. Your case management login protects your practice. But your HMRC agent account protects every client on your books. It is the single credential that grants access to tax records, payment instructions, refund claims, and personal data across your entire client base.
When criminals stole HMRC agent credentials through phishing campaigns, they did not just access one taxpayer. They submitted fraudulent repayment claims across hundreds of accounts, extracting £47 million before the scheme was detected. The attack worked because HMRC agent accounts did not require multi-factor authentication at all.
HMRC has since announced plans to reintroduce MFA as an option for agents. Not a requirement. An option. Which means the vulnerability that enabled a £47 million theft is being addressed with a voluntary control.
How an Accountancy Practice Gets Compromised in 2026
This is not theoretical. In April 2025, a small accountancy practice shared their experience publicly. The attack was targeted, professional, and nearly undetectable.
The firm had antivirus. They had firewalls. They were cautious. But the attack was designed to look like normal business: a prospective client with a plausible story, referencing real local businesses, sending documents in the way any genuine client would. The remote access software was not flagged because it is a legitimate tool used by IT support companies worldwide.
When HMRC Suspends Your Account, Your Business Stops
HMRC has stated explicitly that it will act quickly where it believes an account has been compromised, including suspending the agent's account without notice. Consider what that means operationally:
Restoration requires security verification, potentially forensic investigation, and liaison with HMRC's online services team. There is no guaranteed timeframe. During tax season, even a 48-hour suspension could mean missed deadlines, penalties for your clients, and irreversible damage to trust.
Attackers Know Your Calendar Better Than You Think
Phishing campaigns against accountants are not random. They are timed to coincide with peak filing periods when your team is under maximum pressure and most likely to click without thinking. HMRC reported over 4,800 Self Assessment scams in a single reporting period, with fraudsters stepping up activity precisely around the 31 January deadline.
The pattern is predictable: urgent language, references to penalties or refunds, communications that mimic genuine HMRC correspondence. And it works because during busy periods, even cautious practitioners make decisions faster than they should.
[Figure: attack-timing calendar. Red: peak attack windows. Amber: elevated risk periods.] Attackers time campaigns to when staff are busiest and least likely to scrutinise incoming communications.
What Your Practice Should Do This Week
These are not aspirational recommendations. They are practical controls you can implement immediately, ranked by impact.
HMRC has now made MFA available as an option for agent accounts. Enable it immediately. Use an authenticator app, not SMS. This single control would have prevented the £47 million theft. It takes five minutes and costs nothing. There is no legitimate reason to leave it disabled.
ICAEW issued guidance this month reiterating that agents should never use client login credentials for HMRC online services. Beyond the regulatory breach, using client credentials means you cannot distinguish between your access and a criminal's. If a client account is compromised, HMRC cannot tell whether it was the client, you, or an attacker.
The AccountingWeb attack started with a fake prospective client. Before opening any documents from a new enquiry, verify the business exists independently: check Companies House, call a number you find yourself, confirm the contact person. This adds two minutes to onboarding and prevents the most targeted attack vector in the sector.
Traditional antivirus did not catch the AccountingWeb attack because the attacker used legitimate remote access software. You need endpoint detection that monitors for unexpected installations of tools like AnyDesk, TeamViewer, or ScreenConnect, not just known malware signatures. This is the difference between "we have antivirus" and "we have actual protection."
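As an added illustration of the kind of rule such monitoring applies (example code written for this article, not taken from any vendor product), the following Python scans constructed process-creation log lines for the remote access tools named above and flags launches that are not on a hypothetical practice allow-list. The log format, the allow-list, the host names and the "approved only if installed under Program Files" policy are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Remote access tools named in the article, matched on the executable's base name.
REMOTE_ACCESS_TOOLS = {
    "anydesk": ["anydesk"],
    "teamviewer": ["teamviewer", "tv_w32", "tv_x64"],
    "screenconnect": ["screenconnect"],
}
# Hypothetical practice policy: only the IT support firm's TeamViewer, installed
# under Program Files, is approved. Any other remote access binary is unexpected.
APPROVED = {("teamviewer", "c:\\program files\\teamviewer\\")}
# Parents that mean "launched from an e-mail, document or download", not by IT.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe",
                       "msedge.exe", "acrord32.exe"}

# Constructed log format (not a real product's): one process-creation event per line.
EVENT_RE = re.compile(r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                      r'image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)"')

SAMPLE_LOG = r'''
2026-01-28T09:14:02Z host=FIN-PC03 user=jsmith image="C:\Users\jsmith\Downloads\AnyDesk.exe" parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2026-01-28T10:02:45Z host=FIN-PC07 user=SYSTEM image="C:\Program Files\TeamViewer\TeamViewer_Service.exe" parent="C:\Windows\System32\services.exe"
2026-01-28T10:20:11Z host=FIN-PC03 user=jsmith image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" parent="C:\Windows\explorer.exe"
2026-01-28T11:30:09Z host=FIN-PC01 user=amiller image="C:\Users\amiller\AppData\Local\Temp\ScreenConnect.ClientSetup.exe" parent="C:\Program Files\Google\Chrome\Application\chrome.exe"
2026-01-28T14:05:33Z host=FIN-PC05 user=rpatel image="D:\TeamViewer\TeamViewer.exe" parent="C:\Windows\explorer.exe"
'''

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def identify_tool(image):
    name = PureWindowsPath(image).name.lower()
    for tool, markers in REMOTE_ACCESS_TOOLS.items():
        if any(marker in name for marker in markers):
            return tool
    return None

def classify(event):
    """Return a finding for an unexpected remote access tool launch, else None."""
    tool = identify_tool(event["image"])
    if tool is None:
        return None
    image_lc = event["image"].lower()
    if any(tool == t and image_lc.startswith(prefix) for t, prefix in APPROVED):
        return None  # approved tool in its approved install location
    parent = PureWindowsPath(event["parent"]).name.lower()
    # Highest concern: started from a mail/office/browser process, or run from Downloads/Temp.
    risky = parent in USER_FACING_PARENTS or "\\downloads\\" in image_lc or "\\temp\\" in image_lc
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": tool, "severity": "high" if risky else "medium", "image": event["image"]}

def scan(log_text):
    events = (parse_event(l) for l in log_text.strip().splitlines())
    return [f for f in (classify(e) for e in events if e) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same rule shape applies to EDR or Sysmon process-creation telemetry; the point is that it keys on the tool and where it came from, not on a malware signature.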
Your HMRC agent account should be accessed from a dedicated, hardened device or at minimum a separate browser profile with no other active sessions. Do not access Government Gateway from the same browser session where you open client emails and attachments. Compartmentalisation limits what a compromised browser session can reach.
Check your agent account regularly for filings you did not make, clients you did not add, and correspondence you did not generate. Set a weekly calendar reminder. The £47 million HMRC theft went undetected for months because nobody was looking at the access logs. Early detection is the difference between a contained incident and a catastrophe.
The Bottom Line
Your HMRC agent account is not just another login. It is the master key to your entire practice's client data. One phishing email, one fake client enquiry, one moment of inattention during tax season, and every client you serve is exposed.
The regulatory environment is tightening. ICAEW is publishing guidance monthly. HMRC is suspending accounts proactively. The government's Cyber Security Breaches Survey shows 43% of businesses were breached in the last year. The question is not whether your practice will face an attack. It is whether you will have the controls in place when it happens.
Protect the credential that protects everything else.