Guidance

Keep your HMRC online security information safe as an agent

Find out how to protect your sign in details and reduce the risk of fraud when using HMRC online services.

Reduce the risk of fraud

Use a strong password and change it if you think someone is aware of it. Combining 3 random words can make a unique password which is easy to remember.

To reduce the risk of fraud you should:

  • run antivirus scans and check your systems for any unusual software
  • review your digital security processes and ensure your clients understand their responsibilities
  • update your and your staff’s knowledge on the latest phishing threats and scams
  • encourage use of HMRC’s digital services and stay informed about emerging fraud risks
  • access your client details using your own agent registration — do not use your clients’ sign in details
  • check your HMRC account for any unauthorised or unusual activity — such as changes to email addresses or the addition of software
  • only sign in to HMRC account services using the web; do not follow a link in an email

You should also keep:

  • your list of administrators and assistants up to date
  • sign in details secure; do not share them with anyone — HMRC will never ask for your password
  • computers secure; personal computers used for work must have the same security controls as office computers

You should not:

  • re-purpose or use old passwords
  • use a predictable password and words connected to you, for example birthdays or pet names
  • let people use your sign in details — if other people need access you can set up administrators and standard users

Dealing with fraud

You should report suspicious emails, phone numbers, phone calls or text messages.

You should also report suspicious activity happening in an HMRC account and check any third-party software you use for unexpected activity like changes to bank details.

Do not attempt to correct anything in your HMRC account if suspicious activity is identified.

Change your password when HMRC tells you to

If we think that someone has accessed your agent account without your permission, we will send you a temporary password by email.

You will have to change your password when you first sign in. Do not change it to a password that is similar to one you have used before.

Updates to this page

Published 28 November 2011
Last updated 13 May 2026
  1. ‘Reduce the risk of fraud’ has been updated with more recommendations and guidance on creating strong passwords. A new section ‘Dealing with fraud’ has been added.

  2. First published.
