This is a significant decrease in the half a billion phishing emails sent to customers alleging to be from an ‘@HMRC.gov.uk’ email address in both 2014 and 2015, and shows the progress the department is making in tackling these types of cyber threats.
Discussing the achievement, HMRC’s Head of Cyber Security, Ed Tucker, said:
“Phishing emails are a major focus for our Cyber Security Team. They’re more than just unwanted messages; they are a means by which criminals look to exploit members of the public and gain access to their personal and financial data. This in turn can lead to fraud and identity theft.
“By introducing a new level of security, we’ve been able to tackle these threats head-on and almost all attempts to scam taxpayers by pretending to be from an HMRC email address will now fall flat. The added security this brings will be invaluable, especially at this time of year when many customers are busy using their online Personal Tax Account to submit their Self-Assessment returns.”
The achievement has been made possible through HMRC’s implementation of the email authentication protocol Domain-based Message Authentication, Reporting and Conformance (DMARC). The security process works by determining which email servers are allowed to send emails on behalf of the organisation. If an email passes the checks it is deemed legitimate and delivered. If it fails then it is deemed fraudulent and is not delivered.
Ed Tucker, who recently won the Security Professional of the Year award at the UK IT Industry Awards, added:
“While this does not mean a complete end to HMRC-based phishing, it has taken hundreds of millions of scam messages out of circulation and will make criminals’ emails look far less legitimate, giving our customers a much better chance of spotting them.”
As one of the first departments to apply the DMARC control, HMRC is now at the forefront of contributing to the delivery of the Active Cyber Defence Programme; an essential part of the National Cyber Security Strategy.