
HMRC cuts phishing emails by 300 million this year


Department claims early success for campaign to spread use of DMARC system through government

HM Revenue & Customs (HMRC) has claimed to have cut the number of phishing emails attributed to its domain by 300 million through using the DMARC validation system.

Its head of cyber security, Ed Tucker, has said this has also led to the takedown of more than 14,000 fraudulent websites that were attempting to harvest customers’ personal data.

This follows the collection of evidence that phishers, who pretend to be a trustworthy source to obtain sensitive data, sent about 500 million emails from fake addresses during 2015.

DMARC, otherwise known as Domain-based Message Authentication, Reporting and Conformance, allows the owner of the domain – in this case HMRC – to publish a policy that enables receiving email exchangers to recognise whether a message comes from the genuine source. It uses two other mechanisms, the Sender Policy Framework and DomainKeys Identified Mail, and provides a reporting process.
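The receiving side of that check can be sketched as follows. This is an added example, not code from HMRC or the article; the domains and the policy record are constructed placeholders. It simplifies RFC 7489 by ignoring the `pct` and `sp` tags and by approximating relaxed alignment without a Public Suffix List.

```python
# Added illustration (not HMRC's or the article's code): how a receiving mail
# server could apply a published DMARC policy. Simplified from RFC 7489:
# ignores the pct and sp tags and uses no Public Suffix List.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match. Relaxed ('r') is approximated here as
    'same domain or a parent/child of it' (assumption: stands in for the
    organizational-domain comparison)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def evaluate(record, from_domain, spf, dkim):
    """spf is (result, envelope_domain); dkim is a list of (result, d_domain).
    Returns 'pass', 'no-policy', or the policy the domain owner requested."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, policy.get("adkim", "r"))
                  for res, dom in dkim)
    return "pass" if spf_ok or dkim_ok else policy["p"]

# Constructed sample record and messages (tax.example is a placeholder domain).
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@tax.example"

if __name__ == "__main__":
    genuine = evaluate(RECORD, "tax.example", ("pass", "tax.example"), [("pass", "tax.example")])
    # SPF passes for the envelope domain, but that domain is not the From domain.
    spoofed = evaluate(RECORD, "tax.example", ("pass", "other-sender.example"), [])
    print(genuine, spoofed)
```

The second message shows why DMARC adds to SPF and DKIM: an SPF pass for an unrelated envelope domain does not satisfy the policy, because that domain does not align with the visible From domain.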

The National Cyber Security Centre is pushing for its widespread adoption across the UK. There have recently been press reports that it is planning to roll out the system across all government domains, and list authorities that do not follow the practice.

Six-month surge

In an HMRC digital blogpost, Tucker says the use of DMARC has been part of a programme to cut the number of phishing emails that abuse its brand. In the first six months of the year, the department’s customer protection team responded to more than 300,000 phishing referrals, which led to the takedown of the rogue websites.

“By proving DMARC works we hope to encourage implementation by other organisations across the UK, and indeed globally,” he says. “It is only through the wholesale take-up of DMARC that we can truly protect all of our customers from the scourge of phishing emails.”

The department is recognised as one of the most phished brands in the world, most commonly through the use of a false ‘tax refund notification’.
