adimas - Fotolia

HMRC deactivates record number of fake websites

HM Revenue & Customs has removed more than 20,000 malicious websites in the past year, but warns people to stay alert to the threat from online fraudsters

New figures show that HM Revenue & Customs (HMRC) requested a record 20,750 malicious sites to be taken down in the past 12 months, which represents an increase of 29% on the previous year.

Despite a record number of malicious sites being removed, HMRC has warned that millions of taxpayers remain at risk of losing substantial amounts of money to online fraudsters.

HMRC has brought in cutting-edge technology to tackle cyber crime and target fraudsters, but says the public needs to be aware and report phishing attempts to defeat the criminals.

Suspicious emails claiming to be from HMRC can be forwarded to [email protected] and texts to 60599. Any suspicious calls can be reported to Action Fraud through its call centre on 0300 123 2040 or through its online fraud reporting tool.

During the financial year 2017 to 2018, HMRC responded to nearly one million phishing referrals and reduced spoofed phishing texts by 90% through the use of new technology.

The tax department said genuine organisations such as banks and HMRC would never contact people to ask for their personal identification number (PIN), password or bank details.

People should therefore never give out private information, download attachments, or click on links in emails and messages they were not expecting, HMRC warned.

Treasury minister Mel Stride said criminals prey on the public and abuse their trust in government. “HMRC is cracking down harder than ever, as these latest figures show. But we need the public’s help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims,” he said.

“HMRC is cracking down [on malicious websites], but we need the public’s help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims”
Mel Stride, financial secretary to the Treasury and HM Paymaster General

The most common type of scam is the “tax refund” email and SMS, but HMRC does not offer tax refunds by text message or by email.

Putting a stop to phishing messages

HMRC has been trialling technology which identifies phishing texts that claim to be from HMRC, and stops them from being delivered. Since the pilot began in April 2017, there has been a 90% reduction in people reporting spoof HMRC-related texts.

This innovative approach won the HMRC cyber security team the Cyber Resilience Innovation of the Year Award in the recent Digital Leaders (DL100) Awards.

In November 2016, HMRC was the first government department to implement fully the domain-based message authentication, reporting and conformance (Dmarc) protocol. Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme (ACD) led by the UK’s National Cyber Security Centre (NCSC).

Dmarc allows emails to be verified to ensure they come from a genuine source. The system has successfully stopped half a billion phishing emails reaching customers.

HMRC has also saved the public more than £2.4m by tackling fraudsters that trick the public into using premium rate phone numbers for services that HMRC provides for free. Scammers create websites that look similar to HMRC’s official site and then direct the public to call numbers with extortionate costs.

HMRC has successfully challenged the ownership of these websites, masquerading as official websites, and taken them out of the hands of cheats.

HMRC is working with the NCSC to further this work and extend the benefits beyond HMRC customers.

Read more about Dmarc and email security

  • Dmarc email validation – we’re doing it all wrong.
  • About 200 billion emails are sent every day, but because of its importance, email is constantly exploited by attackers, and yet is often overlooked in cyber security strategies.
  • HMRC is first department to implement Dmarc technology to block phishing emails as part of UK government’s active cyber defence programme and self-testing strategy.
  • Return to sender: Improving security with Dmarc email authentication.

Read more on Hackers and cybercrime prevention

Data Center
Data Management