HMRC geared up to block 500 million phishing emails a year

HMRC is first department to implement technology to block phishing emails as part of UK government’s active cyber defence programme and self-testing strategy

HM Revenue & Customs (HMRC) is geared up to block the half a billion phishing emails sent per year, which are designed to steal personal and financial information or deliver malware, from ever reaching UK taxpayers.

HMRC is the first government department to implement fully the domain-based message authentication, reporting and conformance (Dmarc) protocol. Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme (ACD) led by the UK’s National Cyber Security Centre (NCSC).

The ACD programme is intended to tackle – in a relatively automated way – a significant proportion of the cyber attacks that hit the UK.

It is broadly aimed at fixing the underlying infrastructure protocols, improving email security, hunting down and blocking malicious activity, filtering out malicious domains, helping government and critical national infrastructure to improve security practices, and encouraging innovative ways to authenticate online.

The NCSC hopes to have all departments running the Dmarc protocol as soon as possible to eliminate malicious emails that appear to come from government.

“With Dmarc, we can now stop almost all of the [500 million phishing emails a year seen in 2014 and 2015] from ever reaching our customers’ inboxes,” said Edward Tucker, head of HMRC cyber security.

“To be able to have such a dramatic effect in reducing the threat to our customers is a huge achievement,” he wrote in a blog post.

Phishing emails caught by Dmarc

HMRC is recognised as one of the most-phished brands in the world, said Tucker, most commonly with the classic "Tax Refund Notification".

“The resultant customer compromise [by phishing emails disguised as such notifications] leads to onward fraud against financial institutions and identity theft,” he said.

To make HMRC phishing emails look more authentic, criminals typically spoof, or masquerade as, legitimate HMRC domains, most commonly

HMRC’s cyber security team, said Tucker, has been working to tackle this issue by “gradually implementing security controls across all of our email domains”.

“We have already managed to reduce phishing emails by 300 million in 2016 through spearheading the use of Dmarc,” he said.

Dmarc enables HMRC and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.

Tucker said HMRC’s customer protection team, part of the cyber security team, continues to utilise innovative approaches to combat these threats.

“In the first six months of 2016, they responded to more than 300,000 phishing referrals from customers. They’ve also instigated the takedown of more than 14,000 fraudulent websites that were attempting to harvest customer data,” he said.

“These figures represent record levels of performance and demonstrate HMRC’s continued dedication to protecting our customers,” he added.

HMRC has now moved Dmarc into "full reject" mode, which will prevent any emails spoofing from ever reaching customers' inboxes, Tucker told Computer Weekly. 
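
An added example (not from the article, HMRC or the NCSC): a Python check that classifies a Dmarc TXT record by enforcement level, so an administrator can confirm a domain really is in a "full reject" state. It assumes "full reject" means `p=reject` for the domain and its subdomains with `pct=100`; the domains, records and level names are constructed for this example.

```python
# Added example: classify DMARC TXT records by enforcement level.
# All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and read exactly v=DMARC1.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Map a record to no-dmarc, invalid, monitor-only, partial or full-reject."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()      # sp defaults to p when absent
    pct = tags.get("pct", "100")              # pct defaults to 100
    valid = ("none", "quarantine", "reject")
    if policy not in valid or sub not in valid or not pct.isdigit() or int(pct) > 100:
        return "invalid"                      # flagged for the operator to fix
    if policy == "none":
        return "monitor-only"                 # reports only, nothing is blocked
    if policy == "reject" and sub == "reject" and int(pct) == 100:
        return "full-reject"
    return "partial"                          # not every spoofed message is rejected

SAMPLE_RECORDS = {  # constructed: value of the TXT record at _dmarc.<domain>
    "a.example": "v=DMARC1; p=reject; rua=mailto:reports@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:reports@b.example",
    "c.example": "v=DMARC1; p=reject; pct=50",
    "d.example": "v=DMARC1; p=reject; sp=none",
    "e.example": "v=DMARC1; p=quarantine",
    "f.example": "v=spf1 -all",
}

def audit(records):
    """Return {domain: level} for every domain that is not at full reject."""
    levels = {d: enforcement(r) for d, r in records.items()}
    return {d: lvl for d, lvl in levels.items() if lvl != "full-reject"}

if __name__ == "__main__":
    for domain, level in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{domain}: {level}")
```

Only `a.example` passes; the others show the usual gaps: monitoring-only policy, a partial `pct` rollout, a weaker subdomain policy, quarantine instead of reject, and no Dmarc record at all.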

NCSC trials recommendations on government

By proving Dmarc works, the NCSC hopes to encourage implementation by other organisations across the UK and even globally.

“It is only through the wholesale take up of Dmarc that we can truly protect all of our customers from the scourge of phishing emails,” said Tucker.

“The NCSC is heavily pushing Dmarc adoption across the UK and my team are proud to have put HMRC at the forefront of that movement,” he said.

However, Tucker cautioned that the use of Dmarc does not mean an end to HMRC-based phishing. “It will certainly mean there’ll be a lot less, and will force criminals to use other email addresses that don’t look as legitimate," he said.

“Together with the guidance we publish for our customers, this should make phishing attempts easier to spot. If you do receive an email you’re unsure about, send it to [email protected]. If it’s an SMS message, forward it to 60599."

The NCSC has promised to test and prove with government departments everything it recommends.

“Our strategy is to use government as a guinea pig for all the measures we want to see done at national scale,” said Ian Levy, technical director of the NCSC.

“We’ll be eating our own dog food to prove the efficacy – or otherwise – of the measures we’re asking for, and to prove they scale sensibly before asking anyone else to implement anything,” he wrote in a blog post.