HMRC cuts 300 million scam emails

22 December 2016

HMRC has successfully reduced the number of phishing emails its customers receive by 300 million this year, better protecting taxpayers from fraud and identity theft.

This is a significant decrease in the half a billion phishing emails sent to customers alleging to be from an ‘@HMRC.gov.uk’ email address in both 2014 and 2015, and shows the progress the department is making in tackling these types of cyber threats.

Discussing the achievement, HMRC’s Head of Cyber Security, Ed Tucker, said:

“Phishing emails are a major focus for our Cyber Security Team. They’re more than just unwanted messages; they are a means by which criminals look to exploit members of the public and gain access to their personal and financial data. This in turn can lead to fraud and identity theft.

By introducing a new level of security, we’ve been able to tackle these threats head-on and almost all attempts to scam taxpayers by pretending to be from an HMRC email address will now fall flat. The added security this brings will be invaluable, especially at this time of year when many customers are busy using their online Personal Tax Account to submit their Self-Assessment returns.”

The achievement has been made possible through HMRC’s implementation of the email authentication protocol Domain-based Message Authentication, Reporting and Conformance (DMARC). The security process works by determining which email servers are allowed to send emails on behalf of the organisation. If an email passes the checks it is deemed legitimate and delivered. If it fails then it is deemed fraudulent and is not delivered.

Ed Tucker, who recently won the Security Professional of the Year award at the UK IT Industry Awards, added:

“While this does not mean a complete end to HMRC-based phishing, it has taken hundreds of millions of scam messages out of circulation and will make criminals’ emails look far less legitimate, giving our customers a much better chance of spotting them.”

Together with HMRC’s guidance on genuine contacts and recognising phishing emails, this should make fraudulent attempts easier to spot.

If you do receive an email you’re unsure about send it to phishing@hmrc.gsi.gov.uk, or if it’s an SMS message forward it to 60599. You can find further advice on online safety at http://www.getsafeonline.co.uk/.

Further information on the initiative is available on HMRC’s digital blog.