HMRC most targeted government body for cyber attacks

06 February 2018

A report from the National Cyber Security Centre (NCSC) shows that HMRC was the most targeted government body last year with 16,064 fake websites taken down in their Active Cyber Defence programme.

NCSC, part of Government Communications Headquarters (GCHQ) has published results of their Active Cyber Defence programme where millions of malicious emails have been stopped and the UK’s share of global phishing attacks have plummeted.

The results of the UK government’s new bold approach to tackling cyber crime are detailed in ‘Active Cyber Defence – One Year On’, a comprehensive summary compiled by the NCSC’s Technical Director Dr Ian Levy.

Four pioneering Active Cyber Defence (ACD) programmes – Web Check, DMARC, Public Sector DNS and a takedown service – were launched last year as part of the National Cyber Security Strategy to improve basic cyber security by disrupting commodity cyber attacks that affect UK citizens.

Key findings amongst the comprehensive analysis show that since the ACD was introduced;

  • UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017)
  • Removed 121,479 phishing sites hosted in the UK – and 18,067 worldwide spoofing UK government
  • Takedown availability times for sites spoofing government brands down from 42 hours to 10 hours
  • A dramatic drop of scam emails from bogus ‘’ accounts (total of 515,658 rejected in year)
  • Average 4.5 million malicious emails per month blocked from reaching users (peak 30.3m in June)
  • More than 1 million security scans and 7 million security tests carried out on public sector websites

Dr Ian Levy, technical director of the NCSC, said:

“Through the National Cyber Security Centre, the UK has taken a unique approach that is bold and interventionalist, aiming to make the UK an unattractive target to criminals or nation states.

The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment to protect the majority of people in the UK from cyber attacks.

The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt.

Our measures seem to already be having a great security benefit - we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way.”

The report lists scam domains promoted by phishing emails that have now been removed, such as, and and shares examples of real phishing emails they have prevented from being delivered.

It also puts on record the 10 most spoofed government brands in the year, with HMRC the most targeted with 16,064 fake websites taken down. Also in the list are the DVLA, the Student Loans Company and the Crown Prosecution Service.

The report also breaks down the brands which have been most successfully protected from criminals for each month. Amongst the organisations best defending themselves from spoof attempts thanks to implementing ACD are local authorities such as Northumberland County Council (59,405 attempts in August), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).


The full report is available on the NCSC website - ‘Active Cyber Defence – One Year On’.