HMRC reduces phishing emails by 300m

A new layer of security has enabled HM Revenue and Customs (HMRC) to cut the number of fake emails sent to taxpayers by 300 million, according to new figures ahead of the busiest period for self-assessment tax returns.

Last year, some 500 million phishing emails purporting to be from an @HMRC.gov.uk email address were sent to UK taxpayers. However, the tax authority’s implementation of the email authentication protocol Domain-based Message Authentication, Reporting and Conformance (DMARC) has gone some way to stopping scammers in their tracks.

The new layer of security determines whether a specific email server is allowed to send emails on behalf of HMRC. If an email passes these checks it is deemed legitimate, but those that fail are labelled fraudulent and remain undelivered.
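As an added illustration (not part of the original article and not HMRC's code), the Python sketch below shows how a receiving mail server applies a DMARC policy: a message is accepted only if SPF or DKIM passes for a domain aligned with the From address. The DMARC record, the sending domains and the two-entry suffix list are constructed assumptions, and the `pct` and `sp` tags are ignored.

```python
# Added example: simplified DMARC evaluation. All sample values are constructed.
MULTI_LABEL_SUFFIXES = {"gov.uk", "co.uk"}  # tiny stand-in for the Public Suffix List
SAMPLE_RECORD = "v=DMARC1; p=reject"        # constructed, not HMRC's published record

def org_domain(domain):
    """Organizational domain: public suffix plus one label (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # Authentication failed or was not aligned: apply the domain owner's policy.
    return "deliver" if tags["p"] == "none" else tags["p"]

if __name__ == "__main__":
    # SPF passes, but only for the sender's own envelope domain, so it is not aligned.
    print(evaluate("hmrc.gov.uk", SAMPLE_RECORD, True, "mailer.example.net", False, ""))
    # DKIM signature from a subdomain of the From domain aligns in relaxed mode.
    print(evaluate("hmrc.gov.uk", SAMPLE_RECORD, False, "", True, "mail.hmrc.gov.uk"))
```

The first case is the one that matters for spoofing: an SPF pass for an unrelated envelope domain does not rescue a message whose From address claims hmrc.gov.uk.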

Ed Tucker, Head of Cyber Security, HMRC, said: “Phishing emails are a major focus for our cyber security team.

“They’re more than just unwanted messages; they are a means by which criminals look to exploit members of the public and gain access to their personal and financial data. This in turn can lead to fraud and identity theft.

“By introducing a new level of security, we’ve been able to tackle these threats head-on and almost all attempts to scam taxpayers by pretending to be from an HMRC email address will now fall flat.”

Tucker added that HMRC is now one of the most phished brands across the globe, most commonly with ‘tax refund notifications’.

In order to make their emails appear genuine, criminals will look to spoof legitimate HMRC domains, notably @HMRC.gov.uk.

Any suspicious emails from HMRC that you believe to be fake can be sent to phishing@hmrc.gsi.gov.uk. In addition, suspicious text messages sent from those purporting to be HMRC can be sent to 60599.

HMRC has its own webpage dedicated to helping taxpayers avoid falling foul of scammers.

Last updated: 6th December 2016