The UK’s tax authority has said it is on track to block half a billion phishing emails each year with the use of an email security protocol that stops them from reaching users’ inboxes.
Phishing emails try to steal a person’s financial or personal details – Photo credit: Flickr, CC BY-SA 2.0
HMRC’s head of cyber security Ed Tucker said that the department was one of the “most phished brands in the world, most commonly with the classic ‘Tax Refund Notification’”.
Phishing emails spoof a domain name with the aim of stealing a person’s personal and financial details. The National Cyber Security Centre is pushing departments to introduce a new protocol – Domain-based Message Authentication, Reporting and Conformance, or DMARC – to address this, as part of its active cyber defence strategy.
Related content
National Cyber Security Centre to publish rankings for departmental email security
GDS updates email and service guidelines for tighter security
Are we entering a ‘cognitive era’?
The protocol alerts the domain owners to the malicious emails and allows them to take back control of their domains, and HMRC said it has already reduced phishing emails by 300 million this year.
The team has also taken down more than 14,000 fraudulent websites that were attempting to harvest user data and have responded to 300,000 phishing referrals from customers, which Tucker said were record levels of performance.
The department has now implemented DMARC fully on the most abused HMRC domain, HMRC.GOV.UK, and is one of the first departments to use it so widely.
“By proving DMARC works we hope to encourage implementation by other organisations to across UK, and indeed globally,” said Tucker.
“It is only through the wholesale take-up of DMARC that we can truly protect all of our customers from the scourge of phishing emails. The National Cyber Security Centre is heavily pushing DMARC adoption across the UK and my team are proud to have put HMRC at the forefront of that movement.”
He did note, however, that the protocol would not prevent all phishing, but said that it would mean there will be “a lot less, and will force criminals to use other email addresses that don’t look as legitimate”.
