HMRC cuts scam emails by 300m

Ahead of the busiest period for self assessment returns, HMRC has slashed the number of fake emails sent to taxpayers by 300m by introducing a new level of security

The move comes in response to the 500m phishing emails sent to customers alleging to be from an ‘’ email address in 2015.

HMRC has implemented the email authentication protocol domain-based message authentication, reporting and conformance (DMARC).

The security process works by determining which email servers are allowed to send emails on behalf of the organisation. If an email passes the checks it is deemed legitimate and delivered. If it fails then it is deemed fraudulent and is not delivered.

Ed Tucker, HMRC’s head of cyber security, said: ‘Phishing emails are a major focus for our cyber security team. They’re more than just unwanted messages; they are a means by which criminals look to exploit members of the public and gain access to their personal and financial data. This in turn can lead to fraud and identity theft.

‘By introducing a new level of security, we’ve been able to tackle these threats head-on and almost all attempts to scam taxpayers by pretending to be from an HMRC email address will now fall flat.’

Tucker said HMRC is recognised as one of the most phished brands in the world, most commonly with the classic ‘tax refund notification’. To make the HMRC phishing emails look more authentic criminals will spoof, or masquerade, as legitimate HMRC domains, most commonly

DMARC allows HMRC and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.

In the first six months of this year, HMRC’s customer protection team within the cyber security service have responded to over 300,000 phishing referrals from taxpayers. They have also instigated the takedown of over 14,000 fraudulent websites that were attempting to harvest taxpayer data.

Tucker warned that while phishing attempts will be dramatically reduced, they have not been eliminated.

HMRC publishes guidance on how taxpayers can spot fraudulent emails.

Be the first to vote