Still phishing

31 January 2017

Mike Down

This week, HMRC published some research into why one of the department’s email marketing campaigns had not been as effective as it was expected to be.

One of the findings was that some recipients had been suspicious of the authenticity of the unsolicited emails, having previously experienced phishing emails purporting to be from HMRC.

In a sense, who can blame them? Nearly everyone has at some point received a phishing email supposedly from HMRC, so we have all learned to be wary.

Given the proliferation of such scam emails, you might be tempted to conclude that the government and HMRC have been asleep at the wheel. In fact, they appear to have been very busy indeed.

At the end of last year, Ed Tucker, Head of HMRC Cyber Security, published a blog post in which he said that HMRC is recognised as one of the most phished brands in the world. In 2015, half a billion phishing emails were sent out by criminals, pretending to be from an address.

Working with email service providers, the taxman has been using a control measure called Domain-based Message Authentication, Reporting and Conformance, or DMARC. This, it claims, can now stop almost all of these legitimate-looking emails from ever reaching taxpayers’ inboxes. In total, 300 million were blocked last year. Action has also been taken to bring down more than 14,000 fraudulent websites that were attempting to harvest customer data.

While it may have won some battles, by its own admission HMRC hasn’t yet won the war. Indeed, in recent months we have seen several examples of scam emails sent to our clients, albeit with different and less legitimate-looking email addresses.

The issue of protecting its customers from cybercrime will become even more important for HMRC in the years ahead. HMRC will be increasing its reliance on digital communications as part of the Making Tax Digital initiative, which we now know will be introduced in April 2018. Making sure that its customers aren’t caught hook, line and sinker by phishing scams should be a top priority.

For more information please get in touch with Mike Down, or your usual RSM contact.