HMRC has reported that they have reached a milestone in helping to reduce the estimated 500 million phishing emails that are sent to taxpayers every year. HMRC has implemented new controls based on domain-based message authentication, reporting and conformance (DMARC). The security process works by determining which email servers are allowed to send emails on behalf of the organisation.

A lot of the fraudsters sending these emails have been able to make HMRC phishing emails look more authentic by making emails appear as if they have come from a genuine HMRC domain, most commonly @HMRC.gov.uk. Using the DMARC controls, HMRC and email service providers are able to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to taxpayers.

HMRC’s Head of Cyber Security, Ed Tucker, said:

'Phishing emails are a major focus for our Cyber Security Team. They’re more than just unwanted messages; they are a means by which criminals look to exploit members of the public and gain access to their personal and financial data. This in turn can lead to fraud and identity theft.'

HMRC has managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. Whilst this does not mean an end to HMRC-based phishing, taxpayers should notice less of these types of emails and those that do get through the net might not look as legitimate.