How HMRC fends off phishing attacks
An email protocol protects taxpayers from 99% of malicious spam
HMRC has found a "panacea" to phishing attacks by adopting an email protocol called DMARC, achieving a 99% success rate of blocking malicious spam.
Scammers regularly target HMRC tax returns, sending phishing emails masquerading as HMRC messages to self-employed people in order to trick them into handing over the sensitive personal and financial data they would normally send to HMRC during a tax return.
But the protocol, standing for Domain-based Message Authentication, Reporting and Conformance, has put criminals off from targeting users of the tax body, its head of cyber security, Ed Tucker, told attendees of InfoSecurity Europe 2017 today.
"DMARC has had a massive impact on criminal's behaviour," he said. "There is no return on investment for criminals to attack HMRC."
In the deployment of the technology, the most marked effect has come from switching to a mode in DMARC called "p=reject". This is the strongest policy within DMARC, and led to people receiving 300 million fewer phishing emails in 2016.
This instructs email providers to carry out checks on where email has come from and to reject anything suspicious.
But the protocol can also help other organisations build up a "herd immunity", according to Neil Hammet, email security product specialist at Proofpoint. "Once everyone is covered, criminals will go some place else," he explained.
He admitted that coverage in the UK was not complete but government agencies in the country were leading the way in stopping phishing emails.
While stopping phishing attacks via email had been a clear success for Tucker, he said that efforts still had to be made against other forms of phishing. For example, there are no current means of effectively stopping phishing via SMS messages. Tucker said he was working closely with Vodafone and the GSMA to combat these types of attack.