HMRC Spoofed 2.5 Million Times In 3 Years

HM Revenue and Customs (HMRC) have been the victim of over 2.6 million phishing attempts over the last three financial years.

According to the think tank Parliament Street, which issued a freedom of information request covering spoofing attacks between 2016 and 2019, HMRC received 2,602,528 scam reports from concerned members of the public who had been sent messages claiming to be from HMRC.

Overall, HMRC is spoofed more than any other government department. Over the past three years, it has struggled to combat a barrage of email phishing attempts, text scams and phone fraud all committed using HMRC’s name.

In 2016/17, cyber criminals carried out at least 921,900 attempted frauds in HMRC’s name. Although this figure reduced to 782,979 in 2017/18, this type of fraud increased by 15% to 897,649 in the past financial year.

Spoofed emails promising tax rebates were the most persistent cyber threats being sent to the public. In total, 1,957,003 members of the public reported that they were exposed to phishing attempts during this three-year period.

Over 150,000 text message scams were sent to the public. However, this form of attack has lost popularity, as the number has halved in the last three years.

In contrast, the number of scam phone calls has increased considerably during this period. Phone calls purporting to be from HMRC have increased from 407 in 2016/17 to 104,774 in the last financial year.

Overall, 18,793 individuals, or less than 1% of the total number of scam attempts, shared financial information with the fraudsters. It also seems as though the public are becoming a lot more cyber security savvy, as the number of successful scam attempts has fallen over the last three years. In 2016/17, the number of individuals admitting to sharing their financial information was 10,647. However, fewer than 9,000 individuals disclosed sensitive information in the last two financial years combined.

The public are also more adept at spotting the tell-tale signs of spoofed websites. The freedom of information request found that the public had asked for 50,323 websites to be taken down because they were mimicking a genuine source.

The information suggests that cyber criminals are relentless in their pursuit of information and money. Although only 1% of the attacks worked, the effort and outlay required of the attacker are usually minimal whilst the rewards are extensive. These figures suggest that security defences need to become a clear priority if the cyber threat is to be reduced.

In 2016, the Government adopted Domain-based Message Authentication, Reporting and Conformance (DMARC), which would prevent hackers from spoofing a government domain. This technology makes it much harder for hackers to look legitimate, because emails can no longer be sent from the exact, genuine domain, which makes a fraudulent email easier to spot.

However, a recent report by Egress found that only 28% of all domains are using DMARC to fully prevent impersonation and spoofed phishing attacks.

The report discovered a lack of preparation from many government email administrators. Of the 2,000 email domains that were checked, almost three quarters were vulnerable to phishing attacks.

53% of the domains that had implemented DMARC also had their policy set to ‘do nothing’, which leaves every mailbox immediately exposed to being spoofed.
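To show what the report's ‘do nothing’ setting looks like in practice (a DMARC policy of p=none), here is an added Python example, not taken from the article or the Egress report, that parses a domain's DMARC TXT record and classifies its posture. The records are constructed samples, not real DNS lookups, and the domain names are placeholders.

```python
# Constructed sample DMARC TXT records (placeholder domains, no DNS lookups).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "no-record.example": "",
    "partial.example": "v=DMARC1; p=reject; pct=10",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs; return {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(txt):
    """Classify a domain's DMARC posture along the lines the report counts.

    'no-dmarc' and 'monitor-only' (p=none) both leave the domain spoofable;
    a 'reject' or 'quarantine' policy with pct below 100 is only partially enforced.
    """
    tags = parse_dmarc(txt)
    if not tags or "p" not in tags:
        return "no-dmarc"  # no usable record: receivers cannot reject spoofed mail
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparseable pct tag is treated as the default of 100
    if policy == "none":
        return "monitor-only"  # the report's 'do nothing': reports only, no blocking
    if policy in ("quarantine", "reject"):
        return policy if pct >= 100 else f"{policy}-partial"
    return "invalid"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:25} {assess(record)}")
```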

Is your law firm using DMARC? Are your DMARC settings set to ‘reject’ or is your email domain still vulnerable to being spoofed?