How HMRC’s use of DMARC Helped it stop 300,000 phishing emails

As one of the most phished brands in the world, HMRC reputedly battles some 500 million fraudulent emails per year attempting to extort money from its 50 million users.

Ranging from emails titled ‘Your 2016 Tax Report’ to those which inform you of a specific tax rebate or penalty, the emails provoke hapless victims into imparting key information such as bank account numbers or credit card details.

>See also: Ransomware top of the class for phishing attacks

Although HMRC has shut down over 22,000 related fraudulent websites since 2014, statistics suggest the scammers have achieved over £100 million in stolen funds via these methods. With such rich pickings on the table, it’s likely the attempts will keep on increasing, and the sophistication of the scammers along with it.

In an effort to make a serious dent in this attempted fraud, HMRC’s head of cyber security has just completed a three-year project to implement DMARC, also known as Domain-based Message Authentication, Reporting & Conformance.

DMARC differs from existing email authentication methods (SPF Sender Policy Framework and DKIM Domain Key Identified Mail) largely by preventing senders from being able to specific a different ‘from’ address than that which they’re sending the email from. This has been one of the primary loopholes by which scammers attempt to present themselves as legitimate HMRC employees.

>See also: Major UK banks targeted by social media phishing scam

Both DMARC and the use of HTTPS have now become requirements for all governmental digital services in an effort to offer the British public the highest possible protection.

As well as blocking potential phishing emails, DMARC also allows email service providers to take specific action when an email fails the validation protocol. One such action might be reporting the failure to HMRC’s cyber security, meaning they have a real-time window into attacks. Another action, known as p=reject prevents the phishing emails from being sent at all.

HMRC was the first government agency to achieve this and, not long after it was turned on, the scam ended, presumably because it was no longer working.

Although DMARC has not eradicated all the phishing, Tucker’s team have managed to lower the volume by a gargantuan 300 million, earning him the coveted ‘UK Security Professional of the Year’ for his contribution to our national online security.

>See also: Why end users should never be held responsible for cyber attacks

His team have also personally responded to over 300,000 phishing referrals from the British public, and is now assisting other governmental agencies with implementing the same protocols. “Simply put, the DMARC standard works,’ Tucker commented.

‘In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls…to rebuild trust and retake the email channel for legitimate brands and consumers.’

With DMARC now achieved, Tucker’s sights are now set on preventing the fraudulent SMS messages by use of Transmission Path Originating Address (TPOA). Given his impressive achievement in reducing the threat to HMRC’s customers using DMARC, his success seems assured.


Sourced by Piers Moore Ede, head of Digital at Company Debt


The UK’s largest conference for tech leadershipTechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Security