Skip to main content

Combating phishing – a (very) big milestone

Posted by: , Posted on: - Categories: Digital, Tax


How do you stop half a billion phishing emails a year from ever reaching your customers? Well, we just have! 

That’s how many emails criminals sent in 2015 pretending to be from an email address. Together with our email service providers, we’ve just put in place a control that changes everything. With the catchy title Domain-based Message Authentication, Reporting and Conformance - or DMARC – we can now stop almost all of these from ever reaching our customers’ inboxes. To be able to have such a dramatic effect in reducing the threat to our customers is a huge achievement.

HMRC is recognised as one of the most phished brands in the world, most commonly with the classic ‘Tax Refund Notification’. Phishing emails are designed to steal customers’ personal or financial details, or to deliver malware to their machines. The resultant customer compromise leads to onward fraud against financial institutions and identity theft. To make the HMRC phishing emails look more authentic criminals will spoof, or masquerade, as legitimate HMRC domains, most commonly

I lead HMRC’s Cyber Security Team, and we’ve been working hard to tackle this issue by gradually implementing security controls across all of our email domains. We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers. We have just implemented DMARC fully on, by far the most abused HMRC domain by cyber criminals.

Our dedicated Customer Protection Team, part of HMRC’s Cyber Security Team, continues to utilise innovative approaches to combat these threats. In the first six months of this year, they have responded to over 300,000 phishing referrals from customers. They’ve also instigated the takedown of over 14,000 fraudulent websites that were attempting to harvest customer data. These figures represent record levels of performance and demonstrate HMRC’s continued dedication to protecting our customers.

By proving DMARC works we hope to encourage implementation by other organisations to across UK, and indeed globally. It is only through the wholesale take-up of DMARC that we can truly protect all of our customers from the scourge of phishing emails. The National Cyber Security Centre is heavily pushing DMARC adoption across the UK and my team are proud to have put HMRC at the forefront of that movement.

Sadly this doesn’t mean an end to HMRC-based phishing. It will certainly mean there’ll be a lot less, and will force criminals to use other email addresses that don’t look as legitimate. Together with the guidance we publish for our customers, this should make phishing attempts easier to spot.

If you do receive an email you’re unsure about send it to, or if it’s an SMS message forward it to 60599. You can find further advice on online safety at

That’s all for now.

Sharing and comments

Share this page


  1. Comment by Ed Tucker posted on

    Hi Hector, yes we are progressing DMARC across all HMRC domains including


  2. Comment by Hector Wesley posted on

    It would be helpful if you could clarify whether you have applied DMARC on I've seen phishing emails purporting to come from such email addresses.