HMRC removed over 20,000 malicious websites that targeted taxpayers
2 July 2018
HM Revenue and Customs (HMRC) removed as many as 20,750 malicious websites in the past 12 months to protect taxpayers from being defrauded by cyber criminals, 29 percent more than the number of malicious websites taken down in the previous year, figures released by the government have revealed.
Even though the crackdown on malicious websites, many of which spoofed government sites to defraud taxpayers into revealing their financial information, is being trumpeted as a major victory against financial crime, HMRC has acknowledged that the battle is far from over and that taxpayers need to stay alert against financial scams in the days ahead.
“Despite a record number of malicious sites being removed, HMRC is warning the public to stay alert as millions of taxpayers remain at risk of losing substantial amounts of money to online crooks.
“Genuine organisations like banks and HMRC will never contact people out of the blue to ask for their PIN, password or bank details. So people should never give out private information, download attachments, or click on links in emails and messages they weren’t expecting,” the department said.
“The criminals behind these scams prey on the public and abuse their trust in government. We’re determined to stop them. HMRC is cracking down harder than ever, as these latest figures show. But we need the public’s help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims,” said Mel Stride MP, the Minister for Treasury.
Major strides against financial crime
In the past 12 months, several cyber security initiatives taken by HMRC have borne fruit. While the department was able to save more than £2.4 million by tackling fraudsters that tricked the public into using premium rate phone numbers for services that HMRC provided for free, it also implemented a verification system called DMARC that successfully stopped half a billion phishing emails from reaching customers.
A new technology that tagged phishing emails with ‘tags’ that suggested they were from HMRC and blocked such texts from reaching users also helped reduce the number of spoof HMRC-related texts by up to 90 percent. In the meantime, the department also carried out a consistent information campaign to educate taxpayers about financial scams and is now working with the NCSC to take down spoof websites masquerading as official websites.
Commenting on the HMRC’s achievements in the past year, Simon Reddington, cyber resilience expert at Mimecast, said that HMRC continues to highlight the real benefits of DMARC adoption but many organisations are still struggling to counter the rising tide of email impersonation attacks.
“DMARC is an important tool to help protect your brand but the most dangerous domain lookalike attacks are targeted at employees, increasingly using international character sets that can be impossible to detect with the naked eye. Protecting the domains under your control is vital if we are to begin building stronger herd immunity in the UK,” he added.
Protecting its own back
Even though HMRC’s cyber initiatives have proved successful to an extent, the department was itself found to be negligent in securing its own website in the past that allowed malicious attackers to exploit unpatched security flaws.
In September last year, a security researcher going by the name Zemnmez uncovered not only two major security vulnerabilities in the official tax filing website run by HMRC but also revealed how hard it was for a researcher to report security flaws to the HMRC and to get such flaws patched.
While one of the flaws made it possible for a hacker to use the HMRC website as a “forwarding service” to send users to any other malicious website, the other flaw enabled hackers to harvest detailed tax filing details and other financial information belonging to UK citizens.