Fighting the phisherman

The UK government  is taking cybersecurity seriously – so seriously, in fact, that it has set up a new security organisation, the National Cyber Security Centre (NCSC), to tackle the problem.

The organisation is tasked with protecting both government departments and UK businesses from cybersecurity threats. It’s a big job. In his speech at the NCSC’s launch in February, the Chancellor, Philip Hammond, outlined the scale of the problem. “The greater connectivity that will enable the development of the digital economy is also a source of vulnerability,” he said. “And those who want to exploit that vulnerability have not been idle.”

Cyberattacks in the UK are increasing in frequency, severity and sophistication. But the business world, for the most part, has proven worryingly unprepared, despite reporting more incidents. According to government statistics, 65% of large businesses reported a breach or attack over a 12-month period. But nine out of ten businesses don’t have an incident-management plan in place in the event of a breach.

To paraphrase the Chancellor, if a business locks its doors and sets a burglar alarm every night, surely it needs to keep its online business secure? Phishing emails are a common method by which cybercriminals target businesses. They are fake messages that appear to be from an organisation or bank but that are designed to steal personal or financial details, or deliver malware to computers. HMRC is one of the most ‘phished’ brands in the world – business owners will often receive an email with the subject line ‘Tax refund notification’.

Phishing campaigns have become more and more sophisticated in recent years – emails and the websites they link to closely mirror the real thing. But HMRC has been working on ways to combat phishing scams through the Cyber Security Agents Subgroup. The role of the Subgroup is to develop a plan to promote improvements in cybersecurity for both agents and their clients, and to create a cross-HMRC cybersecurity communication plan, focusing on all customer groups and key tax events.

AAT is pleased to contribute to the work of the Subgroup. There have been incidents of criminals hacking the computer systems of members to obtain passwords. These are then used to gain access to HMRC’s systems, to generate fraudulent tax repayments. These incidents can be costly, inconvenient and distressing for members and taxpayers.

HMRC reduced the number of HMRC-related phishing emails by 300 million in 2016, by spearheading the use of the DMARC system. It allows HMRC and email service providers to identify fraudulent emails purporting to be from the organisation, and prevent them being delivered to taxpayers. It has been fully implemented on @hmrc.gsi.gov.uk email addresses, which criminals abuse most. HMRC will never ask you to disclose personal or financial information via email or text.

So, if you do receive a suspicious email purporting to come from HMRC, then forward the email to HMRC’s phishing team at phishing@hmrc.gsi.gov.uk.

Aleem Islan is AAT's Technical Consultation Manager.

Related articles