
How HMRC implemented DMARC to stop 300 million phishing emails

(Image credit: wk1003mike / Shutterstock)

Unless you live in a world that’s free from emails, and what a utopia that would be, then you’ve almost certainly been the recipient of messages purporting to be from reputable companies and even government agencies that you would ordinarily deal with. Known as phishing scams, these messages, some of which are extremely sophisticated, are created by cyber criminals to gain access to sensitive information that can be used for the purposes of identity theft and to defraud businesses and individuals.

One of the most impersonated companies or agencies in the UK has been HMRC, so much so that in 2014 and 2015, taxpayers received an estimated half a billion emails each year alleging to be from the email address. Given the unprecedented extent of the problem, HMRC’s Cyber Security Team has made stemming the tide of phishing emails its priority.

As a turnaround practitioner, I commonly work with company directors who are in the midst of disputes with HMRC. They already have significant enough problems without having to deal with a barrage of phishing emails from scammers purporting to be from HMRC. The vast majority of businesses I work with know what to expect from HMRC communications, but such is the sophistication of some of the fakes that it hasn’t stopped some businesses falling foul of these messages.

Introducing a new level of security 

To enable the UK’s estimated 50 million taxpayers to communicate securely with HMRC, the authority has been looking at different security processes it can implement to reduce the flow of phishing emails that taxpayers receive.

To this end, the Cyber Security Team has spent the last three years working on the implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol. The good news is that this has been done with great success.

By introducing this new level of security, HMRC has been able to tackle the threat of phishing emails head-on and reduce the number of attempts to scam taxpayers by 300 million in 2016. This will better protect taxpayers from fraud and identity theft and allow them to file their returns and pay their taxes with renewed confidence that their sensitive personal and financial information is not being sent elsewhere. 

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email security protocol that prevents spoof emails from reaching users’ inboxes. DMARC makes sure legitimate emails are properly authenticated against established Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards, while fraudulent emails appearing to come from domains under the organisation’s control are blocked.

DMARC is unique in that it is the only widely deployed technology that can make the ‘header from’ address (the information users see in their inboxes) trustworthy and reliable. As well as preventing phishing scams from getting through, it reduces the number of messages sent, as cybercriminals choose to target organisations without DMARC in place instead.

In plain English, DMARC determines which email servers are allowed to send messages on behalf of HMRC and which are not. Only if an email passes the relevant checks will it arrive in taxpayers’ inboxes. This protocol protects taxpayers who cannot determine the real messages from the fakes and helps them and HMRC avoid costly exposure.
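The checks described above can be sketched as follows. This is an added example, not HMRC's configuration or code: the domain tax.example, the sample records and messages, and the small suffix set (standing in for the Public Suffix List) are constructed, and the pct and sp tags are ignored.

```python
# Added example: simplified DMARC evaluation, not HMRC's configuration.
# Constructed suffix set stands in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"example", "com", "org", "uk", "gov.uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(txt):
    """Parse the TXT record published at _dmarc.<domain> into a tag dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(header_from, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(record, header_from, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks.
    Returns 'deliver' on a DMARC pass, otherwise the published policy."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], tags.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else tags["p"]

MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@tax.example"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@tax.example"
# Constructed messages: header From, SPF result, DKIM result.
genuine = ("tax.example", ("pass", "bounce.mail.tax.example"), ("pass", "tax.example"))
spoofed = ("tax.example", ("pass", "bulk-sender.example"), ("none", ""))

if __name__ == "__main__":
    for record in (MONITOR, REJECT):
        print(parse_dmarc(record)["p"], evaluate(record, *genuine), evaluate(record, *spoofed))
```

The spoofed message passes SPF for its own envelope domain, but that domain does not align with the header From, so the outcome depends only on the published policy: reported under p=none, refused under p=reject.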

Getting DMARC to work

As is so often the case, according to Ed Tucker, Head of Cyber Security at HMRC, implementing DMARC was easier said than done. Given the size and complexity of HMRC’s email structure, the team found it difficult to identify where even genuine HMRC emails were being sent from. Once that had been understood, it was also challenging to rationalise those domains and subdomains.

“These two aspects were, for us, the major overhead. We used a third party to help analyse the good and the bad emails and gather evidence of where everything was coming from. We knew it was a huge task. Once we’d done that the easy bit at the end was changing the text record over from Monitor to Reject to finally prevent the spoofing of”

Another part of the project that caused Tucker some problems was tidying up HMRC’s labyrinthine domain structure. He said: “Once you understand where all your email gets sent from, ensuring which should be on subdomains, and generally implementing a better structure, it makes your domains cleaner. Getting all that work done first made the last bit really easy.”
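One way to gather that evidence while the policy is still at monitor (p=none) is from the DMARC aggregate reports that receivers send to the record's rua address. This is an added example, not HMRC's or its supplier's tooling: the report, the domain tax.example, the IP addresses and the known-sender list are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 layout; IPs are documentation ranges.
REPORT = """<feedback>
 <policy_published><domain>tax.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>9500</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>1200</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>40000</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

def inventory(xml_text):
    """Sum message counts per source IP, split into DMARC pass and fail."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated carries the aligned results; one pass is enough for DMARC.
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)

def triage(xml_text, known_senders):
    """Failing sources: known senders to fix first, and unknown ones p=reject would block."""
    to_fix, unknown = [], []
    for ip, counts in sorted(inventory(xml_text).items()):
        if counts["fail"]:
            (to_fix if ip in known_senders else unknown).append(ip)
    return to_fix, unknown

# Hypothetical list of the organisation's own mail sources.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

if __name__ == "__main__":
    to_fix, unknown = triage(REPORT, KNOWN_SENDERS)
    print("fix SPF/DKIM before enforcing:", to_fix)
    print("unrecognised failing sources:", unknown)
```

Aggregate reports arrive from third-party receivers, so a production parser should refuse DTDs and entity expansion (for example by using defusedxml) before reading them.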

The results of DMARC implementation

For HMRC, despite the challenges, implementing DMARC has certainly been worth it. In 2016, the number of spam emails claiming to be from decreased by 300 million and that figure has continued to fall. The large reduction in phishing scams has also allowed HMRC to spend more time investigating those messages that do get through. That includes looking at the URLs, domains and mail headers and getting domains taken down where necessary or buying domains that are similar to so they cannot be used by the crooks.

Although HMRC may have won the battle, the war against phishing scams will continue. An organisation with 50 million customers that deals with sensitive personal and financial information will always be a target for the scammers. However, what HMRC has done is push the scammers onto domains that give customers a better chance of identifying and avoiding spurious messages before it’s too late.

Such has been the success of the DMARC implementation that Tucker and his team are now working with other government departments to widen the reach of the protocol. There are thousands of organisations that are the subject of phishing scams that could better protect their customers, their employees and their brands by putting DMARC in place. However, a 2016 study of one million corporate domains found that only 60,000 (6 per cent) had made any attempt at DMARC email authentication. Of those, only a quarter (1.5 per cent) had made any attempt to enforce it.

Plenty more challenges to come

Although Tucker has put a significant dent in the number of phishing emails being received by taxpayers, the scammers continue to innovate. The next challenge for HMRC’s Cyber Security Team is to figure out how to cut down on the number of SMS phishing scams which are targeting taxpayers, with the team currently investigating how the Transmission Path Originating Address (TPOA) can be controlled to prevent the spoof text messages being sent.

In the longer term, there’s a growing skills gap, with the number of graduates with practical knowledge of solving real world cyber security issues nowhere near where it needs to be. The result is likely to be a range of threats that we struggle to get to grips with in the years to come. However, from the point of view of a turnaround practitioner, I’m delighted to see that, for the time being, there’s one less problem for companies to worry about when communicating with HMRC.

Mike Smith, Co-founder, Company Debt

Mike Smith is the cofounder of Company Debt, the UK’s largest insolvency hub.