HMRC's Battle to Combat Cyber Attacks

Clarence Odogwu, Chief Security Officer, HM Revenue and Customs

Combatting fraudsters impersonating the UK government’s tax office for criminal ends is a major concern for HMRC, the UK government’s tax authority. Making sure we get this right is vital for the take-up of our services, our economy, and our reputation. HMRC’s cyber team is at the forefront of this increasingly sophisticated battle to protect the British public from these scamming attacks. With revenue of £627.9 billion, more than 50 million customers, and the data of almost all UK citizens in our purview, we have to make sure we get it right.

The evolution and expansion of the digital ecosystem have revolutionized the way the global economy functions, but along with this the threat of phishing (criminal activity to obtain sensitive information, often by email), smishing (by text message) and vishing (by phone or voice) has grown exponentially. We are all familiar with newspaper headlines detailing millions of pounds and data records lost in a short space of time. As a result, many companies have become numb to this, but my view as HMRC’s Chief Security Officer is that we can’t afford to be desensitized to scams, because from every single one we learn something new and how better to protect ourselves and our customers.

HMRC has been on a rapid digital journey in the past decade, in common with many large organizations, to adapt to dual customer demands for cutting-edge digital services alongside world-class security for their data. Starting from HMRC’s first digital strategy in 2012, we have come a long way and progressed to a multi-channel Digital Tax Platform with more than 16 million Personal Tax Accounts, supported by the UK government’s largest digital operation. This is serviced by digital specialists working across 130 digital services in seven purpose-built centers across the country.

How HMRC Fights Scamming

In the last year alone, our cyber security team reported more than 7,200 malicious websites that were taken down, a third identified proactively, and investigated over 600,000 phishing referrals. We also received nearly 195,500 scam phone call referrals as a result of a new customer reporting channel, enabling the removal of 1,917 numbers being used by the scammers. We are constantly updating our guidance and alerts for our customers to help them spot scams, and we run industry-leading pilots to disrupt criminal activity. We also support the UK’s National Security Strategy of reducing public harm from phishing, smishing, and vishing.

To combat phishing, we introduced the pioneering DMARC (Domain-based Message Authentication, Reporting, and Conformance), an email authentication protocol that enables us to minimize attacks on our domains. This has allowed us to block 450 million phishing emails from ever reaching our customers.

We also work with customers to educate them about what to look out for and to develop their antennae for detecting scams. A more vigilant customer base is then able to work with us and the police to take action against scammers. This strategy has resulted in more than 560,000 visits a year to our scam spotting guidance pages on GOV.UK.

We have also developed technology to stop thousands of taxpayers from receiving scam text messages, with 90 percent of the most convincing texts now halted before they reach recipients’ phones.

Vishing on the rise

In this fast-moving digital ecosystem, however, we know that this work has resulted in criminals being forced to adopt more traditional ways of contacting HMRC customers by phone.

Phishing or vishing calls are used by fraudsters as a gateway to access personal and financial information from unsuspecting citizens. Fraudsters have been able to use technology to make the numbers displayed on phones match up with those used by genuine organizations, such as HMRC’s front-line tax helpline numbers. They do this to convince their victims that the calls are genuine, which can lead to taxpayers disclosing personal and financial information.

To combat this, HMRC has pioneered the use of technical controls in the UK government to stop our helpline numbers being spoofed. It means that fraudsters can no longer make it appear they are calling from HMRC. The Do Not Originate capability is a technical block on specific numbers, placed by the network operators at the request of the legitimate user when the numbers are used only for inbound calls (such as in a contact center). The operators don’t allow anyone to receive calls from the numbers registered, thereby preventing those numbers from being spoofed.

The team has also initiated a domestic and international alliance to tackle these scams and share insight with partners, who include the City of London Police and the US Internal Revenue Service, as well as other agencies in Australia, Canada, and the US.

HMRC has seen a 94 percent reduction of phone scams spoofing genuine inbound HMRC numbers since controls were introduced in April 2019. Also, in its first two months of operating, the department’s new controls coincided with a 69 percent fall in financial loss being reported to Action Fraud, the national reporting center for fraud and internet crime.

This project was so successful it won awards at the 2019 UK Digital Leaders and the UK IT Industry awards.

A Matter of Trust

As a result of our work over the last few years, HMRC has gone from being the 14th most phished brand globally in 2016 to today, when we are ranked 146th. There is no room for complacency, however, and the threat remains serious across the world.

Everything we do is about trust. We have to do everything we can to ensure we earn and retain it. Cyberattacks are constantly evolving and, given the gains, attackers will remain both agile and creative. But by working in partnership with our customers, industry leaders and the police, we will continue to meet the challenge. As one of the biggest organizations in the UK, responsible for collecting the money that pays for our public services, we must do everything we can to stay one step ahead of these attacks.
