Press release

Record number of fake HMRC websites deactivated

HMRC has removed more than 20,000 malicious websites during the past year, but warns people to stay alert to the threat from online fraudsters.

This was published under the 2016 to 2019 May Conservative government

New figures show that HM Revenue and Customs (HMRC) requested a record 20,750 malicious sites to be taken down in the past 12 months, an increase of 29% on the previous year.

Despite a record number of malicious sites being removed, HMRC is warning the public to stay alert as millions of taxpayers remain at risk of losing substantial amounts of money to online crooks. The warning comes as Scam Awareness month, run by Citizens Advice, draws to a close.

HMRC has brought in cutting edge technology to tackle cyber-crime and target fraudsters. However, the public needs to be aware and report phishing attempts to truly defeat the criminals. Today (30 June 2018), ministers are urging people to take action to protect themselves as well.

Genuine organisations like banks and HMRC will never contact people out of the blue to ask for their PIN, password or bank details. So people should never give out private information, download attachments, or click on links in emails and messages they weren’t expecting.

People should forward suspicious emails claiming to be from HMRC to phishing@hmrc.gsi.gov.uk and texts to 60599.

They can also contact Action Fraud on 0300 123 2040 to report any suspicious calls, or use its online fraud reporting tool.

Treasury Minister Mel Stride MP, the Financial Secretary to the Treasury, said:

The criminals behind these scams prey on the public and abuse their trust in government. We’re determined to stop them.

HMRC is cracking down harder than ever, as these latest figures show. But we need the public’s help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims.

The most common type of scam is the ‘tax refund’ email and SMS. HMRC does not offer tax refunds by text message or by email.

HMRC has also been trialling new technology which identifies phishing texts with ‘tags’ that suggest they are from HMRC, and stops them from being delivered. Since the pilot began in April 2017, there has been a 90% reduction in people reporting spoof HMRC-related texts.

This innovative approach netted the cyber security team with the Cyber Resilience Innovation of the Year Award in the Digital Leaders (DL100) Awards.

In November 2016, the department implemented a verification system, called DMARC (Domain-Based Message Authentication, Reporting and Conformance), which allows emails to be verified to ensure they come from a genuine source. The system has successfully stopped half a billion phishing emails reaching customers.

HMRC has also saved the public more than £2.4 million by tackling fraudsters that trick the public into using premium rate phone numbers for services that HMRC provide for free. Scammers create websites that look similar to HMRC’s official site and then direct the public to call numbers with extortionate costs.

HMRC has successfully challenged the ownership of these websites, masquerading as official websites, and taken them out of the hands of cheats.

HMRC is working with the National Cyber Security Centre to further this work and extend the benefits beyond HMRC customers.

Further information

HMRC has taken a range of action to protect the public from scams including:

  • since June 2017 HMRC requested 20,750 website links to be removed, compared to 16,069 between June 2016 and May 2017
  • during the financial year 2017 to 2018, responded to nearly 1 million phishing referrals
  • since 2016 blocked half a billion phishing emails through DMARC
  • reduced spoofed phishing texts by 90% due to new technology
  • during financial year 2017 to 2018 provided up to date information and support on the GOV.UK website, which was visited 1.4 million times last year

Check GOV.UK for information on how to avoid and report scams and recognise genuine HMRC contact.

The National Cyber Security Centre’s report ‘Active Cyber Defence — one year on’ states that HMRC is consistently the most abused government brand.

DMARC is the internet standard that is used to allow domain owners to have more control over who can use their email addresses as ‘from’ addresses.

HMRC won the Cyber Resilience Innovation of the Year award at the Digital Leaders (DL100) Awards last week — the premier list identifying individuals and teams leading Digital Transformation in the UK.

Updates to this page

Published 30 June 2018