Britain's tax authority says it has taken down 20,750 malicious sites in the past year

HMRC is fighting an online war against fake websites and phishing emails intended to defraud taxpayers in the UK, and it is asking the public to help...


Her Majesty's Revenue & Customs (HMRC) has requested take-downs of a record number of fake websites - 20,750 in the past 12 months - according to numbers released today (Saturday 30 June). HMRC reckons it has "saved the public over £2.4m by tackling fraudsters that trick the public into using premium rate phone numbers for services that HMRC provide for free".

It is also working to reduce phishing attempts. Last week, HMRC won a Cyber Resilience Innovation of the Year award for its "SMIShing Defences".

Treasury Minister Mel Stride said: "HMRC is cracking down harder than ever, as these latest figures show. But we need the public's help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims."

HMRC says "people should forward suspicious emails claiming to be from HMRC to phishing@hmrc.gsi.gov.uk and texts to 60599, or contact Action Fraud on 0300 123 2040 to report any suspicious calls or use their online fraud reporting tool."

Email messages and texts that tell people to log on to a website for a tax refund are always fraudulent. HMRC never sends messages like this. Also, HMRC says it never sends emails or texts that ask people for their PINs, passwords or bank details.

A typical website scam involves copying HMRC's website but substituting premium-rate phone lines for the government department's numbers.

To combat phishing attempts, HMRC started using the free DMARC (Domain-based Message Authentication, Reporting & Conformance) verification system in November 2016. DMARC prevents spoofing of the sender's domain: a receiving mail server can verify that a message claiming to come from that domain was sent by a genuine source, and can reject it if not. HMRC says "the system has successfully stopped half a billion phishing emails reaching customers".

DMARC is an Internet standard and free to use, so it should appeal to any organization that uses the SPF and/or DKIM protocols.