UK taxpayers were hit by half a billion phishing emails last year, but HMRC is claiming to have made huge strides in protecting them of late by turning on DMARC.
As Infosecurity reported in September, the Cabinet Office’s Government Digital Service (GDS) recently mandated that the strongest DMARC policy (“p=reject”) be the default for email services from 1 October.
The Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol helps protect against phishing and spam by authenticating incoming mail: the owner of a domain publishes a policy telling receiving mail servers what to do with messages that claim to come from that domain but fail its authentication checks.
By using it, HMRC has so far this year blocked a whopping 300 million phishing emails, explained HMRC’s head of cybersecurity, Ed Tucker.
“It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers. We have just implemented DMARC fully on @HMRC.gov.uk, by far the most abused HMRC domain by cyber-criminals,” he added.
HMRC’s Customer Protection Team has also been hard at work this year, responding to over 300,000 phishing ‘referrals’ from taxpayers, and taking down over 14,000 phishing sites.
The tax office is hoping to act as a high-profile proponent of the protocol, encouraging wider take-up of the security system.
“By proving DMARC works we hope to encourage implementation by other organizations across the UK, and indeed globally. It is only through the wholesale take-up of DMARC that we can truly protect all of our customers from the scourge of phishing emails,” argued Tucker.
“The National Cyber Security Centre is heavily pushing DMARC adoption across the UK and my team are proud to have put HMRC at the forefront of that movement.”
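To show what “p=reject” means in practice for a receiving mail server, here is a simplified DMARC policy evaluator. It is an added example, not HMRC’s or GDS’s code; the records, domains, authentication results and the tiny public-suffix set are constructed for illustration.

```python
# Added example (not HMRC's or GDS's code): a simplified DMARC evaluator that
# decides what a receiving mail server does with a message whose From: domain
# publishes a DMARC record. The record, domains and results are constructed.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "gov.uk"}  # tiny constructed subset of the PSL


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; ...' into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if SPF or DKIM passes AND aligns with the From: domain, else the policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()  # 'none' = deliver and report, 'quarantine', or 'reject'


# Constructed records: the p=reject policy GDS mandated, and the monitor-only starting point.
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
```

A message that passes SPF only for some unrelated sending domain while claiming a From: of hmrc.gov.uk is rejected under the first record but merely reported under the second, which is why the move from “p=none” to “p=reject” is what actually stops delivery.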
Also in September, the Cabinet Office mandated the use of HSTS and HTTPS for all government sites, in a bid to help protect against man-in-the-middle and other attacks.
However, there’s still much work to do inside government to improve cybersecurity.
Also in September, the National Audit Office (NAO) slammed Whitehall’s “chaotic” approach, arguing that there are too many bodies with overlapping security responsibilities, which makes it difficult to know where to go for advice.