Hi, I’m Donald Wooller, part of HMRC’s Cyber Security team. Our work on SMiShing Defences is one of 10 innovations that have been accepted into the Digital Leaders 100 2018 list in the category of Cyber Resilience Innovation of the Year. So I’m here to tell you a bit more about what we’ve been doing.
People often ask me: what exactly do the Cyber Security team do? Well, we’re in the business of protecting our customers and we’ve got a big job on our hands. HMRC is one of the most phished brands in the country, with criminals pretending to be us to extort money from our customers. We are a major target for cyber criminals because we have a legitimate need to contact our customers frequently and we have a lot of customers.
We understand how phishing can affect and disrupt people’s lives, so we have worked tirelessly to significantly reduce the effectiveness of email phishing attacks. And we’ve done a pretty good job. In the last twelve months we’ve seen a reduction of 450 million phishing emails because our technical controls are working. We also now prevent almost all of the @HMRC.gov.uk phishing emails from ever reaching our customers’ inboxes.
Great news, but sadly this has resulted in criminals attempting different approaches to deceive the public, including the use of SMS (phone text) phishing or ‘SMiShing’. The volumes of SMiShing attacks grew significantly during 2016 and 2017 and evidence shows that people are more than nine times more likely to be duped by SMS phishing attacks than email attacks because they can appear very credible.
Our team were not to be beaten, so we rolled up our sleeves again to help protect our customers. We have delivered an innovative pilot to protect HMRC-related ‘alpha tags’ - the sender that displays on your phone when you get a text message. The new technology identifies fraudulent text messages and stops them before they are even delivered to your phone.
Since the pilot began, there has been a 90 percent reduction in customer reports of SMiShing attempts with an HMRC alpha tag. This has forced criminals to use less credible alpha tags, which are easier for potential victims to spot.
In the last 12 months we’ve also initiated the removal of more than 16,000 malicious websites, meaning even if the texts are delivered, the associated phishing website is likely to have been removed. Excellent news for us all. But it doesn’t stop there. As we manage to prevent the fraudsters achieving their goals, they change their tactics. We’re constantly having to up our game to stay one step ahead.
We continue to research and apply innovative techniques, working closely with the National Cyber Security Centre and industry to help protect the public from attacks including those through malicious emails, SMS and websites. We will not be beaten!