Security chiefs fending off millions of scam emails attempting to trick the public

Messages look as if they are being sent by official bodies such as HMRC or the NHS

Andrew Griffin
Monday 05 February 2018 14:32 GMT
An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory (Reuters)

British citizens are being hit by millions of scam email attacks attempting to defraud the public each month, new figures have revealed.

Security chiefs are being forced to block huge volumes of the malicious messages, each of them posing as government or public sector organisations.

The emails show as normal messages from bodies such as HMRC or the NHS, and appear to be genuinely asking for information or personal details. But they are entirely fake – and the information that is entered is hoovered up by criminals who can then use it for identity theft and other attacks.

HMRC is easily the most popular organisation for scammers to set up fake websites for, with emails being sent that claim they are offering fake tax rebates or other false information. But security experts are taking down thousands of such false websites each year.

Figures compiled by the National Cyber Security Centre (NCSC) show 4.5 million malicious emails were blocked each month on average – or 54 million a year.

Spoof emails are designed to fool citizens into believing they have come from a trusted source so they hand over passwords or personal data.

A breakdown of agencies featuring in the most fake emails shows criminals are persistently trying to spoof local councils, as well as national organisations.

The study said: “We have seen the number of messages spoofed from an address fall consistently over 2017, suggesting that criminals are moving away from using them as fewer and fewer of them are delivered to end users.”

Programmes to reduce the threat from cyber crime were drawn up by experts at the NCSC, which was launched in November 2016 and is part of intelligence agency GCHQ.

The assessment of the Active Cyber Defence (ACD) scheme published on Monday also showed that more than 120,000 unique phishing sites hosted in the UK were removed last year.

Phishing involves mass emails sent to large numbers of people asking for sensitive information, such as bank details, or encouraging them to visit a fake website.

In 2017, the NCSC took down 18,067 phishing sites pretending to be a UK government brand.

HMRC was the most commonly spoofed organisation, with 16,064 fake websites removed.

Bogus sites were also set up in the names of agencies, including the DVLA, Student Loans Company and Crown Prosecution Service.

While the volume of global phishing has gone up significantly over the last 18 months, the share hosted in the UK has reduced from 5.5 per cent to 2.9 per cent, according to the report.

NCSC technical director Ian Levy said: “The ACD programme intends to increase our cyber adversaries’ risk and reduce their return on investment to protect the majority of people in the UK from cyber attacks.

“The results we have published today are positive, but there is a lot more work to be done.

“The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt.

“Our measures seem to already be having a great security benefit – we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way.”

He added: “This report shows that simple things, done at scale, can have a positive and measurable effect and the British UK public should be safer as a result of these measures.

“As these measures are scaled up, people should be asked less often to do impossible things, like judge whether an email or website is good or bad.”

Additional reporting by agencies
