A phishing attack is when criminals create fake websites that look like well-known websites such as Marks and Spencer or HMRC or British Gas etc. They use the fake websites to get your confidential information.
Top 10 Government ‘Brands’
Brand No of phishing sites No of attack groups Phishing Site Availability in hours
HM Revenue & Customs 16,064 2,466 10
Gov.uk 1,541 241 15
TV Licensing 172 93 5
DVLA 107 53 11
Government Gateway 46 22 6
Crown Prosecution Service 43 26 15
Student Loans Company 19 11 17
Student Finance Direct 13 3 3
British Broadcasting Corporation 8 7 35
Phishing
When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked to take the site down. While some government departments do their own brand protection, most don’t and it is simpler and cheaper for this to be done centrally.
Example of a phishing site impersonating HMRC
The domain name that’s been used is onlinehmrctax @ gov.co.uk. That’s intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this and many are hosted in areas of legitimate sites that have been compromised by the criminal. Phishing sites are also automatically added to a number of industry safe browsing lists that are consumed by the major browsers and so even if the hosting provider doesn’t respond, or it takes long time for the site to be removed, users of modern browsers with the default security settings are protected anyway
The availability of an attack is the total amount of time the phishing site is available from when the Netcraft service first becomes aware of the attack through to when it is finally taken down. This accounts for the
times when an attack is reinstated by the criminal after first being taken down by the provider, which can happen multiple times in some cases. It is also often the case that a single attack can involve multiple spoof sites, hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew statistics through the responsiveness or otherwise of the hosting provider. Given a group of attacks are all hosted on the same `server’, we group these together taking the longest time any one of them is available as the availability for that group.
Over the last calendar year, we’ve taken down 18, 067 HMG-related phishing sites.
For comparison, in the previous 6 months 5, the volume was 19; 443 sites, also shown on the chart. It’s clear that we have performed fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of the global phishing and so this strongly suggests that there has been less HMG-related phishing this year than last.
However, it is very likely (in the opinion of the author) that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.
It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.
