A phishing attack is when criminals create fake websites that look like well-known websites, such as Marks and Spencer, HMRC or British Gas. They use the fake websites to get your confidential information.
Top 10 Government ‘Brands’

Brand                              No of phishing sites   No of attack groups   Phishing site availability (hours)
HM Revenue & Customs                             16,064                 2,466                                   10
Gov.uk                                            1,541                   241                                   15
TV Licensing                                        172                    93                                    5
DVLA                                                107                    53                                   11
Government Gateway                                   46                    22                                    6
Crown Prosecution Service                            43                    26                                   15
Student Loans Company                                19                    11                                   17
Student Finance Direct                               13                     3                                    3
British Broadcasting Corporation                      8                     7                                   35
When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked to take the site down. While some government departments do their own brand protection, most don’t and it is simpler and cheaper for this to be done centrally.
Example of a phishing site impersonating HMRC
The domain name that’s been used is onlinehmrctax @ gov.co.uk. That’s intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this; many are hosted in areas of legitimate sites that have been compromised by the criminal. Phishing sites are also automatically added to a number of industry safe browsing lists that are consumed by the major browsers, so even if the hosting provider doesn’t respond, or it takes a long time for the site to be removed, users of modern browsers with the default security settings are protected anyway.
The availability of an attack is the total amount of time the phishing site is available, from when the Netcraft service first becomes aware of the attack through to when it is finally taken down. This accounts for the times when an attack is reinstated by the criminal after first being taken down by the provider, which can happen multiple times in some cases. It is also often the case that a single attack involves multiple spoof sites hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew the statistics through the responsiveness (or otherwise) of the hosting provider. Where a group of attacks are all hosted on the same ‘server’, we group them together and take the longest time any one of them is available as the availability for that group.
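The availability metric above can be computed mechanically from a monitoring log. The following is an added example, not code from the original report or from Netcraft, and it assumes a simple constructed log format of (URL, hosting server, observation time, "up"/"down") records; the server strings, domains and timestamps are all made up. It shows both readings of the metric for one URL that was reinstated after a takedown (wall-clock span from first sighting to final takedown, and the summed time the page was actually serving content), then applies the grouping rule from the text: URLs on the same server form one attack group, and the group's availability is the longest span among its URLs. A naive per-URL mean is computed alongside to show how a single attack with many URLs would skew that figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample monitoring log (not Netcraft data): each record is
# (phishing_url, hosting_server, observation_time, status), where status is
# "up" (phishing content still served) or "down" (removed by the host).
OBSERVATIONS = [
    ("http://onlinehmrctax.example/refund", "203.0.113.10", "2017-03-01T09:00", "up"),
    ("http://onlinehmrctax.example/refund", "203.0.113.10", "2017-03-01T15:00", "down"),
    ("http://onlinehmrctax.example/refund", "203.0.113.10", "2017-03-02T08:00", "up"),    # reinstated
    ("http://onlinehmrctax.example/refund", "203.0.113.10", "2017-03-02T11:00", "down"),
    # a second spoof page of the same attack, on the same server
    ("http://blog.example/wp-content/hmrc/", "203.0.113.10", "2017-03-01T10:00", "up"),
    ("http://blog.example/wp-content/hmrc/", "203.0.113.10", "2017-03-01T12:00", "down"),
    # an unrelated attack on a different server
    ("http://gov-uk-login.example/", "198.51.100.7", "2017-03-03T00:00", "up"),
    ("http://gov-uk-login.example/", "198.51.100.7", "2017-03-03T04:30", "down"),
]

# Assumed report time: a URL with no final "down" is counted as live up to here.
REPORT_TIME = datetime.fromisoformat("2017-03-05T00:00")


def per_url_events(observations):
    """Index the log by URL. Returns ({url: [(datetime, status), ...]}, {url: server})."""
    events = defaultdict(list)
    server_of = {}
    for url, server, ts, status in observations:
        events[url].append((datetime.fromisoformat(ts), status))
        server_of[url] = server
    return events, server_of


def url_availability(events, as_of):
    """Availability of one phishing URL, in hours, as (span_hours, uptime_hours).

    span_hours:   first sighting through final takedown. A reinstatement after a
                  takedown extends this figure (the definition used in the text).
    uptime_hours: sum of the periods the site was actually observed "up".
    """
    events = sorted(events)
    first_seen = next(t for t, s in events if s == "up")
    # If the last observation is "up" the site is still live at report time.
    end = events[-1][0] if events[-1][1] == "down" else as_of
    span = (end - first_seen).total_seconds() / 3600

    uptime = timedelta()
    up_since = None
    for t, status in events:
        if status == "up" and up_since is None:
            up_since = t
        elif status == "down" and up_since is not None:
            uptime += t - up_since
            up_since = None
    if up_since is not None:
        uptime += as_of - up_since
    return span, uptime.total_seconds() / 3600


def attack_group_availability(observations, as_of):
    """Group URLs by hosting server and take the longest span in each group,
    so an attack with many spoof URLs on one server is counted once."""
    events, server_of = per_url_events(observations)
    spans = defaultdict(list)
    for url, ev in events.items():
        spans[server_of[url]].append(url_availability(ev, as_of)[0])
    return {server: max(s) for server, s in spans.items()}


def mean_availability(observations, as_of, grouped=True):
    """Mean availability, per attack group (grouped=True) or naively per URL.
    The per-URL figure is pulled toward whichever server hosts the most URLs."""
    if grouped:
        values = list(attack_group_availability(observations, as_of).values())
    else:
        events, _ = per_url_events(observations)
        values = [url_availability(ev, as_of)[0] for ev in events.values()]
    return sum(values) / len(values)


if __name__ == "__main__":
    for server, hours in attack_group_availability(OBSERVATIONS, REPORT_TIME).items():
        print(f"{server}: {hours:.1f} h")
    print("per-URL mean:   %.2f h" % mean_availability(OBSERVATIONS, REPORT_TIME, grouped=False))
    print("per-group mean: %.2f h" % mean_availability(OBSERVATIONS, REPORT_TIME))
```

On the constructed log the reinstated URL spans 26 hours first-sighting-to-final-takedown but was only serving for 9 of them; the two URLs on 203.0.113.10 collapse into one group at 26 hours, so the grouped mean is 15.25 hours against a per-URL mean of about 10.8 hours.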
Over the last calendar year, we’ve taken down 18,067 HMG-related phishing sites.
For comparison, in the previous 6 months the volume was 19,443 sites, also shown on the chart. It’s clear that we have performed fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of global phishing, so this strongly suggests that there has been less HMG-related phishing this year than last.
However, it is very likely (in the opinion of the author) that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.
It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.