To ask the Chancellor of the Exchequer, how many (a) reports of suspicious (i) e-mails, (ii) text messages and (iii) phone calls asking for personal information or threatening a lawsuit were received by HMRC, (b) individuals believed to have been responsible for those communications were (i) identified, (ii) charged and (iii) convicted, (c) HMRC staff were deployed to investigate phishing scams in 2017-18 and (d) HMRC staff have been deployed to investigate such scams in 2018-19; and what recent (A) steps HMRC has taken and (B) assessment he has made of its performance in tackling such scams.
7 January 2019
From April 2018 to November 2018, HMRC has received:
reports of suspicious:
(i) e-mails – 636,789
(ii) text messages – 28,639
(iii) phone calls asking for personal information or threatening a lawsuit were received by HMRC – 44,435
HMRC has a dedicated Customer Protection team targeting scams, which has:
- Reduced reported HMRC-branded phishing texts by 90% due to innovative work with network operators and the National Cyber Security Centre (NCSC).
- Requested removal of over 14,000 websites during financial year 2017/2018.
- Blocked half a billion phishing emails through technical controls since 2016.
- Published guidance on GOV.UK on how to identify scams that has been visited 1.4 million times during financial year 2017/2018.
- Responded to nearly 1 million phishing referrals in the same period.
- Recovered over 130 websites infringing the HMRC brand including those which host low value services such as call connection sites, saving customers in excess of £2.4M in charges to date.
However, the information required to answer (b), (c) and (d) cannot be provided as releasing it may prejudice the prevention or detection of crime. The information could be used by individuals for criminal activity and departmental IT systems could be exposed or left vulnerable to interference or attack.
Doing so could give criminals valuable insight into HMRC’s capabilities and processes in this area and cybersecurity in general, opening up the Department and the wider public to more informed and effective scams and attacks. While publishing the information requested could, on the face of it, reassure the public that HMRC is suitably resourced to handle risks posed by cybercrime, on balance it is not in the public interest.