HMRC has received over 2.6m reports of phishing attempts over the past three financial years, according to a new Freedom of Information (FOI) request from a think tank.

The tax office processed a total of 2,602,528 reports of phishing emails and texts as well as phone scams from 2016-19, according to Parliament Street. Although the worst year was 2016-17 (921,900), 2018-19 saw an increase of 15% over the previous year to reach 897,649.

The largest number were fraudulent emails spoofing tax rebate messages, which accounted for 1,957,003 reports over the three years. The worst year for these was 2016-17, accounting for 733,980.

Next came scam SMS messages, which accounted for 150,009 over the past three financial years — although the volume of these has dropped by almost half between 2016-17 and 2018-19, according to the report.

The number of phone scams reported to the tax office has soared alarmingly over the period: from just 407 in 2016-17 to 104,774 reports in 2018-19.

The number of taxpayers who admitted disclosing financial details to the phishers was 10,647 in 2016-17, but then dropped considerably in the succeeding years, to total 18,792 for the three years. That equates to a success rate of less than 1%.

Also reassuring is the number of phishing websites being reported for removal: 50,323 over the three years, with 2017-18 being the worst year with 19,198 reports.

HMRC is said to be the government’s most abused ‘brand’, but it has been getting better at combating the fraudsters, having implemented DMARC in 2016, for example. This has helped the agency block hundreds of millions of phishing emails, while a Customer Protection Team works hard to follow up reports from taxpayers to take down phishing sites.

However, the wider business community may be less well protected, according to Centrify VP Andy Heather.

“These incidents are just a snapshot of techniques used by hackers to gain confidential financial information as well as credentials and passwords. In many cases we’re seeing fraudsters gaining access to company data, using legitimate user ID and log-in details, without raising suspicion,” he argued.

“For businesses, it’s time to face the reality that cyber-attackers now no longer hack in, they log in using credentials and passwords that are weak, stolen or in cases of phishing are simply handed over to them. Tackling this problem means adopting a zero-trust approach to all user-accounts, ensuring every employee who tries to access critical information is screened with the necessary password, location and authentication procedures to ensure they are who they say they are.”