NCSC Programme Blocks 30 Million Phishing Emails In One Month


The National Cyber Security Centre’s ‘Active Cyber Defence’ strategy has blocked millions of scam emails imitating government addresses


A National Cyber Security Centre (NCSC) programme aimed at blocking cyber attacks stopped 30.3 million malicious emails during the peak month of June 2017, said the centre, which is GCHQ’s cyber-defence arm.

The figures are among the findings of a study covering the first year of Active Cyber Defence (ACD), a programme launched in November 2016 to tackle threats including vulnerabilities in public sector websites and malicious emails that spoof addresses belonging to government organisations.

The programme also includes a DNS service for public sector bodies that stops staff from coming into contact with malicious sites and a takedown service that targets websites used in phishing operations.

One of ACD’s programmes is Mail Check, which involves signing government departments up to an email verification scheme called DMARC (Domain-based Message Authentication, Reporting & Conformance). Under DMARC, email claiming to come from an address signed up to the scheme is checked, and if it does not meet the verification tests, the receiving systems are instructed to discard the message.
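The DMARC check described above, sketched as an added example (not code from the NCSC, its report or this article). It shows why a spoofed message is discarded even when SPF and DKIM pass for the sender's own domain: neither result is aligned with the domain in the From header. The `.example` domains, the published record and the one-entry suffix list are constructed, and the `sp` and `pct` tags are ignored.

```python
# Added illustration: simplified DMARC evaluation (after RFC 7489). All data is constructed.

# Constructed policy record a department might publish at _dmarc.dept.example
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@dept.example"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain, suffixes=frozenset({"example"})):
    """Organisational domain: the public suffix plus one label.
    Assumption: `suffixes` is a tiny stand-in for the real Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organisational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record_txt, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs from the receiver's own checks:
    the SPF domain is the envelope sender's, the DKIM domain is the signature's d= value."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return "no-policy"  # nothing published, so DMARC does not apply
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"].lower()  # the domain owner's request: none, quarantine or reject
```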

Phishing emails blocked

NCSC said the programme stopped an average of 4.5 million malicious emails per month from reaching users in 2017, peaking at 30.3m in June of last year.

The programme’s policy of removing malicious UK-hosted servers and websites has meant a drop in the proportion of sites used in worldwide phishing campaigns, from 5.3 percent in June 2016 to 3.1 percent in November 2017.

During the same period, the volume of global phishing that’s been measured has risen by 50 percent, the NCSC pointed out.

The NCSC removed 121,479 phishing sites hosted in the UK and 18,067 worldwide that were counterfeiting UK government agencies, with takedown times dropping from 42 hours to 10 hours.

The NCSC said it has seen a “dramatic” drop in scam emails from counterfeit addresses, with a total of 515,658 rejected over the course of ACD’s first year.

Hacking arms race

ACD’s Web Check programme carried out more than 1 million security scans and 7 million tests on public sector sites, delivering remediation tips to the site owners when problems were found.

NCSC technical director Dr Ian Levy said he was encouraged by the programme’s first year, but acknowledged it would inevitably cause criminals to adopt more sophisticated tactics.

“The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt,” he said in a statement.

The “Active Cyber Defence – One Year On” report lists scam domains that were taken down, including, and, and finds that HMRC was the most targeted government body with 16,064 fake sites removed.

Scammers also targeted drivers, students and those contacted by the Crown Prosecution Service using fake domains that were taken down.

Levy said users currently find themselves in the position of having to make complex technical judgements – such as trying to verify the source of an email that appears to come from the government – and that ACD aims to reduce that burden.

“As these measures are scaled up, people should be asked less often to do impossible things,” he said.

‘Eating our own dog food’

At the time of the programme’s launch in 2016, Levy said the government was responding to industry’s concern that the government was telling companies to do more on cyber-security without having a functional understanding of what was involved.

“Our strategy is to use government as a guinea pig for all the measures we want to see done at national scale,” he said at the time. “We’ll be eating our own dog food to prove the efficacy (or otherwise) of the measures we’re asking for, and to prove they scale sensibly before asking anyone else to implement anything.”

Other programmes outlined in the new report include NCSC’s drive to broaden the sharing of detection events between UK ISPs, which builds on a BT MISP threat-sharing platform launched in December.
