Pioneering programme defends UK from millions of cyber attacks

Created:  05 Feb 2018
Updated:  05 Feb 2018
Results of the NCSC's Active Cyber Defence programme have been revealed in figures published today.
  • National Cyber Security Centre releases first data and related analysis of defence initiative
  • Millions of malicious emails stopped and UK’s share of global phishing attacks plummeting
  • NCSC, part of GCHQ, has implemented interventionist approach to reducing cyber attacks
  • “Successes in our first year will cause attackers to change behaviour, and we will adapt”

WORLD leading initiatives by the National Cyber Security Centre (NCSC) have detected and prevented millions of online commodity attacks against the UK, figures published today (February 5) have shown.

The results of the UK government’s new bold approach to tackling cyber crime are detailed in ‘Active Cyber Defence – One Year On’, a comprehensive summary compiled by the NCSC’s Technical Director Dr Ian Levy.

Four pioneering Active Cyber Defence (ACD) programmes – Web Check, DMARC, Public Sector DNS and a takedown service – were launched last year as part of the National Cyber Security Strategy to improve basic cyber security by disrupting commodity cyber attacks that affect UK citizens.

The technology, which is free at the point of use, improves defence against threats by blocking fake emails, removing phishing attacks and stopping public sector systems veering onto malicious servers.

Key findings amongst the comprehensive analysis show that since the ACD was introduced;

  • UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017)
  • removed 121,479 phishing sites hosted in the UK – and 18,067 worldwide spoofing UK government
  • takedown availability times for sites spoofing government brands down from 42 hours to 10 hours
  • a dramatic drop of scam emails from bogus ‘’ accounts (total of 515,658 rejected in year)
  • average 4.5 million malicious emails per month blocked from reaching users (peak 30.3m in June)
  • more than 1 million security scans and 7 million security tests carried out on public sector websites

Dr Ian Levy, Technical Director of the NCSC, said:

“Through the National Cyber Security Centre, the UK has taken a unique approach that is bold and interventionalist, aiming to make the UK an unattractive target to criminals or nation states.

“The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment to protect the majority of people in the UK from cyber attacks.

“The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt.

“Our measures seem to already be having a great security benefit - we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way.”

The report lists scam domains promoted by phishing emails that have now been removed, such as, and and shares examples of real phishing emails they have prevented from being delivered.

It also puts on record the 10 most spoofed government brands in the year, with HMRC the most targeted with 16,064 fake websites taken down. Also in the list are the DVLA, the Student Loans Company and the Crown Prosecution Service.

The report also breaks down the brands which have been most successfully protected from criminals for each month. Amongst the organisations best defending themselves from spoof attempts thanks to implementing ACD are local authorities such as Northumberland County Council (59,405 attempts in August), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).

Dr Levy continued:

“This report shows that simple things, done at scale, can have a positive and measurable effect and the British UK public should be safer as a result of these measures.

“As these measures are scaled up, people should be asked less often to do impossible things, like judge whether an email or website is good or bad, less often.

“The NCSC has committed to being transparent and publishing data. We think the results here show that the first year of our Active Cyber Defence programme have been successful – and the following years will be really interesting.”

The paper goes on to outline the NCSC’s intention to broaden sharing of detection events between UK ISPs, building on BT’s new MISP threat sharing platform launched in December and ensuring it provides real security benefit to end users.

Mark Hughes, CEO of BT Security, said:

“The Government’s Active Cyber Defence strategy will make it increasingly difficult for cyber criminals to carry out relatively unsophisticated attacks, which account for roughly 80 per cent of all cyber crime.

“BT is supporting its strategy in a number of crucial ways, including strengthening email security, internet and signalling protocols and by blocking tens of millions of malicious malware infections every week.

“We’ve also launched a collaborative online platform which sees BT share its threat intelligence data with other UK ISPs, so that they can better protect their customers should they choose to take action.”

The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

GCHQ is the parent body for the NCSC, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.

You can read the full report here:


Notes to editors

The report breaks down the brands featuring in the most rejected fake emails every month, showing criminals are persistently trying to spoof trusted local councils as well as national organisations such as the NHS and HMRC.

ACD statistics

The report also lists the top 10 most spoofed government related brands and while the majority of attacks are continuing to use the HMRC brand it is also noticeable that criminals also target students, motorists and people contacted by the CPS.


Number of spoof websites created

Number of attack groups

Median group availability (hours)

HM Revenue & Customs







TV Licensing








Government gateway




Crown Prosecution Service




A UK University




Student Loans Company




Student Finance Direct




British Broadcasting Corporation




The ACD programme consists of four services - each free at the point of use - that perform a particular security service for public sector organisations. A summary of each’s outcomes are below.


DMARC helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as though they come from a trusted address. Organisations that deploy DMARC properly can ensure their addresses are not successfully used by criminals as part of their campaigns. We have committed to helping the public sector lead in deploying DMARC.

  • We are prioritising 5,322 government domains for adoption in the first instance. Those with Sender Policy Framework policies (a prerequisite of full DMARC) have risen from 26.85% at the start of 2017 to 38.56%. DMARC adoption is up from 5.58% at the start of 2017 to 18.3%. We expect that to accelerate over the coming months as we demonstrate the benefit.
  • At the end of 2017, we have 555 (about 10%) government domains reporting to Mail Check.
  • We have seen the number of messages spoofed from an address (for example, taxrefund[at] fall consistently over 2017, suggesting that criminals are moving away from using them as fewer and fewer of them are delivered to end users.
  • Across the 555 public sector email domains reporting to Mail Check, we are seeing an average of 44.1 million messages a month which fail verification, with a peak of 78.8 million in June. Of those, an average of 4.5 million are not delivered to the end users. The peak in June saw 30.3 million spoofed messages not delivered to end users.
  • The coming months will see a push to have more public sector bodies to set their domain policies so that spoofed emails are rejected by receivers. Our Mail Check platform is critical to providing the data to help that happen.


This service works by requesting that hosting providers remove malicious content that is pretending to be related to UK Government and also certain types of malicious content hosted in the UK.

  • In 2017, we removed 18,067 unique phishing sites across 2,929 attack groups that pretended to be a UK Government brand, wherever in the world they were hosted. As a result, we have reduced the median availability of a UK Government related phishing site from 42 hours to 10 hours. That means that these sites are available for much less time to do harm to UK citizens. 65.8% of those are down in 24 hours, up from 39% before we started takedowns.
  • In 2017, we removed 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, regardless of who it was pretending to be. As a consequence, we have reduced the median availability of a phishing site physically hosted in the UK from 26 hours to 3 hours, again giving them much less time to do harm. 76.8% of those were down in 24 hours, up from 47.3% before we started takedowns.
  • In 2017, we worked with 1,719 compromised sites in the UK that were being used to host 5,111 attacks, intended to compromise the people that visited them. As a consequence, we have reduced the median availability of these compromises from 525 hours to 39 hours.
  • Over the year 2017, the month-by-month volume of each of these has fallen, suggesting that criminals are using the UK Government brand less and hosting fewer of their malicious sites in UK infrastructure.
  • In 2017, we notified email providers about 3,243 Advance Fee Fraud attacks, pretending to be related to UK Government.
  • In 2017, we have stopped several thousand mail servers being used to impersonate government domains and sending malware to people, in the expectation that the government link makes them more realistic. We have also removed a number of deceptive domains that were registered with the sole intention of deceiving people.
  • While the volume of global phishing we can see has gone up significantly (nearly 50%) over the last 18 months, the share hosted in the UK has reduced from 5.5% to 2.9%.


Web Check performs some simple tests on public sector websites to find security issues. It provides clear and friendly reporting to the service owners, along with advice on how to fix the problems.

  • Between 18th April 2017 and 31st December 2017, Web Check performed 1,033,250 individual scans running 7,181,464 individual tests.
  • In that period, we scanned 7,791 unique URLs across 6,910 unique domains ingesting a total of 7,748 unique pages.
  • In that period, we produced 4,108 advisories for customers, covering a total of 6,218 different issues. We found 2,178 issues relating to certificate management, 1 relating to HTTP implementation, 184 relating to out of date content management systems, 1,629 relating to TLS implementation, 76 relating to out of date server software and 40 other issues.
  • Most issues were fixed by the service owner within 2 days of being reported.


The Public Sector DNS service provides protective DNS services to public sector bodies that subscribe to it. It blocks access to known bad domains, where the block lists are derived from a combination of commercial, open source and NCSC threat feeds. The intent of the service is not just to block bad things, but to notify system owners so they can perform remediation.

  • At it peak in December 2017, public sector DNS services responded to 1.23 billion requests a week.
  • During that peak week, 273,329 requests were blocked, of which 5,768 were unique.
  • During 2017, over 3 terabytes of DNS data has been analysed for security threats and 134,825 unique DNS queries were blocked.
  • Nearly all organisations have benefited from the blocking of DNS queries and, on average, 1 in 6 organisations joining the service have some security issue identified that requires further remediation.
  • The domain generation algorithm detection analytic has found traffic linked to malware in 9 organisations. The malware families involved were Wannacry, BadRabbit, Ramnit and Conficker. Traffic for these was handled appropriately.
  • We also describe the work on securing SS7 which intends to make abuse of UK mobile networks harder and some early (but successful) experiments into tackling SMS spoofing.
  • We also describe our integration platform, the Threat-o-Matic, that links all the Active Cyber Defence measures and the early experiments we have done with others to prove event sharing and the benefits it could bring.

Was this news helpful?

We need your feedback to improve this content.

Yes No