Phishing, malware, and spam are popular techniques deployed by attackers

A new report released today reveals that UK government employees receive an average of 2,400 malicious emails per year

A new report released today reveals that UK government employees receive an average of 2,400 malicious emails per year, as cybercriminals continue to use email as their vector of choice.

The study, from Comparitech, found that the central government departments across the UK received an estimated 2.6 billion suspicious emails in total last year.

These findings were taken from Freedom of Information (FOI) requests sent to 258 public-sector and national organizations including central government departments, the National Health Service and Network Rail.

“Across just under 260 government organizations, we estimate that 764,331 government employees received a total of 2.69 billion malicious emails in 2021,” the report reads.

Comparitech notes that it defines malicious emails as containing either malware (including ransomware), phishing, or spam.

Malicious findings

An average of 0.32 percent of the malicious emails were opened by staff in 2021, meaning 8.62 million malicious emails were at least previewed. Of those opened, less than 1% (57,736) of these malicious emails resulted in staff members clicking on suspicious links.

Comparitech noted that “some” government departments responded with additional historical data, which showed that the years 2018 to 2019 saw an average increase in malicious emails of 24.5% (or around a quarter).

From 2019 to 2020, this jumped to an increase of just over 146% - more than doubling. From 2020 to 2021, the rate slowed again to just over 16%.

Read more of the latest security news from across the UK

“It’s perhaps no surprise that the biggest increase coincides with the pandemic and most people working from home (and emails, therefore, being their predominant method of communication),” Comparitech noted in the study.

The company also noted, however, that central government departments with high volumes of malicious emails “aren’t necessarily that bigger targets for hackers or have ‘weaker’ security systems”.

“Rather, their IT systems may be doing a better job at filtering out malicious emails,” the report states.

Critical targets

NHS Digital had a total of 357 million malicious emails received by 3,996 employees, equating to 89,353 emails per employee.

Other critical infrastructure services such as railway provider Network Rail Limited received 223 million malicious emails received by a total of 44,356 employees, at a rate of 5,033 emails per employee, while tax department HM Revenue & Customs received 27.9 million malicious emails received by 67,267 employees, or 415 emails per employee.


Paul Bischoff, privacy advocate at Comparitech, told The Daily Swig that government employees are targeted because “they often work for critical services and systems that can’t afford to go down for long”.

“That makes some government agencies more likely to pay ransoms, especially those in healthcare where lives are on the line,” Bischoff added.

“Governments also have a lot of employees and not all of them are trained to spot phishing emails. Attackers can target a large number of employees to increase their chances of success.

He advised: “Every government employee who uses the internet for work, has a work email address, or connects to government networks should be trained to spot and handle phishing emails. Phishing is more of an operational problem than a cyber security one.”

YOU MAY ALSO LIKE Critical infrastructure entities on red alert over ‘exceptionally rare and dangerous’ ICS malware