Phishing Emails Affect 2.5 Billion UK Government Employees

UK government employees get 2.5 billion phishing emails every year, showing that hackers continue to use email as their preferred method of communication, according to Comparitech, a cybersecurity research firm

Each employee received an average of 2,400 phishing emails in 2021. Comparitech received responses from 260 government organisations after sending FOI (freedom of information) requests.

According to the Comparitech research:

In 2021, we estimate that 764,331 government employees received a total of 2.69 billion phishing email across just over 260 government organisations.”

These phishing emails attempted to install malware, such as botnets and ransomware, collect passwords and other confidential information, or trick victims into paying money.

Major Findings

In 2021, workers opened 0.32 % of spam email, meaning that 8.62 million malicious emails were at least previewed. Less than 1% (57,736) of the phishing email opened resulted in employees click on suspicious links. Whilst these figures may already appear high, Phishing Tackle CEO James Houghton, is somewhat sckeptical and suspects they will be much higher. He commented:

We know from our own vast database of statistics the average failure rate for end-users without appropriate education and awareness. We are also aware of the existing level of training provided to local and central government, so based on these factors we believe the open and click statistics may be massively undereported.

James Houghton, CEO, Phishing Tackle

According to Comparitech, “some” government organisations responded with detailed statistical information, revealing a 24.5 percent rise in phishing emails from 2018 to 2019.

From 2019 to 2020, this increased by more than 146 %, more than double. From 2020 to 2021, the rate decreased to slightly over 16 %. It’s perhaps interesting that the greatest increase corresponds with the pandemic (COVID-19) and the majority of those working from home.

It’s also interesting that government agencies that get a high number of malicious emails aren’t always more attractive to hackers. It might be because their IT systems are better at filtering out phishing emails.

State/English government that receive the most phishing emails

NHS Digital’s 3,996 workers received a total of 357 million malicious emails, averaging 89,353 emails per employee.

Northern Ireland’s government received 833.7 million malicious emails targeting 24,122 workers, for a total of 34,561 emails per employee.

Network Rail got 223 million malicious emails, or 5,033 emails per employee, from a total of 44,356 workers, whilst HM Revenue & Customs received 27.9 million malicious emails, or 415 emails per employee, from a total of 67,267 employees.

Despite this, in 2021, English council employees got an average of 2,140 fraudulent emails. It is estimated that 655,038 council workers received 2.1 billion phishing emails in 2021, spread across just over 320 English councils. Each England council employee got an average of 2,140 fraudulent emails. Employees opened an average of 1.79 percent of malicious emails, implying that 37.5 million malicious emails were potentially opened by council employees.

A greater rate of phishing email per employee was also found in 26 councils than the state average. During a 12-month period, the total IT systems of the councils received 951,012,705 malicious emails. With a joint staff of 12,927 and 501 people, each employee receives an average of 70,823 malicious emails every year. 2,740 Medway Council workers got 21.9 million malicious emails, equating to 7,994 malicious emails per employee.

In 2021, the British Tourist Authority’s 293 workers received 2.3 million phishing emails. While this is far less than the top three, it still amounts to little over 7,900 phishing email every year.

Although most of these emails stop by the departments’ IT systems. The ratios of emails per employee give us an estimate of how many harmful emails each department receives.

Threats that malicious emails bring to State/English government

In 2021, one state agency stated that in just 30 days, it had reported an astonishing 97 ransomware attacks.

Major data breaches involving lots of new Personally Identifiable Information (PII) can occur when organisation data is compromised. UK Research and Innovation (UKRI) reported in January 2021, they were target of a ransomware attack. While the data was encrypted, the hackers were able to extract it quickly, according to the report.

Over 426,000 ransomware attempts were blocked by one council in less than four years, while 300 were blocked in 49 weeks by another. It also said that it had no basis to suspect that any information had been taken.

Redcar and Cleveland Borough Council had to report to the Information Commissioner’s Office (ICO) about four severe data breaches in 2021, according to a report released last month. This comes in the wake of an £8.7 million cyber-attack in February 2020.

In 2020, Hackney Council was hit by a severe ransomware attack that damaged its systems and exposed personal information on the dark web. Even though Hackney Council did not respond to Comparitech’s FOI request, it estimated that it receives around 9.88 million phishing emails every year.

It is possible that some councils are attacked significantly more regularly than others, or that IT systems are unable to identify spam emails and ransomware attacks.


Comparitech privacy advocate Paul Bischoff said:

“Government employees are targeted because they constantly work for important services and systems that cannot afford to remain down for long. As a result, some government organisations, particularly those in healthcare where life is at risk, are more ready to pay ransoms.”

English councils, such as Babergh and Mid Suffolk District Councils, have combined or merged IT functions and hence have been listed together. Although each government agency and council receive the identical FOI request, the software used may vary. This implies that the quantity of malicious emails discovered by each government agency and council may differ.

Governments generally hire a large number of people, and not all of them are trained to recognise phishing emails. To improve their chances of success, attackers might target a large group of employees.

Every government employee who uses the internet for work and has a work email account, as well as everyone who connects to government networks, should be prepared to identify and respond to phishing emails. Phishing is more of a business problem than a cyber security issue and employees are the last line of defense.

Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.

Recent posts