According to FOI requests submitted by the research team at Comparitech, UK government employees received 2,400 malicious emails each in 2021. Across just under 260 government organizations, we estimate that 764,331 government employees received a total of 2.69 billion malicious emails in 2021.
Malicious emails are defined as malware (including ransomware), phishing, and spam emails.
Our team also submitted FOIs to all of the councils across England. We found that each council employee received only slightly fewer malicious emails than government department employees, with an average of 2,140 malicious emails a year. Read more about this below the analysis of malicious emails sent to government departments.
- Government employees received an average of 2,399.41 malicious emails each in 2021
- 258 government organizations received an estimated 2.69 billion malicious emails in 2021
- An average of 0.32 percent of the malicious emails were opened by staff in 2021, meaning 8.62 million malicious emails were potentially opened by government staff
- Of those opened, 0.67 percent resulted in staff members clicking on suspicious links = 57,736 emails
According to the historical data provided by some governments in our FOI requests, 2018 to 2019 saw an average increase in malicious emails of 24.5 percent. Then, from 2019 to 2020, this jumped to an increase of just over 146 percent. From 2020 to 2021, the rate slowed again to just over 16 percent.
It’s perhaps no surprise that the biggest increase coincides with the pandemic and most people working from home (and emails, therefore, being their predominant method of communication).
While a dip in growth last year may seem like a slightly encouraging trend, it doesn’t necessarily mean that governments are under any less of a threat. As our recent worldwide ransomware map has indicated, government departments have seen an increase in ransomware attacks over the last year.
It’s also important to note that government departments with high volumes of malicious emails aren’t necessarily bigger targets for hackers, nor do they necessarily have “weaker” security systems. Rather, their IT systems may be doing a better job of filtering out malicious emails. Equally, as noted in the methodology and limitations section, IT systems may differ in how they track and calculate malicious email volumes.
Government departments with the largest volume of malicious emails
According to the FOI requests submitted (and where data was provided), the following government departments received the most malicious emails:
- Government of Northern Ireland: 833.7m malicious emails received by 24,122 employees = 34,561 emails per employee. (Note: The government of Northern Ireland’s email system is run through Digital Shared Services (DSS) in the Department of Finance. DSS provides IT infrastructure services to all NI government departments, the NI Office, and some wider public organizations. That’s why the employee figure here is based on the number of civil servants within Northern Ireland).
- NHS Digital: 357m malicious emails received by 3,996 employees = 89,353 emails per employee.
- Network Rail Limited: 223.3m malicious emails received by 44,356 employees = 5,033 emails per employee.
- HM Revenue & Customs: 27.9m malicious emails received by 67,267 employees = 415 emails per employee.
Government departments with the highest rate of emails per employee
14 government departments also had a higher rate of malicious emails per employee than the average. The top five were:
- NHS Digital – 89,353 malicious emails per employee: As seen above, with 357m malicious emails received by just under 4,000 employees, each employee at NHS Digital is receiving over 89,000 emails each per year. That’s around 245 per day.
- Government of Northern Ireland – 34,561 malicious emails per employee: The 24,122 employees in the civil service in NI are receiving over 34,500 malicious emails each per year.
- Financial Reporting Council – 25,992 malicious emails per employee: At a rate of just under 8.5m emails per year and with a small team of 326 employees, each staff member at the Financial Reporting Council receives just under 26,000 malicious emails per year.
- British Tourist Authority (VisitBritain/VisitEngland) – 7,941 malicious emails per employee: In 2021, the 293 employees of the British Tourist Authority received 2.3m malicious emails. While this is significantly fewer than the aforementioned top three, it still equates to just over 7,900 malicious emails each per year.
- Network Rail Limited – 5,033 malicious emails per employee per year: With 44,356 employees, Network Rail has a large number of email accounts to monitor. It had recorded 195.3m emails to mid-November, which equates to around 223.3m for the year.
While many of these emails will likely be blocked by the departments’ IT systems, these rates of emails per employee help give us an idea of how substantial the number of malicious emails being received by each department is.
To find out how many malicious emails each government received, please see the table below which also indicates whether or not the figure is estimated.
How prevalent are ransomware attacks on government departments?
While we received a large number of responses to our questions about malicious emails, many government departments refused to disclose any data on ransomware attacks as they felt it would make them more vulnerable to future attacks.
However, some government departments did disclose some interesting snippets of information.
In 2021, one government department revealed it had detected 97 ransomware attacks in just 30 days (none of which were successful). 71 government departments were also happy to report that they hadn’t suffered a ransomware attack in 2021 (the remainder–187–didn’t disclose whether they had or not). Only two government organizations revealed that they had suffered a successful ransomware attack in 2021.
Another government organization revealed it fell victim to a ransomware attack in 2020 while blocking a further 29.
What risks do malicious emails pose to government departments?
Malicious emails often contain links or attachments that, when clicked or opened, give the hacker access to the user’s computer or enable them to download malware onto the computer, which in turn enables the theft of and/or encryption of data.
When hackers gain access to data, this can cause serious data breaches involving a whole host of personally identifiable information (PII).
For example, a recent report found that Her Majesty’s Prison and Probation Service (HMPPS) recorded 2,152 data breaches in a one-year period. While the HMPPS failed to provide us with any data, our estimates suggest that with just over 63,000 staff members, the organization could have received as many as 151m malicious emails in 2021.
UK Research and Innovation (UKRI) also disclosed that it had suffered a ransomware attack in January 2021 (confirmed in our FOI request). It stated that while the hackers encrypted the data, UKRI was able to recover it quickly (without paying the ransom). It also stated that it had no reason to believe any data had been stolen.
While UKRI disclosed its ransomware attack, it didn’t disclose the number of malicious emails it receives per year. But we estimate it could be in the region of 19m.
So how do these figures compare when we look at England councils?
English council staff receive 2,140 malicious emails each every year
English council employees received 2,140 malicious emails each in 2021. Across just over 320 English councils, we estimate that 655,038 council employees received a total of 2.1 billion malicious emails in 2021.
Malicious emails are defined as malware (including ransomware), phishing, and spam emails.
- England council employees received an average of 2,140 malicious emails each in 2021
- 322 England councils received an estimated 2.1 billion malicious emails in 2021
- An average of 1.79 percent of the malicious emails were opened by staff in 2021, meaning 37.5m malicious emails were potentially opened by council staff
- Of those opened, 0.99 percent of these malicious emails resulted in staff members clicking on suspicious links = 371,493 emails
According to the data provided by councils, 2021 isn’t likely to have been the worst year for malicious emails. Rather, just as was the case with government departments, 2020 was an extraordinary year for malicious emails. Coinciding with the pandemic, many employees turned to email to communicate, which increased hackers’ chances of unleashing a successful malicious email attempt.
Our statistics indicate that malicious email volumes grew by just over 25 percent from 2018 to 2019 and by nearly 16 percent from 2019 to 2020. Then, last year, malicious email levels dropped by just over 31 percent.
Councils with the largest volume of malicious emails
According to the FOI requests submitted (and where data was provided), the following councils received the most malicious emails:
- Lancashire County Council: 915.5m malicious emails received by 12,927 employees = 70,823 emails per employee.
- Buckinghamshire Council: 67.2m malicious emails received by 4,065 employees = 16,537 emails per employee.
- Blackpool Borough Council: 41.7m malicious emails received by 2,618 employees = 15,909 emails per employee.
- Suffolk County Council: 40.7m malicious emails received by 5,276 employees = 7,720 emails per employee.
- West Lancashire District Council: 35.4m malicious emails received by 501 employees = 70,823 emails per employee (there is one email system for Lancashire County Council and West Lancashire District Council).
Councils with the highest rate of emails per employee
26 councils also had a higher rate of malicious emails per employee than the average. The top five councils with the highest rate were:
- Lancashire County Council and West Lancashire District Council – 26,652 malicious emails per employee: The councils’ combined IT system received 951,012,705 malicious emails over a 12-month period. With 12,927 and 501 employees respectively, that equates to an average of 70,823 malicious emails per employee per year.
- Buckinghamshire District Council – 16,537 malicious emails per employee: With just over 67m malicious emails in a year and 4,065 employees, each employee at Buckinghamshire District Council is receiving around 16,537 malicious emails each per year.
- Great Yarmouth Borough Council – 15,957 malicious emails per employee: Receiving approximately 500,000 malicious emails per month, Great Yarmouth Borough Council’s 376 employees receive around 6m malicious emails a year, which is just under 16,000 each.
- Blackpool Borough Council – 15,909 malicious emails per employee: Blackpool’s workforce of 2,618 employees receives 41.7m malicious emails each year, which is just under 16,000 each.
- Medway Council – 7,994 malicious emails per employee: 21.9m malicious emails are received by 2,740 employees at Medway Council each year, equating to 7,994 malicious emails each.
While many of these emails will likely be blocked by the councils’ IT systems, these rates of emails per employee help give us an idea of how substantial the number of malicious emails being received by each council is.
To find out how many malicious emails your council receives, please see the table below, which also indicates whether or not the figure is estimated.
How prevalent are ransomware attacks across English councils?
As with government departments, many councils were unwilling to share data on ransomware attacks, citing security reasons. But from the data that was provided, we do have some interesting findings.
One council disclosed that it had blocked over 426,000 ransomware attacks in just under 4 years, while another had blocked 300 over the course of 49 weeks. Others suggested they hadn’t had to block any, and only two disclosed that they had fallen victim to a ransomware attack in 2021. This could indicate that some councils are far more heavily targeted than others, or that IT systems aren’t able to differentiate between something like a spam email and a ransomware attack.
What risks do malicious emails pose to councils?
Last month it was revealed that Redcar and Cleveland Borough Council had to disclose four serious data breaches to the Information Commissioner’s Office (ICO) in 2021. And that follows a cyber attack in February 2020 which cost £8.7m to rectify.
According to the FOI request submitted to this council, it receives approximately 250,000 malicious emails per year. With 2,121 staff, that’s around 118 malicious emails per staff member per year.
Elsewhere, Hackney Council suffered a devastating ransomware attack in 2020 which crippled its systems and saw personal data being published on the dark web. A recent audit found that the attack cost the council around £10m. While Hackney Council wouldn’t disclose its malicious email volume through our FOI request, our estimates suggest it receives around 9.88m malicious emails per year.
Methodology and limitations
Our research team submitted freedom of information requests to 471 government departments across the UK (as per this list) and 331 England councils (as per this list).
Some government departments were removed from the analysis because they weren’t subject to FOI requests, contact details weren’t available, they were a small commission or society with members but not employees, or no staff figures were available.
For English councils, some have combined or shared IT services and so have been included together, e.g. Babergh and Mid Suffolk District Councils. Only five councils were removed due to a lack of data (namely employee figures): the Common Council of the City of London, the Council of the Isles of Scilly, Newcastle-Under-Lyme Borough Council, Somerset West and Taunton Council, and Staffordshire Moorlands District Council.
While each government department and council received the same FOI request, the software in place may differ. This means the number of malicious emails identified (and potentially blocked) within each government entity and council may be different. And, as mentioned previously, departments receiving large volumes may not be more targeted by malicious emails but may be better at identifying them.
In some cases, figures were only available for certain periods, e.g. 30 days or 90 days. When provided in such a way, the figure was extrapolated to achieve a yearly figure. Where no figure was provided, we have used the average per employee across all of the government departments and councils that did submit figures (2399.41 or 2139.69 respectively) to create an estimate. These are identified within the tables.
The most up-to-date and exact employee figures available have been used. In a couple of instances, departments only quoted figures like “over 1,500” employees. Where possible, we have used the official headcount, but some organizations only provide the number of full-time-equivalent employees. This figure tends to be lower than the official headcount, so it avoids over-estimating the number of malicious emails.
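The methodology above describes three steps: scaling a count that covers only part of a year (e.g. 30 or 90 days) up to an annual figure, imputing a figure for organizations that supplied none from the average per-employee rate (2,399.41 for departments, 2,139.69 for councils), and flagging which results are estimates rather than reported. The script below is an added illustration of those steps, not Comparitech's own code; every organization, count and rate in it is constructed except the two average rates quoted in the methodology, and the open/click rates are treated as inputs rather than taken from the report.

```python
"""Worked illustration of the report's estimation steps (added example).

All organizations and counts below are constructed sample data; only the two
average-per-employee rates come from the methodology section of the report.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Average malicious emails per employee across respondents that did supply
# figures, as quoted in the methodology section.
AVG_PER_EMPLOYEE = {"department": 2399.41, "council": 2139.69}


@dataclass
class Response:
    name: str
    kind: str                        # "department" or "council"
    employees: int
    malicious: Optional[int] = None  # reported malicious emails, or None if refused
    period_days: int = 365           # number of days the reported count covers


@dataclass
class Estimate:
    name: str
    annual_malicious: int
    per_employee: float
    estimated: bool                  # True when extrapolated or imputed


def annualise(count: int, period_days: int) -> int:
    """Scale a count covering period_days up to a 365-day figure."""
    if period_days <= 0:
        raise ValueError("period must be a positive number of days")
    return round(count * 365 / period_days)


def estimate(r: Response) -> Estimate:
    """Apply the report's rules to a single FOI response."""
    if r.malicious is None:
        # No figure supplied: impute from the average per-employee rate.
        annual = round(r.employees * AVG_PER_EMPLOYEE[r.kind])
        return Estimate(r.name, annual, annual / r.employees, True)
    annual = annualise(r.malicious, r.period_days)
    # A full-year figure is a reported value; a shorter window is an extrapolation.
    return Estimate(r.name, annual, annual / r.employees, r.period_days != 365)


def summarise(responses: List[Response]) -> Tuple[int, int, int]:
    """Return (total annual malicious emails, number of rows, rows that are estimates)."""
    rows = [estimate(r) for r in responses]
    total = sum(e.annual_malicious for e in rows)
    flagged = sum(1 for e in rows if e.estimated)
    return total, len(rows), flagged


def opened_and_clicked(total: int, open_rate: float, click_rate: float) -> Tuple[int, int]:
    """Turn a volume into 'potentially opened' and 'clicked' counts, as the
    bullet points do: click_rate applies to the opened emails, not the total."""
    opened = round(total * open_rate)
    clicked = round(opened * click_rate)
    return opened, clicked


# Constructed sample responses (hypothetical organizations).
SAMPLE = [
    Response("Council A", "council", 500),                    # refused to disclose
    Response("Department B", "department", 100, 2000, 90),    # 90-day figure only
    Response("Council C", "council", 10, 5000),               # full-year figure
]

if __name__ == "__main__":
    for r in SAMPLE:
        e = estimate(r)
        flag = " (estimated)" if e.estimated else ""
        print(f"{e.name}: {e.annual_malicious:,} per year, "
              f"{e.per_employee:,.0f} per employee{flag}")
    total, rows, flagged = summarise(SAMPLE)
    print(f"{rows} rows, {flagged} estimated, total {total:,}")
```

The `estimated` flag is what the report's tables carry alongside each figure; keeping it attached to the number, rather than in a separate note, is what lets a reader weigh an imputed figure (which simply reproduces the average) differently from a reported one.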
In the case of the Northern Ireland Government, the email system is run through Digital Shared Services (DSS) in the Department of Finance. DSS provides IT infrastructure services to all Northern Ireland government departments, the Northern Ireland Office, and some wider public sector organizations. Therefore, we haven’t included any separate Northern Ireland departments unless a separate figure has been provided or they have confirmed that they own their own IT system.
Only 27 government departments and 22 councils provided us with enough historical data to make comparisons of year-on-year increases in malicious email volumes.
Data researchers: Charlotte Bond, Rebecca Moody