The average UK government employee receives 2,246 malicious emails per year

According to freedom-of-information requests submitted by the research team at Comparitech, UK government employees received 2,246 malicious emails each in 2022, on average. Across 250 government organizations, we estimate 2.16 million government employees received a total of 2.75 billion malicious emails in 2022.

Malicious emails are defined as malware (including ransomware), phishing, and spam emails.

Key findings

  • Government employees received an average of 2,245.88 malicious emails each in 2022
  • 250 government organizations received an estimated 2.75 billion malicious emails in 2022
  • Each government employee received an average of 355.92 spoofing emails, 32.2 emails containing malware/viruses, 184.6 phishing emails, and 832.57 spam/junk emails
  • An average of 0.04 percent of the malicious emails were opened by staff in 2022, meaning 1.1 million malicious emails were potentially opened by government staff
  • Of those opened, 0.21 percent of these malicious emails resulted in staff members clicking on suspicious links = 2,311

Due to changes in reporting systems and our freedom of information requests (requesting individual categories of malicious emails, e.g. spoofing, spam, and phishing), it wouldn’t be fair to compare our 2021 report to our current 2022 report as figures may be skewed due to more/fewer emails being included in these reports. However, in 2021, we did note a slightly higher rate of emails per government employee–2,399.

While this may seem like a slightly encouraging trend, it doesn’t necessarily mean governments are under any less of a threat. As our recent worldwide ransomware map has indicated, ransomware attacks on government departments have remained a consistent and dominant threat in recent years.

It’s also important to note that those government departments with high volumes of malicious emails aren’t necessarily bigger targets for hackers or have “weaker” security systems. Rather, their IT systems may be doing a better job at filtering out malicious emails. Equally, as noted in the methodology and limitations section, IT systems may differ in their tracking and calculating of malicious email volumes.

Government departments with the largest volume of malicious emails

According to the FOI requests submitted (and where data was provided), the following government departments received the most malicious emails:

  1. Government of Northern Ireland: 1.05bn malicious emails received by 24,324 employees = 43,003 emails per employee. (Note: The government of Northern Ireland’s email system is run through Digital Shared Services (DSS) in the Department of Finance. DSS provides IT infrastructure services to all NI government departments, the NI Office, and some wider public organizations. That’s why the employee figure here is based on the number of civil servants within Northern Ireland).
  2. NHS England (which has recently merged with NHS Digital): 473.2m malicious emails received by 1,410,430 employees (the entire NHS staff force) = 336 emails per employee.
  3. The British Council: 44.3m malicious emails received by 1,299 employees = 34,124 emails per employee.
  4. Network Rail Limited: 25.4m malicious emails received by 44,010 employees = 578 emails per employee.

Government departments with the highest rate of emails per employee

12 government departments also had a higher rate of malicious emails per employee than the average. The top five were:

  1. Government of Northern Ireland43,003 emails per employee: As seen above, the 24,324 employees in the civil service in NI are receiving over 43,000 malicious emails each per year. That’s around 118 per day.
  2. The British Council – 34,124 emails per employee: With 44.3m malicious emails received by just under 1,300 employees, each employee at the British Council is receiving over 34,000 malicious emails each per year.
  3. Agriculture and Horticulture Development Board – 14,133 malicious emails per employee: At a rate of just under 5.3m emails per year and with a small team of 372 employees, each staff member at the Agriculture and Horticulture Development Board receives over 14,000 malicious emails per year.
  4. British Tourist Authority (VisitBritain/VisitEngland) – 7,117 malicious emails per employee: In 2022, the 320 employees of the British Tourist Authority received just under 2.3m malicious emails. This equates to just over 7,100 malicious emails each per year.
  5. National Savings and Investments (NS&I) – 6,690 malicious emails per employee per year: With around 200 employees and 1.34m malicious emails per year, employees at the NS&I are targeted by nearly 6,700 of these emails each per year.

While many of these emails will likely be blocked by the departments’ IT systems, these rates of emails per employee help give us an idea of the number of malicious emails received by each department.

To find out how many malicious emails each government department received, please see the table below, which also indicates whether or not the figure is estimated.

Malicious emails by type

In this update, we also asked each government department to provide a breakdown of the type of malicious emails they received. The categories created from these requests were:

  • Spoofing – Emails that trick a user into thinking it has come from a trusted person or entity by using a forged sender address and manipulated email header.
  • Malware/Virus – An email containing a malicious attachment or link that has the potential to download malware/viruses onto the employee’s computer. This includes ransomware.
  • Phishing – Another email that tries to dupe the recipient into thinking it is from a trusted source before giving away personal credentials or downloading a malicious attachment/clicking on a malicious link. Depending on the systems used by each organization, there may be some crossover between this and malware/virus-type emails.
  • Spam/Junk – These emails are often sent out en masse and often contain some form of marketing/selling. They may also include phishing attempts and/or malware/viruses.

Due to each government organization having various email reporting systems and software, we can’t accurately estimate the total number of each type of email received by government organizations. A large number of emails were also categorized as “other” or “rule match/rejected.”

Using the figures provided, we can look at the rate of these types of emails sent to each government employee.

It’s perhaps no surprise that the greatest volume of malicious emails is classed as spam. Spoofing emails are also a dominant threat and, as these are likely more “sophisticated” than spam-type emails, they pose a huge threat to government employees.

What risks do malicious emails pose to government departments?

Malicious emails often contain links or attachments that, when clicked or opened, give the hacker access to the user’s computer or enable them to download malware onto the computer, which in turn enables the theft of and/or encryption of data.

When hackers gain access to data, this can cause serious data breaches involving a whole host of personally identifiable information (PII). It can also have a detrimental impact on the government department’s systems and services. For example, a ransomware attack on UK Research and Innovation (UKRI) saw two services suffer as a result, leading to the UKRI suspending its services until it could recover.

The costs involved in recovering from these cyber attacks can be astronomical, too. While UK councils weren’t covered in these requests, Redcar and Cleveland Council recently admitted that its ransomware attack in February 2020 had ‘catastrophic’ consequences and cost £7m ($8.7m).

Our recent study on government ransomware attacks in the US also found that the average downtime from such an attack in 2022 was nearly six days.

Methodology and limitations

In 2021, our research team submitted freedom of information requests to 471 government departments across the UK (per this list).

Some government departments weren’t subject to FOI requests, contact details weren’t available, were a small commission or society with members but not employees, or had no available staff figures–in which case, they were removed. A large proportion of them also refused our request based on security grounds, suggesting disclosing the figures could lead them open to future attacks. In our 2022 update, we only contacted the government departments that were willing to disclose the data in our previous requests.

While each government department and council received the same FOI request, the software in place may differ. This means the number of malicious emails identified (and potentially blocked) within each government entity and council may be different. And, as mentioned previously, departments receiving large volumes may not be more targeted by malicious emails but may be better at identifying them.

In some cases, figures were only available for certain periods, e.g. 30 days or 90 days. When provided in such a way, the figure was extrapolated to achieve a yearly figure. Where no figure was provided, we have used the average per employee across all of the government departments that did submit figures (2245.88) to create an estimate. These are identified within the tables.

The most up-to-date and exact employee figures available have been used. In a couple of instances, departments only quoted figures like “over 1,500” employees. Where possible, we have used the official headcount but some may only provide the number of full-time-equivalent employees, however, this figure tends to be lower than the official headcount so it avoids over-estimated figures.

In the case of the Northern Ireland Government, the email system is run through Digital Shared Services (DSS) in the Department of Finance. DSS provides IT infrastructure services to all Northern Ireland government departments, the Northern Ireland Office, and some wider public sector organizations. Therefore, we haven’t included any separate Northern Ireland departments unless a separate figure has been provided or they have confirmed that they own their own IT system.

Data researchers: Charlotte Bond, Rebecca Moody