Government employees are popular targets for email-borne threats. So, on one level it was unsurprising to hear recently that public sector employees in the UK were deluged with billions of malicious emails last year. What’s perhaps more concerning is the conclusion the report drew: that the same recipients may have clicked on tens of thousands of malicious links last year.
If nothing else, it’s proof once again that organizations need layered human and technical defenses to mitigate the threat from malicious emails. And they need rapid, automated tools to cut response times in the event something does go wrong.
How bad was it?
Researchers at Comparitech compiled their report from Freedom of Information (FOI) requests sent to nearly 260 UK government organizations. Extrapolating across 764,331 government employees, they estimated just under 2.7 billion malicious emails were received in 2021. The headline findings were as follows:
- Government employees received an average of 2,399 malicious emails each in 2021
- Per employee, NHS Digital recorded the highest number of malicious emails for 2021 (89,353), followed by the government of Northern Ireland (34,561) and the Financial Reporting Council (25,992)
- An average of 0.32% of these emails were opened by staff in 2021, amounting to over 8.6 million that were potentially opened
- Of those that were opened, 0.67% resulted in staff clicking on suspicious links. That amounts to a total of 57,736
The good news is that when a government body recognized an incoming email as malicious, it was most likely blocked. However, according to those FOI responses, a significant number were also opened and clicked on. As click rates go, 0.67% is actually pretty low: Verizon observed a 3% rate across organizations in its 2021 Data Breach Investigations Report. However, the sheer numbers involved mean the bad guys don’t need to get lucky often to make it worth their while, especially when automated software does all the heavy lifting by sending out malicious spam en masse.
Comparitech told me it had discounted any FOI answers that weren't clear in order to reduce the chances of over-estimating the figure for click-throughs.
The bigger picture
It goes without saying that email is still the primary threat vector for attacks because it’s still the most effective out there. Clicking on a malicious link or booby-trapped attachment could lead to:
- A direct covert malware download — ransomware, cryptomining malware, banking Trojans, etc.
- Redirection to a convincing-looking phishing site for credential harvesting
- A major breach of user data or sensitive information
- Significant financial and reputational damage
It’s likely that government employees across the Western world are targeted in the same way — as are staff in other sectors, from healthcare to manufacturing. In fact, a recent decision by the UK’s National Cyber Security Centre (NCSC) to expand its Mail Check service to the country’s schools highlights the outsized threat to the education sector.
Undoubtedly the emerging working-from-home trend has added not only to the surge in malicious emails but also to the risk of employees clicking through. Early in the pandemic, Google claimed to be blocking 240 million COVID-19-themed spam messages each day, plus 18 million malware and phishing emails. Comparitech’s figures bear this out: it claimed government departments saw a 25% increase in malicious emails from 2018 to 2019, followed by a much bigger surge of 146% between 2019 and 2020.
Research has warned time and again that home workers are more likely to engage in risky behavior such as clicking on phishing links. They may be more distracted by housemates and family members, the logic goes, or even feel psychologically less inclined to follow security policy when not in the office.
What you need to secure email
So what’s the answer to mitigating the email security threat? There are multiple points of weakness that could be exploited by attackers, across the classic trio of people, process, and technology. This is therefore where any effective security strategy must focus:
- Technology. The first layer of defense must be technical. Email security technology has come on a great deal from the days of URL and attachment scanning, as important as these capabilities remain. Organizations should complement them with AI tools for spotting suspicious behavior that may otherwise not set off any alarms, and with incident response tools designed to remediate quickly if threats do sneak through.
- People. The first line of defense needs to be beefed up with enhanced phishing awareness training. That means tools that can simulate real-world campaigns and provide feedback on results. Sessions should be run in bite-sized lessons to all staff on an ongoing basis.
- Process and policy. Updates in this area can be a useful way to remind all staff of their responsibilities in following best practices. Consider things like: use of multifactor authentication for logins; not clicking on links or opening attachments in unsolicited mail; and not signing up for third-party accounts/services with work email.
Email security, like cybersecurity in general, is everyone’s responsibility. Understanding that is the first step toward creating a true security-by-design culture.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.