14 April 2025
His Majesty’s Revenue and Customs (HMRC) has reported blocking over 100 million malicious emails over the past three years, as cyber threats against UK government services continue to escalate.
This alarming data was obtained through a Freedom of Information (FOI) request, revealing significant insights into the frequency and intensity of email-based cyberattacks targeting government institutions.
From November 2021 to October 2022, HMRC successfully blocked 23,751,742 email attacks. The following year saw this figure climb to 40,346,532 blocked emails, which further increased to 40,903,820 between November 2023 and September 2024. In total, HMRC has blocked an astonishing 105,002,094 malicious emails during this three-year period.
"These numbers show just how relentless cybercriminals are when it comes to targeting government institutions," said Andy Ward, SVP International at Absolute Security. "Email remains one of the main ways attackers try to infiltrate systems — whether through malware, spam, or other tactics designed to exploit vulnerabilities."
To combat these growing threats, organizations, including HMRC, are encouraged to develop strong cyber resilience strategies. This includes real-time monitoring of systems, advanced threat detection capabilities, and rapid response measures when incidents occur.
"Security teams need to be able to isolate and shut down compromised systems immediately to stop attacks from spreading," said Ward.
However, despite the growing threat landscape, HMRC has indicated that recent changes to its email security systems mean it can no longer classify email threats by type, such as phishing, malware, or spam. This transition complicates efforts to assess the dynamic cyber risks encountered by the department.
"HMRC’s efforts to block malicious emails show the relentless nature of cyber threats, highlighting the need for robust security measures and a highly skilled workforce," said Sawan Joshi, Group Director of Information Security at FDM Group.
Joshi stressed that protecting critical systems transcends the implementation of technology; it also requires a skilled workforce adept in threat detection, response, and effective risk communication.
"Investing in upskilling staff in cybersecurity training is critical for organizations to enhance their resilience against cyber threats,” said Joshi.
As cyber threats evolve in complexity and frequency, the need for proactive strategies and well-trained personnel has never been more urgent for government departments and organizations alike.
