FCA hit by 80,000 malicious emails every month

FOI request shows scale of phishing attacks

Posted 8 February 2021 by Christine Horton

The Financial Conduct Authority (FCA) was targeted by nearly a quarter of a million (238,711) malicious and unsolicited emails over the final three months of 2020, averaging around 80,000 email attacks per month.

This is according to official figures obtained by the Freedom of Information (FOI) act and analysed by litigation firm Griffin Law.

In the FCA’s response to the FOI request, they provided a breakdown of all emails blocked by their system from the October to December 2020. A staggering 99 percent of all blocked emails were defined as spam, which includes everything from unsolicited marketing and advertising to phishing emails. The FCA also recorded 2,402 emails potentially containing malware.

November 2020 saw the highest number of email attacks, with the FCA recording 84,723 total malicious email, split by 83,892 spam email and 831 malware emails.

“The scale of the phishing problem, today, is huge. Our own data showed an uptick in the number of social engineering and wire fraud scams in the last six months of 2020. Why? Because it’s much easier to hack a human to hack an organisation than it is to hack a company’s software,” said Tim Sadler, CEO at cybersecurity firm Tessian.

“Cybercriminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it. It just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials. Businesses must make their people aware of how they could be targeted, especially when working remotely, and ensure they have the technology in place to prevent people falling for the scams.”

 In February 2020, the FCA was criticised for accidentally revealing personal information of about 1,600 people. It published names, addresses and phone numbers in a document on its website, in response to a previous request for data under the Freedom of Information Act.

Importantly, all known cyberattacks sent to the FCA were blocked, and over the course of the pandemic the FCA has regularly issued warnings about scam campaigns designed to trick individuals and businesses into leaking their confidential information, or send money to a wrong account.

“This is a worrying number of attacks on a government agency well equipped to protect itself. It suggests that the negative potential of spam and malware for the rest of us is massive,” said Donal Blaney, principal, Griffin Law.

“Obviously, we should all do as the FCA did here: ensure all devices are protected and be vigilant. Check and double-check before clicking, responding or providing personal data. On a larger scale, it’s time we went after the organised criminals behind this scourge on society. Phishing is not a victimless crime and we should be doing more to end it.”