His Majesty’s Revenue and Customs (HMRC) has blocked more than 100 million malicious emails over the past three years, as the scale and sophistication of cyber threats facing UK government departments continues to escalate.
The figures, obtained through a Freedom of Information (FOI) request, reveal a sharp rise in attempted email attacks targeting HMRC systems, underlining the persistent risk to critical national infrastructure.
Between November 2021 and October 2022, HMRC blocked 23.7 million malicious emails. That figure rose sharply to 40.3 million between November 2022 and October 2023, and a further 40.9 million were blocked in the following 11 months, up to September 2024.
In total, 105 million malicious emails were intercepted by HMRC’s security systems over the three-year period.
A growing and relentless threat
Cybersecurity experts say the scale of attempted attacks demonstrates the relentless nature of cybercriminal activity and the need for a proactive, robust defence posture.
“These numbers show just how relentless cybercriminals are when it comes to targeting government institutions,” said Andy Ward, SVP International at Absolute Security.
“Email remains one of the primary routes into systems — whether via malware, phishing or spam designed to exploit vulnerabilities. Organisations need a strong cyber resilience strategy that includes real-time monitoring, advanced threat detection and the ability to isolate compromised systems swiftly.”
Ward added that as threats become more sophisticated, investment in both technology and expertise is more critical than ever to protect government operations.
Sawan Joshi, Group Director of Information Security at FDM Group, emphasised the importance of having a highly skilled workforce to complement cybersecurity tools.
“Protecting critical systems isn’t just about having the right tech in place,” he said.
“It’s also about ensuring staff have the skills to detect, respond and communicate cyber risks effectively. Upskilling and training are essential components of long-term cyber resilience.”
Despite its success in blocking attacks, HMRC has acknowledged that recent changes to its email security systems mean it can no longer categorise threats by type — such as phishing, malware or spam. Experts say this limits visibility into the evolving nature of cyber threats and could make strategic planning more difficult.
The warning comes amid broader concerns about cybersecurity across UK public services, with government departments increasingly targeted by hackers, criminals and state-backed actors looking to exploit weaknesses in digital systems.
With over 100 million attempted breaches already blocked, the latest data offers a stark reminder of the scale of the challenge — and the need for constant investment in defences, talent and resilience to stay one step ahead.
