London, April 12, 2025 – His Majesty’s Revenue and Customs (HMRC) has reported blocking more than 100 million malicious emails over the past three years, reflecting an alarming increase in cyber threats targeting UK government services.
The figures were revealed through a Freedom of Information (FOI) request, detailing the volume of malicious emails thwarted by HMRC from November 2021 to September 2024. The data indicates a significant surge in cyberattacks, with HMRC blocking 23,751,742 email attacks between November 2021 and October 2022. This number escalated to 40,346,532 from November 2022 to October 2023, and further increased to 40,903,820 blocked emails from November 2023 to September 2024. In total, HMRC has successfully blocked 105,002,094 emails during this period.
Andy Ward, Senior Vice President of International at Absolute Security, emphasized the relentless nature of cybercriminals targeting government institutions, stating, “Email remains one of the main ways attackers try to break into systems—whether through malware, spam or other tactics designed to exploit vulnerabilities.” He highlighted the importance of a robust cyber resilience strategy, which includes real-time monitoring, advanced threat detection, and rapid response capabilities.
Despite the increasing threats, HMRC has indicated that recent changes to its email security systems prevent it from categorizing email threats by type, such as phishing or malware. This technological shift complicates the assessment of evolving cyber risks faced by the department. Sawan Joshi, Group Director of Information Security at FDM Group, remarked on the necessity of robust security measures and a skilled workforce to combat these ongoing threats.
Joshi further noted that protecting critical systems requires not only the right technology but also adequately trained personnel. “Employees must be equipped with the necessary skills to not only detect and respond to threats but also to communicate risks effectively and strengthen business resilience,” he stated, underscoring the critical need for organizations to invest in cybersecurity training.
The substantial number of blocked emails illustrates the escalating cyber threats faced by HMRC and highlights the urgency for enhanced security measures and workforce training to safeguard UK government operations.
