Financial regulatory body bombarded with malicious emails

The Financial Conduct Authority (FCA) received 238,711 malicious emails during the final three months of 2020, averaging out at about 80,000 email attacks every month, according to figures just disclosed under the Freedom of Information Act (FoIA) and obtained by legal experts at Griffin Law.

The breakdown of emails blocked by the FCA’s systems from October to December 2020 revealed that 99% could be defined as spam, covering everything from unsolicited marketing and advertising emails, which are irritating but rarely dangerous, through to malicious phishing emails designed to compromise systems, exfiltrate data and compromise victims with malware and ransomware. The FCA data showed that it received 2,402 emails that potentially contained trojans, viruses, spyware, adware or worms.

“This is a worrying number of attacks on a government agency well equipped to protect itself,” said Griffin Law principal Donal Blaney. “It suggests that the negative potential of spam and malware for the rest of us is massive. Obviously, we should all do as the FCA did here – ensure all devices are protected and be vigilant. Check and double-check before clicking, responding or providing personal data. On a larger scale, it’s time we went after the organised criminals behind this scourge on society. Phishing is not a victimless crime and we should be doing more to end it.”

The highest volume of attempted attacks came in November 2020, when FCA systems blocked 84,723 malicious emails, 831 of them containing malware. It saw 81,799 malicious emails in October, with attempted malware attacks slightly higher at 1,003, and December saw 72,288 attempts, just 568 containing malware.

Tessian CEO Tim Sadler said the FCA’s data served to highlight the scale of the phishing problem. “Our own data showed an uptick in the number of social engineering and wire fraud scams in the last six months of 2020,” he said. “Why? Because it’s much easier to hack a human to hack an organisation than it is to hack a company’s software.

“Cyber criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it. It just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials.”

Sadler added: “Businesses must make their people aware of how they could be targeted, especially when working remotely, and ensure they have the technology in place to prevent people falling for the scams.”

It is important to note that all known cyber attacks sent to the organisation were successfully blocked by its systems, and there is no indication of wrongdoing or lax cyber security policies at the FCA.

However, the latest disclosure comes less than a year after the FCA found itself on the wrong side of a data breach story, after accidentally publishing the personal data – including names, addresses and phone numbers – of about 1,600 individuals while in the process of responding to a previous FoI request.

This incident, which included among its victims pro-Brexit campaigner Arron Banks, himself the subject of an Information Commissioner’s Office enforcement action for mishandling data, occurred as a result of human error.

Computer Weekly contacted the FCA for comment on the new statistics, but had not received a response at the time of writing.