Tony Baggett -

BBC blasted with millions of malicious emails

Responding to an FoI request, the BBC has revealed it receives more than 300,000 malicious email attacks every day

Email inboxes belonging to the BBC were bombarded by about 50 million malicious email attacks between 1 October 2021 and January 2022, at an average rate of 383,278 a day and up 35% on the summer of 2020.

The corporation revealed the figures in response to a request made by the Parliament Street think-tank under the Freedom of Information Act (FoI). They paint a picture of an organisation under near-constant cyber attack, with 70,589 emails proactively identified as being laced with malware, and 291,042 of them phishing attempts.

As a high-profile media organisation, many BBC email addresses are in the public domain and will have inevitably been scraped into databases used for malicious purposes. The corporation’s news reporting probably leaves it vulnerable to interference from hostile nation states, and it is also highly likely that a not-insignificant number of these attacks will have originated from disgruntled viewers.

“The BBC especially is an attractive target for cyber criminals who are looking to steal information and harvest those all-important credentials,” said Tim Sadler, CEO and co-founder of Tessian.

“There have been a number of cases where threat actors have targeted journalists in phishing campaigns in attempts to steal login credentials, so that they can take over the account and pose as the journalist in emails to other companies.

“Under the guise of the journalist, cyber criminals can trick their new targets into sharing information or downloading malware. This is a sophisticated form of spear phishing, and the threats can be difficult to spot.”

Edward Blake, EMEA VP at Absolute Software, added: “The BBC not only ticks the right boxes for being a good target for cyber criminals, but it is also responsible for tens of thousands of employees, and even more endpoint devices. All it takes is for one well-placed cyber attack to land, before the extremely sensitive information, or even the operational capacity, of an organisation like the BBC is put at risk. 

“This is why it is imperative that businesses adopt endpoint security, which is self-healing and leverages AI [artificial intelligence] technology, as well as a zero-trust approach to verify that all users are who they say they are when accessing certain applications and files. This is key to preventing malicious actors from moving laterally across a network and stopping costly data loss incidents.”

Read more about email security

Besides the BBC’s status as a big media fish, the attack volumes also probably reflect generalised trends in cyber incidents, notably more employees working remotely through the pandemic, which has induced criminal gangs to target home workers who are without the safety of their employer’s main network.

There are also likely seasonal trends in play in the data, said Sadler, who added that email threats to organisations have a natural tendency to increase in the weeks leading up to the Christmas holidays.

“Targeting employees during the busy holiday period is a tried-and-tested tactic used by cyber criminals, who are betting on the fact that people will be busier and more distracted during this time,” he said.

Data compiled by Tessian reveal that, in fact, the majority of malicious emails are sent in October, November and December.

“As the number of email attacks continues to rise year on year, and spikes during busy periods, organisations must find ways to alert employees to potential phishing attacks,” said Sadler. “Staff must also be regularly educated on the threats they could be exposed to and made aware of what they need to do should they receive one.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management