Water regulator has handled more than 20,000 malicious emails in 2021

Malicious emails peaked in March

Ofwat, the water services regulator for England and Wales, has received over 20,000 spam and phishing emails so far in 2021, according to a Freedom of Information (FOI) request from thinktank Parliament Street.

The Water Services Regulation Authority (Ofwat) is the regulatory body for the privatised water and sewerage sectors in England and Wales. The main duty of this non-ministerial government department is to ensure that the firms it regulates provide good quality and efficient services to consumers at a fair price.

Ofwat said in its disclosure that it has received a total of 21,486 malicious emails so far this year, and that all those malicious emails were successfully blocked.

Of those emails, 5,149 were marked as phishing emails, while 16,337 were reported as spam mails.

Cyber criminals send phishing emails to trick potential victims into believing that the message has come from a legitimate source. Such messages often encourage users to either download an attachment or click a link.

Ofwat says it received the highest number of phishing emails (1,600) in March 2021, followed by 1,392 such mails in February. The same pattern held true for spam emails, with 4,769 received in March, and 4,116 in February.

Earlier this year, a different FOI request by Parliament Street revealed that 27,958 suspected phishing emails and 109,491 spam emails targeted the NHSmail service last year.

Commenting on the issue, Chris Ross, SVP International, Barracuda Networks, said: "Over the course of the pandemic, we've seen a huge rise in the volume and sophistication of malicious phishing emails designed to trick employees into handing over confidential data.

"These figures are another reminder of the risks these scams pose to critical national infrastructure, such as vital utilities and transport, with hackers seeking to disrupt services, steal personal financial data as well as holding organisations to ransom.

"Tackling this threat requires a concerted effort, both in terms of delivering the necessary cyber awareness training so that staff think twice before handing out critical information and having the right email protection systems in place to identify and quarantine suspicious emails before they reach the inbox of users."

The disclosure comes days after a warning from the UK's National Cyber Security Centre (NCSC) that smart cities in the country could be at risk of attacks from threat actors. Councils must be prepared for such situations.

'Some countries seek to obtain sensitive commercial and personal data from overseas, including from the UK,' NCSC's guidance for local authorities warned.

'They may also seek the potential to cause disruption to overseas services.'

'Suppliers that are part of corporate groups based in these countries may be subject to influence from those governments to access and exfiltrate data from UK-connected places, in support of those countries' security and intelligence services,' NCSC added.

NCSC released its fourth annual report on the Active Cyber Defence (ACD) programme this week, claiming that it took down more online scams last year than in the previous three years combined.

The ACD programme dealt with 122 NHS-related phishing campaigns in 2020, compared to 36 in 2019. Attackers used the Covid-19 vaccine rollout as a primary lure in their text and email messages to steal people's personal data for fraud.

NCSC's Suspicious Email Reporting Service received nearly 4 million reports of suspect emails from members of the public in 2020 alone, leading to the removal of nearly 26,000 scams that were not previously identified by the Takedown Service.