NHS staff received over 137,000 malicious emails last year

The data is based on cases reported by NHS staff to NHS Digital using report buttons on email accounts.

Figures from NHS Digital (NHSD) have revealed that staff across the NHS received over 137,000 malicious emails in 2020.

Of the reported cases, doctors, nurses and admin staff were sent 27,958 suspected phishing emails targeting the NHSmail email service, designed to lure the recipient into handing over confidential data.

Additionally, health workers reported 109,491 suspected spam emails throughout the year.

The data shows that January 2020 was the highest month for combined phishing and spam emails - before the pandemic took hold - with 29,355 in total, made up of 4,895 phishing attempts and 24,460 spam reports.

The next highest month was the peak of UK lockdown restrictions in March, with 28,855 emails reported. But this was the peak month for potentially more damaging phishing - 5,749 phishing attacks and 23,106 spam reports.

The period from April to December saw a steady decline in the number of suspicious emails reported to NHS Digital, from 11,068 in April down to a yearly low of 4,382 in December.




Despite these lower figures, in June 2020 NHS Digital revealed that more than a hundred NHSmail mailboxes had been compromised and were sending malicious emails to external recipients.

Employees should follow their organisational guidance, where available, on how to report suspicious emails.

The National Cyber Security Centre (NCSC) has published advice on how to spot and deal with suspicious emails. Readers are reminded that suspicious emails can be reported to the NCSC using the Suspicious Email Reporting Service (SERS), and suspicious text messages can be reported to Short Code 7726.

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.