
Ofwat, the water services regulator for England and Wales, has revealed that it has received over 20,000 spam and phishing emails so far this year.

The Water Services Regulation Authority (better known as Ofwat), which is the government department responsible for regulating the privatised water and sewage industry in England and Wales, said it had received 21,486 malicious emails so far this year – with 5,149 classified as phishing attacks.

At first glance that sounds pretty bad for such a short period of time, especially when you consider that Ofwat only employs 266 people. But is it?

Dig a little deeper into the story published in Computing and you discover that Ofwat says that it successfully blocked all 21,486 of the malicious emails.

In other words, the number could have been 10 or even 100 times larger and it wouldn’t really have been much of an issue. After all, who really cares just how much email your servers are receiving (within reason!) if your security solution running at the email gateway is correctly junking the messages before they bother any users?

If anything, I find the claim that 100% of all spam and phishing emails were blocked a little too good to be true.

Ofwat’s email statistics were uncovered following a Freedom of Information (FOI) request by the Parliament Street think tank. My hunch is that when asked to reveal how many phishing emails and spam emails they had received, they simply went to their email gateway logs and collected the data from their anti-spam filter.

That would, of course, tell you how many spam and phishing emails it had correctly detected and blocked. But it wouldn’t tell you how much malicious email the anti-spam filter had missed, and which had successfully waltzed its way through to a user’s inbox.

Knowing how much unwanted email has been successfully detected and blocked at the gateway might help you try to determine if there is a trend, but it doesn’t tell you how much is getting through.

And it is the malicious emails that make it through to the user which are, of course, the biggest concern. Are we really to believe that no-one at Ofwat has received a spam message or phishing email in their inbox so far this year? I would find that extraordinary if true.

Understanding the true level of the problem is important, of course, as it helps organisations determine whether they are putting enough resources into cybersecurity, and whether existing measures are working successfully.

And it’s particularly important when the public faces headlines from the NCSC about the need to secure smart cities, and defend critical public services – such as water – from the threat of cyber attack.

In that context it might be easy for the general public in England and Wales to worry about the tens of thousands of malicious emails they hear are flooding into the water regulator. But don’t forget that Ofwat doesn’t actually control any water systems – it just regulates the water industry.

Of course, a malicious hacker who managed to penetrate Ofwat’s computer network and pose as an Ofwat employee might be able to then send malicious emails to companies which work in the industry, which might have access to such critical systems. But that is one further step removed.

In short, I’m not sure whether we should be pleased or not about the statistics gathered from Ofwat’s response to the FOI request, as it feels like we’re not getting a clear picture of what is really going on. The stats make a nice headline, but don’t really tell us anything.

The Parliament Street think tank has made headlines with its FOI requests in the past. For instance, earlier this year it revealed through a similar FOI request that NHS staff had been sent 137,476 unwanted emails (27,958 classified as phishing emails, and 109,491 suspected of being spam) during 2020.

With the NHS in England employing over one million people, I have to be skeptical as to whether those figures – just like those derived from Ofwat – are truly representative of the scale of the problem.

It is important for us to understand the scale of the problem facing national bodies such as Ofwat and the NHS, but simple counts of blocked emails muddy the waters.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
