Royal Bank of Scotland owner targeted by 100 million cyber-attacks per month, MSPs told

NatWest bank – which owns the Royal Bank of Scotland – is in a “continuous arms race” to protect customers from more than 100 million cyber-attacks every month, a committee has been told.

Chris Ulliot, head of cyber security at NatWest, said millions of cybercriminals try to break through the bank’s defences regularly.

The company blocks around a third of all the emails it receives because “they are believed to be the start of an attack” against its staff, members of the Scottish Parliament's Criminal Justice Committee heard.

Ulliot said: “The result of that is that we have to make huge ongoing investments and [we’re] very fortunate as bank, I have resources that I can use to defend against that, but it’s hundreds of people, millions of pounds a year defending the bank and our customers’ money. But I am very alive to the fact that when I look to my customers and to other organisations across Scotland, they may not be able to make that scale of investment.”

Experts said the rise in cybercrime is “staggering” and urged the government to do more to fix the crisis.

In 2020 Police Scotland reported 7,710 cyber incidents, but that more than doubled in 2024, reaching 18,280. And Assistant Chief Constable Stuart Houston insisted the “underreporting is massive”, with the full number likely to be much higher.

Experts warned of the threat posed by AI, with fraudsters using the technology to “change their appearance in real time” in video calls or create fake documents that look “very realistic”.

Ulliot said: “The advances in technology are really enabling what were traditional crimes but in very new and very convincing ways, and that presents a set of problems that we are essentially in  a continuous arms race trying to protect the bank and our customers.”

The meeting comes at the back of a string of high-profile attacks across the UK. Three major British retailers were hit by cyber incidents earlier this month, costing millions in revenue, and last week two Scottish councils saw their school networks compromised.

Jude McCorry urged the government to increase its investment on cybersecurity, warning Scotland doesn’t have appropriate resilience in place.

She said: “If we had a level of two Sepa [Scottish Environment Protection Agency] attacks at the same time, we don’t have the people that we need to manage something like that. If we had four councils attacked in the last few weeks, we don’t have the people in any of the organisations that we need to do [manage] that.”

In 2020, Sepa had thousands of digital files stolen following a cyber-attack. It is considered one of Scotland’s worst cyber incidents ever.

McCorry continued: “We can’t depend on law enforcement down south to help us when there’s two attacks going on with Co-op and Marks & Spencer. We need to be able to stand on our own two feet up here and to be able to support these organisations when these attacks are happening.”

She pointed to officials setting up an umbrella cybersecurity organisation for councils to come together to overcome their tight budgets.

She said: “We’ve seen the councils announce budgetary cuts for everything in the last few months. There’s going to be millions probably added on now for the clean up operation after the cyber-attack in West Lothian, so it will have to be us as residents that will have to pay that or government.”

“Investment has to be there. There's a project going on with the local government digital office around trying to build an SOC [security operations centre] and cyber capability for all of the councils to come together, rather than people operating on separate budgets. That’s a real good way to go.

“If you read the report on the Sepa attack, a lot of people said ‘Sepa needs a SOC’. It’s very difficult for us to say that all public sector organisations should have security centres. There’s no budget there to do that… government need to get on board with what’s working, what technology is working, what support is working, testing the resilience… all that has to be mandated from a government perspective.”