NHS targeted with over 40,000 phishing emails during Covid-19 outbreak

August 12, 2020

NHS staff have been hit with a total of 43,108 scam emails during the Covid-19 outbreak, according to official figures.

The data from NHS Digital, obtained by the Parliament Street think tank under Freedom of Information (FOI) legislation, revealed that doctors, nurses and support staff reported a staggering 21,188 malicious emails at the start of the crisis in March, including spam and phishing attacks to [email protected], the official NHSmail reporting address.

In April there were 8,085 reports, in May 5,883 and 6,468 in June, followed by 1,484 in the first half of July.

In June, NHS Digital said that more than a hundred NHSmail mailboxes had recently been compromised and used to send malicious emails to external recipients. The phishing incident took place between 30 May and 1 June, compromising 113 mailboxes.

In Merseyside, more than 45 different fake websites, emails and sender addresses were blocked, which is concerning as it is known that many more fake coronavirus phishing emails are still in circulation.

St Helens and Knowsley Hospitals NHS Trust issued a warning to staff that criminals have used phishing attacks to target changes to the bank accounts into which staff members have their salaries paid, by impersonating employees in emails to HR and Payroll.

In Birmingham, staff at Hockley Medical Practice issued a warning text message to thousands of patients amid fears of a potential cyber attack on patient records.

Cyber expert Andy Harcup, VP, Absolute Software said: “With many healthcare workers and back office support staff dispersed due to lockdown and social distancing restrictions, it’s no surprise that malicious hackers are seeking to cash-in on the Covid-19 crisis. Increasingly, we’re seeing a variety of sophisticated attacks targeting email inboxes of people working from home, often using personal devices that fraudsters believe are poorly protected.”

Harcup continued, “These figures are a reminder of the risks posed to the NHS by malicious cyber criminals and it’s essential that IT chiefs ensure the entire fleet of mobile devices in use are completely secure, with encryption turned on and the ability to wipe or freeze laptops in the event of theft or loss.”

Additionally, Chris Ross, SVP International, Barracuda Networks said: “The NHS continues to play a critical role in the fight against Covid-19, yet unfortunately no organisation is safe from opportunistic cyber criminals, who will stop at nothing to steal confidential patient data.

“The wealth of personal and financial data stored in NHS inboxes is a goldmine to potential hackers, who will use email scams to trick doctors, nurses, and frontline workers into inadvertently handing over private information.”

Ross continued, “Our recent research revealed that there has been a spike in cyber criminals using official email domains, such as Gmail and Yahoo, to bypass inbox defences and trick users into revealing personal details by impersonating a colleague, manager, or trusted partner. This is why it is essential that organisations, especially those that manage significant quantities of sensitive information, invest in inbox defence software which leverages artificial intelligence to identify unusual senders and requests.”