From the start of the COVID-19 health crisis in March to the first half of July, doctors, nurses and healthcare support staff in the NHS were hit by a total of 43,108 phishing emails. Obtained through a Freedom of Information request to NHS Digital, this data shows how the healthcare sector has become a preferred target for malicious actors. Together with last month’s article on ransomware, this piece aims to warn hospitals and health centres by analysing the most common cyber threat during the pandemic: phishing emails.
“They can smell your fear!”
Social engineering is “the science of using social interaction as a means to persuade an individual or an organisation to comply with a specific request from an attacker where either the social interaction, the persuasion or the request involves a computer-related entity”. Phishing attacks tend to rely heavily on these kinds of techniques.
In the first months of the COVID-19 pandemic, phishing was reported to have increased by 600%. Although they take various forms, phishing attacks share the common purpose of convincing individuals to give access to information – in most cases personal data – which creates opportunities for fraud both online and in the real world.
Over 43,000 emails
Since the data obtained from NHS Digital only covers emails that were reported to the official NHS mail reporting address (firstname.lastname@example.org), the actual number of attempted phishing attacks on the NHS is likely to be higher. The FOI request revealed that the vast majority of these emails arrived at the beginning of the crisis in March (over 20,000), decreasing in April (over 8,000) and May (over 5,000) before rising again in June (over 6,000). Nonetheless, it is unlikely that all of the recipients fell for the scams.
As an example, an NHS trust in the north-west recently issued warnings to staff about a phishing attack targeting their bank accounts. By impersonating HR and Payroll, malicious actors asked employees to click on links to verify their account details and ensure they received their payment.
Additionally, in June, 113 mailboxes on the NHS mail network were compromised through widespread credential-harvesting phishing attacks across the UK. An NHS Digital spokesperson reported that there was “no evidence to suggest that patient records have been accessed”.
3 easy tips to avoid scams
The experience of the NHS is a warning to all organisations, and there are three easy tips that any organisation can follow to support its employees and avoid falling victim to email scams:
- Do not click on links, download files or open attachments in emails from unknown senders. Emails from unknown senders are especially dangerous, so staff members should be trained to open attachments only when they are expecting that email. By simply hovering over a link with the mouse cursor, without clicking, you can always check where it actually leads.
- Look out for the “S” in “HTTPS”. By encrypting traffic between a browser and a website, “HTTPS” is the standard protocol for secure communication over a computer network. When the link you receive in an email uses plain “HTTP”, the website is insecure. Be careful: a website that uses HTTPS and appears to be legitimate is not automatically safe, since encryption says nothing about who runs the site. Tip #1 always applies.
- Check the grammar: scammers have no time for grammar. Misspellings are usually a distinctive feature of phishing emails. Staff should be vigilant and look out for out-of-context messages or simply anything that looks suspicious. For example, why would your bank address you with a generic “Dear Customer” when it is asking you for sensitive information?
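As an added example that is not part of the original article, the following Python script turns the three tips above into automated triage heuristics for a raw email: it extracts each link's real destination (what hovering would reveal) and compares it with the displayed text, flags plain-HTTP links, and looks for generic greetings, urgency phrasing and common misspellings. The sample message, its sender domain and the phrase lists are constructed for the demo and are assumptions, not data from the FOI request.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = b"""From: NHS Payroll <payroll@nhs-hr-update.example>
Subject: Verify your account details
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>To ensure you recieve your payment,
verify your account details at <a href="http://login.nhs-hr-update.example/verify">
https://www.nhs.uk/payroll</a> within 24 hours.</p></body></html>
"""  # constructed payroll-themed lure for the demo, not a real NHS message
SUSPICIOUS_PHRASES = {"generic greeting": ("dear customer", "dear user", "dear employee"),
                      "urgency phrase": ("verify your account", "within 24 hours", "will be suspended"),
                      "misspelling": ("recieve", "acount", "verfiy", "informations")}

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs: the real target versus what the reader sees.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw: bytes) -> list:
    """Return warnings for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    extractor = LinkExtractor()
    extractor.feed(text)  # a plain-text body simply yields no links
    warnings = []
    for href, shown in extractor.links:
        target = urlparse(href)
        if target.scheme == "http":  # tip 2: no "S" in the scheme
            warnings.append(f"insecure http link: {href}")
        if shown.startswith("http") and urlparse(shown).hostname != target.hostname:
            warnings.append(f"link text '{shown}' actually points to {target.hostname}")  # tip 1
    lowered = text.lower()  # tip 3: generic greeting, out-of-context urgency, misspellings
    for label, phrases in SUSPICIOUS_PHRASES.items():
        warnings += [f"{label}: {p}" for p in phrases if p in lowered]
    return warnings
```

Running `analyse(SAMPLE)` flags all three tips on the constructed lure; the heuristics are deliberately simple and are meant to support, not replace, a trained reader.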
According to Cybersecurity Ventures, cybercrime will soon overtake traditional crime in terms of both numbers and costs. Up from $3 trillion in 2015, cybercrime is estimated to cost the world $6 trillion annually by 2021. As COVID-19 continues to spread panic across the world, phishing attacks continue to rise, especially those targeting the healthcare sector.
Falling for a scam can be considered “human error”, yet members of staff are also the greatest resource employers have in the fight against cyber threats. By providing awareness-raising training through live lectures, videos and interactive material, our Trilateral Data Protection and Cyber Risk Team has developed and tested a methodology for addressing key security issues that works regardless of the audience’s level of technical expertise.