NHS staff reported a wave of malicious emails at the height of the UK’s Covid-19 crisis in March and April 2020, according to Freedom of Information (FoI) data obtained by the Parliament Street think tank from NHS Digital.
The data revealed that 21,188 malicious emails were reported to the official NHSmail reporting address between 1 and 31 March 2020, and 8,085 during April, before beginning to taper off, with 5,883 reports in May, 6,468 in June, and 1,484 in the first two weeks of July.
Because the data comes from those emails that were reported, the true scale of email attacks on the NHS is almost certainly much higher.
Of particular concern, reported Parliament Street, were a number of payroll attacks in which NHS staff were lured into clicking a malicious link to verify their personal details in order to receive their salaries. At one point, it said, the St Helens and Knowsley Teaching Hospitals NHS Trust on Merseyside took the step of warning staff about scam emails in which attackers impersonated employees and asked HR and payroll departments to change the bank account details on file.
Absolute Software vice-president Andy Harcup said: “With many healthcare workers and back office support staff dispersed due to lockdown and social distancing restrictions, it’s no surprise that malicious hackers are seeking to cash in on the Covid-19 crisis.
“Increasingly, we’re seeing a variety of sophisticated attacks targeting email inboxes of people working from home, often using personal devices that fraudsters believe are poorly protected.
“These figures are a reminder of the risks posed to the NHS by malicious cyber criminals, and it’s essential that IT chiefs ensure the entire fleet of mobile devices in use is completely secure, with encryption turned on and the ability to wipe or freeze laptops in the event of theft or loss.”
Chris Ross, Barracuda Networks international senior vice-president, described the data stored in the average NHSmail inbox as a goldmine for cyber criminals, who were more than willing to trick stressed and overworked clinical staff into inadvertently handing over their own or patient data.
“Our recent research revealed that there has been a spike in cyber criminals using official email domains, such as Gmail and Yahoo, to bypass inbox defences and trick users into revealing personal details by impersonating a colleague, manager, or trusted partner.
“This is why it is essential that organisations, especially those that manage significant quantities of sensitive information, invest in inbox defence software which leverages artificial intelligence to identify unusual senders and requests,” he said.
Ross added that the NHS had done an excellent job in addressing its cyber security weaknesses in the wake of the devastating WannaCry incident three years ago, but said it was important that this newfound resilience was maintained.
Back in June, NHS Digital reported that more than 100 of its NHSmail accounts were compromised and used to send malicious emails to external recipients.
NHS Digital has been contacted for comment.