43,000+ NHS Staff Hit With Phishing Emails Since March
A Freedom of Information (FOI) request revealed that over 43,000 National Health Service (NHS) staff have had phishing emails slip through the cracks and into their inboxes in the past few months, as they battle to save patients infected with COVID-19. Think tank Parliament Street asked NHS Digital for data on spam and phishing emails for the time period from March through July 14th.
A spokesperson confirmed to Infosecurity Magazine that the 43k figure includes only user reports of malicious and scam messages in their inbox, so the actual total is likely much higher. If that number is correct, it looks like NHS Digital mail filters are currently allowing a significant volume of phishing threats to reach user inboxes at a time when the health service is under extreme strain due to the pandemic.
The FOI request revealed a total of 43,108 reports of phishing emails made by its users, including doctors, nurses and other NHS staff, during the period. The vast majority came from March (21,188) at the height of the crisis, with fewer reports in April (8085), May (5883) and June (6468), and just 1484 in the first half of July.
COVID-19 related cybersecurity threats have been a major issue throughout 2020. It’s also a known fact that the healthcare industry has been a prime target for cybercriminals for years now. Healthcare records include personal, medical, and financial information, which is particularly lucrative on the dark web. The email inbox is an important first line of defense against cyber attacks.
Although the 43,108 individuals who actually reported the emails are unlikely to have fallen for the scams, that leaves the question of how many successful attacks went unreported.
NHS Digital revealed in June that 113 known NHS inboxes were compromised in such attacks, though the end result wasn’t clear.
In some cases, employee finances have been targeted in the attacks: one NHS trust in the northwest warned that criminals impersonated employees in emails to HR and Payroll staff (a very common tactic), with the goal of getting them to change their banking account numbers and collecting the data.
Neil Bennett, CISO at NHS Digital, said the increase in reporting showed that NHS staff were “taking seriously their responsibilities to keep information safe”.