A Freedom of Information (FOI) request revealed that over 43,000 National Health Service (NHS) staff have had phishing emails slip through the cracks and into their inboxes in the past few months, as they battle to save patients infected with COVID-19. Think tank Parliament Street asked NHS Digital for data on spam and phishing emails for the time period from March through July 14th.
A spokesperson confirmed to Infosecurity Magazine that the 43k figure includes only user reports of malicious and scam messages in their inbox, so the actual total is likely much higher. If that number is correct, it looks like NHS Digital mail filters currently allowing a significant volume of phishing threats to reach user inboxes at a time when the health service is under extreme strain due to the pandemic.
The FOI request revealed a total of 43,108 reports of phishing emails made by its users including doctors, nurses and other NHS staff during the period. The vast majority came from March (21,188) at the height of the crisis, with fewer reports in April (8085), May (5883) and June (6468), and just 1484 in the first half of July.
COVID-19 related cybersecurity threats have been a major issue all throughout 2020. It's also a known fact that the healthcare industry has been a prime target for cybercriminals for years now. Healthcare records include personal, medical, and financial information, which is particularly lucrative on the dark web. The email inbox is an important first line of defense against cyber attacks.
Although the 43,108 individuals who actually reported the emails are unlikely to have fallen for the scams, it leaves the question of how many attacks went unreported that were successful. NHS Digital revealed in June that 113 known NHS inboxes were compromised in such attacks, though the end result wasn't clear.
In some cases, employee finances have been targeted in the attacks: one NHS trust in the northwest warned that criminals impersonated employees in emails to HR and Payroll staff (a very common tactic), with the goal of getting them to change their banking account numbers and collecting the data.
Neil Bennett, CISO at NHS Digital, said the increase in reporting showed that NHS staff were "taking seriously their responsibilities to keep information safe".
Bennett said: "This is an unprecedented time for the NHS, including the cybersecurity and IT teams who are continuing to work hard in all NHS organisations to keep patient data and systems secure to support the delivery of safe patient care.
"As part of NHS Digital's cybersecurity operations, we collaborate with all areas of the system to ensure they are aware of potential threats. This includes highlighting the need for staff to report suspicious emails by raising awareness through our Keep I.T. Confidential campaign."
According to ZDNet, Bennett also said that NHS Digital had published additional advice and guidance for NHS staff around cybersecurity best practices while working remotely. Hopefully that includes a healthy dose of new-school security awareness training. Users that go through training and simulated phishing on a regular basis are better prepared for when (not if) a malicious phishing email reaches their Inbox. This training helps users understand the need for vigilance when interacting with potentially harmful emails and educates them on how to identify suspicious or malicious content that may be the starting point for an attack.