Scammers have targeted NHS workers with more than 40,000 scam emails during the COVID-19 outbreak, according to new government figures.

Data from NHS Digital, obtained by the Parliament Street think tank under a Freedom of Information request, has revealed that revealed that doctors, nurses and support staff received a total of 43,108 scam emails since the start of the crisis in March.

The figures show that staff received 21,188 malicious emails at the start of the crisis, including spam and phishing emails sent to the official NHSmail reporting address.

The rate of scam emails has been steadily decreasing since the beginning of the crisis, with 8,085 reports in April, 5,883 in May and 6,468 in June, followed by 1,484 in the first half of July.

In June, NHS Digital said that more than a hundred NHSmail mailboxes were compromised. These were used to send malicious emails to external recipients. The phishing incident took place between 30 May and 1 June, compromising 113 mailboxes, according to the data.

In Merseyside, more than 45 different fake websites, emails and sender addresses were blocked. St Helens and Knowsley Hospitals NHS Trust issued a warning to staff about how phishing attacks have been used by criminals targeting changes to bank accounts that staff members have their salaries paid into, by impersonating employees in emails to HR and payroll.

In Birmingham, staff at Hockley Medical Practice issued a warning text message to thousands of patients amid fears of a potential cyber attack on patient records.
Commenting on the findings, Chris Ross, senior vice president at Barracuda Networks, said: “The NHS continues to play a critical role in the fight against COVID-19, yet unfortunately no organisation is safe from opportunistic cyber criminals, who will stop at nothing to steal confidential patient data.

“The wealth of personal and financial data stored in NHS inboxes is a goldmine to potential hackers, who will use email scams to trick doctors, nurses, and frontline workers inadvertently handing over private information.”

He added that recent research revealed that there has been a spike in cyber criminals using official email domains, such as Gmail and Yahoo, to bypass inbox defences and trick users into revealing personal details by impersonating a colleague, manager, or trusted partner.

“This is why it is essential that organisations, especially those that manage significant quantities of sensitive information invest in inbox defence software which leverages artificial intelligence to identify unusual senders and requests,” Ross concluded.

Share Story: