NHS Phishing Attacks

Over 100 Internal Email Accounts Hijacked

In a statement, NHS Digital has revealed an incident in which 113 internal email accounts were compromised and used to send malicious communication outside of the health service.

Occurring between Saturday May 30th and Monday June 1st, this NHS phishing attack affected just 0.008% of the 1.41 million accounts in the network.

A Global Phishing Campaign

A spokesperson for NHS Digital has stated: “There is currently no evidence to suggest that patient records have been accessed.

“We are working closely with the National Cyber Security Centre, who are investigating a widespread phishing campaign against a broad range of organisations across the UK. This has affected a very small proportion of NHS email accounts.”

The statement also noted that the issue is being thoroughly investigated, and that precautions, such as password changes for vulnerable or affected accounts, are being taken with immediate effect.

Credential Harvesting

Despite a significant number of targeted phishing campaigns exploiting the current Covid-19 pandemic, the UK health service has stated that this NHS phishing attack is not part of a targeted cyber-attack, but rather “a global phishing campaign designed to cast a wide net”.

With the National Cyber Security Centre (NCSC) confirming that this NHS phishing attack is part of a global credential-harvesting phishing campaign that is affecting a variety of organisations across the UK, all NHSmail accounts will continue to be closely monitored.

Protecting Against Phishing Attacks

Though all phishing attacks should be treated with due concern, it is worth noting that in the last twelve months, NHSmail accounts have seen a 94% decrease in received phishing emails following a range of steps taken in line with NCSC guidelines, emphasising once again the importance of proactive phishing defence.

Along with the NCSC’s recommendations, which included turning off legacy authentication protocols when using Office 365, a strong password policy, and multi-factor authentication (MFA), there are plenty of steps that can be taken to help protect your organisation from phishing attacks. To find out more about methods of recognising phishing attacks and improving your information security, check out our latest piece: 4 Ways of Recognising Phishing Attacks in 2020.

