NHS Phishing Attacks

Over 100 Internal Email Accounts Hijacked

In a statement, NHS Digital has revealed an incident in which 113 internal email accounts were compromised and used to send malicious communication outside of the health service.

Occurring between Saturday May 30th and Monday June 1st, this NHS phishing attack affected just 0.008% of the 1.41 million accounts in the network.

A Global Phishing Campaign

A spokesperson for NHS Digital has stated: “There is currently no evidence to suggest that patient records have been accessed.

“We are working closely with the National Cyber Security Centre, who are investigating a widespread phishing campaign against a broad range of organisations across the UK. This has affected a very small proportion of NHS email accounts.”

The statement also noted that the issue is being thoroughly investigated, and that precautions, such as password changes for vulnerable or affected accounts, are being taken with immediate effect.

Credential Harvesting

Despite a significant number of targeted phishing campaigns exploiting the current Covid-19 pandemic, the UK health service has stated that this NHS phishing attack is not part of a targeted cyber-attack, but rather “a global phishing campaign designed to cast a wide net”.

With the National Cyber Security Centre (NCSC) confirming that this NHS phishing attack is part of a global credential-harvesting phishing campaign that is affecting a variety of organisations across the UK, all NHSmail accounts will continue to be closely monitored.

Protecting Against Phishing Attacks

Though all phishing attacks should be treated with due concern, it is worth noting that in the last twelve months NHSmail accounts have seen a 94% decrease in received phishing emails, following a range of steps taken in line with NCSC guidelines. This emphasises once again the importance of proactive phishing defence.

Along with the NCSC’s recommendations, which included turning off legacy authentication protocols when using Office 365, enforcing a strong password policy, and enabling multi-factor authentication (MFA), there are plenty of steps that can be taken to help protect your organisation from phishing attacks. To find out more about methods of recognising phishing attacks and improving your information security, check out our latest piece: 4 Ways of Recognising Phishing Attacks in 2020.
