NHS Phishing Attacks
Over 100 Internal Email Accounts Hijacked
In a statement, NHS Digital has revealed an incident in which 113 internal email accounts were compromised and used to send malicious communication outside of the health service.
Occurring between Saturday May 30th and Monday June 1st, this NHS phishing attack affected just 0.008% of the 1.41 million accounts in the network.
A Global Phishing Campaign
A spokesperson for NHS Digital has stated: “There is currently no evidence to suggest that patient records have been accessed.
“We are working closely with the National Cyber Security Centre, who are investigating a widespread phishing campaign against a broad range of organisations across the UK. This has affected a very small proportion of NHS email accounts.”
The statement also noted that the issue is being thoroughly investigated, and that precautions, such as vulnerable or affected accounts changing their passwords, are being taken with immediate effect.
Despite a significant number of targeted phishing campaigns exploiting the current Covid-19 pandemic, the UK health service has stated that this NHS phishing attack is not part of a targeted cyber-attack, but rather “a global phishing campaign designed to cast a wide net”.
With the National Cyber Security Centre (NCSC) confirming that this NHS phishing attack is part of a global credential-harvesting phishing campaign that is affecting a variety of organisations across the UK, all NHSmail accounts will continue to be closely monitored.
Protecting Against Phishing Attacks
Though all phishing attacks should be treated with due concern, it is worth noting that in the last twelve months NHSmail accounts have seen a 94% decrease in received phishing emails, following a range of steps taken in line with NCSC guidelines. This emphasises once again the importance of proactive phishing defence.
Along with the NCSC’s recommendations, which included turning off legacy authentication protocols when using Office 365, a strong password policy, and multi-factor authentication (MFA), there are plenty of steps that can be taken to help protect your organisation from phishing attacks. To find out more about methods of recognising phishing attacks and improving your information security, check out our latest piece: 4 Ways of Recognising Phishing Attacks in 2020.