Cyber threats target NHS staff

Urgent message from NHS SBS

There have been two ESR alerts that NHS SBS wanted to bring to your attention: alerts 1257 and 1243. Both concern the recent incidents of phishing emails targeting NHS employees in order to steal Electronic Staff Record (ESR) credentials and redirect pay to accounts controlled by the ‘threat actor’ (someone who conducts malicious activities against enterprises).

Users have received emails that claim to be from their Human Resources (HR) service, but are sent from accounts outside the NHS. These emails typically say that the ‘user’s salary has been increased’ and invite them to click a link to access related documents. When the user clicks on the link, they are directed to a fake NHS ESR login page. This looks exactly the same as the actual login page, except that it does not offer smartcard login.

The malicious emails are customised for each organisation they are sent to. They typically contain the organisation’s logo and the phishing links include their website domain within the URL (web address).

Example email subject lines:

  • August Salary Details
  • Salary Raise Confirmation
  • Salary Review Letter
  • Update Bank Details

Could you please bring this information to the attention of your staff in order to try to reduce the incidence of this type of fraud.

If you have any queries regarding this message, please contact Payroll.

This message was received from NHS SBS.
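
A mail filter can check for the indicators the alert describes: an HR-themed email from a sender outside the NHS, the listed subject lines, and links that embed the organisation's domain in a URL hosted elsewhere. The following is an added example, not part of the NHS SBS message; the trusted mail suffixes, the `exampletrust.nhs.uk` domain and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions, not from the alert: trusted mail suffixes and a hypothetical trust domain.
TRUSTED_MAIL_SUFFIXES = ("nhs.net", "nhs.uk")
ORG_WEB_DOMAIN = "exampletrust.nhs.uk"
# Subject lines listed in the alert; "August" is widened to any single word.
SUBJECT_RE = re.compile(r"\b(\w+ salary details|salary raise confirmation|"
                        r"salary review letter|update bank details)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def lookalike_links(body, org_domain=ORG_WEB_DOMAIN):
    """URLs that contain the organisation's domain but are hosted elsewhere."""
    return [u for u in URL_RE.findall(body)
            if org_domain in u.lower()
            and not in_domain(urlsplit(u).hostname or "", org_domain)]

def score_message(raw):
    """Return the alert's indicators that one RFC 5322 message matches."""
    msg = message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not any(in_domain(sender, s) for s in TRUSTED_MAIL_SUFFIXES):
        reasons.append("external-sender")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("salary-lure-subject")
    body = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if not p.is_multipart())
    if lookalike_links(body):
        reasons.append("org-domain-in-foreign-url")
    return reasons

# Constructed sample messages (not real traffic); .example hosts are placeholders.
PHISH = ("From: HR Service <hr@payroll-notice.example>\n"
         "Subject: Salary Raise Confirmation\n\n"
         "Your salary has been increased. View the letter: "
         "https://exampletrust.nhs.uk.esr-docs.example/login\n")
LEGIT = ("From: Payroll <payroll@exampletrust.nhs.uk>\n"
         "Subject: Payslip available\n\n"
         "Log in via https://www.exampletrust.nhs.uk/staff as usual.\n")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, score_message(raw))
```

The hostname comparison is what separates a genuine organisation link from one that only contains the organisation's domain as a label or path segment; a plain substring match on the URL would treat both as trusted.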
