Fraud alert: payment diversion fraud

Details from our local counter fraud specialist in response to reports of payment diversion fraud in which individual staff members, rather than Payroll, are targeted…

Summary and background

The staff member receives an email with a false incentive, such as being asked to log into ESR to accept a pay rise. The email contains a link to a website that looks identical to the NHS ESR login page; the only visible difference is the web address shown in the browser. The fake page collects the staff member's username and password. With these, the fraudster can log into the staff member's ESR account and change the bank account details to which salary is paid.

The fraudster can also change the victim's contact details held in ESR. If Payroll then sends a confirmation of the bank account change to the contact details on ESR, the message goes to the fraudster, who simply acknowledges the change. Confirmation of a bank detail change should therefore go to contact details that were on record before the change was made, or be obtained by phone on a number held elsewhere. Alternatively, the fraudster may already have obtained nhs.net login details through the same phishing attacks.

If the victim uses the same password for ESR as for their email, the fraudster also has access to the victim's email account. This can be used to receive verification messages for changes to other accounts, such as online shopping sites, and the personal data gathered may help a fraudster open new financial and retail accounts in the victim's name. An email account may also give a fraudster further material, such as:

  • online copies of utility bills to prove an address
  • copies of passports, which could be used as identification when opening online bank accounts.

The fraudster will also be able to see further information held in ESR about the victim, such as:

  • National Insurance number
  • Date of birth
  • Address
  • Email address
  • Phone numbers and emergency contact details.

If the victim is a line manager, the attacker also gains access to a limited set of personal information about their direct reports.

The Met Police (Cyber Team), the National Investigation Service, the National ESR team, NHS Digital and financial institution counter fraud teams are still investigating this ESR salary diversion fraud and how to prevent it in future.

Examples of phishing emails (what to look out for)

Example email 1
This notice is to inform all employee & staff of the current general upgrade of our server. This upgrade would help the organization to offer all eligible staff & employee their benefits, promotion and increment. All staff are hereby directed to re-validate their details in order to effect the new salary payment plan and increase in salary for the month of February through the new year 2020. Kindly click on the link NEWPAY to re-validate your payment information and also apply for salary increment and promotion. We sincerely apologise for all inconveniences that this may cause you.

Example email 2
All staff and employee are expected to verify their Data for the Month of February salary and staff benefits payment, Please kindly Click SecurePayroll and complete the required directive, failure to comply with this directive will lead to ommision of payment

The two emails above are recent examples of phishing messages. They show how easily fraudsters can create new sender addresses: the addresses change constantly, so blocking known addresses will not stop NHS staff being targeted now or in the future. All staff should therefore remain vigilant at all times, and should check the web address of any login page before entering their username and password.
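Since sender addresses cannot be blocked one by one, a more durable check looks at what the two examples above have in common: a link whose visible label hides a destination outside the organisation, combined with lure and pressure wording. The script below is an added illustration of that triage logic and is not NHS, ESR or counter-fraud tooling; the trusted-domain list, the lure phrase list and the three sample messages (with invented .invalid addresses, modelled on the emails quoted above) are all constructed assumptions. It also handles the lookalike-sender case, where a domain merely begins with "nhs.net".

```python
# Heuristic triage of suspected payroll-phishing emails. Added example for
# this page, not NHS, ESR or counter-fraud tooling; the trusted-domain list,
# lure phrases and sample messages are constructed assumptions.
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as its own.
TRUSTED_DOMAINS = ("nhs.uk", "nhs.net")
# Wording pattern of the two examples above: financial lure, pressure to act,
# demand to re-enter payment details.
LURE_PHRASES = ("salary increment", "increase in salary", "pay rise",
                "re-validate", "verify", "payment information",
                "bank details", "failure to comply", "directive")


def is_trusted(host: str) -> bool:
    """Exact or subdomain match only: 'nhs.net.evil.invalid' is NOT trusted."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_email: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "utf-8", "replace")
    findings = []

    # 1. Sender domain outside the organisation (lookalikes included).
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_host = m.group(1) if m else ""
    if not is_trusted(sender_host):
        findings.append(f"external sender domain: {sender_host or '?'}")

    # 2. Links to untrusted hosts; the visible text ("NEWPAY", "SecurePayroll")
    #    hides the real destination, so the href is what gets checked.
    parser = _LinkCollector()
    parser.feed(body)
    link_hit = False
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            link_hit = True
            findings.append(f"link '{text}' points at untrusted host {host}")

    # 3. Lure and pressure language.
    hits = [p for p in LURE_PHRASES if p in body.lower()]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))

    # The page's attack needs an external credential link plus a lure; a lone
    # external link or lure word is reported as a finding but not a verdict.
    return {"suspicious": link_hit and bool(hits), "findings": findings}


# Constructed samples modelled on the two emails quoted above; every address
# and host is invented (.invalid TLD).
SAMPLE_PHISH_1 = """\
From: HR Team <hr-upgrade@example-mailer.invalid>
Content-Type: text/html; charset=utf-8

<p>All staff are hereby directed to re-validate their details in order to effect the increase in salary.
Kindly click on the link <a href="http://esr-login.payroll-update.invalid/">NEWPAY</a> to re-validate your payment information.</p>
"""
SAMPLE_PHISH_2 = """\
From: Payroll Services <payroll@nhs.net.payroll-alerts.invalid>
Content-Type: text/html; charset=utf-8

<p>All staff are expected to verify their Data for the February salary. Please kindly click
<a href="https://secure-payroll.invalid/esr">SecurePayroll</a> and complete the required directive,
failure to comply with this directive will lead to ommision of payment.</p>
"""
SAMPLE_BENIGN = """\
From: Payroll <payroll@example.nhs.uk>
Content-Type: text/html; charset=utf-8

<p>This month's payslips are available. Log in through your usual bookmark for
<a href="https://esr.example.nhs.uk/">ESR</a> to view them.</p>
"""
```

Calling triage(SAMPLE_PHISH_1) flags the external sender, the NEWPAY link to an untrusted host and three lure phrases; the benign payslip notice produces no findings. The verdict deliberately requires both an untrusted link and lure wording, so a genuine internal email that happens to say "verify" is reported but not blocked, and the phrase list is the part a local team would tune to the wording of the campaigns it actually sees.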

Further advice and guidance

If you think you may have been targeted or have any concerns, please contact Eleni Gill our Lead Counter Fraud Manager on 07827 308906.
