NHS reports fewer phishing emails in 2020

The NHS’ NHSmail service was bombarded with 137,476 malicious emails during the course of 2020, according to figures disclosed by NHS Digital under the Freedom of Information (FoI) Act. However, report volumes actually decreased across the year.

NHS Digital revealed that, in January 2020, 4,895 phishing emails were reported using its Phish Report button, and 24,460 other malicious email reports were received. These volumes remained high through to March, when it received reports of 5,749 phishing emails and 23,106 other malicious emails, before dropping dramatically.

In April, at the height of the pandemic’s first wave, NHS Digital received just 2,585 phishing reports and 8,483 other malicious emails. By December, as new Covid-19 variants began to wreak havoc, it received just 930 phishing reports and 3,452 other malicious emails.

Although the data – obtained by the Parliament Street think tank – may seem counterintuitive given the number of high-profile incidents targeting the healthcare sector during the Covid-19 pandemic, there are plausible scenarios that might explain this decline.

For example, it may be that given the intense pressure on the NHS, hard-pressed clinical staff simply do not have time to submit phishing reports. There may even have been a genuine decline in volumes of malicious emails – a number of cyber criminal gangs tried to curry favour during the pandemic by saying they would stop targeting healthcare organisations, although in most instances this turned out to be so much hot air.

Chris Ross, international senior vice-president at Barracuda Networks, said that whatever the true circumstances behind the data, the figures were still a reminder that cyber criminals still consider the healthcare sector fair game.

“Unfortunately, these scam emails are often incredibly realistic, lulling the victim into a false sense of security to hand over passwords, patient records and sensitive information by impersonating legitimate brands and even fellow employees,” he said.

“With the global pandemic putting a huge strain hard-working doctors, nurses, and clinical staff, it’s absolutely vital that email systems are properly protected from outsider threats, to block malicious emails before they reach the inbox.

“It is equally important for [NHS] Trusts to issue the necessary guidance about the risks associated with phishing attacks, so that staff are aware of the techniques associated used and can think twice before handing over important information to suspicious third parties,” said Ross.

Tanium’s chief IT architect for Europe, the Middle East and Africa (EMEA), Oliver Cronk, agreed: “Organisations must ensure that their employees have an adequate level of knowledge on common threats they should expect, especially with such a large amount of staff working remotely. At home, people can be faced with other distractions that they may not have in an office, causing their guard to drop on IT security.

“The technology aspect is also crucial. A key aspect of this is IT teams having awareness of what devices are connected to a corporate network. They will need to detect a phishing attack’s entry point and see how much of a system has been affected so that quick action can be taken to fix the issue. This means that even if a malicious link is clicked by an employee, there’s still a good chance that only minimal damage will be caused,” he added.