Fraudulent email

Email Scams and Hoaxes

Phishing

Phishing is a particular type of email scam in which victims are targeted by messages that appear to come from genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something the victim may not be aware of.

Common types targeting NHS employees will warn of a problem or imminent lockdown of their NHS net email account, or a required update to ESR. The email will ask them to follow a link to log in and confirm or reset their settings. This link takes them to a fake website which will collect their logon details and password. With access to their email or ESR account and all the confidential information contained within, a fraudster can use their identity to commit fraud. They can also alter the bank details for future salary payments.

Never follow a link in an email – you do not know where it is taking you. If you want to access your NHS net or ESR account online (or any other website), always reach it via the known web address rather than following a link in an email.

Not everything is as it seems
Video shared with kind permission of the Metropolitan Police Service
With so much business being conducted online, strong cyber security is vital

Other emails contain falsely labelled attachments, which, if clicked, can download malicious software (malware) onto your computer. Be aware that scam e-mails and spoof websites can look completely authentic, but don’t be fooled. It could be a very expensive mistake.

Spear phishing is a more targeted version of this attack and is often directed at specific people or organisations as opposed to the more blanket campaigns associated with phishing.


CEO and Mandate Fraud

Some fraudsters will set up private email accounts in the names of NHS directors or managers and will then email the Finance team impersonating those directors or managers, asking for a financial transaction to be effected. Alternatively, a hacked account might be used. This is known as CEO Fraud. Often the phrase “I can’t speak right now – I am in a meeting” (or similar) is included to discourage a call-back check. Always ensure that such requests are properly and independently verified with the alleged sender and that your organisation’s Standing Financial Instructions (the financial rules governing the organisation) are always followed.

A variation on the theme is for the fraudster to impersonate a company that your organisation does business with. This could be by way of a hacked or spoof email, or may be a telephone call or a letter on a forged letterhead. The intention is to ask the Finance team to update the banking details for that company. If these details are changed, the next legitimate payment made to that company will actually be paid into the fraudster’s account and the money is lost. This is known as Mandate Fraud. Finance teams should have robust checking procedures whenever a change of banking details is requested.

It is easy to impersonate someone online
Video shared with kind permission of the NHSCFA

What to do if you receive a suspicious e-mail

Most potential hoaxes can be checked out in seconds simply by using the Internet. There are countless websites that will assist you in determining whether an e-mail is genuine. To locate one, type: “e mail hoax” and: “[a key word or two from the text of the mail]” into your search engine. Alternatively www.snopes.com can be a good website for checking known hoaxes*. If you are unable to check on the Internet, refer the matter to your IT specialist who will be able to offer advice.

If you receive one – simply move it directly to your recycle bin. You can also right click the email in your inbox and under ‘junk email’ you can block the sender’s I.P. address so they cannot contact you again. If the email is received by an NHS net account you can report the email to NHS Net at [email protected]. Fraudulent email can also be reported to the National Cyber Security Centre (NCSC) at [email protected].

*The Fraud and Security Management Service take no responsibility for the accuracy of content of any external website.

