Payment Diversion Fraud

Payment Diversion Fraud involves fraudsters creating false invoices or false request for payment, or the diversion of payments in order to defraud you or your organisation.

Social engineering is a significant part of the Payment Diversion Fraud process where cyber criminals pose as trusted and recognised entities and use a sense of authority and urgency to manipulate individuals and employees into making a bank transfer or providing confidential information.

One of the main types of Payment Diversion Fraud in the NHS usually targets staff within an organisation’s finance and procurement departments. An email which appears to come from a known supplier is sent by the cyber-criminal to a member of staff. The email will request that future payments for products or services are made to a new bank account and will give a reason for the account change. The new account will be under the control of the cybercriminal and any funds paid into it will be lost.

In the year to September 2020 there were 61 attempts of Payment Diversion Fraud against the NHS of which 9 were successful resulting in losses of £1.5 million.

In July 2020, an NHS Trust was defrauded of £375,000 by fraudsters impersonating a construction company that had recently undertaken work for them. The Trust received a spoofed email (two letters had been switched in the domain part of the email) purporting to be the office manager of the construction company and stating that the company’s account details had changed. This led to three payments being made into two different bank accounts.

A recently identified Salary Diversion Fraud attack on the NHS involved cyber criminals sending a phishing email to target a staff member directly as opposed to the organisation’s payroll department. The attack can be broken down into the three stages of the cyber fraud lifecycle.

Cyber-attack phase

A malicious phishing email was received by an NHS employee indicating that something in their Electronic Staff Record (ESR) account required their attention, in other cases emails have included a false incentive such as a notification of a pay rise. The sender’s email address appeared to be genuine, however they were mimicking a genuine colleagues email address who they knew. The email contained a link to a website which appeared to be the genuine NHS ESR log on page. However, the link directed the staff member to a malicious website where, what appeared to be a genuine ESR logon page had been created. When the staff member entered their log on details, believing they are using the genuine ESR website, the malicious website allowed the fraudster to obtain the staff member’s username and password.

Data exploitation phase

Once access to the staff member’s ESR account was obtained, the cybercriminal was able to access personal information relating to the staff member, such as their national insurance number, date of birth, home address, email address, phone numbers and emergency contact details.

Cash out phase

Having accessed the staff members ESR account, the cybercriminal was able to change the bank account details, diverting the employee’s salary into an account controlled by the criminal before the crime could be detected and stopped.

Responding to Payment Diversion Fraud

  • If you believe you might have revealed sensitive information about your organisation, report it to the appropriate people within the organisation, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!