Social engineering is a significant part of the Payment Diversion Fraud process where cyber criminals pose as trusted and recognised entities and use a sense of authority and urgency to manipulate individuals and employees into making a bank transfer or providing confidential information.
One of the main types of Payment Diversion Fraud in the NHS usually targets staff within an organisation’s finance and procurement departments. An email which appears to come from a known supplier is sent by the cybercriminal to a member of staff. The email requests that future payments for products or services are made to a new bank account and gives a reason for the account change. The new account is under the control of the cybercriminal, and any funds paid into it will be lost.
In the year to September 2020 there were 61 attempts of Payment Diversion Fraud against the NHS of which 9 were successful resulting in losses of £1.5 million.
In July 2020, an NHS Trust was defrauded of £375,000 by fraudsters impersonating a construction company that had recently undertaken work for them. The Trust received a spoofed email (two letters had been switched in the domain part of the email) purporting to be the office manager of the construction company and stating that the company’s account details had changed. This led to three payments being made into two different bank accounts.
A recently identified Salary Diversion Fraud attack on the NHS involved cyber criminals sending a phishing email to target a staff member directly as opposed to the organisation’s payroll department. The attack can be broken down into the three stages of the cyber fraud lifecycle.
Responding to Payment Diversion Fraud
- If you believe you might have revealed sensitive information about your organisation, report it to the appropriate people within the organisation, including network administrators. They can then be alert to any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Be suspicious of unsolicited email messages which should always be checked to verify accuracy.
- Don’t click on the links or attachments in suspicious emails, and never respond to unsolicited emails that ask for your personal or financial details.
- Be vigilant for email addresses that appear to be from an NHS organisation or a known supplier but are slightly altered.
- Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Always verify details of any new / amended payment instructions verbally by using details held on file, and not on the instruction. Fraudsters can spoof email addresses to make them appear to be from a genuine contact, including someone from your own organisation.
- If you are suspicious about a request made by phone, ask the caller if you can call them back on a trusted number. Fraudsters will attempt to pressure you into making mistakes — take the pressure off by taking control of the situation.
- Look carefully at every invoice and compare it to previous invoices received that you know to be genuine, particularly the bank account details, wording used and the company logo.
- Watch for other signs of identity theft.