Payment Diversion Fraud

Payment Diversion Fraud involves fraudsters creating false invoices or false requests for payment, or diverting legitimate payments, in order to defraud you or your organisation.

Social engineering is a significant part of the Payment Diversion Fraud process where cyber criminals pose as trusted and recognised entities and use a sense of authority and urgency to manipulate individuals and employees into making a bank transfer or providing confidential information.

One of the main types of Payment Diversion Fraud in the NHS usually targets staff within an organisation’s finance and procurement departments. The cybercriminal sends a member of staff an email which appears to come from a known supplier. The email requests that future payments for products or services are made to a new bank account and gives a reason for the change. The new account is under the control of the cybercriminal, and any funds paid into it will be lost.

In the year to September 2020 there were 61 attempts of Payment Diversion Fraud against the NHS, of which 9 were successful, resulting in losses of £1.5 million.

In July 2020, an NHS Trust was defrauded of £375,000 by fraudsters impersonating a construction company that had recently undertaken work for them. The Trust received a spoofed email (two letters had been switched in the domain part of the email) purporting to be the office manager of the construction company and stating that the company’s account details had changed. This led to three payments being made into two different bank accounts.
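The spoofed domain in the case above differed from the real one by a single pair of swapped letters. As an added example (not from the original page or from the NHS Counter Fraud Authority), the check below flags sender addresses whose domain matches a known supplier domain except for one adjacent-letter swap; the supplier domains and sample addresses are constructed placeholders.

```python
"""Flag sender addresses whose domain is a one-swap lookalike of a known supplier domain."""

# Constructed list of trusted supplier domains (placeholders, not real suppliers).
KNOWN_SUPPLIER_DOMAINS = {"example-construction.co.uk", "buildcorp-example.com"}


def is_adjacent_transposition(candidate: str, reference: str) -> bool:
    """True if candidate equals reference with exactly one pair of adjacent letters swapped."""
    if len(candidate) != len(reference) or candidate == reference:
        return False
    diffs = [i for i, (a, b) in enumerate(zip(candidate, reference)) if a != b]
    # A single adjacent swap changes exactly two neighbouring positions.
    if len(diffs) != 2 or diffs[1] != diffs[0] + 1:
        return False
    i = diffs[0]
    return candidate[i] == reference[i + 1] and candidate[i + 1] == reference[i]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    return domain if sep and local and domain else ""


def check_sender(address: str) -> str:
    """Classify a sender as 'known', 'lookalike:<supplier>', 'unknown' or 'malformed'."""
    domain = sender_domain(address)
    if not domain:
        return "malformed"
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return "known"
    for supplier in sorted(KNOWN_SUPPLIER_DOMAINS):
        if is_adjacent_transposition(domain, supplier):
            # Worth a manual call-back to the supplier on a known-good number
            # before any bank-detail change from this sender is actioned.
            return f"lookalike:{supplier}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: genuine, two-letter swap, unrelated, malformed.
    for addr in ("office@example-construction.co.uk",
                 "office@exapmle-construction.co.uk",
                 "accounts@unrelated-example.org",
                 "no-at-sign"):
        print(f"{addr:40} -> {check_sender(addr)}")
```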

A recently identified Salary Diversion Fraud attack on the NHS involved cyber criminals sending a phishing email to target a staff member directly as opposed to the organisation’s payroll department. The attack can be broken down into the three stages of the cyber fraud lifecycle.

Cyber-attack phase

A malicious phishing email was received by an NHS employee indicating that something in their Electronic Staff Record (ESR) account required their attention; in other cases emails have included a false incentive, such as a notification of a pay rise. The sender’s email address appeared to be genuine, but it was mimicking the email address of a genuine colleague known to the recipient. The email contained a link to a website which appeared to be the genuine NHS ESR log-on page. However, the link directed the staff member to a malicious website on which a copy of the ESR log-on page had been created. When the staff member entered their log-on details, believing they were using the genuine ESR website, the malicious website allowed the fraudster to obtain the staff member’s username and password.

Data exploitation phase

Once access to the staff member’s ESR account was obtained, the cybercriminal was able to access personal information relating to the staff member, such as their national insurance number, date of birth, home address, email address, phone numbers and emergency contact details.

Cash out phase

Having accessed the staff member’s ESR account, the cybercriminal was able to change the bank account details, diverting the employee’s salary into an account controlled by the criminal before the crime could be detected and stopped.

Responding to Payment Diversion Fraud

  • If you believe you might have revealed sensitive information about your organisation, report it to the appropriate people within the organisation, including network administrators. They can then be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplained charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
