NHS ESR Spear Phishing Campaign
Summary
NHS Digital's Cyber Security Operations Centre has been closely monitoring a spear phishing campaign targeting NHS organisations in order to steal Electronic Staff Record (ESR) credentials.
Threat details
Users have received emails that claim to be from their Human Resources (HR) service, but are sent from accounts outside the NHS. These emails typically say that the user's salary has been increased and invite them to click a link to access related documents. When the user clicks on the link they are directed to a fake NHS ESR login page, which appears exactly the same as the actual login page except that it does not offer smartcard login.
The malicious emails are customised for each organisation they are sent to. They typically contain the organisation's logo and the phishing links include their website domain within the URL.
Remediation steps
Organisations are advised to block the following domain and email addresses on their local infrastructure:

Logs should be consulted to determine whether any users have accessed linkourschool[.]com. Affected account passwords should be reset, and affected users should be advised to reset their passwords on ESR.

Users should be advised to forward suspicious or spam emails as an attachment to [email protected] - step-by-step instructions can be found here.

A robust programme of education and awareness training should also be delivered to ensure that users do not open attachments or follow links within unsolicited emails.
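As an added example that is not part of the NHS Digital alert, the Python script below carries out the log check described above: it scans proxy log lines (constructed here, in an assumed space-separated format) for the phishing domain linkourschool[.]com and its subdomains, records which hits carry the organisation's own website domain inside the URL, as the alert says the phishing links do, and returns the accounts to queue for a password reset. The organisation domain example-trust.nhs.uk and the log layout are assumptions.

```python
"""Find users who reached the phishing domain named in the alert (added example)."""
from urllib.parse import unquote, urlsplit

# Indicator exactly as published in the alert, in defanged form.
PHISHING_DOMAIN = "linkourschool[.]com"

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <status>".
# This layout is an assumption, not a real proxy's export format.
SAMPLE_PROXY_LOG = """\
2020-02-12T09:14:02Z jsmith GET https://intranet.example-trust.nhs.uk/hr/payslips 200
2020-02-12T09:15:47Z jsmith GET https://linkourschool.com/example-trust.nhs.uk/esr/login 200
2020-02-12T09:16:10Z ajones GET https://esr.linkourschool.com/login?org=example-trust.nhs.uk 200
2020-02-12T09:20:33Z bwhite GET https://notlinkourschool.com/ 200
2020-02-12T10:02:11Z ckhan GET https://www.example-trust.nhs.uk/news 200
""".splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it.
    A bare substring search would also flag unrelated hosts like notlinkourschool.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_affected_users(log_lines, org_domain="example-trust.nhs.uk", indicator=PHISHING_DOMAIN):
    """Return {user: {"first_seen": ts, "org_branded": bool}} for every user who hit the domain.
    org_branded records whether the URL embedded the organisation's own domain, as the alert describes."""
    target = refang(indicator)
    affected = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of aborting the whole sweep
        ts, user, _method, url, _status = parts[:5]
        if not host_matches(urlsplit(url).hostname or "", target):
            continue
        branded = org_domain.lower() in unquote(url).lower()
        entry = affected.setdefault(user, {"first_seen": ts, "org_branded": False})
        entry["org_branded"] = entry["org_branded"] or branded
    return affected


def password_reset_list(affected: dict) -> list:
    """Accounts whose passwords (local and ESR) should be reset, sorted for the ticket."""
    return sorted(affected)


if __name__ == "__main__":
    hits = find_affected_users(SAMPLE_PROXY_LOG)
    for user in password_reset_list(hits):
        print(user, hits[user])
```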
Last edited: 14 February 2020 2:49 pm