NHS ESR Spear Phishing Campaign

NHS Digital's Cyber Security Operations Centre has been closely monitoring a spear phishing campaign targeting NHS organisations in order to steal Electronic Staff Record (ESR) credentials.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk


Threat details

Users have received emails that claim to be from their Human Resources (HR) service, but are sent from accounts outside the NHS. These emails typically say that the user's salary has been increased and invite them to click a link to access related documents. When the user clicks on the link they are directed to a fake NHS ESR login page, which appears exactly the same as the actual login page except that it does not offer smartcard login.

The malicious emails are customised for each organisation they are sent to. They typically contain the organisation's logo and the phishing links include their website domain within the URL.


Remediation steps

Organisations are advised to block the following domain and email addresses on their local infrastructure:

  • linkourschool[.]com
  • karnishpuoma1@gmail[.]com
  • belton@alwaysmoney[.]com
  • lisa@belvito[.]com

Logs should be consulted to determine whether any users have accessed linkourschool[.]com. Affected account passwords should be reset and affected users advised to reset their passwords on ESR.

Users should be advised to forward suspicious or spam emails as an attachment to spamreports@nhs.net - step-by-step instructions can be found here. A robust program of education and awareness training should also be delivered to ensure that users don't open attachments or follow links within unsolicited emails.
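One way to carry out the log check described above, as an added example that is not NHS Digital's tooling: a Python sweep over constructed proxy and mail-gateway log lines that returns the accounts whose traffic reached the phishing domain (to be reset) and the mailboxes that received mail from the listed sender addresses (to be warned). The log layouts, user names and the examplenhs.nhs.uk domain are assumptions; the indicators are the ones listed above.

```python
import re

def refang(ioc):
    """Turn a defanged indicator such as "x[.]com" back into a matchable string."""
    return ioc.replace("[.]", ".").lower()

# Indicators from the advisory above.
PHISHING_DOMAIN = refang("linkourschool[.]com")
PHISHING_SENDERS = {refang(s) for s in (
    "karnishpuoma1@gmail[.]com", "belton@alwaysmoney[.]com", "lisa@belvito[.]com")}

# Assumed log layouts (constructed for this example, not a real product's format):
#   proxy: "<timestamp> <user> <method> <url> <status>"
#   mail:  "<timestamp> from=<addr> to=<addr>"
PROXY_RE = re.compile(r"^\S+ (?P<user>\S+) \S+ (?P<url>\S+) \d{3}$")
MAIL_RE = re.compile(r"^\S+ from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")

def host_of(url):
    """Hostname of a URL: drop scheme, path/query, userinfo and port."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return rest.split("/", 1)[0].split("@")[-1].split(":", 1)[0].lower()

def on_phishing_domain(url):
    """True only if the URL's host is the phishing domain or one of its subdomains.
    The campaign embeds the target organisation's own domain in the link, so a plain
    substring match would flag an internal page that merely mentions the domain."""
    host = host_of(url)
    return host == PHISHING_DOMAIN or host.endswith("." + PHISHING_DOMAIN)

def users_to_reset(proxy_lines):
    """Accounts whose proxy traffic reached the fake ESR login page."""
    return {m["user"] for m in map(PROXY_RE.match, proxy_lines)
            if m and on_phishing_domain(m["url"])}

def recipients_to_warn(mail_lines):
    """Mailboxes that received mail from any of the listed sender addresses."""
    return {m["rcpt"].lower() for m in map(MAIL_RE.match, mail_lines)
            if m and m["sender"].lower() in PHISHING_SENDERS}

# Constructed sample lines: two real hits, one internal page that only mentions the domain.
SAMPLE_PROXY = [
    "2020-02-12T09:01:02 jsmith GET http://linkourschool.com/examplenhs.nhs.uk/esr/login 200",
    "2020-02-12T09:05:10 akhan GET https://examplenhs.nhs.uk.linkourschool.com:443/esr 200",
    "2020-02-12T09:07:44 bwong GET https://intranet.examplenhs.nhs.uk/search?q=linkourschool.com 200",
]
SAMPLE_MAIL = [
    "2020-02-12T08:55:00 from=<karnishpuoma1@gmail.com> to=<jsmith@examplenhs.nhs.uk>",
    "2020-02-12T08:56:00 from=<hr@examplenhs.nhs.uk> to=<bwong@examplenhs.nhs.uk>",
]
```

Running `users_to_reset(SAMPLE_PROXY)` returns jsmith and akhan but not bwong, whose request only carried the domain in a query string.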


Last edited: 14 February 2020 2:49 pm