This is the second issue of MIAA’s dedicated, regular series of frauds, scams and cyber-crime alerts related to the COVID-19 emergency. Please read this alert carefully and share it as widely as possible. This special alert series is intended to provide up-to-date information on scams and fraud threats, in whatever form, currently in circulation to help prevent NHS staff and organisations from falling victim.

Government text message scam On 30 March 2020, it was reported by Sky News and BBC News that fraudsters are attempting to use ‘smishing’ scams to exploit the COVID-19 situation. Individuals are understood to be receiving text messages from criminals impersonating the government (and banks or other trusted organisations), offering payments related to the Coronavirus outbreak or claiming to be issuing fines, with the malicious intention of obtaining personal or financial information or money.

On 24 March, the government began sending official text messages (SMS) to people urging them to stay at home as part of the measures to help combat the virus.

Within hours, a number of fake versions of the message began to circulate on social media, including one that told people that they had been fined for breaking the rules. This fake SMS message told the recipient that their movements had been monitored through their phone and that they must pay a fine or face a more severe penalty.

Another fake government SMS message informed the recipient that ‘it has come to our attention that you have been out of the house more than once. Due to this irresponsible behaviour, we are issuing a formal warning and a £250 fine’. Similar fake messages have been reported from ‘HMRC’, targeting the self-employed,

and from the ‘Local Authority’ offering residents the opportunity to claim £458 of Coronavirus aid by clicking on a link.

Action(s) to take: Individuals should be aware that, as of 8 April 2020, the Government has issued only one official text message (SMS) - all other messages will be fake. Individuals are advised not to respond to text messages or click on links contained in text messages from unknown sources. It is also unlikely that UK Government texts will request recipients to respond.

8 April 2020

www.miaa.nhs.uk @MIAANHS MIAA MIAA

ACTION REQUIREDMIAA recommends this alert is distributed to:

NHS STAFFfor

ACTION & AWARENESS

For further information or to report NHS Fraud contact:Ruth BarkerAnti-Fraud Specialist

07584 774 763

Ruth.barker@miaa.nhs.uk Ruth.Barker12@nhs.net

Coronavirus scams update

Coronavirus Special Edition

Information Alert 2 MIAA Anti-Fraud & Cyber Security Teams

No

Scams

If you are concerned that you are a victim of a cyber-crime or want to know how to improve your organisation’s cyber resilience, contact:Tony Cobain Assistant Director (Informatics)

07770 971 006 Tony.Cobain@miaa.nhs.uk

‘Helping hand’ door step scam On 3 April 2020, it was reported by BBC News that a 92 year old woman living in Oldham was tricked by thieves into believing that her neighbour had died of coronavirus so that they could raid her home. They knocked on her door, lied about the death and offered to clean her house, but instead they stole a purse, money and jewellery.

Action(s) to take: Be wary of all strangers who knock at the door. Do not open the door or allow them in to your home. The Local Government Association (LGA) advises anyone who is stuck without food or medical supplies, or lonely due to self-isolation, and who does not have any family or friends or neighbours that they know in the area, to contact their local council in the first instance. All official charity workers should carry appropriate ID. If in any doubt, individuals are advised to contact the relevant charity via their central telephone number to verify the identity of the individual or, if possible, a friend or neighbour to provide assistance.

Ransomware On 4 April 2020, Interpol issued a global warning that hospitals and medical services have become targets of ransomware attacks, designed to lock them out of their critical systems in an attempt to extort payments. Intended victims are understood to be receiving emails falsely claiming to contain government agency advice or information regarding coronavirus that encourage the recipient to click on an infected link or attachment.

Action(s) to take: Health organisations should ensure that their hardware and software are regularly kept up-to-date and that their essential files are backed up and stored separately from their main systems. Email systems should be secured to protect them from spam that could be infected. All systems and mobile devices should have the most up-to-date anti-virus software installed and running at all times. Strong and unique passwords should be used for all systems, and updated on a regular basis. Any concerns regarding health bodies’ cyber security provisions should be referred to MIAA’s Assistant Director (Informatics) - see page 1 for contact details.

Individuals should only open emails or download software and/or applications from trusted sources. Do not click on links or open attachments in emails that are not expected, or that come from an unknown sender. In particular, be suspicious of anything with an urgent tone that invites you to open an attachment or click on a link. Look out for poor grammar and spelling errors and emails that begin impersonally with ‘Dear Sir’ or ‘Dear Customer’. If in any doubt, phone the genuine company or person via an established or known number to verify. Above all, take your time and think before you click.

Supplies theft On 30 March 2020, it was reported by BBC News that a man dressed in doctor’s scrubs and wearing a stethoscope had attempted to gain entry to Bradford Royal Infirmary before running away after being challenged by a security guard for ID. It was speculated that the man was possibly attempting to steal supplies, or possibly drugs, and it was reported that there had already been thefts of surgical gowns, masks, protective equipment and sanitisers before the incident occurred.

On 8 April 2020, it was reported by Sky News that a man has been jailed for three months for stealing face masks from King’s College Hospital in London. Lerun Hussain, 34, was caught by security staff on 5 April stealing three surgical face masks, and subsequently arrested by the Police after being detained. He pleaded guilty to theft on 7 April at Croydon Magistrates’ Court.

Action(s) to take: With the influx of additional personnel to the NHS, don’t be afraid to challenge unfamiliar faces for their ID badges, particularly individuals in sensitive areas or around store rooms containing vital equipment, food or medical supplies. Challenging times can mean individuals may resort to desperate measures to get what they need. Health organisations are advised to review the robustness of their arrangements for the storage of supplies, including surgical gowns, masks, protective equipment and sanitisers, to mitigate against the increased risk of theft.

Whilst this period of uncertainty has witnessed an increase in Coronavirus-related fraud scams and threats, it is appropriate to acknowledge that vigilance against non-Coronavirus-related fraud scams and threats remains equally important as all fraudsters look to exploit the crisis.

HR and payroll bank mandate fraud incidents A health organisation and a payroll provider in the North West have recently fallen victim to phishing attacks by criminals targeting changes to bank accounts that staff members have their salaries paid into. In both incidents, HR and Payroll received emails from fraudsters pretending to be employees, requesting that the bank account details that their salary was paid into be changed. On both occasions, appropriate checks - in line with existing fraud prevention guidance - were not properly carried out by the organisations in question and the fraudulent bank account changes were actioned.

Action(s) to take: Health organisations, in conjunction with payroll providers, should run audit logs of bank account changes to identify any staff whose bank details have been changed to check this back with staff that the change was authorised by them and not the fraudster. Relevant staff who require sight of the appropriate fraud prevention guidance in this area should contact their Anti-Fraud Specialist.

Agreement of Balances code email scam A health organisation has recently reported receiving emails from a fraudster inviting the recipient to click on a link to access documents. The email address of the sender had been ‘socially engineered’ to display the Agreement of Balances (AoB) code ‘RFQ’ which is not part of the AoB contact list.

Action(s) to take: Individuals are advised to be aware of ‘social engineering’ techniques used by fraudsters to make fake emails look genuine, including the use of AoB codes in the sender email address, email signature and branding.

Fraud targeting via Social Media It has been reported that fraudsters may be harvesting information from social media in order to target people for fraud. A payroll officer recently reported receiving an email requesting a change to Direct Debit details from a fraudster. The recipient identified the fraudulent email because of anomalies in both the email sender’s address and the content of the email. The individual was targeted via their LinkedIn account; the sender of the e-mail viewed their profile the day before sending the fraudulent request.

There is currently a chain message circulating on Facebook where recipients are invited to answer a series of questions about themselves such as ‘What was your favourite teacher’s name?’ or ‘Who was your childhood best friend?’ and then forward the post on for their friends to answer. People should be warned that these types of questions are the same questions that are asked as security questions when setting up bank accounts and credit card accounts. Hackers are setting these posts up as “get to know each other better” games but their malicious intention is to harvest personal data and information that can later be used for fraudulent purposes, such as hacking individual’s accounts or opening new lines of credit in their name.

Action(s) to take: Individuals should be aware that the information that is added to LinkedIn and other social media accounts can be used by fraudsters to target them and their organisation. Individuals are advised to redact their accounts and/or adjust their privacy settings and

remain vigilant. Individuals are advised to refrain from posting personal information on chain messages that may later be used by fraudsters for unscrupulous purposes.

Other actions to take:

1. Report all suspicious and spam emails as an attachment to spamreports@nhs.net (click here for step-by-step instructions). Also, report any coronavirus-related attempted scams to your Anti-Fraud Specialist. All successful phishing attempts should be reported to Action Fraud at https://www.actionfraud.police.uk or on 0300 123 2040.

2. To report any concerns or suspicions of fraud, bribery or corruption, please contact your Anti-Fraud Specialist (see page 1 for contact details). You can also contact the national NHS Fraud and Corruption Reporting Line on 0800 028 40 60 or online at https://cfa.nhs.uk/reportfraud

To stay up-to-date on the latest coronavirus scams, please visit:

l MIAA - https://www.miaa.nhs.uk/insights/fraud-alerts-news

l Action Fraud (National Fraud Intelligence Bureau) - https://www.actionfraud.police.uk/news

l Chartered Trading Standards Institute (CTSI) - https://www.tradingstandards.uk/news-policy/news-room

Other Useful Documents:

l HFMA: Identifying malicious e-mails - Eight red flags to help identify malicious e-mails - https://www.hfma.org.uk/publications/details/identifying-malicious-emails

l ACCA: A warning be vigilant - coronavirus scams - Examples of scams and how to reduce your risk - https://i.emlfiles4.com/cmpdoc/2/5/6/6/2/files/660004_coronavirus-scams.pdf

l National Cyber Security Centre: Home working: preparing your organisation and staff - Advice on preparing for an increase in home working and