Phishing Attacks: How to spot a fake or scam NHS email

Fake emails, known as phishing emails, are consistently on the rise. In fact, it’s now estimated that 3.4 billion phishing emails are sent out each day and, with that rate of delivery, it’s no wonder that people are clicking on them. In this article, we’ll help you to spot a fake NHS email and prevent any malicious activity through your accounts.

What is a phishing attack?

Phishing is a type of cyber security attack, most commonly delivered via email. Phishing emails aim to trick the recipient into either clicking on a malicious link or revealing sensitive information about themselves. This is often done using urgent messaging designed to provoke an impulsive response, convincing the victim that their account may be blocked or lost if they don’t input their credit card details immediately or, alternatively, that they can win a big cash prize if they submit their information within a specified time frame.

The aim of these emails is to get the victim to act impulsively, clicking or sharing information before they realise it’s too late. Once the information is uploaded, the cybercriminal then either releases a virus onto the user’s system or copies their information, giving the criminal access to other accounts and financial opportunities. Before the victim notices a mistake has been made, the damage has already been done.

To achieve this, hackers must make phishing emails look as though they come from reputable brands and companies. The more realistic they appear, the more likely someone is to comply with what they are asking, so often the emails are very hard to differentiate from the real thing.

What do phishing attacks look like?

Some of the most popular phishing scams include Outlook login attempts, calling for the user to reset their password; PayPal warnings that your account will close unless the card details are confirmed; and HM Revenue tax refunds, prompting the user to click a link to claim back an amount of money usually worth hundreds of pounds.

However, following the recent coronavirus pandemic, a new phishing email has quickly begun to rise to the top of the list: the NHS scam.

NHS phishing attacks

The NHS phishing attack – sometimes delivered by SMS using the same method, known as smishing – focuses on the Covid-19 pandemic and uses this to manipulate the victim. The detail varies: the message may inform the user of updated coronavirus restrictions, request confirmation of vaccination status, or offer a digital vaccination passport, in each case prompting the user to click a link.

If this link is clicked, then any number of things can happen. The user may be transferred to a fake webpage where they input their personal information, including passwords; or, more dangerously, a virus may be transferred onto their device to give the hacker access to all their accounts, watching their keystrokes and monitoring everything they do online.

How to spot a fake NHS email  

Unfortunately, these phishing attacks are very hard to differentiate from the real thing, and by using the coronavirus pandemic, they play on people’s emotions and impulsive behaviours.

If you have received an email that you suspect might be from a malicious account, there are a number of things you can do to remain secure:

  • Hover over the link – this will reveal the true source of the link and enable you to confirm whether it is a genuine NHS website or not
  • Check for any spelling or grammatical errors – often the organisation name will be very similar to the real thing, so watch out for extra or missing letters or language that doesn’t sound correct
  • Visit the website independently, from a separate browser or device – this will allow you to determine if the message you are being sent is legitimate
  • Watch out for a sense of urgency within the message – if the content is telling you that you must act immediately, it’s likely they’re trying to get you to act without thinking
  • Never forward or share the email – doing so may accidentally cause others to become victims of the scam as well

The most important thing to remember is that if you are in even the tiniest bit of doubt about an email, the safest thing to do is take your time and investigate the matter carefully. Once you have determined an email is phishing, delete it from your inbox and, if possible, report it to a security team within your organisation.

Get in touch

If you’d like to find out more about how you can protect yourself or your organisation from phishing, Boxphish has the tools to help. At Boxphish, we are passionate about providing our users with the skills needed to identify and avoid cyber-attacks, reducing risk and protecting both the individual and the organisation.

We use interactive training and real-world attack simulations to educate and train our users, with phishing simulations delivered directly to your inbox and courses tailored to individual needs and industries. Our training is extremely easy to use and does not eat into valuable work hours for your employees. Click here to view our phishing training and book your demo today. 
