Ethical phishing in the NHS

What proportion of NHS staff is susceptible to phishing attacks? A proactive group of English trusts asked Gemserv to help them find out how many of their employees would expose their system credentials to hackers. Andy Green, CISO of Gemserv, reveals all.

We have all become used to receiving emails that claim our bank details have been compromised, or a postal delivery has been held up. If we just click a link and enter a few details, we can get the account released, or the package on its way.

Most of us recognise that these emails come from hackers and ignore them. But what if we were at work and an email arrived from our head of department, asking us to log in to a portal and sort out a problem? Or a flyer arrived from a conference that we’d been to, inviting us to enter a couple of details in order to download a report?

Would we click then? Recently, a proactive group of NHS trusts asked us to run an ethical phishing exercise to find out how susceptible their staff might be to this kind of approach, which is increasingly being used by hackers to obtain valuable details. Did they fall for it?

Phishing and the threat to the NHS

Well… before we get to that, it might be useful to recap on what phishing is and why it matters. Phishing is a form of cybercrime, in which a target or several targets are contacted by email, telephone or text message, and lured into handing over useful information.

There’s a common misconception that what hackers are after is sensitive personal data or financial details, but that doesn’t have to be the case. What criminals who target companies, government departments and public services want is user credentials: details that will allow them to get into systems and then move around a network.

That’s because the nature of cybercrime has changed. Back in the day, hackers wanted to steal information. Now, they want to stop organisations having access to it – so they can charge a ransom to get systems up and running again.

Unfortunately, that makes healthcare vulnerable. In September last year, police launched a ‘negligent homicide’ investigation after a ransomware attack disrupted emergency care at Dusseldorf University Hospital in Germany – and a patient died as she was being transferred to another unit.

Toughening targets

There are technology solutions that can be deployed to try to stop phishing emails. There are security gateways and email filters. However, we did some work for a FTSE company recently and they were getting 40,000 malicious or spam emails a day.

Even though they were catching 99% of them, 400 were getting in. That is where ethical phishing comes in. The purpose of exercises like the one we have just run for an NHS region is two-fold: first, to make people less susceptible to opening these emails, and second, to make people more likely to report them.

The FBI estimates the average hacker spends 149 days in a network before they do anything. If malicious emails are reported, it’s possible to stop them, to track the hacker across the network, and to reduce the potential harm that they can do.

So, how does Gemserv conduct an ethical phishing exercise? We use the same kind of techniques that hackers do. We don’t use a template. We don’t put out the ‘your bank account has been compromised’ or ‘your parcel is held up’ emails that people have got wise to.

We sit down and we look at an organisation with a criminal’s eyes. We think about who is most likely to be targeted – which people have influence or privileged access. For example, executives are targets, because they have authority and an email that comes from them is likely to be acted on; and IT administrators are targets, because they have more systems access than ordinary users.

Then, we identify individuals within those groups, and set out to find out useful things about them. We have a look at their professional profiles. We read their social media. If they have been tweeting about a conference, we might use that to create a spear phishing campaign that targets them and their contacts.

Then, we craft an email that uses the kind of influencing factors that hackers use – authority, urgency, the implication that bad consequences will follow if that link is not clicked. And then we send that email to an organisation or to a group of individuals within it.

Education, education, education

We crafted a number of emails for the group of NHS trusts that we are working with and they picked two to send. The first email has been sent to the first two trusts and around 2,000 people.

And now is the moment to reveal that… the results were catastrophic. A third of the people who received these emails, at all levels of those two organisations, opened them. If they were real phishing emails, hundreds of details would have been compromised.

The good news is that effective ethical phishing exercises don’t just catch people. They help to put them on their guard against further attacks. If somebody clicks on one of our emails, they are taken to a portal that is mocked up to look like the portal or the conference site or whatever it is pretending to be.

If they enter their details, they are taken to some training about cyber security, and then back to the original email, where we show them all the “red flags” that could have been spotted. Education of this kind is very effective.
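As an added illustration (not Gemserv’s tooling or anything from the article), a small checker for the kind of red flags such a debrief page might highlight: a sender trading on the organisation’s name from an outside domain, a Reply-To pointing elsewhere, link text that shows one site while the real href goes to another, and urgency language. The indicator set, the phrase list, the domains and the sample message are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "will be suspended", "action required")  # assumed list
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()
def red_flags(raw, org_domain, brand):
    """Red flags found in one RFC 822 message given as a string; [] means none found."""
    msg = message_from_string(raw)
    flags = []
    name, sender = parseaddr(msg.get("From", ""))
    from_dom = _domain(sender)
    inside = from_dom == org_domain or from_dom.endswith("." + org_domain)
    # 1. Trades on the organisation's name (the "authority" lever) but comes from outside it.
    if not inside and (brand in name.lower() or brand in from_dom):
        flags.append(f"{sender} uses the {brand} name but is outside {org_domain}")
    # 2. Replies are silently routed to a different domain than the visible sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    # 3. Anchor text that is itself a URL but whose real destination is a different host.
    for href, text in LINK_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = _host(text) if "://" in text else ""
        if shown and shown != _host(href):
            flags.append(f"link text shows {shown} but goes to {_host(href)}")
    # 4. Urgency / threat language used to rush the reader (subject and body).
    scan = (msg.get("Subject", "") + body).lower()
    hits = [p for p in URGENCY if p in scan]
    if hits:
        flags.append("urgency cues: " + ", ".join(hits))
    return flags

# Constructed sample lure using reserved example addresses (RFC 5737 / RFC 6761).
SAMPLE = """\
From: "NHS IT Service Desk" <servicedesk@nhs-support-portal.example>
Reply-To: mailbox@collector.example
Subject: Action required: password expires today
Content-Type: text/html

<p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://203.0.113.10/login">https://trust.nhs.uk/portal</a></p>
"""
```

Calling `red_flags(SAMPLE, "trust.nhs.uk", "nhs")` returns four flags, one per indicator; a plain internal message with no such cues returns an empty list.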

We can prove that, by re-running these campaigns over a matter of months, susceptibility can be reduced from very high percentages of users to low ones. One reason for that is that this resonates with people.

We might all think we can spot a dodgy email, but we don’t want to see our bank account emptied or the pictures of our children held to ransom. People are keen on ethical phishing because they can use what they have learned in their personal lives to stop this happening.


Ethical phishing delivers value to them as well as to their organisations, which in this case means the NHS and the services and patients it needs to keep safe.


Luke Conrad

Technology & Marketing Enthusiast
