Ethical phishing in the NHS


What proportion of NHS staff is susceptible to phishing attacks? A proactive group of English trusts asked Gemserv to help them find out how many of their employees would expose their system credentials to hackers. Andy Green, CISO of Gemserv, reveals all.

We have all become used to receiving emails that claim our bank details have been compromised, or a postal delivery has been held up. If we just click a link and enter a few details, we can get the account released, or the package on its way.

Most of us recognise that these emails come from hackers and ignore them. But what if we were at work and an email arrived from our head of department, asking us to log in to a portal and sort out a problem? Or a flyer arrived from a conference that we’d been to, inviting us to enter a couple of details in order to download a report?

Would we click then? Recently, a proactive group of NHS trusts asked us to run an ethical phishing exercise to find out how susceptible their staff might be to this kind of approach, which is increasingly being used by hackers to obtain valuable details. Did they fall for it?

Phishing and the threat to the NHS

Well… before we get to that, it might be useful to recap on what phishing is and why it matters. Phishing is a form of cybercrime, in which a target or several targets are contacted by email, telephone or text message, and lured into handing over useful information.

There’s a common misconception that what hackers are after is sensitive personal data or financial details; but that doesn’t have to be the case. What criminals who target companies, government departments and public services want is user credentials: details that will allow them to get into systems and then move around a network.

That’s because the nature of cybercrime has changed. Back in the day, hackers wanted to steal information. Now, they want to stop organisations having access to it – so they can charge a ransom to get systems up and running again.

Unfortunately, that makes healthcare vulnerable. In September last year, police launched a ‘negligent homicide’ investigation after a ransomware attack disrupted emergency care at Dusseldorf University Hospital in Germany – and a patient died as she was being transferred to another unit.

Toughening targets

There are technology solutions that can be deployed to try and stop phishing emails. There are security gateways and email filters. However, we did some work for a FTSE company recently and they were getting 40,000 malicious or spam emails a day.

Even though they were catching 99% of them, 400 were getting in. That is where ethical phishing comes in. The purpose of exercises like the one we have just run for an NHS region is two-fold: first, to make people less susceptible to opening these emails, and second, to make people more likely to report them.

The FBI estimates the average hacker spends 149 days in a network before they do anything. If malicious emails are reported, it’s possible to stop them, to track the hacker across the network, and to reduce the potential harm that they can do.

So, how does Gemserv conduct an ethical phishing exercise? We use the same kind of techniques that hackers do. We don’t use a template. We don’t put out the ‘your bank account has been compromised’ or ‘your parcel is held up’ emails that people have got wise to.

We sit down and we look at an organisation with a criminal’s eyes. We think about who is most likely to be targeted – which people have influence or privileged access. For example, executives are targets, because they have authority and an email that comes from them is likely to be acted on; and IT administrators are targets, because they have more systems access than ordinary users.

Then, we identify individuals within those groups, and set out to find out useful things about them. We have a look at their professional profiles. We read their social media. If they have been tweeting about a conference, we might use that to create a spear phishing campaign that targets them and their contacts.

Then, we craft an email that uses the kind of influencing factors that hackers use – authority, urgency, the implication that bad consequences will follow if that link is not clicked. And then we send that email to an organisation or to a group of individuals within it.

Education, education, education

We crafted a number of emails for the group of NHS trusts that we are working with and they picked two to send. The first email has been sent to the first two trusts and around 2,000 people.

And now is the moment to reveal that… the results were catastrophic. A third of the people who received these emails, at all levels of those two organisations, opened them. If they were real phishing emails, hundreds of details would have been compromised.

The good news is that effective ethical phishing exercises don’t just catch people. They help to put them on their guard against further attacks. If somebody clicks on one of our emails, they are taken to a portal that is mocked up to look like the portal or the conference site or whatever it is pretending to be.

If they enter their details, they are taken to some training about cyber security, and then back to the original email, where we show them all the “red flags” that could have been spotted. Education of this kind is very effective.
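As an added illustration of the “red flags” idea (this is example code written for this article, not Gemserv’s tooling), the following Python checks a single email for the influencing factors named above, urgency and threatened consequences, plus two mismatches that awareness training commonly points at: a sender or link outside the organisation’s own domain, and link text that shows one address while the underlying link goes somewhere else. The organisation domain `trust.example`, the phrase list and both sample emails are constructed assumptions.

```python
"""Heuristic "red flag" checker for an email, as awareness training would show it.

Added example, not Gemserv's tooling. The organisation domain, the urgency
phrase list and the two sample messages below are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation domain: anything else is "outside the organisation".
ORG_DOMAINS = {"trust.example"}

# Urgency / threatened-consequence wording (assumed list for the example).
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "will be suspended",
    "will be locked", "action required", "failure to",
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host part of a URL, or the domain part of an email address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _in_org(host, org_domains):
    return any(host == d or host.endswith("." + d) for d in org_domains)


def red_flags(raw_email, org_domains=ORG_DOMAINS):
    """Return a list of (flag, detail) tuples; an empty list means nothing tripped."""
    msg = message_from_string(raw_email)
    flags = []

    # Sender domain outside the organisation.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_host = _host(from_addr) if from_addr else ""
    if from_host and not _in_org(from_host, org_domains):
        flags.append(("sender-outside-org", from_host))

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _host(reply_addr) != from_host:
        flags.append(("reply-to-mismatch", _host(reply_addr)))

    # Links: destination outside the organisation, or visible text that lies about it.
    body = msg.get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    looks_like_url = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
    for href, text in collector.links:
        href_host = _host(href)
        if href_host and not _in_org(href_host, org_domains):
            flags.append(("link-outside-org", href_host))
        text_host = _host(text) if looks_like_url.fullmatch(text) else ""
        if text_host and text_host != href_host:
            flags.append(("link-text-mismatch", f"{text_host} -> {href_host}"))

    # Urgency or threatened consequences in subject or body text.
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        flags.append(("urgency-or-threat", ", ".join(hits)))
    return flags


# Constructed sample messages (not real campaign emails).
PHISH = """From: "IT Service Desk" <servicedesk@trust-portal-login.example>
Reply-To: helpdesk@mail-relay.example
To: staff@trust.example
Subject: Action required: password reset within 24 hours
Content-Type: text/html

<p>Your account will be suspended unless you confirm your credentials immediately.</p>
<p><a href="http://trust-portal-login.example/reset">https://portal.trust.example/reset</a></p>
"""

BENIGN = """From: "Rota Office" <rota@trust.example>
To: staff@trust.example
Subject: Next month's rota published
Content-Type: text/html

<p>The rota for next month is on the <a href="https://intranet.trust.example/rota">intranet</a>.</p>
"""

if __name__ == "__main__":
    for flag, detail in red_flags(PHISH):
        print(f"{flag}: {detail}")
    print("benign flags:", red_flags(BENIGN))
```

The point of the checks is the post-click walk-through the article describes: each tuple maps to something a reader could have noticed before entering credentials (who the email really came from, where the link really went, and the pressure to act now), which is why the function returns structured findings rather than a single score.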

We can show that, by re-running these campaigns over a matter of months, susceptibility can be reduced from very high percentages of users to low ones. One reason for that is that this resonates with people.

We might all think we can spot a dodgy email, but we don’t want to see our bank account emptied or the pictures of our children held to ransom. People are keen on ethical phishing because they can use what they have learned in their personal lives to stop this happening.

Ethical phishing delivers value to them as well as their organisations, which in this case means the NHS and the services and patients it needs to keep safe.


Luke Conrad

Technology & Marketing Enthusiast
