Recently, NHS organisations have seen a big rise in scam emails and pretexting attacks. Pretexting is a type of social engineering, where someone pretends to be a trusted person to trick you into sharing information or taking an action. This type of attack is not limited to online - it can take place through other forms of communication, including in person.

To protect against these threats, it is essential to stay vigilant and follow security best practices and Information Governance (IG) policies and guidelines. 

What should you do?

  • If you receive an email that is unexpected or suspicious, do not open any links or attachments. If unsure, report it to your IT Service Desk and then delete it. Never respond to it or forward it on to anyone else.
  • Always pause and verify who you’re dealing with before sharing information, and make sure you are following security best practices and Information Governance (IG) policies and guidelines. If in doubt, contact the IG Team for advice at: IG@merseycare.nhs.uk

Be email aware

  • Be suspicious of generic greetings such as "Dear sir or madam".
  • Check the sender’s email address to see if it looks legitimate.
  • Never open links or attachments from senders you don’t recognise.
  • Check the address of any links by hovering your mouse over the link (without opening it) to see if the address matches the link that was typed in the message.
  • Check for spelling mistakes and poor grammar which could indicate the email is a scam.
  • Be suspicious of emails that claim you must click, call, or open an attachment immediately. 
  • Never provide financial or sensitive personal information like usernames and passwords over email.

Good cyber security is everyone’s responsibility. There are some simple steps you can take to remain secure. One way to add extra security to your user account is by using a passphrase.


Why use a passphrase?


Length matters

Passphrases are longer than passwords, requiring 17 characters or more, which makes them more secure against cyber attacks.


Passphrases are easier to remember

Passphrases can be easier to remember because they can be a series of random words or a sentence, unlike complex passwords that mix letters, numbers, and symbols.


Avoid common phrases

It is best to avoid common phrases or song lyrics in passphrases. Instead, you should use a mix of random words, which will make your passphrase stronger.

A good starting point could be to use sites such as what3words or CorrectHorseBatteryStaple to help you select a passphrase.


Versatility

Passphrases can include spaces and punctuation, adding to their complexity and security.


Unique for each account

Just like passwords, it is important to use a unique passphrase for each account.

 


 

Creating your new passphrase

To update your password to a more secure passphrase, press Ctrl+Alt+Delete on your computer keyboard and choose ‘Change a password’. There will be guidance on requirements that your new passphrase will need to meet on this screen.

 

Further information and support

Additional support, including hints and tips, can also be found on the Be Cyber Savvy website managed by the Cheshire and Merseyside Health and Care Partnership Cyber Security Group.

We thank you in advance for your support. 

Beware of Pretexting scams 

NHS organisations and staff are increasingly being targeted by pretexting scams

Pretexting is a type of social engineering attack where someone pretends to be a trusted person to trick you into sharing information or carrying out an action. These scams aren’t limited to the online world - they can also happen over the phone or in person. For example, a caller might pose as a family member or even a police officer, telling a convincing story to gain your trust and persuade you to hand over sensitive details, such as a telephone number. 

Pretexting techniques 

Attackers often use a mix of techniques to carry out pretexting scams, including: 

Phishing 

This is when someone pretends to be a person or organisation in an email to trick you into giving away information. These emails can look very real and may even seem to come from someone you know, but the email address is fake. They might also include links or attachments that, if clicked or opened, could put harmful software (malware) on your computer. 

If you think you’ve received a phishing email, call the IT Service Desk straight away on 0151 296 7777. Don’t click on any links, don’t open any attachments, and don’t reply to or forward the email. If you have clicked any links or replied to the email, do not worry; just contact the IT Service Desk immediately on 0151 296 7777.

Vishing / Smishing

Vishing is when scammers call you on the phone to try and steal personal information. Smishing is the same thing but done by text message or WhatsApp. Scammers often try to rush you or make it sound urgent. 

If this happens: 

  • Block the caller or sender so they can’t contact you again. This includes blocking on messaging apps like WhatsApp.
  • Don’t share any information right away. Instead, check if the call or text is genuine by contacting the organisation yourself, using official details from their website.
  • If it’s your bank, use the phone number printed on your bank card.

For vishing or smishing incidents, the IT Service Desk is unlikely to offer more help than the steps you can take yourself. There is no need to report to the IT Service Desk if you have blocked the caller or sender's number.  

Tailgating

This is when someone tries to get into a secure building by following another person through a locked door. For example, they might walk close behind you, grab the door before it closes, or say they’ve forgotten their ID badge. 

Letting someone in without proper checks can put the organisation at risk. If you think this has happened, report it straight away to reception or security. 

It is appropriate to request to see a valid ID badge. If this cannot be provided, politely explain that entry cannot be granted and direct the individual to reception for assistance. 

Further information and support  

To protect against these threats, stay vigilant and always follow cyber security best practice and Information Governance (IG) policies and guidelines. 

Before you act, stop and think: 

  • Verify who you’re dealing with. 

  • Only share information if you’re certain it’s safe. 

  • Never allow anyone to tailgate into a secure area. 

Good cyber security is everyone’s responsibility and there are some simple steps you can take to remain secure. One of the most common attempts to breach cyber security defences is the use of scam emails.  

Beware of scam emails

Scam emails are fraudulent messages that try to trick you into giving away personal, medical or financial information, or infect your device with malware to steal data. 

These emails can be very convincing and may appear to come from a legitimate source, such as a person or organisation you know, when they are actually being sent from a fake address. This is known as ‘email spoofing’.

Please refer to our guidance below on how to spot a scam email and report anything suspicious immediately to your IT Service Desk.

 


Read our guide on how to spot and protect yourself from scam emails

 

Further information and support

Please ensure you report anything suspicious immediately to your IT Service Desk, who can also be contacted for cyber security guidance and advice. 

Additional support, including hints and tips, can also be found on the Be Cyber Savvy website managed by the Cheshire and Merseyside Health and Care Partnership Cyber Security Group.

We thank you in advance for your support.