Scammers made off with up to £1 million of National Health Service money in the first six months of 2021, using the same tricks that have conned consumers out of their life savings.
Criminals have sent fake invoices from email addresses with similar names to genuine companies and emails pretending to be from bosses demanding money is sent to phantom suppliers, according to data released by the NHS’s counter-fraud authority under Freedom of Information laws.
They have also stolen money through hacks and fraudulent phone calls.
The figure compares to losses of up to £1.3 million for all of 2020. In that year, UK consumers were conned into sending £479 million to fraudsters using similar means, only half of which was refunded by banks.
In the same way that ordinary consumers have been targeted by scammers pretending to be from their bank or a parcel company, fraudsters targeting the NHS will pose as executives, IT support workers or bank staff to persuade workers to hand over cash or information.
Many use a scatter-gun approach, sending thousands of emails and requiring only a few to work in order to strike gold.
Fraud experts say they rely on creating a sense of urgency to get their targets to part with cash, plus a little homework. An angry email from a boss, using a similar-sounding email address, demanding a supplier is paid quickly and to a new bank account is a common ploy.
This is made easier when an organisation lists the names of its bosses and finance workers.
But if fraudsters are able to gather enough information to sound credible, they will pose as a bank and get customers to redirect funds which are often spirited away before the fraud is discovered.
Hull University Teaching Hospital Trust lost £17,900 to a doctored invoice, recovering only £6,000.
Christie NHS Foundation Trust lost £13,700 this year in one incident after a supplier’s email was hacked and funds were redirected to criminals. Less than £1,200 was recovered.
In 2019, Yeovil District Hospital NHS Foundation Trust lost £16,000 to a phishing email, but recovered about a third of the money. It insists it has tightened its controls since.
While some frauds such as credit card cloning are often covered by lenders, so-called push payment frauds such as these are a grey area, and banks will sometimes argue that customers should not be refunded if they are seen to have acted negligently in sending money.
Because of the way the data is gathered it may have captured some frauds outside of consumer scams, the authority said.