The Pharmacy Email Breach

A small independent pharmacy had its email account compromised and criminals used it to request fraudulent prescription payments from NHS contacts.

Independent pharmacy (UK) · 2022 · 2 min read

Attack Chain

  1. Phishing email captures owner's email password
  2. Inbox monitored silently for two weeks
  3. Fraudulent invoices sent to NHS contacts
  4. Supplier fraud also conducted via same access

Background

An independent pharmacy in a market town used a single shared email account for all communications — supplier orders, NHS correspondence, staff messages, and customer queries. The email account had no two-factor authentication and used a password set when the business was established five years earlier.

The Attack

The pharmacy's email password was obtained through a phishing email that the owner clicked while distracted. Criminals monitored incoming emails for two weeks, learning the pharmacy's suppliers, NHS contacts, and payment patterns. They then sent fraudulent invoices to NHS payment contacts requesting payment to a new bank account, impersonating the pharmacy.

Response

The NHS payment team noticed a change in bank details and called the pharmacy to verify, discovering the fraud before any NHS funds were transferred. However, the owner discovered the criminals had also used the email access to order £4,200 of medicines from a supplier, billed to the pharmacy.

Outcome

No NHS funds were lost due to the phone verification. The pharmacy faced a £4,200 supplier invoice for goods delivered to a fake address. The email account breach also exposed prescription data for several customers, requiring an ICO notification.

Key Takeaways

  1. Enable two-factor authentication on your business email account as a priority — it is the single most effective security measure for small businesses
  2. Never use a shared email account — individuals should have their own accounts so you can identify when one is compromised
  3. Suppliers and partners should call to verify any request to change bank details, however the request arrives
  4. A breach of your email account means criminals can read everything — change all linked account passwords immediately
  5. Patient or customer data breaches must be reported to the ICO within 72 hours — know this requirement before it happens
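The phone check that stopped the NHS loss can be written down as a small rule for a payments inbox. The Python below is an added example, not part of the case study or any NHS system: it holds any message that asks for bank or payment details to change and points the reviewer at the phone number already held in the organisation's own contact directory, ignoring any number quoted in the email itself. The directory, sender address, phrase list and sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed contact directory keyed by the sender address the payer already
# knows. The phone number stands for the one recorded when the supplier was
# first set up, not any number that arrives inside a later email.
CONTACT_DIRECTORY = {
    "orders@pharmacy.example": {"name": "Example Pharmacy", "phone": "01234 000000"},
}

# Phrases that commonly accompany a request to redirect payments. This list is
# an assumption for the example; a real filter would be tuned to local traffic.
CHANGE_PATTERNS = [
    r"\bnew bank (?:account|details)\b",
    r"\b(?:change|update|amend)\w*\s+(?:our|the)\s+bank details\b",
    r"\bsort code\b.*\baccount number\b",
    r"\bpayments? (?:should|must) (?:now )?be made to\b",
]

# Rough UK landline/mobile shape, used only to spot numbers quoted in a body.
PHONE_IN_BODY = re.compile(r"\b0\d{3,4}\s?\d{5,7}\b")


@dataclass
class Email:
    sender: str
    subject: str
    body: str


@dataclass
class Decision:
    hold: bool                              # True: do not act until verified by phone
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None        # directory phone number to call, if known


def assess(email: Email) -> Decision:
    """Decide whether a message must be held for out-of-band verification.

    The sender address is deliberately not trusted on its own: in the case
    above the fraudulent invoices came from the pharmacy's real, compromised
    account, so the only useful check is a call to a number on file.
    """
    text = f"{email.subject}\n{email.body}".lower()
    matched = [p for p in CHANGE_PATTERNS if re.search(p, text)]
    if not matched:
        return Decision(hold=False)

    decision = Decision(hold=True, reasons=list(matched))
    entry = CONTACT_DIRECTORY.get(email.sender.lower())
    if entry is None:
        decision.reasons.append("sender not in contact directory")
        return decision

    decision.verify_via = entry["phone"]
    # Numbers quoted in the email are never used for the call; if they differ
    # from the directory, note it as an additional warning for the reviewer.
    on_file = entry["phone"].replace(" ", "")
    quoted = PHONE_IN_BODY.findall(email.body)
    if quoted and all(q.replace(" ", "") != on_file for q in quoted):
        decision.reasons.append(
            "email quotes a phone number that differs from the directory"
        )
    return decision


if __name__ == "__main__":
    # Constructed message of the kind described in the case study.
    suspicious = Email(
        sender="orders@pharmacy.example",
        subject="Updated payment details",
        body=(
            "Please note our new bank details below. Sort code 00-00-00, "
            "account number 00000000. Any queries, call us on 07700 900123."
        ),
    )
    result = assess(suspicious)
    print("hold:", result.hold, "call:", result.verify_via)
    for reason in result.reasons:
        print(" -", reason)
```

The design point is the last branch: a number quoted in the email is recorded as a warning but never used for the verification call, because an attacker with mailbox access controls everything in the message, including the "call us" line.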
Tags: email compromise, pharmacy, NHS fraud, supplier fraud, data breach