• Fraudsters emailed NHS organisations’ finance departments pretending to be CEOs
• Scam was unsuccessful in all five cases reported and no money thought to be lost

Fraudsters tried to steal the salaries of four NHS chief executives during the last financial year by impersonating them in emails, HSJ can reveal.

Scammers parading as a CEO also attempted to swindle a trust out of money by requesting a rapid payment to a new bank account.

The cases of “CEO email fraud” — where criminals pretending to be a director or chief executive email an organisation’s finance department and ask for money to be transferred to a new bank account — hit four trusts and one commissioning support unit. They were reported to the NHS Counter Fraud Authority in the 2018-19 financial year.

No charges were brought in any of the five cases reported to the NHSCFA. The body is not aware of any money lost through the scams.

However, an NHSCFA spokeswoman said: “If the member of staff unthinkingly does as their ‘boss’ has instructed, they will find that they have sent NHS money to a fraudster’s account.”

The spokeswoman said this type of fraud has been an ongoing issue for several years. It is not known how many attempts go unrecorded.

She added NHSCFA had sent guidance to all NHS directors of finance and local counter fraud specialists. She also pointed HSJ towards a circular concerning mandate fraud.

The attempts were referenced in the authority’s latest annual report and accounts, which mentioned “CEO email fraud.”

The annual report also lists two successful criminal case results. In one case, the NHSCFA was able to return £131,000 to Epsom and St Helier University Hospitals Trust, after a former renal technical department manager submitted invoices for maintenance work that was unnecessary, overpriced or non-existent. 

In the other case, NHSCFA investigators helped expose fraudsters who cheated the NHS out of roughly £73,000 by submitting fake timesheets to an unknowing medical recruitment agency. All seven members of the group received prison sentences.

A third case is awaiting trial, according to the spokeswoman.

The NHSCFA was established by the Department of Health and Social Care in November 2017. It replaced NHS Protect, which was part of the NHS Business Services Authority.

The statutory body aims to reduce losses to fraud in the NHS by over £100m per year. It estimates the NHS loses £1.27bn to fraud each year.

So far this financial year, the NHSCFA has submitted investigation files on 20 subjects to the Crown Prosecution Service. No formal charges have yet been laid.