Beware wages scam


The Trust are making staff aware of a recent scam that has targeted members of NHS Trusts and their wages.

An email, purporting to be from HR, was customised with the Trust in question’s logo to make it look genuine. A link, within the email, directed staff to a hoax ESR log-in webpage.

Criminals relied on staff attempting to log-in using the fake link which, instead of providing the unknowing staff access to their ESR account, was allowing the criminals to capture the staff member’s log-in and password details.

Once the log-in details had been received by the fraudsters it allowed them to access the staff member’s ESR account and change the bank details meaning that the salary was diverted into the criminal’s account and not that of the NHS member of staff.

Advice to NHS staff about malicious phishing emails: 

  • Payroll, HR and ESR teams will never email NHS employees and ask them to log in to ESR by clicking on a link.
  • Should employees receive an email of this nature purporting to be from payroll, HR or ESR teams asking to update their ESR details, they should never respond and/or give out their personal details.
  • NHS employees should never click on any suspicious looking links as this can provide verification of their active e-mail address and may facilitate the targeting of further malicious emails.
  • NHS employees should be vigilant of email addresses that appear to be from their NHS organisation however are slightly altered, email addresses that are not recognised, or that use public domains (such as
  • If in doubt, verify the authenticity of the email by contacting the sender through your normal means of communication.
  • Do not reply or call any number on the email.
  • NHS employees should be advised to change their ESR passwords on a regular basis and closely monitor their bank account statements to make sure that funds have not been diverted.
  • Use a separate password for your work account and never reveal your password to anyone.
  • Create a strong and memorable password by using three random words. Avoid using predictable passwords such as dates, family and pet names.
  • Enable and use two-factor authentication (2FA) by using the NHS CRS smartcard if this is possible. Doing this makes it harder for criminals to access your online accounts, even if they know your password.
  • NHS employees who believe they have been a victim of this type of fraud should carry out a credit history check, which would help identify if loans, mortgages or any other type of credit have been taken out in their name.

Staff  should contact their Local Counter Fraud Specialist (LCFS) Gareth Robins or Mark Kinsella on 0121 232 8781 if they believe they have been a victim of cyber-enabled payment diversion fraud.



Leave a Comment
Name (required)
Email Address (required, never displayed)
Enter a message

(all comments are moderated - your submission will be posted on approval.)