How staff can help to combat fraud

Expectations of staff

There are a number of expectations of staff in relation to values, behaviours and conduct:

  • The Trust puts out a clear message that it does not, and will not, tolerate crime committed against it by anyone.
  • Staff are expected to act in accordance with the Trust’s Values & Behaviours Framework, which has been co-created with staff from across all hospital sites and staff groups via a series of face-to-face and virtual conversations. It will underpin the way in which the Trust operates and how we treat each other, both patients and colleagues. It will be a key tool in developing a positive organisational culture. The Trust’s Chief People Officer, Debbie Herring, says: “This framework will be really useful to help everyone understand our expectations around how people behave which will support us to celebrate good behaviour and ensure that poor behaviour is highlighted and appropriately addressed with compassion”.
  • The Seven Principles of Public Life, known as the Nolan Principles, apply to all public office-holders, including NHS staff, and we are all expected to abide by them as servants of the public and stewards of public resources: 1. Selflessness; 2. Integrity; 3. Objectivity; 4. Accountability; 5. Openness; 6. Honesty; 7. Leadership.

 

What can I do to help?

We can all play a part to fight fraud; here are some key things to consider:

  • Remain vigilant! Be alert to unusual or suspicious activity and to the possibility of fraud.
  • Adhere to the Trust guidance, policies and procedures.
  • Think: are there clear rules and procedures in place that staff are aware of? Who is responsible for making sure they’re followed, and are there monitoring arrangements in place?
  • Speak up if you spot a potential weakness in a policy/ procedure.
  • Ensure appropriate segregation of duties: the risk of fraud and error declines if multiple staff are involved in different phases of a transaction.
  • Maintain scrutiny over day-to-day transactions.
  • Check that any claims/ documentation/ declarations etc. are accurate, both when processing and verifying.
  • Protect assets and areas physically, e.g. are locked cabinets used for small items with a high resale value (such as printer cartridges)? Where fob access is used for secure areas, beware of tailgating, and alert Security to unauthorised people in secure areas.
  • Wear your Trust ID, and make sure it is visible.
  • Challenge if you’re not sure, something doesn’t feel right, or you are suspicious about something you’re being asked to do, e.g. via email or a call.
  • If something looks too good to be true, it probably is. Read the small print… are there extortionate cancellation fees if you book onto but fail to attend a ‘free’ training course?
  • Declare conflicts of interest, gifts, hospitality, sponsorship, and secondary employment in line with Trust policy. If in doubt, declare it!
  • IT/Cyber Security: e.g. use strong passwords; do not share your own or use anyone else’s personal passwords; lock computers, mobiles and other devices when you are away from your desk or they are not in use; and do not allow unauthorised individuals access to them, including unauthorised viewing of content… is someone looking over your shoulder? Direct observational techniques such as ‘shoulder surfing’ could be used to obtain information such as passwords, PINs, and sensitive data. Be aware of your surroundings!
  • Remember it is everyone’s responsibility to help fight fraud; support a culture of non-tolerance of NHS fraud.
  • Follow advice in anti-fraud communications e.g. MIAA’s Newsletters, Articles, Information Alerts; NHS Counter Fraud Authority Guidance. If you line manage staff who do not regularly access Trust emails, please ensure that anti-fraud messages are disseminated to them. 
  • Know how to report your concerns, and report them.
  • Complete your mandatory training: the ESR fraud e-learning module.
  • Please familiarise yourself with the following Trust policies:
      • Anti-Fraud, Bribery and Corruption.
      • Freedom to Speak Up.
      • Policies relating to standards of personal and business conduct, which include declaring Interests, Gifts & Hospitality, Sponsorship, and Secondary Employment.

 

Cyber Fraud / Crimes

These are a particular, pervasive threat at present, where fraudsters attempt to obtain cash, personal/ business information or passwords, and/or infect computer systems with malicious software, ‘malware’, aimed at disrupting, damaging or gaining unauthorised access to systems and information. Cyber criminals use sophisticated methods to exploit and trick people and are experts at impersonating trusted organisations and people. They use social engineering techniques to manipulate an emotional response – for example a sense of urgency, fear, or the offer of an enticing deal/ bargain – to fool people into handing over confidential, sensitive or personal information, clicking on a malicious link or opening a malicious file.

Scams via email are known as ‘phishing’; by SMS text message ‘smishing’; and via telephone ‘vishing’.  Particularly beware if you receive a call telling you it’s your bank warning of irregular activity on your account.  Banks will never call you and ask for your PIN number. 

‘Phishing’ - things to look out for: the sender’s email address and URL appear strange; the email is not addressed to you personally; there is often an element of urgency for you to actively do something like clicking a website link/ attachment or providing information; the email content and request seem unusual, and the email often contains poor language, spelling and grammar.

Action to take

Everyone should remain vigilant to the potential for receiving malicious contacts, both in work and personally, so please keep yourself up-to-date with the types of scams that are around.  Criminals exploit times of uncertainty, and are using the Covid-19 pandemic to target individuals and organisations (including the NHS) with fraudulent contacts.

It’s ok not to react immediately, or to challenge, reject or ignore any requests! Remember that criminals are waiting for you to let your guard down even for a moment to gain money/ information/ computer network access, so please take your time to STOP AND THINK. Verify the contact from a known genuine source; DO NOT use the details provided to you in the suspicious contact, such as phone numbers, email addresses, and website links. Only criminals will try to panic you into taking immediate action; genuine contacts will understand the need to be vigilant to the risk of fraud. Please see the Take Five website for further details: https://takefive-stopfraud.org.uk/

If you have received a suspicious email, including if you have inadvertently provided credentials, or encountered unexpected activity on clicking a link or attachment, then you must contact your Trust Information Security Team as soon as possible at:

INFORMATION.SECURITY@aintree.nhs.uk or

INFORMATION.ASSURANCE@RLBUHT.NHS.UK

It is important that this is done without delay so that IT can make an immediate assessment of the email and take appropriate defensive measures to protect staff and the Trust as soon as possible, such as blocking websites and issuing alerts to staff. Please don’t ignore it if you think you’ve clicked something you shouldn’t have – IT need to know so they can take action if necessary. It is important, therefore, that if you receive an alert from IT, or from MIAA, in relation to any type of scam, you read and take note of the advice and guidance provided. Any scams relating to change of supplier bank account details should be reported to the AFS. Link to MIAA Alerts: https://www.miaa.nhs.uk/insights/fraud-alerts-news

In addition to the above measures, if you think you may have been the victim of fraud or cybercrime and incurred a financial loss or have been hacked as a result of responding to a phishing message, you should report this to Action Fraud. If you have received a suspicious email which you’re not quite sure about, please forward it to the Suspicious Email Reporting Service (SERS): report@phishing.gov.uk. This will help to disrupt fraudsters and allow crucial national intelligence to be gathered and preventative action to be taken. Visit the Action Fraud website for further details: https://www.actionfraud.police.uk/

The Metropolitan Police Service cyber team have produced five cyber crime awareness bitesize videos covering Test & Trace, Phishing, Working From Home, Vishing, and Ransomware scams.  Please take five minutes to watch the videos at: https://vimeo.com/showcase/7526455.

Financial Support Services

The Trust has produced an ‘Improving Your Financial Wellbeing’ guide which is available on the Staff Hub of the Trust intranet: http://rl-faq.nhs.sitekit.net/wellbeing/improving-your-financial-wellbeing.htm. Advice is also available in the NHS staff guide to financial wellbeing: https://people.nhs.uk/guides/financial-wellbeing/?dm_t=0,0,0,0,0.