Phishing schemes are becoming sneakier in targeting doctors
■ A new round of e-mail scams looks like legitimate messages from trusted sources. How can physicians avoid becoming victims?
A faculty physician at the University of California, San Francisco, Medical Center received an e-mail last fall appearing to be from the hospital's information technology staff. The e-mail requested the doctor's login information in order to perform routine security upgrades to the system. Because it seemed like an ordinary request, the physician sent the information.
But that e-mail wasn't from his hospital's IT administrators. It was from a scammer, and by responding, the physician had unwittingly exposed the personal information of more than 600 of his patients.
This type of scam has become so common it's earned its own nickname: "spearphishing." Like phishing, this scam is carried out via a fictitious e-mail that looks legitimate. But unlike phishing, in which missives are sent to as many e-mail accounts as possible, spearphishing targets a specific population by posing as someone with whom the e-mail recipient routinely conducts business and exchanges information.
Scammers are getting craftier, experts say. Instead of getting an e-mail with an attachment from a bank you never do business with or a magazine to which you've never subscribed, the spearphishers are sending e-mail that looks like it comes from your employer, your insurance company or someone else with whom you do business.
"The best way to convert data to cash is ID theft," said Tom Cross, manager for X-Force Advanced Research, IBM's data theft research team. Medical records provide a comprehensive portfolio for individual identification, and that can be sold, he said.
How spearphishing works
The scams generally unfold in one of two ways. The scammer sends a legitimate-looking e-mail requesting information such as credentials, login information or account information, then uses that to gain access to your files, accounts or records.
Or the e-mail may include a link to a Web site that looks like the real thing, but clicking on it plants a virus on your computer. Or worse, clicking the link downloads software that provides the hacker with remote access to your computer or network.
Rod Rasmussen, president and chief technology officer of the security firm Internet Identity, based in Tacoma, Wash., said once scammers gain access to your computer, they can watch everything you do, including logging into financial accounts or accessing patient information.
One recent phishing case was carried out by scammers who posed as the Centers for Disease Control and Prevention and sent e-mails to patients and doctors claiming everyone had to register at an online H1N1 vaccine database. A link in the e-mail took unsuspecting recipients to a Web site that looked as if it was operated by the CDC. A warning issued later by the real CDC indicated hackers were likely sending malicious software downloads to victims' computers.
The way the phony UCSF and CDC attacks were carried out is becoming all too common, said Rick Howard, director of security intelligence at VeriSign iDefense, a cyber intelligence research firm. The scammers are growing more sophisticated by creating e-mails and Web sites that are increasingly realistic looking, he said. No one has done an exact count or study on how far spearphishing has spread, but those within the security industry say it's pervasive.
Many times scams directed at physicians are facilitated by disgruntled employees who can identify parties that commonly reach the practice by e-mail, such as hospitals, contracted insurers, billing clearinghouses and technology vendors, Howard said.
What can you do to protect yourself?
Telling the difference between e-mail from a legitimate site and a fraudulent one can be difficult, said Robert Siciliano, an identity theft consultant and CEO of IDTheftSecurity.com, which sells anti-virus and security software. But there are some red flags, as well as some safeguards.
An obvious first sign is if the e-mail comes from a company with which you have no business, such as a bank where you don't have an account asking for account information. Recent phishing scams have appeared to be from social networking sites such as Facebook or online retailers such as eBay or Amazon.
If the e-mail appears to be from a familiar company or institution, close examination of the e-mail addresses or URLs can sometimes reveal clues of a scam, Siciliano said. For example, an e-mail appearing to be from Bank of America could contain a URL for Bank of Americas, with an "s."
But even if you think it's legitimate, you should never click on a link sent through an e-mail, Siciliano said. Instead, bookmark commonly visited sites, and use that link whenever you receive an e-mail requesting you click through.
Jorge Rey, director of information security and compliance for the Miami-based accounting firm of Kaufman, Rossin & Co., said calling to verify the source named in the e-mail is also a good idea. Even if it's a source to whom you have provided personal information before and someone who routinely e-mails you, don't send the information via e-mail.
Rey said another red flag is an e-mail attachment that contains the extension ".exe." The extension is used for an executable file, which could contain a virus. But it's never a good idea to download files sent via e-mail regardless of the extension, he said, because many hackers have the ability to change the file extensions to something not as obvious.
If your system is exposed to a virus, the scammers will likely gain access to patient lists and use those to target your patients. Doctors should make it a habit to remind patients the practice will never ask for personal information via e-mail, experts say.
Physicians should also make their employees aware of possible scams, especially those staff members who routinely communicate with insurers and financial institutions.
Organizations need to instill in people that falling for one of these scams is nothing to be ashamed of; otherwise they might be afraid to report the incident, Rey said. The damage can usually be minimized when immediate action has been taken, he said.