Phishing schemes are becoming sneakier in targeting doctors

A new round of e-mail scams looks like legitimate messages from trusted sources. How can physicians avoid becoming victims?

By — Posted Jan. 25, 2010


A faculty physician at the University of California, San Francisco, Medical Center received an e-mail last fall appearing to be from the hospital's information technology staff. The e-mail requested the doctor's login information in order to perform routine security upgrades to the system. Because it seemed like an ordinary request, the physician sent the information.

But that e-mail wasn't from his hospital's IT administrators. It was from a scammer, and by responding, the physician had unwittingly exposed the personal information of more than 600 of his patients.

This type of scam has become so common it's earned its own nickname: "spearphishing." Like phishing, this scam is carried out via a fictitious e-mail that looks legitimate. But unlike phishing, in which missives are sent to as many e-mail accounts as possible, spearphishing targets a specific population by posing as someone with whom the e-mail recipient routinely conducts business and exchanges information.

Scammers are getting craftier, experts say. Instead of getting an e-mail with an attachment from a bank you never do business with or a magazine to which you've never subscribed, the spearphishers are sending e-mail that looks like it comes from your employer, your insurance company or someone else with whom you do business.

"The best way to convert data to cash is ID theft," said Tom Cross, manager for X-Force Advanced Research, IBM's data theft research team. Medical records provide a comprehensive portfolio for individual identification, and that can be sold, he said.

How spearphishing works

The scams generally unfold in one of two ways. The scammer sends a legitimate-looking e-mail requesting information such as credentials, login information or account information, then uses that to gain access to your files, accounts or records.

Or the e-mail may include a link to a Web site that looks like the real thing, but clicking on it plants a virus on your computer. Or worse, clicking the link downloads software that provides the hacker with remote access to your computer or network.

Rod Rasmussen, president and chief technology officer of the security firm Internet Identity, based in Tacoma, Wash., said once scammers gain access to your computer, they can watch everything you do, including logging into financial accounts or accessing patient information.

One recent phishing case was carried out by scammers who posed as the Centers for Disease Control and Prevention and sent e-mails to patients and doctors claiming everyone had to register at an online H1N1 vaccine database. A link in the e-mail took unsuspecting recipients to a Web site that looked as if it was operated by the CDC. A warning issued later by the real CDC indicated hackers were likely sending malicious software downloads to victims' computers.

The way the phony UCSF and CDC attacks were carried out is becoming all too common, said Rick Howard, director of security intelligence at VeriSign iDefense, a cyber intelligence research firm. The scammers are growing more sophisticated by creating e-mails and Web sites that are increasingly realistic looking, he said. No one has done an exact count or study on how far spearphishing has spread, but those within the security industry say it's pervasive.

Many times scams directed at physicians are facilitated by disgruntled employees who can identify parties that commonly reach the practice by e-mail, such as hospitals, contracted insurers, billing clearinghouses and technology vendors, Howard said.

What can you do to protect yourself?

Telling the difference between e-mail from a legitimate site and a fraudulent one can be difficult, said Robert Siciliano, an identity theft consultant and CEO of, which sells anti-virus and security software. But there are some red flags, as well as some safeguards.

An obvious first sign is if the e-mail comes from a company with which you have no business, such as a bank where you don't have an account asking for account information. Recent phishing scams have appeared to be from social networking sites such as Facebook or online retailers such as eBay or Amazon.

If the e-mail appears to be from a familiar company or institution, close examination of the e-mail addresses or URLs can sometimes reveal clues of a scam, Siciliano said. For example, an e-mail appearing to be from Bank of America could contain a URL for Bank of Americas, with an "s."

But even if you think it's legitimate, you should never click on a link sent through an e-mail, Siciliano said. Instead, bookmark commonly visited sites, and use that link whenever you receive an e-mail requesting you click through.

Jorge Rey, director of information security and compliance for the Miami-based accounting firm of Kaufman, Rossin & Co., said calling to verify the source named in the e-mail is also a good idea. Even if it's a source to whom you have provided personal information before and someone who routinely e-mails you, don't send the information via e-mail.

Rey said another red flag is an e-mail attachment that contains the extension ".exe." The extension is used for an executable file, which could contain a virus. But it's never a good idea to download files sent via e-mail regardless of the extension, he said, because many hackers have the ability to change the file extensions to something not as obvious.
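The red flags described above (a sender or link address that differs from the real one by a letter, links that bypass your bookmarks, requests for login details, and executable attachments whose extension has been changed) can be turned into a simple mail triage check. The script below is an added example, not code from the article or from any of the firms quoted; the trusted-domain list, the sample messages and the "bankofamericas.com" lookalike are constructed for illustration.

```python
"""Added example: apply the article's spearphishing red flags to e-mail messages.
Trusted domains, sample messages and the lookalike sender are all constructed."""
import re
from email.message import EmailMessage
from typing import List, Optional

# Assumption: the practice keeps a short list of domains it actually does business
# with, which stands in for the bookmarks the article recommends using instead of links.
TRUSTED_DOMAINS = {"bankofamerica.com", "ucsf.edu", "cdc.gov"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}
URL_RE = re.compile(r"https?://([^\s/\"'>]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-letter lookalikes such as an added 's'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted
    itself or not close to anything on the list."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(msg: EmailMessage) -> List[str]:
    """Return a list of findings for one message; an empty list means no red flags."""
    findings: List[str] = []

    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = match.group(1).lower() if match else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like {imitated}")
    elif sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a known business partner")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in URL_RE.findall(text):
        host = host.split(":")[0].lower()
        if host not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host {host}; use a bookmark instead")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} looks like {imitated}")

    if re.search(r"\b(password|login|credentials)\b", text, re.IGNORECASE):
        findings.append("message asks for login information")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment {name} is an executable")
        elif payload[:2] == b"MZ":
            # Windows executables begin with 'MZ' regardless of the renamed extension.
            findings.append(f"attachment {name} is an executable with a disguised extension")
    return findings


def make_message(sender: str, body: str, attachment=None) -> EmailMessage:
    """Build a constructed sample message; attachment is an optional (name, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "doctor@ucsf.edu"
    msg["Subject"] = "Routine security upgrade"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def sample_phish() -> EmailMessage:
    # Constructed: lookalike sender, e-mailed link, credential request, renamed executable.
    return make_message(
        "IT Support <it-support@bankofamericas.com>",
        "Please confirm your password at http://bankofamericas.com/login before Friday.",
        ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 16),
    )


def sample_legit() -> EmailMessage:
    # Constructed: a trusted sender, no link, no attachment, no credential request.
    return make_message("alerts@bankofamerica.com", "Your statement is ready in your usual portal.")


if __name__ == "__main__":
    for finding in triage(sample_phish()):
        print("PHISH:", finding)
    print("LEGIT:", triage(sample_legit()))
```

The executable check reads the first two bytes of the attachment rather than trusting the file name, which is the point Rey makes about changed extensions; the domain check compares the whole sender and link host against the allow-list so that a single added letter is reported instead of passing as familiar.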

If your system is exposed to a virus, the scammers will likely gain access to patient lists and use those to target your patients. Doctors should make it a habit to remind patients the practice will never ask for personal information via e-mail, experts say.

Physicians should also make their employees aware of possible scams, especially those staff members who routinely communicate with insurers and financial institutions.

Organizations need to instill in people that falling for one of these scams is nothing to be ashamed of; otherwise they might be afraid to report the incident, Rey said. The damage can usually be minimized when immediate action has been taken, he said.
