A faculty physician at the University of California, San Francisco, Medical
Center received an e-mail last fall appearing to be from the hospital's
information technology staff. The e-mail requested the doctor's login
information in order to perform routine security upgrades to the system.
Because it seemed like an ordinary request, the physician sent the
information.
But that e-mail wasn't from his hospital's IT administrators. It was from a
scammer, and by responding, the physician had unwittingly exposed the
personal information of more than 600 of his patients.
This type of scam has become so common it's earned its own nickname:
"spearphishing." Like phishing, this scam is carried out via a fictitious
e-mail that looks legitimate. But unlike phishing, in which missives are
sent to as many e-mail accounts as possible, spearphishing targets a
specific population by posing as someone with whom the e-mail recipient
routinely conducts business and exchanges information.
Scammers are getting craftier, experts say. Instead of getting an e-mail
with an attachment from a bank you never do business with or a magazine to
which you've never subscribed, the spearphishers are sending e-mail that
looks like it comes from your employer, your insurance company or someone
else with whom you do business.
"The best way to convert data to cash is ID theft," said Tom Cross, manager
for X-Force Advanced Research, IBM's data theft research team. Medical
records provide a comprehensive portfolio for individual identification,
and that can be sold, he said.
How spearphishing works
The scams generally unfold in one of two ways. The scammer sends a
legitimate-looking e-mail requesting information such as credentials, login
information or account information, then uses that to gain access to your
files, accounts or records.
Or the e-mail may include a link to a Web site that looks like the real
thing, but clicking on it plants a virus on your computer. Or worse,
clicking the link downloads software that provides the hacker with remote
access to your computer or network.
Rod Rasmussen, president and chief technology officer of the security firm
Internet Identity, based in Tacoma, Wash., said once scammers gain access
to your computer, they can watch everything you do, including logging into
financial accounts or accessing patient information.
One recent phishing case was carried out by scammers who posed as the
Centers for Disease Control and Prevention and sent e-mails to patients and
doctors claiming everyone had to register at an online H1N1 vaccine
database. A link in the e-mail took unsuspecting recipients to a Web site
that looked as if it was operated by the CDC. A warning issued later by the
real CDC indicated hackers were likely sending malicious software downloads
to victims' computers.
The way the phony UCSF and CDC attacks were carried out is becoming all too
common, said Rick Howard, director of security intelligence at VeriSign
iDefense, a cyber intelligence research firm. The scammers are growing more
sophisticated by creating e-mails and Web sites that are increasingly
realistic-looking, he said. No one has done an exact count or study on how
far spearphishing has spread, but those within the security industry say
it's pervasive.
Many times scams directed at physicians are facilitated by disgruntled
employees who can identify parties that commonly reach the practice by
e-mail, such as hospitals, contracted insurers, billing clearinghouses and
technology vendors, Howard said.
What can you do to protect yourself?
Telling the difference between e-mail from a legitimate site and a
fraudulent one can be difficult, said Robert Siciliano, an identity theft
consultant and CEO of IDTheftSecurity.com, which sells anti-virus and
security software. But there are some red flags, as well as some
safeguards.
An obvious first sign is an e-mail from a company with which you have no
business, such as a bank where you don't have an account asking for your
account information. Recent phishing scams have appeared to be from social
networking sites such as Facebook or online retailers such as eBay or
Amazon.
If the e-mail appears to be from a familiar company or institution, close
examination of the e-mail addresses or URLs can sometimes reveal clues of a
scam, Siciliano said. For example, an e-mail appearing to be from Bank of
America could contain a URL for Bank of Americas, with an "s."
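The address and URL inspection described above can be automated. The Python script below is an added example for this page, not code from the article or from any of the firms quoted in it. The list of trusted domains and the two e-mail messages it inspects are constructed for illustration, and the `registered_domain` helper simply keeps the last two labels of a hostname (a real deployment would consult the public suffix list). It flags a sender or link domain that sits within a small edit distance of a domain you actually do business with (the "Bank of Americas" case, or a hyphen slipped into a hospital's name), and a link whose visible text names one domain while its href points somewhere else:

```python
"""Flag look-alike domains and mismatched links in an e-mail (added example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed list of domains the practice really exchanges e-mail with.
TRUSTED_DOMAINS = {"bankofamerica.com", "ucsfhealth.org", "cdc.gov"}

# Constructed sample: hyphenated sender domain, a "bankofamericas" link whose
# visible text shows the real bank URL, and one genuinely legitimate link.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@ucsf-health.org>
To: doctor@ucsfhealth.org
Subject: Routine security upgrade
Content-Type: text/html

<p>Please confirm your login at
<a href="http://bankofamericas.com/login">https://www.bankofamerica.com/login</a>
or see <a href="https://www.cdc.gov/h1n1">cdc.gov</a>.</p>
"""

# Constructed clean message for comparison.
CLEAN_EMAIL = """\
From: IT Support <helpdesk@ucsfhealth.org>
To: doctor@ucsfhealth.org
Subject: Maintenance window
Content-Type: text/html

<p>Details at <a href="https://www.ucsfhealth.org/it">ucsfhealth.org</a>.</p>
"""


def levenshtein(a, b):
    """Edit distance: how many single-character changes separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Reduce a hostname to its last two labels (simplification; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates; None if exact or unrelated."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def extract_links(html):
    """Return (href, visible text) pairs for every anchor tag in the HTML body."""
    return re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S)


def audit_email(raw):
    """Return (finding, observed domain, domain it resembles or claims) tuples."""
    msg = message_from_string(raw)
    findings = []
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if sender:
        sender_domain = registered_domain(sender.group(1))
        target = lookalike_of(sender_domain)
        if target:
            findings.append(("sender-lookalike", sender_domain, target))
    # Assumes a single-part HTML body; multipart mail would need msg.walk().
    for href, text in extract_links(msg.get_payload()):
        href_domain = registered_domain(urlparse(href).hostname or "")
        target = lookalike_of(href_domain)
        if target:
            findings.append(("link-lookalike", href_domain, target))
        shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text, flags=re.I)
        if shown and registered_domain(shown.group(0)) != href_domain:
            findings.append(("link-text-mismatch", href_domain,
                             registered_domain(shown.group(0))))
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample it reports the hyphenated sender domain, the "bankofamericas" link, and the mismatch between that link's visible text and its target; the clean message produces no findings. The edit-distance threshold is deliberately small so that unrelated domains are not reported.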
But even if you think it's legitimate, you should never click on a link
sent through an e-mail, Siciliano said. Instead, bookmark commonly visited
sites, and use that link whenever you receive an e-mail requesting you
click through.
Jorge Rey, director of information security and compliance for the
Miami-based accounting firm of Kaufman, Rossin & Co., said calling to
verify the source named in the e-mail is also a good idea. Even if it's a
source to whom you have provided personal information before and someone
who routinely e-mails you, don't send the information via e-mail.
Rey said another red flag is an e-mail attachment that contains the
extension ".exe." The extension is used for an executable file, which could
contain a virus. But it's never a good idea to download files sent via
e-mail regardless of the extension, he said, because many hackers have the
ability to change the file extensions to something not as obvious.
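Because the extension is just part of the name the sender chose, an attachment check has to look at the bytes. The Python script below is an added example for this page, not code from the article or from the firms quoted. The file signatures it matches (the "MZ" header of a Windows executable, the ELF header, "%PDF", the ZIP local-file header) are standard; the sample attachments are constructed, with content truncated to their leading bytes. It reports an executable whose name claims to be a PDF, the "invoice.pdf.exe" double-extension pattern, and a name containing the Unicode right-to-left override character, which makes "photo\u202egnp.exe" display as "photoexe.png"; a ZIP signature is left at "review" because Office documents share it and need deeper inspection:

```python
"""Judge an e-mail attachment by its bytes, not by its name (added example)."""

# Standard file signatures ("magic bytes") at offset 0.
SIGNATURES = [
    (b"MZ", "Windows executable (PE)"),
    (b"\x7fELF", "Linux executable (ELF)"),
    (b"#!", "script with interpreter line"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also Office .docx/.xlsx)"),
]
EXECUTABLE_TYPES = {"Windows executable (PE)", "Linux executable (ELF)",
                    "script with interpreter line"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs",
                         "ps1", "hta", "msi", "jar"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Constructed sample attachments: (filename, first bytes of content).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%..."),
    ("statement.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("claims_update.pdf", b"MZ\x90\x00\x03\x00"),
    ("photo\u202egnp.exe", b"MZ\x90\x00\x03\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
]


def sniff_type(data):
    """Identify content from its leading bytes; 'unknown' if no signature matches."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def name_tricks(filename):
    """Reasons the filename itself looks like it is disguising what the file is."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension .{exts[-2]} hidden before .{exts[-1]}")
    if "\u202e" in filename:
        reasons.append("right-to-left override character reverses the displayed name")
    return reasons


def assess_attachment(filename, data):
    """Combine content sniffing and name checks into a verdict."""
    kind = sniff_type(data)
    reasons = name_tricks(filename)
    claimed = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if kind in EXECUTABLE_TYPES and claimed not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"content is {kind} but the name claims .{claimed}")
    verdict = "block" if kind in EXECUTABLE_TYPES or reasons else "review"
    return {"file": filename, "type": kind, "reasons": reasons, "verdict": verdict}


def assess_all(samples=SAMPLES):
    """Assess every constructed sample and return the list of verdict records."""
    return [assess_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in assess_all():
        print(result["verdict"].upper(), repr(result["file"]), result["type"], result["reasons"])
```

Nothing here is allowed through outright: a file that passes every check still comes back as "review", which matches the advice above that attachments arriving by e-mail should not be opened on trust regardless of extension.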
If your system is infected, the scammers will likely gain access to
patient lists and use those to target your patients. Doctors should make
it a habit to remind patients the practice will never ask for personal
information via e-mail, experts say.
Physicians should also make their employees aware of possible scams,
especially those staff members who routinely communicate with insurers and
financial institutions.
Organizations need to instill in people that falling for one of these scams
is nothing to be ashamed of; otherwise they might be afraid to report the
incident, Rey said. The damage can usually be minimized when immediate
action has been taken, he said.
The full and original article can be found here:
http://www.ama-assn.org/amednews/2010/01/25/bil20125.htm