Phishing for a Physician – A Spreading Concern

Cybercriminals have been diligently working these days to obtain personal information from unsuspecting physicians as they go about the business of practicing medicine. Physicians and other medical staff are prime targets of these attacks due to their compensation and the wealth of information publicly available on them.

Cybercriminals work hard to learn who you are and where you work so they can customize their attacks. This information is then used to target individuals with an email ploy known as spear phishing. These emails carry a malicious PDF attachment or Web link and usually request your username, password, date of birth, and other information that they can use to access confidential or protected information systems.

Recently several physicians at the medical center received emails that falsely gave the appearance they had been sent by the hospital or university IT staff asking them to provide their User ID and password information. Subjects like ‘Urgent: Important Security Information,’ ‘Final Warning Notice,’ and ‘Your Pay Increase’ are used to get physicians to respond. Physicians who provided account credentials inadvertently allowed cybercriminals to access and change their information in the university payroll system to redirect their direct deposit paychecks to a temporary bank account.

It is often challenging to distinguish fraudulent from legitimate email, but if you follow Rule #1 and NEVER submit any personal information like passwords via links in emails, you will stay safe from these attacks. Neither medical campus staff nor other legitimate companies will ask for this information via an email.

It is wise to watch out for emails that require immediate action, have unfamiliar or misspelled sender names, and are too good to be true. In some cases, emails appear to come from legitimate sources, but the sender’s address may be slightly off.
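The warning signs above (pressure subjects, a sender name that claims to be IT or payroll, a sender address that is slightly off, a request for credentials, a link whose real destination differs from what is shown) can be turned into a mailbox triage check. The script below is an added example, not code from the original article or the medical center; it assumes a hypothetical trusted domain `example-medcenter.edu`, and both sample messages are constructed. It scores a message on how many indicators it trips, which is the kind of rule a mail gateway or security team can run before a physician ever sees the email.

```python
"""Score an email against the spear-phishing indicators the article lists (defender-side triage)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the only domain this organization's IT and payroll mail is sent from.
TRUSTED_DOMAINS = {"example-medcenter.edu"}
# Lure wording quoted in the article plus common pressure phrasing.
URGENCY_PHRASES = ("urgent", "final warning", "pay increase", "immediate action")
# Data the article says these emails ask for; legitimate IT mail never requests it.
CREDENTIAL_WORDS = ("password", "user id", "username", "date of birth")
# Display-name words used to pose as internal staff (matched on word boundaries).
INTERNAL_ROLE_RE = re.compile(r"\b(it|helpdesk|help desk|payroll|hospital|university)\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot sender domains that are 'slightly off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_dist=3):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        label = t.split(".")[0]  # e.g. "example-medcenter" reused inside a stranger's domain
        if label in domain or edit_distance(domain, t) <= max_dist:
            return t
    return None


def analyze(raw):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg["Subject"] or "").lower()
    display, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")

    if any(p in subject for p in URGENCY_PHRASES):
        findings.append("urgent_subject")
    target = lookalike_domain(from_domain)
    if target:
        findings.append(f"lookalike_sender_domain:{from_domain}~{target}")
    if from_domain not in TRUSTED_DOMAINS and INTERNAL_ROLE_RE.search(display.lower()):
        findings.append("external_sender_claims_internal_role")
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        findings.append("requests_credentials")
    # Anchor whose visible text is a URL on a different host than the real href.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = text.strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link_text_mismatch:{urlparse(href).hostname}")
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply_to_domain_differs")
    return findings


def verdict(findings):
    """Two or more independent indicators is enough to hold the message for review."""
    return "suspicious" if len(findings) >= 2 else "ok"


# Constructed sample: the payroll-redirect lure described in the article.
LURE = """\
From: Medical Center IT Helpdesk <it-support@example-medcenter-edu.com>
Reply-To: verify@mail-recovery.example.net
To: physician@example-medcenter.edu
Subject: Urgent: Important Security Information
Content-Type: text/html

Your mailbox will be locked. Confirm your User ID and password within 24 hours:
<a href="http://example-medcenter-edu.com/login">https://portal.example-medcenter.edu/login</a>
"""

# Constructed sample: a routine notice from the real IT domain.
LEGIT = """\
From: IT Services <itservices@example-medcenter.edu>
To: physician@example-medcenter.edu
Subject: Scheduled maintenance this Saturday
Content-Type: text/plain

The clinical portal will be unavailable Saturday 02:00-04:00 for maintenance.
No action is required.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        found = analyze(raw)
        print(name, verdict(found), found)
```

The lure trips all six checks while the routine notice trips none, and the display-name rule deliberately stays silent for "IT Services" because its address is on the trusted domain. The lookalike check catches both a transposed or dropped character and the common trick of reusing the real organization name inside an unrelated domain.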

Even if it appears legitimate, it is best not to click on a link within the email. When in doubt, always verify the email with a phone call to a number other than what is in the email or contact your information security team at