Everyone is at risk for falling for online scams. The stakes are even higher when patient data is involved. Even our own company, which specializes in healthcare technology, is a target for cyber criminals and one of our own employees was recently targeted by text-based phishing, known as “smishing.” Here are the steps she took to proactively reduce security risks.
Smishing by establishing trust through a known identity
A few months ago, Monica* was settling in as a new director at Pixel Health when she received a text message that appeared to be from Pixel Health’s CEO, Michael Feld. (*Employee’s name changed for privacy purposes.)
“Hi Monica, I’m in a conference right now, can’t talk on the phone, but let me know if you got my text. Thanks Michael Feld.”
Monica had no reason to believe it wasn’t Michael, although he hadn’t reached out by text before. She responded that she received his text, and Michael replied, “Okay, I have an urgent task for you. Are you available?”
Conveying urgency and making emotional requests with smishing
Michael then asked Monica to help. “I just need to get gift cards for women going through cancer at the hospital. I can’t do that right now because of my busy schedule.”
Michael was asking for $600 worth of gift cards and this urgent purchase request raised a red flag for Monica. She paused and decided to call the CEO’s direct line to confirm if he was sending the text messages. But when she reached him on the phone, he said, “Monica, I can’t talk right now, I’m in a meeting.”
While Michael’s unavailability coincidentally matched the initial text in the smishing conversation, Monica was patient. She reached out to other co-workers to find out more about the request. She learned that her instincts not to buy anything were correct, and she blocked the number from her phone.
Finding personal data online enables smishing
“A smishing attack like this is becoming more prevalent as technology has changed the way we operate,” said John Garcia, Security Analyst at Pixel Health. “People often respond to text messages more quickly than emails—and they often have their mobile device nearby.”
“Attackers can be sophisticated,” he added. “They use social engineering reconnaissance techniques to gather personal data, such a post on LinkedIn announcing someone’s a new position. It’s fairly easy for someone to find the executives at an organization and impersonate them for these types of attacks.”
Once a smishing attacker has identified the person’s name, their phone number and an executive, they can either use a burner phone or spoof a phone number to text the targeted employee through SMS or a through a messaging application.
“A smishing attack may involve an urgent request from a leader, hiring manager or even human resources (HR). They may ask for a purchase, send a link to a malicious website or ask someone to download software to their computer—and employees often feel compelled to help right away,” explained John.
Creating cybersecurity awareness and training healthcare companies
While any company can be a target, healthcare companies are particularly vulnerable.
“With HIPAA, patient data is the biggest thing a healthcare company needs to protect. Ransomware not only affects patient data—it can also impact daily operations,” said John. “If a doctor or a clinician cannot access the information they need, then they can’t serve patients, which results in financial loss and loss of reputation.”
Creating awareness through training is considered the first step for defending an organization from the constant onslaught of phishing/smishing attempts. Employees should know the basics, such as:
- Do not reply to or call unknown numbers.
- Do not click on links in a message directing you to a website (go to the website directly instead).
- Do not open attachments if you cannot confirm the sender first.
- Call a company or person directly from a known, reliable number, not a number provided in an email or text message.
To support these efforts, Pixel Health offers the KnowBe4® solution, which provides customizable, targeted training to keep employees up to date on best practices in cybersecurity. Learn more about how our team can help reduce your security risks—and keep your employees and data safe.