Many of us are familiar with email phishing scams. Fewer are aware that SMS (text-based) phishing scams exist; these are called smishing. While these scams often use a brand name or common service as the hook, some target patients and healthcare organizations by masquerading as a patient, an insurance provider or a healthcare entity. Here are three things you should know about healthcare smishing attacks to keep you, your patients, and your organization safe.
- Understand the impact
- Know how to spot a smishing scam
- Look for technology providers that protect you from smishing
1. Smishing is on the Rise
The FBI’s 2018 Internet Crime Report revealed that smishing and vishing (the telephone equivalent) together contributed to $48+ million in cybercrime-related losses that year. According to a 2021 Proofpoint study, SMS-based scams rose 328% within a six-month period in 2020. In its 2021 State of the Phish Report, Proofpoint shares feedback from security experts worldwide on the consequences businesses face as a result of these cybercrimes:
- 60% of organizations lose data
- 52% of organizations have credentials or accounts compromised
- 47% of businesses are infected with ransomware
- 29% are infected with malware
- 18% of organizations experience direct financial losses
The financial impact on individuals or organizations who fall victim ranges from $500 to $3,000,000 per event. In addition, the average forensic investigation into a phishing attack costs more than $84,000, with larger investigations running upwards of six figures.
2. Healthcare Smishing Scams are Sneaky
The first thing to know is that hackers deploy smishing scams against both individuals and organizations. Anyone using text messages may be targeted. A smishing scam begins when a hacker sends a text message asking you to click on a link. If you click the link in the message, you’ll be redirected to a fake website or instructed to download something from the site. If you download the linked file or document, malicious software installs onto your device. The malicious software may be invisible to you, but it will be able to track everything you do.
Why Live Chat is a Healthcare Target
Use of live chat tools has become more popular in healthcare. It is convenient for the patient and provider. The downside is that live chat can expose your practice to healthcare smishing attacks. This attack is effective since many administrators don’t suspect that a text from a patient would be capable of doing harm. For example, look at this live chat exchange that appears to be from a diligent patient needing to submit an insurance card update:
“Patient” initiates the chat:
Healthcare Entity: Hello, John. How can I help you today?
Patient: You want me to send my insurance info. Can I do that?
Healthcare Entity: Sure, I can help you with that.
Patient: Okay. You can download a pic of my insurance card at www.iamahacker.com.
This innocent-looking exchange asks the medical practice to visit a website to download an insurance card. In this example, the link will install tracking software that steals patient data or opens your practice to a ransomware attack.
3. Automatically Thwart Smishing Attacks
How does your patient live chat tool handle this situation? One way your chat tool vendor can help is by automatically disabling incoming links shared as part of live chat. Intrado has recently added this security feature to its patient engagement platform. Here’s how it works: all SMS messages that come from a patient or prospect through Intrado’s HouseCalls Pro are scanned, and any URLs are removed. This action, though simple, guards hospitals and practices from malicious and unintended smishing attacks.
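The kind of inbound link stripping described above can be sketched as follows. This is an added example, not Intrado's implementation: the function names, the `[link removed]` placeholder and the `inbound`/`outbound` labels are assumptions, and the sample message is the one from the chat exchange earlier in this article.

```python
import re

PLACEHOLDER = "[link removed]"  # assumed replacement text

# Matches scheme URLs, www-prefixed hosts and bare domains (the chat example
# above uses no "http://"). Deliberately over-matches: dropping a harmless
# "card.jpg" costs less than letting a link through to staff.
_URL_RE = re.compile(r"""
    (?<![\w@])                                  # not mid-word, not an email domain
    (?:
        (?:https?|ftp)://[^\s<>"']+             # explicit scheme
      | www\.[^\s<>"']+                         # www-prefixed host, no scheme
      | (?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+  # bare domain labels
        [a-z]{2,24}(?![\w@])                    # TLD-like suffix, not an email local part
        (?:[:/][^\s<>"']*)?                     # optional port or path
    )
""", re.IGNORECASE | re.VERBOSE)

_TRAILING = ".,;:!?)]}"  # sentence punctuation that should stay in the text


def strip_links(body):
    """Return (clean_body, removed_urls) for one message body."""
    removed = []

    def _replace(match):
        url = match.group(0)
        core = url.rstrip(_TRAILING)
        removed.append(core)  # keep for audit logging and security review
        return PLACEHOLDER + url[len(core):]

    return _URL_RE.sub(_replace, body), removed


def filter_message(direction, body):
    """Strip links only from inbound (patient or prospect) messages."""
    if direction != "inbound":
        return body, []
    return strip_links(body)


if __name__ == "__main__":
    # Sample taken from the chat exchange in this article.
    sample = "Okay. You can download a pic of my insurance card at www.iamahacker.com."
    print(filter_message("inbound", sample))
```

Returning the removed URLs alongside the cleaned text lets the platform log what was stripped, so security staff can review attempted link deliveries without agents ever seeing a clickable link.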
For more about Intrado’s patient engagement security practices, or to learn more about Live Chat, contact us today.