By now, most of us are familiar with phishing, the practice of sending emails that appear as if they are from legitimate companies that try to get recipients to divulge personal information like passwords or credit card numbers.
In August, the U.S. Department of Health and Human Services issued a report warning hospitals about a growing cyberattack trend that hackers are using to gain access to hospital and health system IT networks: smishing, or phishing via SMS (short message service) text message.
It’s an important trend to watch for any journalist covering hospitals and/or cyberattacks, which have been ramping up in health care. Some cyberattacks in the past couple of years have forced hospitals to go on diversion (meaning they send patients elsewhere because they can’t accept them) or caused delays in care when clinicians couldn’t access electronic health records. Tips provided by HHS and others to avoid becoming a victim of smishing (see below) are useful for us all.
How it works — smishing and vishing
Here’s how smishing works: A hacker sends a text message asking you to click on a link. If you click, you’ll be directed to a fake website asking for personal information, according to a detailed article by cybersecurity journalist Ben Martens on SafetyDetectives.com. Alternatively, the website will try to download malicious software onto your device that will track everything you do.
Through the messages, the hackers frequently play on emotion by urging you to act on impulse and provide information quickly before something bad like a bank account closure happens.
Common smishing attacks pretend to be from trusted sources, like FedEx, saying they are trying to deliver a package and you need to click on a link to set your delivery preferences, or you won a contest and need to click on a link to provide your bank account information. These types of crimes can lead to security issues and privacy concerns, such as identity theft, HHS said.
While many users by now are aware of the dangers of clicking suspicious links in an email, “users are much more trusting of text messages,” the HHS report said, “so smishing is often lucrative to attackers phishing for credentials, banking information and private data.”
Smishing tactics can give hackers access to usernames, passwords, credit card numbers and Social Security numbers. “While a proactive approach can prevent smishing attacks, it is also recommended for users to treat suspicious text messages with caution and implement security software to all devices,” the report said.
Another tactic is vishing, or voice phishing, which involves the use of fraudulent phone numbers and voice-altering software to trick a person into divulging sensitive information during a phone call, according to an article in HealthTech magazine. Hybrid vishing attacks, in which a hacker first communicates with someone via email and then continues by phone, increased by 625% in the second quarter of 2022, HHS noted in an August 2022 report.
As one example, hackers in September 2020 participated in a vishing campaign in which they pretended to be employees of Spectrum Health in Grand Rapids, Mich., and its health plan subsidiary. The attack involved calling patients and using flattery and/or threats to pressure people into giving them member numbers and protected health information. The fake calls even “spoofed” caller ID so they appeared to be originating from a legitimate phone number belonging to the health care entity, HHS said.
Tips for hospitals — and the rest of us
To avoid these scams, HHS recommends that hospital and health system leaders encourage their employees to follow the guidelines below. These are good recommendations for journalists and anyone else receiving these messages, too.
- Beware of “urgent” text messages.
- Don’t respond to unknown numbers.
- Avoid sharing password information.
- Use antivirus or antimalware software.
- Avoid clicking in-message links, especially from numbers you don’t trust.
- Use multi-factor authentication on all of your accounts.
HHS also recommends that phone users take proactive steps to protect their work and personal devices. On an iPhone, go to “Settings,” select “Messages” and swipe the button next to “Filter unknown senders.” On an Android, go to Messages, select the three dots to open your settings, select “Block numbers and messages” and activate caller ID and spam protection. It’s also a good idea to install an antivirus app on your phone.
Don’t reply, even if the message says you can “text STOP” to avoid more messages. That tells the scammer that your number is active and can be sold to others, according to an article on smishing from AARP.
You can report spam and smishing texts by forwarding them to the number 7726 (SPAM), a fraud text reporting service operated by the Federal Trade Commission. You can also report them online at ReportFraud.ftc.gov.
- What are local hospitals and health systems in your area doing to warn employees and/or patients about these scams, and what cybersecurity measures are being implemented to help protect against them?
- Follow up with Spectrum Health or any other health systems impacted by these types of attacks to see what lessons learned they have to offer, or what additional steps have been implemented in the wake of attacks.
- Multi-Factor Authentication & Smishing – slides from HHS presentation.
- 3 Tips for Healthcare Organizations to Guard Against Vishing and Smishing – an article from HealthTech magazine.
- 11 Facts + Stats on Smishing (SMS Phishing) in 2023 – an article from SafetyDetectives.com.
- Vishing Attacks on the Rise – an August 2022 report from HHS.
- Scammers posing as Spectrum Health employees are calling patients to steal their PHI – an article from Becker’s Health IT.
- Scams & Fraud – Smishing – an article from AARP.org.