FBI Warns Public About Phishing Attacks Against Plastic Surgery Offices, Patients

Cybercriminals have been targeting plastic surgery offices, providers, and patients with phishing attacks to deploy malware and harvest sensitive information, the FBI warned.

The Federal Bureau of Investigation (FBI) issued a public service announcement to alert the public about cybercriminals who have been targeting plastic surgery offices, surgeons, and their patients with phishing attacks.

The alert did not identify how frequent these attacks have been but noted that cybercriminals have been observed using social engineering to harvest personally identifiable information and medical records, including sensitive photographs.

Specifically, the criminals use technology to spoof phone numbers and email addresses in order to execute phishing attacks and deploy malware within plastic surgery offices. Next, they harvest sensitive information and photographs and use social media and social engineering tactics to enhance the harvested information.

If successful, the cybercriminals use the data to extort victims for cryptocurrency, the FBI noted.

“Cybercriminals contact plastic surgeons and their patients via social media accounts, emails, text messages, or messaging apps, and ask for payment to prevent sharing of their ePHI,” the alert continued.

“To exert pressure on victims for extortion payments, cybercriminals share the sensitive ePHI to victims' friends, family, or colleagues, and create public-facing websites with the data. Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made.”

The FBI encouraged potential victims to protect themselves by reviewing social media privacy settings to enhance privacy, auditing friend lists, and only accepting friend requests from people they know. In addition, the FBI emphasized the importance of two-factor authentication and complex passwords.

Lastly, the FBI requested that victims report suspicious activity to the Bureau and provide the name of the person who contacted them, the method of communication used, and the wallet addresses or bank account numbers used for extortion payments.
