Practice Tip of the Week: A Scam Directed at Nurses
Monday, June 24, 2019
Posted by: Roy Muyinza
By: Ellen Martin, PhD, RN, CPHQ
Director of Practice, Texas Nurses Association
A member recently received a rather odd letter stating that she had received a bequest of $2 million, allegedly from a former patient. The letter came addressed to her personally. She sent it to TNA, noting that it appeared to be a scam with the added twist of being specific to the nursing profession.
How did the nurse know this was a scam? The letterhead appears to be from Ontario, but the envelope was postmarked from Baltimore, MD. The awkward wording of the letter was another clue:
“Our late client indicated that you took care of him with great compassion that propelled him to recover faster than the doctors anticipated. When he recovered and was ready to be discharged, he secretly collected your name and address since he intended to astonish you with a great compensation as this.”
When she searched the street address and law firm in the letterhead, Crawford Law, she found a legitimate-looking site, but soon saw a number of red flags indicating the firm was fictitious.
As hackers get more specific and try new tactics, nurses need to be vigilant both at work and at home. While most people imagine a hacker as someone who uses computer software to get information, human interaction is one of the more common ways to obtain personal information.
Attackers use deception to manipulate people into taking an action that violates information security principles, such as clicking on a link, replying to an email, or divulging confidential or personal information that may be used for fraudulent purposes. Because this type of attack relies on human nature instead of software technology, it is called “social engineering” and is one of the biggest security threats facing health care organizations and patients.
Social engineers tend to be charming and are able to trick people into thinking they work at the organization or another organization with oversight, such as a government agency. Especially in large organizations, when staff get a request from someone they don’t recognize, they may not question it.
Human nature in the workplace drives us to be helpful, to trust those we interact with, to avoid looking incompetent, and to keep processes running smoothly—all traits that social engineers take advantage of.
The first step to protecting yourself is awareness. Question new faces in the workplace, or calls from people you don’t know. If they say they work for another company, ask to call them back and call the main line for the company to verify the person is who they say they are. Phishing attacks are also quite common and use email, social media or texting.
Phishing emails are often sent over unsecured public Wi-Fi. The example below uses many social engineering techniques, such as getting attention with a subject line in all capitals. The ESSENTIAL subject line sounds urgent, and under time pressure a person is more likely to reply immediately. It is human nature to respond quickly to an urgent email from the boss, but the email address indicated this was a bogus email.
Never click links or open attachments from emails unless you can verify the sender. Remember that legitimate organizations like the IRS will never ask for personal information over the phone or via email. And when providing patient information over the phone, verify the requester’s identity, why the request was placed, and whether they are authorized to view the information.
Above all, remember to take your time and question any requests—whether in person, by email or on the phone—from people you do not personally know.