What Is Phishing And Why Does It Affect Healthcare Organisations?
You might have heard the term “phishing” in relation to cyber security attacks, but do you understand what it means and why it’s important to be vigilant for such attacks? We’re going to explain what phishing is and why it’s so dangerous. We’ll also look at why healthcare organisations in the UK need to be alert to it.
What is phishing?
As the name suggests, phishing is actually not dissimilar from the act of fishing. Essentially, scammers are trying to “fish” for your information – or your business’ information.
They do this by sending fake emails or text messages, and in some cases even making phone calls, to try to trick you into visiting a website or clicking on a link that will allow them to access your data.
If you suspect that you have received a phishing email, text message or phone call, it’s essential that you report it to the National Cyber Security Centre (NCSC). This will ensure that the phishing attempt is investigated and that any scam websites are taken down as quickly as possible.
What can happen if you are a victim of phishing?
Often, phishing attacks are a gateway to other cyber crimes, like ransomware attacks or account takeovers. In some cases, the scammers use phishing to gather personal information or bank details which they then use to commit fraud.
For businesses or other organisations that hold sensitive information, a phishing attack can allow scammers to get hold of customer or client data. This can be disastrous for your reputation, not to mention cause problems for your customers or users.
There are a lot of different ways in which phishing attacks can present in your emails or messages, so you need to be vigilant both with your personal accounts and any business or work-related accounts.
How can you spot a phishing scam?
There are a number of signs you can look out for in communications that might indicate they are phishing scams. Among the most common are a false sense of urgency and poor spelling or grammar in the email or text message.
If there is a link in any email you receive, make sure it is from a trusted sender before you click on it. These links can often download the likes of ransomware onto your machine, giving criminals access to the data saved there. The same applies to emails with attachments. Make sure you really trust the sender before downloading or opening them.
Top tips include making sure you verify the sender of any email you receive. So, do you know the organisation the email has supposedly come from? Were you expecting to receive any communication from them? Can you check the domain name the email comes from to ensure it matches that of the business that’s sending it?
Also keep an eye out for misspellings in links or email addresses, such as where an “O” has been replaced with a “0”. This is a subtle difference, but is a surefire sign that the email address isn’t an official one.
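The sender-domain check and the "0"-for-"O" swap described above can also be applied automatically to incoming mail. The Python below is an added example, not part of the original article; the trusted domains, the list of character swaps and the function names are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist for this example; use the domains you actually deal with.
TRUSTED_DOMAINS = {"northtown-clinic.example", "sponsor-portal.example"}

# Character swaps often seen in lookalike domains ("0" for "o" is the article's case).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Collapse lookalike characters so visually similar domains compare equal."""
    s = domain.lower().translate(SINGLE)
    for pair, single in MULTI:
        s = s.replace(pair, single)
    return s


TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def check_sender(from_header: str) -> str:
    """Classify a From header: trusted, lookalike, suspicious or unknown."""
    _, address = parseaddr(from_header)  # ignores the display name, which is free text
    _, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "suspicious: no sender domain"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Non-ASCII or punycode labels can hide characters that look like Latin letters.
    if not domain.isascii() or any(p.startswith("xn--") for p in domain.split(".")):
        return "suspicious: internationalised domain"
    match = TRUSTED_SKELETONS.get(skeleton(domain))
    if match:
        return f"lookalike of {match}"
    return "unknown"
```

A "trusted" result only means the domain text matches the allowlist. The From header itself can be forged, so this check complements your mail provider's sender authentication rather than replacing it.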
Why is this particularly relevant for healthcare organisations?
A new phishing scam has recently been identified which involves scammers pretending to be from the Home Office to target organisations that are UK sponsor licence holders and who have access to the UK’s Sponsor Management System (SMS).
Given that almost 20 per cent of the UK’s healthcare workforce come from overseas, it’s highly likely that many healthcare organisations are UK sponsor licence holders. This phishing campaign is designed to steal SMS login details.
It does so by directing people to a fake login page – one that looks very convincing. This means it’s essential that you take extra care if you or a member of your team receives an email claiming to be from the Home Office about SMS. In particular, people are being asked to log in to their accounts to ensure uninterrupted access to the system after an upgrade.
Once the scammers have your SMS login details, they can use them either to extort your organisation or to carry out other scams. These include making fake job offers to those seeking work in the UK and asking them for tens of thousands in fees to issue a visa (which never materialises).
The Home Office regularly updates the information on its website about scams related to its operations.
If it’s been a while since you last ran cyber security training with your team, it could be worth having a refresher. Don’t forget that your IT support provider will also be able to provide advice and carry out a range of testing to protect you and your organisation from cyber crime.