The FBI also warns that cybercriminals are using this stolen data to extort victims, threatening to release it to the public or to the victims’ employers or families.
Cybercriminals are using phishing emails and text messages to gain access to plastic surgery offices’ networks and steal sensitive data, such as patient records, photos and financial information, the FBI warns.
Once they have this data, they threaten to release it to the public or to the victims’ employers or families unless they receive a ransom payment in cryptocurrency.
The FBI says that cybercriminals are using a three-phase approach to carry out this scam:
1: Data Harvesting
Cybercriminals use phishing emails and text messages to trick plastic surgery offices into clicking on malicious links or opening attachments. Once a victim clicks on a malicious link or opens an attachment, malware is installed on their computer. This malware allows cybercriminals to steal sensitive data, such as patient records and financial information.
2: Data Enhancement
Cybercriminals use open-source information, such as social media profiles, to “enhance” the stolen data. This means that they gather additional information about the victims, such as their employment history, photos, family members, and friends. Cybercriminals then use this enhanced data to make their extortion threats more credible.
3: Extortion
Cybercriminals contact plastic surgeons and their patients via social media, email, text messages, or messaging apps to demand ransom payments. They threaten to release the victims’ sensitive data to the public or to their employers or families unless they pay a ransom in cryptocurrency.
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, a San Francisco, Calif.-based leader in data security posture management, addressed the data security practices and capabilities of plastic surgery clinics, stating that most regular doctor’s offices face the challenge of needing to share this information to safeguard lives, but lack the security capabilities to ensure data protection and monitor for unauthorized access or suspicious activity.
“Cybercriminals are focused on monetizing access to data through either impacts to the availability of lifesaving data, or increasingly the threat of releasing sensitive and sometimes embarrassing data to the public,” said Claude. “Nation states may use similar tactics to coerce users to perform activities in their interests. Medical records, especially some forms of plastic surgery, have become obvious targets as a result.”
FBI’s Recommendations
The FBI recommends that plastic surgery offices and patients take the following steps to protect themselves from this scam:
- Be suspicious of unsolicited emails and text messages, especially those that ask for personal information or financial data.
- Do not click on links in emails or text messages from unknown senders.
- Use strong passwords and enable multi-factor authentication on all accounts.
- Keep software up to date on all devices.
- Back up data regularly.
Here are some additional tips to protect yourself from this scam:
- Be careful about what information you share online, especially on social media.
- Be careful about who you give your contact information to.
- Be aware of the signs of phishing emails and text messages.
- If you receive an email or text message that seems suspicious, do not click on any links or open any attachments.
- If you are unsure about whether an email or text message is legitimate, contact the sender directly.
If you are a plastic surgery office or patient and you believe you may have been the victim of this scam, you should report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.