18 October 2023 – The Federal Bureau of Investigation (FBI) has issued a public service announcement to warn the public about cybercriminals targeting plastic surgery offices, surgeons and their patients with phishing attacks.
The alert did not specify the frequency of these attacks, but noted that cybercriminals have been observed using social engineering to obtain personally identifiable information and medical records, including sensitive photographs.
Specifically, criminals are using technology to spoof phone numbers and email addresses to conduct phishing attacks and deploy malware in plastic surgery offices. They then harvest sensitive information and photographs and use social media and social engineering tactics to enhance the information they have gathered.
If successful, the cybercriminals use the data to extort victims for cryptocurrency, the FBI said.
“Cybercriminals contact plastic surgeons and their patients through social media accounts, emails, text messages, or messaging apps and demand payment to prevent the disclosure of their ePHI,” the alert continued.
“To pressure victims into making extortion payments, cybercriminals share the sensitive ePHI with victims’ friends, family, or colleagues and create public-facing websites with the data. Cybercriminals tell victims that they will only remove and stop sharing their ePHI if an extortion payment is made.”
The FBI encouraged potential victims to protect themselves by reviewing their social media privacy settings, reviewing friend lists, and accepting friend requests only from people they know. The FBI also stressed the importance of two-factor authentication and complex passwords.
Finally, the FBI urged victims to report suspicious activity to the FBI, including the name of the person contacting the victim, the method of communication used, and any wallet addresses or bank account numbers used for extortion payments.