Phishing scams and social engineering awareness

11 November 2020

Social engineering is the art of manipulating people into handing over confidential information. Email phishing is one of the most common forms of social engineering, and healthcare is a popular target.

Most phishing campaigns come in the form of email and are created by people who design fake websites that look just like a trusted organisation – complete with branded email templates. They’re designed to trick you into clicking a link that presents you with a fake log in page.

As an example of how easy it can be to be deceived, below we’ve spelt Pinnacle correctly, and then again using a capital I rather than a lowercase L. Can you spot the difference?
PinnacIe/Pinnacle.
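The capital-I-for-lowercase-L trick above is one instance of a general problem: characters that look alike on screen but are different to a computer. The following is an added example (not code from the original article or from Pinnacle) showing how a mail filter or awareness tool could flag a sender or brand name that only matches a trusted name after such lookalike characters are folded together. The confusables table is a constructed, deliberately short list; real tooling would use the full Unicode confusables data.

```python
"""Flag lookalike names built from visually confusable characters.

Added example, not from the original article. A small hand-picked table
folds confusable ASCII characters onto one canonical form, so that
"PinnacIe" (capital I in place of lowercase L) compares equal to
"Pinnacle" after folding while the raw strings do not.
"""

# Constructed table: confusable character -> canonical character.
# Assumption: this short list is enough for the illustration.
CONFUSABLES = {
    "I": "l",  # capital i looks like lowercase L
    "|": "l",  # vertical bar looks like lowercase L
    "1": "l",  # digit one looks like lowercase L
    "0": "o",  # digit zero looks like letter o
    "5": "s",  # digit five looks like letter s
}


def fold(text: str) -> str:
    """Return a lower-cased form of *text* with confusables folded.

    Single-character substitutions come from the table; the two-character
    pair "rn" (which renders like "m") is folded afterwards.
    """
    folded = "".join(CONFUSABLES.get(ch, ch.lower()) for ch in text)
    return folded.replace("rn", "m")


def classify(candidate: str, trusted: str) -> str:
    """Compare a name seen in an email against a trusted name.

    Returns "exact" when they are the same name (ignoring case),
    "lookalike" when they only match after folding confusables
    (the phishing case), and "different" otherwise.
    """
    if candidate.lower() == trusted.lower():
        return "exact"
    if fold(candidate) == fold(trusted):
        return "lookalike"
    return "different"


def explain(candidate: str, trusted: str) -> list:
    """List (position, seen, expected) for each character that was swapped.

    Only meaningful for a "lookalike" result of the same length; it gives
    a human-readable reason to show staff when a message is flagged.
    """
    diffs = []
    for idx, (seen, expected) in enumerate(zip(candidate, trusted)):
        if seen != expected and seen.lower() != expected.lower():
            diffs.append((idx, seen, expected))
    return diffs


if __name__ == "__main__":
    # Constructed inputs: the article's own example pair.
    for name in ("Pinnacle", "PinnacIe", "Pinnacle Health"):
        verdict = classify(name, "Pinnacle")
        print(f"{name!r}: {verdict}", explain(name, "Pinnacle") if verdict == "lookalike" else "")
```

Running the script reports `'PinnacIe': lookalike [(6, 'I', 'l')]`, which is exactly the swap the article describes; the same check applies to the domain part of a sender address, which is where the trick is most often used against a busy inbox.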

More sophisticated campaigns can target specific people, by gathering intelligence on the person then tailoring their campaigns to suit. The aim may be to obtain a copy of your credentials, to install malicious software, or to get you to disclose other types of confidential information.

It’s easy to be fooled

Scammers are very good at what they do. They will combine a variety of different methods to have the best chance at success - from well-crafted spelling mistakes to links that direct you to fake websites, and everything in between. They will even sit and watch your conversations for months on end to learn who you talk to and how you talk to them.

The latest scam involves .xlsm files. Please do not open a .xlsm file someone sends to you - even if you're sure it's really them. There's not a single legitimate reason to send a .xlsm file. 
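A .xlsm file is a macro-enabled Excel workbook; the extension is the visible marker, but the macros themselves live inside the file as a part named xl/vbaProject.bin. The following is an added example (not code from the original article or from Pinnacle) showing how an IT provider's mail or attachment filter could enforce the "no .xlsm" rule and also catch a macro-enabled workbook that has been renamed to look like a harmless .xlsx. The sample workbooks are constructed in memory and are not real documents.

```python
"""Detect macro-enabled Office attachments by content, not just by extension.

Added example, not from the original article. An OOXML document such as
.xlsm is a ZIP archive; macro code is stored in a part named
xl/vbaProject.bin (word/ and ppt/ for Word and PowerPoint). Looking for
that part catches a macro-enabled file even after it has been renamed.
"""
import io
import zipfile

# Parts that hold VBA macro code inside an OOXML package.
MACRO_PARTS = (
    "xl/vbaProject.bin",
    "word/vbaProject.bin",
    "ppt/vbaProject.bin",
)


def has_vba_project(data: bytes) -> bool:
    """Return True when *data* is a ZIP-based Office file carrying a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a ZIP container, so not an OOXML document
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def assess_attachment(filename: str, data: bytes) -> str:
    """Apply the article's rule (never accept .xlsm) plus a content check.

    Returns "block (.xlsm)" for the banned extension, "block (macro
    content in .<ext>)" when macros are present under another name,
    and "allow" otherwise.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "xlsm":
        return "block (.xlsm)"
    if has_vba_project(data):
        return f"block (macro content in .{ext})"
    return "allow"


def build_sample(parts: dict) -> bytes:
    """Build a minimal constructed OOXML-style ZIP from {part name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a workbook with a VBA part and one without.
SAMPLE_MACRO = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00constructed placeholder, not real macro code",
})
SAMPLE_CLEAN = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
})


if __name__ == "__main__":
    for name, data in (("report.xlsm", SAMPLE_MACRO),
                       ("report.xlsx", SAMPLE_MACRO),
                       ("report.xlsx", SAMPLE_CLEAN),
                       ("notes.txt", b"plain text")):
        print(f"{name}: {assess_attachment(name, data)}")
```

The second line of output, `report.xlsx: block (macro content in .xlsx)`, is the case an extension-only rule misses: the file looks like an ordinary workbook but still carries a VBA project. This is why the advice to report a suspicious attachment rather than open it matters even when the name looks harmless.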

Phishing scams will continue to be commonplace and can affect any of us – even the most keen-eyed individual could easily be deceived when faced with a busy inbox full of emails to read and action.

We encourage you to be really aware of this activity, and discuss it as a practice team. Watch for the signs and acknowledge it can – and will – happen to the best of us. Reporting anything suspicious immediately will help.

What to do if you think you’ve been targeted

  • Please contact the practice systems support team (updated 23.11.23) immediately and let them know your concerns. Time matters significantly in resolving and containing the fallout from a scam. They will alert the appropriate people at Pinnacle, and work with your practice to help investigate and resolve the issue. This includes checking for any potential privacy breach that may need to be notified to the Office of the Privacy Commissioner.
  • Contact your IT provider, providing as many details as you can.
  • DO NOT forward the email any further. Send a screenshot of the email, and await instructions from your IT specialist on next steps.
  • Remember, never open a .xlsm file someone sends to you - even if you're sure you know the sender.

For more tips for staff on staying safe online check out this advice (PDF) from the UK's National Cyber Security Centre.
