Phishing (pronounced ‘fishing’) is a cyberattack typically done over email (but which can also be done over text message or even phone) that attempts to steal information about you, your clinic, or your patients.
This information can be usernames and passwords, contact information, patient data, account numbers, money, or other operational information. The message most often tries to get you to open a photo or attachment, visit a website, or fill out a form.
Learn more: Doctors of BC: Preventing a Breach
Be suspicious of any email or message that claims you must click, call, or open an attachment urgently. Often, the email will attempt to create a false sense of urgency either by offering a reward or warning of a penalty if the action is not taken. By creating a sense of urgency, you might be more likely to act quickly without first verifying that the email is legitimate.
In a clinic setting, phishers may be attempting to obtain patient information or passwords rather than your banking information. Be wary of any emails asking you to look at an attachment (like a photo or document) or fill out a form, especially if there is an attempt to create a sense of urgency. The phishers may pose either as a patient or as a professional contact.
In a clinic setting it is not unusual to receive emails from an address or person you don't recognize, but there are contexts in which this is a red flag. If your email application has flagged a message as coming from an unrecognized or external sender, yet it appears to be from someone who has emailed you before, someone may be impersonating a known and legitimate contact. The display name on an email can be set to anything; the actual sender address and any warning banner your email application shows are what to check, as they can be indications that the email is not legitimate.
It is easy to personalize even mass emails in this day and age – even newsletters tend to use a personalized greeting. If the message is addressed with a generic “dear sir / madam” but appears to be from a sender (either an individual or an organization) who should know your name, this should give you pause.
Spelling and grammar errors used to be a common way to spot phishing, but with the rise of more sophisticated techniques and the use of AI-generated text, they are a less reliable indicator than they once were. Professional organizations usually have writing and editing staff to ensure their communications are free of basic spelling and grammatical errors, while many scam emails are not proof-read at all. Be very cautious if you notice spelling or grammar errors in an email, especially one that appears to come from a company or organization rather than an individual, but do not treat clean, well-written text as proof that a message is legitimate.
If you receive an email or text message that you find suspicious, do not open any attachments or click on any links, as this can be all that is needed to install malicious software on your computer. If the attachment is strangely named or just seems unusual, or if the link seems odd (for example, if when you hover over it, the address shown in the tooltip or status bar does not match the link text), then do not click or open it.
Most phishing emails use fake or mismatched domains. The domain is the part of an email address after the "@", or, for websites, what we think of as the address. For example, the domain of this website is "vancouverdivision.com". In an email address the domain is everything after the "@"; in a web address it is the part after "https://" (or "http://") and before the next "/", if there is one. Note that only the end of that part matters: "vancouverdivision.com.example.net" belongs to "example.net", not to this website. Here is an example of a link to this page and an email, with the domain bolded.
https://vancouverdivision.com/resource/pmh-connectivity-phishing-resources/
example@vancouverdivision.com
There are a few ways scammers use fake or mismatched domains to make their email or links appear legitimate when the domains are not associated with the organization being impersonated and are instead under the scammer's control.
Here are a few ways domains can be subtly altered to trick you into thinking it is legitimate:
Look-alike characters: sometimes the domain will appear almost identical except for a letter that has been swapped for a character that looks like it, such as "0" (zero) instead of "o", or "rn" instead of "m". Because these look so similar, they are easy to miss if you are not paying close attention. For example, "vanc0uverdivision.com" and "rnicrosoft.com" are both almost visually identical to their legitimate counterparts.
Misspellings: examples would be "vancuoverdivision.com", "microsort.com", or "doctorofbc.ca". These can be subtle. Some large organizations buy commonly misspelled versions of their domain so that users still reach the real site, but if you are directed to a misspelled domain or receive an email from one, treat it as immediate grounds for suspicion.
Lookalike domains: here the sender registers a domain that sounds legitimate but has no relationship to the actual organization. For example, if you receive an email purporting to be from Apple but sent from "applesecurity@gmail.com" that directs you to "appletechsupport.org", this is very likely a scam, as neither the email domain nor the link domain is likely to be owned and used by Apple.
A fake or mismatched domain in either the sender's email address or in the link(s) contained in the email is an immediate red flag that the message is very likely an attempt to scam or phish you.
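The checks described in the domain section above, together with the hover-text comparison mentioned earlier, can be automated. The script below is an added example written for this page, not code from the Vancouver Division or Doctors of BC. It assumes a constructed list of trusted domains (vancouverdivision.com, doctorsofbc.ca, microsoft.com, apple.com), folds the look-alike characters named on this page ("0" for "o", "rn" for "m", plus "1" for "l" and "vv" for "w"), flags near-misspellings by edit distance, and flags addresses that mention a trusted brand but resolve to an unrelated domain. It uses a simplified two-label rule for the registered domain; real code would consult the Public Suffix List so that names like "example.co.uk" are handled.

```python
from urllib.parse import urlparse

# Constructed list of domains this clinic expects mail and links from.
# A real deployment would maintain its own list (assumption for this example).
TRUSTED_DOMAINS = ("apple.com", "doctorsofbc.ca", "microsoft.com", "vancouverdivision.com")

# Character sequences commonly substituted for look-alike glyphs, in the
# order they are folded (multi-character pairs first).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def domain_of(addr_or_url: str) -> str:
    """Return the lower-cased host of an e-mail address or URL."""
    s = addr_or_url.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s  # bare host such as "rnicrosoft.com"
    return (urlparse(s).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Last two labels of the host, e.g. www.apple.com -> apple.com.
    Simplification: multi-part suffixes like co.uk need the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_homoglyphs(name: str) -> str:
    """Replace look-alike character sequences with the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(addr_or_url: str):
    """Return (verdict, registered_domain, trusted_domain_it_resembles).

    Verdicts: trusted, homoglyph, misspelling, lookalike, unknown.
    """
    host = domain_of(addr_or_url)
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg, None)
    folded = fold_homoglyphs(reg)
    if folded in TRUSTED_DOMAINS:            # vanc0uverdivision.com, rnicrosoft.com
        return ("homoglyph", reg, folded)
    for trusted in TRUSTED_DOMAINS:          # vancuoverdivision.com, microsort.com
        if edit_distance(reg, trusted) <= 2:
            return ("misspelling", reg, trusted)
    lowered = addr_or_url.lower()
    for trusted in TRUSTED_DOMAINS:          # applesecurity@gmail.com, appletechsupport.org,
        brand = trusted.split(".")[0]        # vancouverdivision.com.evil.net
        if brand in lowered:
            return ("lookalike", reg, trusted)
    return ("unknown", reg, None)


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the text shown for a link names a different registered domain
    than the address it actually points to (the hover check from the page).
    Returns False when the displayed text is not itself an address."""
    text = display_text.strip()
    if any(c.isspace() for c in text) or "." not in text:
        return False
    return registered_domain(domain_of(text)) != registered_domain(domain_of(href))


if __name__ == "__main__":
    # Constructed sample inputs drawn from the examples on this page.
    for sample in ("example@vancouverdivision.com", "vanc0uverdivision.com", "rnicrosoft.com",
                   "vancuoverdivision.com", "doctorofbc.ca", "applesecurity@gmail.com",
                   "https://appletechsupport.org/verify", "https://vancouverdivision.com.evil.net/login"):
        print(sample, "->", classify_domain(sample))
    print(link_mismatch("https://vancouverdivision.com/resource/", "https://vanc0uverdivision.com/login"))
```

The order of the checks matters: exact match first, then character folding, then edit distance, then the brand-in-unrelated-domain check, so that a homoglyph domain is reported as such rather than as a generic misspelling. The brand check is deliberately coarse; in practice it produces some false positives on legitimate third-party services, which is acceptable for a tool that only raises a warning for a human to verify.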
The simplest way to verify the legitimacy of a suspected phishing attempt is by contacting the person or organization directly and confirming with them. Do not use any contact information provided in the suspicious communication. Instead, obtain the email address or telephone number of the person or organization from a source you trust to be legitimate. For example, if you receive an unexpected request from a patient to open an attached document, find their phone number or email in your records and contact them directly to verify whether they were in fact the legitimate sender. Doctors of BC also suggests a policy of not opening attachments or links sent from patients unless they have been directly asked to do so, and provides some templates for ensuring that this is communicated to the patient so they are aware that this policy is in place.
You can also show this message to other people at your organization if you are unsure, and see if they spot details that might help clarify whether or not this email or message is legitimate.
If you have an IT provider, show them the suspicious email or message and ask them to confirm whether it is phishing, or whether it is a training exercise designed to help you spot phishing attempts.
You can report spam or phishing text messages by forwarding them to 7726 (SPAM), and report phishing to the Canadian Anti-Fraud Centre through its online portal or by telephone (1-888-495-8501). The Canadian Anti-Fraud Centre is not able to investigate every attempted phishing email, but it is more likely to investigate trends in phishing emails. For example, in 2020 around 38,000 doctors were targeted by a phishing email that was intended to appear as if it came from the College of Family Physicians. Reporting these attempts helps authorities remain aware and up to date on the latest trends in phishing and other forms of cyberattacks.
By sharing and discussing phishing attempts, you will strengthen your overall clinic cybersecurity profile. Sharing how you spotted a phishing attempt can be a valuable learning opportunity for everyone at your organization, and will help remind everyone to be careful and attentive to the small details that may indicate a phishing attempt.
Doctors of BC has guidelines for responding to a privacy breach which can be very helpful in determining your next steps. There are also resources linked below with more advice on how to deal with a phishing attack.
Commercial tools also exist to support security awareness training, cloud email protection and more:
Get In Touch
202 – 777 West Broadway, Vancouver, BC V5Z 4J7
Main Office: 604-569-2010
Fax: 604-321-5878