As cyberattacks escalate against U.S. hospitals and health systems, the method known as “smishing” has gained popularity among hackers seeking to bypass information technology (IT) defenses.
Smishing, a variant of phishing (where fraudulent emails are used to steal personal data), involves sending deceptive text messages. According to a report from the Department of Health and Human Services (HHS) in August 2023, smishing tricks recipients into clicking links that either divulge private information or download malicious software onto their smartphones.
If you’ve received urgent texts claiming a UPS package couldn’t be delivered or warning of IRS issues with a link to click, you’ve encountered attempted smishing. This tactic exploits the sense of urgency or importance, pushing recipients to act without due caution, as explained by Ian McShane, vice president of strategy at Arctic Wolf.
Previously, SMS messages were considered secure because phone numbers were difficult to spoof. However, hackers now exploit this trust, even mimicking banks to request sensitive information like bank card numbers.
Dr. Anthony Blash, an associate professor at Belmont University, highlights that smishing capitalizes on the perceived trustworthiness of text messages compared to emails. He warns that spoofed text headers can appear legitimate, tricking recipients with alarming messages about billing issues or test results, directing them to fake portals.
Healthcare employees are also targeted, especially with increased remote work access. Unlike email, where warnings can be appended to messages, texts lack such safeguards. David Aguero, PharmD, from St. Jude Children’s Research Hospital, stresses using secure communication methods like institution apps or intranets rather than standard SMS.
To counter smishing, experts advise never clicking embedded links in texts and instead verifying claims directly through official channels, such as by calling UPS or banks. Healthcare remains a prime target due to its valuable data, with IBM reporting that healthcare data breaches cost an average of $10.93 million in 2023.
Dr. Blash notes healthcare’s vulnerability compared to finance, attributing it to varying security standards. Erich Kron, a security advocate, warns of evolving smishing techniques, potentially incorporating AI to craft more convincing messages.
Health systems must educate staff and patients to report suspicious texts and avoid clicking links, promoting a culture of cybersecurity awareness. Mr. Kron emphasizes holistic cybersecurity approaches, integrating personal and professional security practices to enhance overall protection.
As threats persist, vigilance and proactive cybersecurity measures are essential for safeguarding healthcare institutions against evolving smishing and other cyber threats.