Wide-cast phishing and targeted spear phishing attacks are far from new threats to the healthcare industry. Unfortunately, the COVID-19 pandemic has given the malicious attackers behind these campaigns a new vector from which to strike. The current medical crisis provides an opportunity for these attackers to prey upon users’ fears, need for new information, and potentially unfamiliar working conditions to compromise healthcare organizations’ systems and data.


While there is no limit to the variety of content that can be used to trick your users into compromising their access to your systems and data, the following types of messages should be regarded with extra scrutiny at this time:


  • Authoritative Sources – Many phishing messages will allege to be from government or international organizations such as the Centers for Disease Control (CDC) or World Health Organization (WHO) and claim to offer new information or resources on COVID-19.
  • Healthcare Partners – Messages that appear to be from other covered entities, business associates, insurance providers can also claim to offer new information or will request the user provide information about how their organization is handling COVID-19 issues.
  • Your Organization – Many attackers will spoof the account of an internal user in the hopes that other users will be more open with confidential information and more likely to follow malicious instructions.


Ensuring that your workforce is aware of these threats as well as trained on the steps they need to take in the event that they receive a suspected phishing message are more critical for the security of your organization than ever. We suggest reviewing the following with your users:


  • Be wary of messages sent by unfamiliar sources. Extra attention should be paid to the origin of the message they receive. If they do not normally receive messages from an external source such as a government agency or an internal source such as a member of the executive team, it is unlikely (though not impossible) that they would now.
  • Know how internal notifications are being handled. If your organization is going to be communicating information about the pandemic to its workforce, specify how this information will be distributed (i.e., intranet posting, e-mail, public notice, etc.)
  • Avoid clickable links and attachments. Many malicious attacks require the user to open a file or follow a link to a compromised website. As always, users should not trust unexpected attachments or login pages.
  • Be sure to report suspicious messages. Ensure that your users know how to contact IT when they receive a potential phishing message, whether that be a call to the Help Desk, forwarding to a specific address used to review these messages, or even a “Report Message” button in their email client.
  • This goes beyond email. Remind your users that phishing attacks can also be carried out over the phone and through social media.


With an educated workforce, backed up by strong technical controls restricting spam and malicious software, your organization will be better protected against phishing attacks both now and in the future.


Please don’t hesitate to reach out if you have questions about this alert or any other security or compliance related issue.  We are here to help!