Crooks are “vishing” for patient information

Health care employees tend to be caring, helpful people who will do whatever it takes to assist their patients. Criminals have learned that and are abusing that goodwill by calling Asante employees — “vishing” — and asking for private patient information they have no right to know.

These vishing fraudsters typically masquerade as a patient or an authorized caregiver. They may ask for patient information with a sense of urgency or a compelling story to explain the reason for their request.

Private information they receive from us could be used for insurance fraud, lawsuit evidence, profit by illegal patient information sales or even political espionage, among other things.

Criminals also use vishing to target employees and IT staff for passwords and system information they can use to access to Asante computers and information. It is just one of many criminal tools and tactics aimed at Asante employees, to “social engineer” (fool) them, through human interactions.

Vishing is a phone version of a phishing attack. It’s a different twist on an old routine — impersonating a person or legitimate business for profit or power. And perhaps because we’re likely to trust a human voice, vishing has been successful enough to flourish.

Vishing calls are deceptive. They may look legitimate because criminals can spoof a phone number and caller ID to appear to be from a respectable person or organization. They may appear as local calls so you will be more likely to answer. Large-scale vishing operations (robocalls) are common, but vishing attackers will use publicly available information to target you.

Five ways to recognize a vish

1. The call is unexpected.
2. The caller may want to confirm who you are before proceeding with the call.
3. The caller may claim to represent a reputable institution or company such as the IRS, Medicare, Microsoft or even an Asante computer technician or employee. An “employee” may call pretending to be a provider to obtain a co-worker’s COVID-19 results or other sensitive lab information. Never rely on your caller ID to vet the call. It’s not difficult to fake a digital phone number.
4. The caller tries to stir emotions such as greed or fear to convince you to disclose sensitive information, like credit card numbers or passwords.
5. The caller has a sense of urgency; you are asked to provide information while you’re on the call.

How to respond 

• Think before you speak! Take a moment to think, write down information about the caller without offering any of your own information, then hang up. Call back after verifying the call and its request.
• Never provide any sensitive information about yourself or Asante patients.
• Never share computer passwords or other computer system information.
• Report the incident to the ITS Service Desk at (541) 789-4141 so we have a record of any vishing trends.
• If you realize you’ve been vished and you gave out sensitive information, immediately report the incident to the ITS Service Desk. Depending upon the vish conversation, you may be required to change your password to avoid any system compromise.
• Finally, remember that criminals are always looking for new ways to social engineer the public. Who knows, Asante News soon may need to publicize the dangers of the “smish” — an SMS message (text) that tries to fool people into responding with information or click on a malicious link.

 Don’t be fooled. Protect yourself, protect others, protect Asante.