Often, we see phishing schemes being perpetrated by hackers seeking to steal information. Rarely do we discover a scheme that is essentially an elaborate marketing tactic.

Healthcare Info Security reports that the Department of Health and Human Services (HHS) sent a warning to organizations in the healthcare system, alerting them to an unusual phishing attempt.

Phishing, as we’ve previously written about, is a scam that uses seemingly legitimate links to take you somewhere you didn’t intend to go. This can be done by subtly changing a URL address, which is exactly what was done in this case.

The Scam

Per the HHS, this phishing email campaign masquerades as a message regarding HIPAA compliance audits from the HHS’ Office for Civil Rights (OCR). This email features a fake HHS letterhead and a signature from the OCR Director, Jocelyn Samuels. The only giveaway that this isn’t an official government email is the web address it directs you to, which for most will likely appear perfectly fine.

This email targets employees that work for organizations who fall under HIPAA regulations. The email itself asks recipients to click a link for “possible inclusion in the HIPAA privacy, security, and breach notification rules compliance audit program.”

The odd thing here is that rather than steal data, the link in the email directs recipients to a cybersecurity company’s website. The idea is to trick you first, then sell you their services. Maybe not the best tactic!

This form of marketing phishing has crossed a dangerous line. By relying on essentially forged documents – the signature and letterhead – to get healthcare professionals onto their site, the perpetrating company has risked undermining the trustworthiness of this kind of communication from government agencies.

Protect Yourself

The simplest way to protect yourself is to carefully check all incoming links – even if they appear to come from valid sources.

For example, the email in this attack comes from the “[email protected]” address, and directs people to “http://www.hhs-gov.us.” The official address is “[email protected],” and “www.hhs.gov.” This kind of subtle switch is a classic trick of phishing schemes and one which will likely fail to stand out to most viewers.

By hovering over the link within the email, the actual destination URL should appear (the visible link text and the real target are not always the same), allowing you to determine whether it is correct. If you’re not sure, use an internet search to find the correct address of the website you’re trying to reach, rather than following the link in the message.
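The hover check above can be automated for an organization’s mail gateway or helpdesk triage. The following is an added example written for this post (it is not from the original article or from HHS): it pulls every link out of an HTML email body, compares the real target host against a trusted-domain list, and flags links whose visible text names a different site than the one they actually point to. The trusted list containing only `hhs.gov` and the sample email body are assumptions constructed for the example; the `hhs-gov.us` address is the one quoted above.

```python
"""Check the links in an HTML e-mail body against trusted domains and flag
display-text / target mismatches. Added example, not code from the post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation treats hhs.gov (and its
# subdomains) as the only genuine HHS web presence. Maintain your own list.
TRUSTED_DOMAINS = {"hhs.gov"}


def hostname_of(text):
    """Lowercase hostname of a URL or bare domain, or None if there is none."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None                            # e.g. "Click here" is not a host
    parsed = urlparse(text)
    if not parsed.netloc:                      # bare 'www.hhs.gov' has no scheme
        parsed = urlparse("http://" + text)
    host = parsed.hostname
    return host.rstrip(".") if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.

    The comparison is label-wise, so 'hhs-gov.us' and 'hhs.gov.example'
    are rejected while 'www.hhs.gov' and 'ocr.hhs.gov' are accepted."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def same_site(shown, actual):
    """True if the host shown in the link text is the target host or a parent of it."""
    return shown == actual or actual.endswith("." + shown)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return one finding per link: real target host, whether it is trusted,
    and whether the visible text names a different site than the target."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        shown = hostname_of(text)
        findings.append({
            "href": href,
            "text": text,
            "host": host,
            "trusted": is_trusted_host(host, trusted),
            "text_mismatch": bool(host and shown) and not same_site(shown, host),
        })
    return findings


# Constructed sample body modelled on the campaign described in the post; the
# hhs-gov.us address is the one the post quotes, the rest is made up.
SAMPLE_EMAIL = """
<p>Your organization is being considered for possible inclusion in the HIPAA
privacy, security, and breach notification rules compliance audit program.</p>
<p>Confirm here: <a href="http://www.hhs-gov.us">www.hhs.gov</a></p>
<p>OCR guidance: <a href="https://www.hhs.gov/hipaa">hhs.gov</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        status = "OK  " if f["trusted"] and not f["text_mismatch"] else "WARN"
        print(f"{status} {f['text']!r} -> {f['host']} mismatch={f['text_mismatch']}")
```

Run against the sample, the first link is reported as untrusted with a text mismatch (it shows `www.hhs.gov` but goes to `www.hhs-gov.us`), while the second passes because `www.hhs.gov` sits under the trusted `hhs.gov`. Matching on whole DNS labels rather than substrings is the important design choice: a plain `"hhs.gov" in host` test would wave through `hhs.gov.example` style lookalikes.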

While this phishing attempt is more annoying than anything, it opens the door to attacks that might really hurt in the long run. Check every link before you click, and if you’re suspicious of an email, forward it on to your IT Department.