The FBI is warning the public about cybercriminals who target plastic surgery offices, surgeons thereof, and patients to harvest personally identifiable information and sensitive medical records, to include sensitive photographs in some instances. Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency.
Phase 1 - Data Harvesting
Using technology to disguise their phone numbers and email addresses ("spoof"), cybercriminals use phishing to deploy malware to plastic surgery offices. Once successful, cybercriminals harvest electronically protected health information (ePHI), which includes sensitive information and photographs.
Phase 2 - Data Enhancement
Cybercriminals use open-source information, to include social media, and social engineering techniques to enhance the harvested ePHI data of plastic surgery patients. Cybercriminals use the enhanced data as leverage for extortion in Phase 3 and may use it for other fraud schemes.
Phase 3 - Extortion
Cybercriminals contact plastic surgeons and their patients via social media accounts, emails, text messages, or messaging apps, and ask for payment to prevent sharing of their ePHI. To exert pressure on victims for extortion payments, cybercriminals share the sensitive ePHI to victims' friends, family, or colleagues, and create public-facing websites with the data. Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made.
Tips to Protect Yourself
- Review profile settings in your social media accounts to strengthen privacy. Preferably, make your account private and limit what can be posted by others on your profile. Audit friend lists to ensure they consist of and are visible to people you know. Only accept friend requests and follows from people you know. Enable two-factor authentication to login.
- Secure accounts (e-mail, social media, financial, bill pay) by creating unique and complex passwords for login; consider using a password manager to help you remember them.
- Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
The FBI requests victims report these fraudulent or suspicious activities to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible.
- The name of the person who contacted you.
- Method of communication used, to include websites, emails, and telephone numbers.
- The wallet address(es) or bank account number(s) for extortion payments and recipient name(s), if provided.
For additional information on how to report cryptocurrency addresses connected to fraud, please see previous Public Service Announcement published on the FBI IC3 website:
IC3 | FBI Guidance for Cryptocurrency Scam Victim