Skip to main content

Phishing: Top tips for Canadian physicians

A cat sitting on a window ledge next to a woman sitting at a desk, working on a laptop.

You get an email from the College of Family Physicians of Canada about a debit invoice on your account. In order to see the details, you are asked to download the statement in the email.

Or you get an email from the Canadian Medical Protective Association about paying your fees before you lose your malpractice coverage. You’re asked to click on the link to find out more.

The emails sound urgent. But in fact, these are attacks called “phishing,” and cybercriminals are counting on you to click on links or download attachments as instructed.

When they’re successful, cybercriminals can gain access to not only your bank account, but all kinds of personal information. For example, they could get access to your patients’ health information, encrypt the files and then demand a ransom to restore them to you. (This is called a ransomware attack.) These types of privacy breaches are on the rise, with the majority resulting from people clicking links in emails or downloading infected files.

While it’s critical to have robust security technology to prevent cyberattacks, the first and best line of defence is education for individuals. Here are some essential things physicians should know about phishing and how to prevent it.

What is phishing?

Phishing is when a cybercriminal pretends to be a reputable company or organization and sends individuals an unsolicited email, social media post or instant message designed to trick the victim into revealing sensitive information or installing malicious software on their computer.

These emails could look like they’re from the government, social media sites, your financial institution, IT administrator, your provincial or territorial medical association, or your provincial college of physicians and surgeons.

The goal is to get you to click on a link, download malware or reveal sensitive information like usernames and passwords, account information or credit card details.

Tip: Ensure you always back up your files to an external source (either a physical device like a USB hard drive, or a cloud-based service). If your computer is breached and your files get encrypted/corrupted, you can simply buy a new computer and use the backed-up files. 

How do you spot a phishing attack?

The first line of defence is this: Never click on a link or download an attachment that you were not expecting, even if it appears to come from a legitimate source.

Here are two things you can do to identify a phishing attack:

Look at the sender’s email address: You can spot a fake sender email address by looking at the domain name (the part after @). Most companies use the same domain name for web addresses and emails — for example, www.md.ca and jane.doe@md.ca. Hover your mouse over the sender’s name to display the email address, and check whether the domain name is the same as the company’s.

Scrutinize the link in the email: The hyperlink might look harmless (e.g., “See your full statement”), but hover over it to display the URL — it might be a fake website.

Other red flags to watch for:

  • Typos and unprofessional design. Emails from legitimate companies and organizations are written, edited and proofread by professionals before they’re deployed.
  • Requests for urgent action. The email contains threats about restricting your access to accounts or some other major issue to create a sense of alarm or urgency. Contact the company directly if you’re concerned about your account.
  • Requests for account information. Any request to update your account information, including requests for financial information, should be deleted — even if it looks like it’s from your bank, investment company or the government.

What are some the top phishing subject lines?

Phishing subject lines tend to appear urgent, induce fear or appeal to your curiosity. Some of the most common lures include:

  • Change of password required immediately
  • Please see your invoice attached
  • Unusual sign-in activity
  • Your scanned document is ready
  • Urgent action required
  • Your package has shipped — shipping receipt attached

Subject lines may also reflect something current in the news, such as COVID-19, vaccines, vaccine passports, test results, etc.

What happens if you click on a phishing link?

If you click on a link or download an attachment from a phishing email, you may unwittingly install malware, which is malicious software that disrupts, damages or gives cybercriminals unauthorized access to a computer system. Through phishing attacks, hackers can steal your credentials, damage your computer and infiltrate the rest of the network.

What should you do if you’ve already clicked on a phishing link?

So you’ve opened the email and mindlessly clicked on the link or downloaded the attachment before realizing it was fraudulent. What next?

  • Immediately disconnect your device from the Internet to prevent the malware from infecting other devices on your network.
  • Scan your computer for malware or take it to a computer professional to be scanned.
  • Change your passwords on all your accounts and activate two-factor authentication wherever possible.   

To learn more about phishing, see the Canadian government’s site here: https://www.getcybersafe.gc.ca/en/phishing

The above information should not be construed as offering specific financial, investment, foreign or domestic taxation, legal, accounting or similar professional advice nor is it intended to replace the advice of independent tax, accounting or legal professionals.