Dangers of promoting emails on your website
Are you fully aware of the risks to both the surgery, the site and Patient Information by openly advertising the surgery email address on the site?
Remember, it is likely that that email addresses that you wish to promote could:
- Be used as the login for a clinical systems.
- Be used as the login for accessing submissions via the website. This includes Patient Identifiable Data/Special Category Data.
- Be used as the User Account which communicates submissions from the website.
- Contain Patient Identifiable Data/Special Category Data within the Folders, Sent Items, Inbox, Outbox etc.
- Be accessed from a device which is likely to have access to clinical systems
So this email can be the gateway to lots of Patient Identifiable Data/Special Category Data as well as key systems if a hacker has gained access to monitor a device.
And yes you can get infected without having admin permissions on your computer as hackers will install an extension into your browser.
What is "Email Address Harvesting"?
At the root of the evil in misusing people's emails is the act of email address harvesting. Malicious internet users, such as spammer and scammers, create simple programs that scour the Internet looking for anything that resembles an email address. These harvesting bots then "scrape" the email address from your website and report back to a database. Here, it's stored along with all the other addresses found.
One option is to hide the email behind a button, however the bots continue to get smarter and the email address will be harvested.
How your Email Address Might Be Used
Once your email address has innocently been included on your website and then scraped up and added to the database, it can be used in many ways. Spammers and scammers bulk send emails to their new lists containing spam offers, illegitimate products and so-called "phishing" scams, disguising themselves as a patient or supplier - asking you to open a document or insert your password into a form - and bingo you have virus installed or you have given access to PID.
And yes you can get infected without having admin permissions on your computer as hackers will install an extension into your browser.
The most common is a 'Keylogger' and does not need admin permissions to install as it is associated with your browser. This simply sends the hacker every action that you perform on your keyboard. Passwords and all!
Online security companies regularly report news stories where harvested e-mails are being used by hackers and scammers for profitable gains. They sell them to each other to use in different malicious campaigns.
How to Avoid Your Email Address Being Harvested
As you can see, the threat of email harvesting is very real which is why a number of jurisdictions around the globe have made it illegal in the first place. The methods used by spammers are become increasingly ingenious and automated. It's only a matter of time before one gets through to your computer or website and you're subjected to an attack that slips through the net.
It should come as no surprise that a contact web form is one of the best ways to make it easy for people to contact you via your site without exposing yourself to the risk of spam as they help prevent the automated robots deployed by hackers.
Hackers impersonating a patient.
Hackers find it easier to attack personal accounts, this means they have access to send an email to you from what appears to be a regular patient.
This is great news for the hackers, as not only have they discovered the email in the contact list for the surgery, they see all the private conversations between the surgery.
Also, the reception team are more likely to trust any email from a ‘patient’. The possibilities for constructing an attack become endless.
