Doctors Targeted By Spearphishing Scam

Scammers are relentless. It's easy to see why when you consider the size of the playground they have to work with and scores of potential victims. The internet gives them almost instant access to millions of people and their computers.

And they're wily, too. A special type of scamming technique shows just how clever they can be - and how careful you have to be.


Spearphishing is a special technique used by scammers to get personal information from specific people, like doctors and other professionals, or customers of a particular bank or business. It's very similar to "phishing." Usually, phishing is when scammers send out an email to millions of people randomly and try to get the recipients to divulge personal information. Computer passwords, bank account numbers, and social security numbers are good examples.

Spearphishing has the same goal: To get personal information that can be used or sold. Spearphishing is a bit more sophisticated than regular phishing, though. Instead of sending emails to millions of people, spearphishing targets specific types of people, such as the employees of a specific bank or business. Even doctors.

Doctors Aren't Immune

Not long ago, a physician and faculty member at a university medical center got an email from, he thought, the medical center's information technology (IT) department. The email asked for his computer login information as part of an "upgrade" to the center's computer. He sent the information as requested.

The information didn't go to the IT people, though. It went to a scammer, who not only gained access to the doctor's personal information on that computer, but also the personal information of hundreds of his patients. A goldmine of information for identity thieves.

Anyone or any organization dealing with customers, clients, or patients is a potential target. The scammers want the wealth of information in your computer files: Customer names, addresses, credit card numbers, etc.

Varied Tactics

The email message asking for personal information is by far the most common form of spearphishing and phishing. There are other methods, such as:

  • An email containing a hyperlink or web site address directing you to enter information there. The address is fake, of course, and is used to collect, store, and distribute the victims' personal information all over the internet
  • An attachment in the email (or a hyperlink) that, once opened by the email recipient, releases a virus on your computer that collects or even destroys your information. Or, the file downloads software to your computer allowing the scammers to access your computer
  • The email asks you to call a "customer support" center where you're asked to give out passwords, user IDs, account numbers, etc., to avoid having an account "closed" or blocked for some reason

Know What To Do

There are all kinds of things you can do to protect your personal and business computers, such as:

  • Make sure your computers have a quality and up-to-date antivirus program
  • Don't open or respond to suspicious emails. If you don't recognize the sender, delete the message. Use the "spam filter" or "junk mail" feature on your email account to automatically delete unwanted emails
  • Don't open files or attachments sent via email unless you're 100% sure they came from a trusted person. Before you open a hyperlink, look at it carefully for little spelling mistakes that may indicate a hoax or fraud ( is NOT the same as
  • Instead of using a hyperlink in an email, use the web address stored in your favorites or bookmarks, or run a search on the internet to confirm the business' real address
  • Remember, legitimate businesses and companies rarely, if ever, ask for personal information via email
  • Make sure your employees know about spearphishing and phishing and follow these tips while using work-related computers

The internet saves time and helps everyone, especially businesses, be more efficient. It can also be a dangerous place to work and play. Take the time to make sure your personal information and that of your customers and clients is secure.

Questions For Your Attorney

  • Is there any way I can make sure my workers don't answer spearphishing emails?
  • Can my bank refuse to reimburse me for money taken from my business account by a scammer?
  • Can a patient sue me or my medical practice if scammers gain access to her information through a spearphishing attack? What if the breach happened because one of my staff ignored company policy about email use?