Cybercriminals looking for a financial “facelift” are targeting plastic surgery practices and patients.

A report released a few hours ago indicates that plastic surgeons' offices and their patients are major targets for malicious actors who intend to harvest personally identifiable information (PII).

In a recent FBI alert (Alert Number: I-101723-PSA), threat actors were identified breaking into plastic surgeons' offices in search of sensitive medical records and intimate photographs of patients.

The FBI stated that:

“Once successful, cybercriminals use social engineering techniques to enhance the collected data and extort individuals for cryptocurrency.”

FBI: (Alert Number: I-101723-PSA). Image source: FBI

Analyzing the situation, the FBI classified this cyberattack as a scam consisting of three phases.

The first phase is data harvesting. The bad actors use spoofing techniques to conceal their phone numbers and email addresses, then launch a phishing attack that delivers hidden malware to the targeted plastic surgeon's office. Once the malware has infected a device belonging to the practice, the malicious actors proceed to harvest electronic protected health information (ePHI).

The second phase is data enhancement. Using open source intelligence tools and social engineering techniques, the threat actor enriches the ePHI belonging to the compromised surgeon's patients and then moves to the next step: extortion.

In the third phase, the cybercriminal uses various channels such as social media accounts, email, SMS and other messaging applications to contact both the surgeon and the patients. Using social engineering, the actor applies urgency and pressure on the surgeon and the patient, stating that if the demands are not met, the stolen information will be shared with the victim's friends, family and colleagues (patient and surgeon alike). If the demands are met, the actor claims the ePHI will be deleted.

To help the public protect themselves, the FBI issued the following mitigation measures.

  • Review the privacy settings of your social media accounts and limit who can see the information you post.
  • Check your friends lists to make sure you know everyone on them, accept friend requests only from people you know, and enable two-factor authentication.
  • Use complex passwords to secure email, social media, financial and bill-payment accounts, and use a password manager to help store and remember them.
  • Monitor your bank account statements and credit reports, and immediately contact the appropriate authority as soon as suspicious activity is discovered.

The FBI also asked the public to report any fraudulent activity immediately. Reports should include the name of the person who made contact, the method of communication (e.g. website, email, telephone) and the method by which any financial transaction with the threat actor was carried out (e.g. wallet address, bank account number).

Please let us know in the comments section what you think.
