How can aesthetic practitioners protect themselves from cyber-crime and scam emails?

Should aesthetic practitioners be worried about cyber-crime and scam emails?

Cyber-attacks are the third most likely risk facing the globe after extreme weather events and natural disasters, according to the World Economic Forum Global Risks Report 2018.
And it is not just big corporates or organisations like the NHS which are being targeted – whether you are a self-employed mobile practitioner or work for a large chain of clinics, you too are at risk. The National Cyber Security Centre (NCSC) says that around one in two SMEs will experience a cyber breach (with many more being on the receiving end of scam emails), and that for micro and small business, such a breach could run up costs of around £1,400 – significantly more than the average premium for most small business cyber insurance policies.

How are aesthetic practitioners most likely to be targeted by cyber-crime?

One of the most widespread forms of cyber-crime is scam emails. Stats compiled by the NCSC show that 4.5 million malicious emails were blocked each month on average in 2017 – or 54 million in total. So, how are aesthetic practitioners most likely to be targeted by scam emails?

What are the most common scam emails that aesthetic practitioners are likely to receive?

Scam emails can take numerous forms, but the most common ones that aesthetic practitioners may come up against are ‘phishing’ and ‘virus emails’.

What is ‘phishing’?

Phishing is a form of scam email in which the sender is pretending to be someone else. The phishing email is usually presented to look like it has come from a website that the recipient already uses, such as PayPal or their bank, and will ask the recipient to take some action, such as clicking on a link to update their security information. The link, however, leads to the scammer’s site rather than the authentic one (the visible link text can say one thing while the underlying address points somewhere else entirely), enabling the scammer to record the recipient’s login and personal details and subsequently use them for fraud, such as making online purchases or logging into the genuine account. It is important to remember that your bank will never email you asking for your password or other sensitive information, yet every day millions of people respond to phishing emails and become victims of this fraud.

What are ‘virus emails’?

‘Virus emails’ carry malicious software, for example spyware that monitors your keystrokes and records the details you type into websites such as your bank’s, or indeed into your customer database. Spyware can also take snapshots of your screen, copy your emails or harvest your passwords. It can be difficult to spot, as it is usually disguised as an attachment such as an invoice, a document or a ‘funny’ picture or video, and installs itself when the attachment is opened. For the scammer, spyware is a very effective means of obtaining personal information or patient data, particularly if the recipient forwards the email to other contacts, who in turn become infected when they open it.

As an aesthetic practitioner, a breach of your customers’ data could have serious financial implications if you or your clinic is fined, as well as damaging your or your clinic’s reputation. The high-profile case in October 2017 involving the hacking of a London cosmetic surgery clinic highlights the serious consequences a cyber-attack and data breach can have. Hackers were able to steal sensitive patient data, including photographs of body parts of clients. The Daily Beast, a US news site, said a hacking group calling itself The Dark Overlord had sent their reporter stolen photos of genitalia taken during surgery, using a surgery email address. They threatened to publicise the entire patient list with corresponding photos. “The world has never seen a medical dump of a plastic surgeon to such a degree,” the group said. The case is a chilling warning about the fragility of data today and an important reminder of the responsibility that aesthetic practitioners bear for their patients’ most sensitive information.

How can aesthetic practitioners protect themselves from cyber-crime and scam emails?

It is absolutely crucial to have anti-virus software installed and kept up to date on every device you use for work, and to install security updates for your operating system and applications promptly, so that a malicious attachment or link has less chance of succeeding. Use a different password for each login, so that a password stolen from one site cannot be reused to open your email, your bank or your patient records; a password manager makes this practical. A strong, unique password, combined with two-factor authentication on your email account wherever it is offered, is the best defence against email account takeover, because the mailbox is where password resets for every other service arrive.

Prevention is always better than cure when it comes to cyber-crime, and all staff need to be aware of the signs that may indicate a scam email or hacking attempt.

How can aesthetic practitioners check for the signs of cyber-crime and scam emails?

– Check the source address: a scam email often shows a familiar display name (‘PayPal’, your bank, a supplier) over an address that has nothing to do with that organisation. If in any doubt about an email you have received, click on or hover over the sender’s name to reveal the actual address and check that it belongs to the organisation’s own domain rather than a personal account (Hotmail or Yahoo, for example) or a look-alike domain with extra words or a different ending. Bear in mind that a correct-looking address is not proof on its own, since the ‘From’ field can be forged. If still in doubt, retrieve the organisation’s contact details from its official website (not from the email) and contact them to find out whether the email is genuine.

– Check the greeting: if it is impersonal this could be a sign that it is not from an authentic source. Greetings such as ‘hi’ or ‘dear valued customer’ should set alarm bells ringing. Think about how that sender would normally greet you before clicking any links or opening any attachments.

– Check contact information and dates: on a scammer’s email, the usual ‘contact us’ link may not actually work if you were to click on it, and it is common for scammers to embed links to websites which are not authentic. Hovering over a link (or pressing and holding it on a phone) shows where it really leads, and that destination, not the visible text, is what matters. You should not click on any links within an email unless you are absolutely sure it is genuine. Scammers often forget to update dates, for example the copyright year in the footer, to the current year, and again this can be an indication that the email has not come from an authentic source.

– Check the branding within the email: scammers are usually attempting to impersonate a genuine company and will often try to brand their fake emails accordingly. If you think the branding does not look quite right, for example the image quality is poor or the font or logo do not look genuine, visit the company’s website to make a comparison.

– Check the spelling and grammar: poor spelling and grammar are often an indication that the email is not authentic and has not undergone the checks a genuine company applies before sending. The reverse is not true, however: a well-written email can still be a scam, so treat good spelling as no evidence either way.

– Check the tone: scammers will attempt to persuade you to act quickly, using words like ‘official’, ‘urgent’ and ‘act now’ and promoting time-sensitive ‘offers’ designed to put pressure on you to sign up by clicking on a link. A genuine emailer will not adopt this tactic. Double check by logging into your account in a separate tab, typing the web address yourself or using a saved bookmark rather than following the emailed link, to see whether the time-limited offer is real.
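The checks above, together with the link trick described under ‘What is phishing?’, can be applied mechanically to a saved email. The script below is an added example; it is not part of this article and not NCSC, Action Fraud or Hamilton Fraser material. The two sample messages, the addresses and the domains in them are constructed for illustration, and the ‘expected domain’ argument is an assumption supplied by the caller for whichever organisation the email claims to come from.

```python
# Added example (not from the article): heuristic triage of a raw email that
# applies the checks listed above. Sample messages, addresses and domains are
# constructed; an empty result means no heuristic fired, not that the mail is safe.
import html
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com", "outlook.com"}
GREETING_RE = re.compile(r"\b(dear valued customer|dear customer|dear user|hello|hi)\s*[,!]")
URGENCY_WORDS = ("urgent", "act now", "official", "immediately", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, visible text)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
STRIP_TAGS_RE = re.compile(r"<[^>]+>")


def _host(url):
    """Lower-cased host of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host, domain):
    """True if host is domain or a subdomain of it; 'notpaypal.com' must not pass for 'paypal.com'."""
    return host == domain or host.endswith("." + domain)


def triage_email(raw, expected_domain):
    """Apply the checklist to a raw RFC 822 message and return a list of findings.
    expected_domain is the domain the claimed sender would genuinely use (assumed by the caller)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Source address: a free-mail domain, or an address not at the claimed organisation.
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if addr_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses a personal mail domain: {addr}")
    if addr_domain and not _belongs_to(addr_domain, expected_domain):
        findings.append(f"sender {addr} (shown as '{name}') is not at {expected_domain}")

    # Body text, preferring an HTML part so the real link targets can be examined.
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    parts.sort(key=lambda p: p.get_content_type() != "text/html")
    body = parts[0].get_payload(decode=True).decode(parts[0].get_content_charset() or "utf-8", "replace") if parts else ""
    text = html.unescape(STRIP_TAGS_RE.sub(" ", msg.get("Subject", "") + " " + body)).lower()

    # 2. Greeting: impersonal salutations.
    if m := GREETING_RE.search(text):
        findings.append(f"impersonal greeting: '{m.group(1)}'")

    # 3. Links: where they really go, and whether the visible text disagrees with the destination.
    links = ANCHOR_RE.findall(body) or [(u, u) for u in URL_RE.findall(body)]
    for href, anchor in links:
        anchor = STRIP_TAGS_RE.sub("", anchor).strip()
        target = _host(href)
        shown = _host(anchor) if re.match(r"(https?://|www\.)", anchor, re.I) else ""
        if target and not _belongs_to(target, expected_domain):
            findings.append(f"link goes to {target}, not {expected_domain}")
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")

    # 4. Tone: pressure to act immediately.
    if hits := [w for w in URGENCY_WORDS if w in text]:
        findings.append("pressure language: " + ", ".join(hits))

    # 5. Dates: a copyright year the scammer never updated.
    for year in re.findall(r"(?:copyright|©)\s*(\d{4})", text):
        if int(year) < date.today().year - 1:
            findings.append(f"copyright year {year} is stale")
    return findings


# Constructed sample: a phishing message impersonating PayPal (addresses and domains made up).
SAMPLE_PHISH = """\
From: "PayPal Security" <security-team@hotmail.com>
Subject: URGENT: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer,</p>
<p>Your account has been suspended. Act now:
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p>&copy; 2015 PayPal</p>
</body></html>
"""

# Constructed sample: a routine message from a hypothetical software supplier.
SAMPLE_LEGIT = """\
From: "ClinicSoft Support" <support@clinicsoft.example>
Subject: Your March invoice
Content-Type: text/plain; charset=utf-8

Hi Dr Jones,
Your March invoice is ready at https://clinicsoft.example/billing - thanks, ClinicSoft.
"""
```

Run `triage_email(open("suspicious.eml").read(), "paypal.com")` on a message saved from your mail client, passing the domain of the organisation it claims to be from; on the constructed phishing sample every one of the five checks fires, while the routine supplier message produces no findings. An empty list means only that none of these heuristics matched; it does not replace phoning the organisation on a number taken from its own website.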

What should you do if you identify a scam email?

Remember, emails promoting offers that seem too good to be true, or that otherwise look wrong, probably are wrong. If in doubt, do not open the email, reply to it, click on any links or open any attachments. And NEVER give out your bank details or update passwords using a link you have been sent by email. Report a scam email to Action Fraud directly via their website, attaching a copy of the email. Action Fraud will not respond to you, but they will investigate the email. Once reported you should delete the email and, where your email system allows, block the sender’s address. Make sure that all staff are aware of the process.

The National Cyber Security Centre website contains more detailed information on how to defend your organisation against malicious emails that use social engineering techniques.

What should you do if you fall for scam emails?

Speed is critical when responding to a data breach, but there needs to be a balance between responding quickly and responding effectively. If you fall victim to a hacking attempt, contact your IT or systems service provider straight away, and in the meantime stop using the affected account or device: change the password from a different, clean device and note down what happened and when, since that record will be needed later. If you have a cyber liability policy in place, this will assist with the associated costs. Under the GDPR you have a duty to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach of personal data that is likely to put your patients at risk, and to inform the affected patients themselves without undue delay where the breach is likely to put them at high risk.

A cyber and data liability policy will assist you in getting back up and running as soon as possible, by investigating where the breach came from in the first instance, dealing with the fallout from your patients and assisting with the financial costs incurred. To find out more about Hamilton Fraser Cosmetic Insurance’s cyber liability insurance visit our website here. To speak to one of our advisers call us on 0800 63 43 881 or you can email us at
