Iron Rod Security

Don't Click That Link: Email Phishing Targeting EMS Agencies for Payroll and Patient Data

Steven Carlson

A paramedic finishes a 24-hour shift and signs out. There is an email from HR marked urgent. Their direct deposit information needs to be updated before the next payroll run or their check will be delayed. The link looks right and the logo looks right. They click it, enter their credentials on the page that loads, and go home.

By Monday morning someone in Nigeria has already changed the routing number on their account. The agency will not find out until employees start asking why they did not get paid.

This happens to EMS agencies right now, and most of them are not ready for it.

How to Prevent Payroll Phishing in Fire Departments

Business email compromise is the most direct threat to agency finances. Attackers impersonate chiefs, HR directors, or finance officers and send emails that look completely legitimate. The ask is always urgent and always plausible, designed to bypass the recipient's caution.

The lures fall into a few predictable categories. Direct deposit changes supposedly needed before the next cycle. Invoices for equipment that look like they came from a trusted vendor. W-2 data requests during tax season. Each of these plays on the trust-based culture of public safety. In a firehouse, when a chief says jump, you ask how high. Attackers know this.

The fix is not complicated but it requires a policy change. Any request to change payroll or banking information must be verified through a phone call to a known number. This does not mean replying to the email or calling a number in the signature block. It means calling the person at their known extension. This one step stops most payroll phishing attacks.

Protecting ePCR Patient Data from Phishing Attacks

The payroll attacks are bad, but the patient data attacks are worse. ePCR systems are cloud-based for most agencies now, which means a compromised credential can expose thousands of patient records in a single session.

An email arrives that appears to be from the ePCR vendor or a state health department. It says the recipient's certification is about to expire or their account needs to be reauthenticated. There is a link to a login page that looks exactly like the real one. The paramedic or administrator enters their username and password, and the attacker now has valid credentials for the ePCR system.

Once inside, the attacker can export patient care reports containing names, dates of birth, social security numbers, clinical narratives, and insurance information. That data has a clear market value on dark web forums. It also gives the attacker an opening for ransomware, because the threat of leaking PHI is often more effective than encrypting files.

I have written before about the risks in EMS clinical data systems, and the same principles apply here. The ePCR system is not just software. It is a clinical tool. A compromised ePCR is as dangerous as a contaminated medication in a pharmacy.

Ransomware Risks for CAD Dispatch Systems

CAD systems are a third target, and they may be the most dangerous one to hit. If an attacker locks the dispatch center, the agency cannot route resources effectively. Every minute of downtime is a minute where a call goes unanswered or a unit goes to the wrong location.

The attack vector is usually the same. An email impersonating IT support or the CAD vendor warns of a critical system update and includes a link or attachment. The staff member, afraid of causing a dispatch outage, clicks without thinking. The ransomware deploys, and the CAD system goes dark.

These attacks succeed because they exploit the operational pressure EMS staff work under. A paramedic working a double shift is not going to scrutinize a sender address carefully when the email says the CAD system will go down in an hour. The urgency is manufactured, but it works.

Identifying Phishing Emails Targeting Public Safety Agencies

The warning signs are consistent across all three attack types. The sender address has a subtle misspelling. The message creates artificial urgency and pressures the recipient to act without thinking. The email asks the recipient to log in through a link rather than directing them to visit the site directly.
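The first two warning signs above (a near-miss sender domain and a login link whose visible text does not match where it actually points) can be checked mechanically before a message reaches a paramedic. The following is an added example, not code from the original post or from Iron Rod Security: it screens a From header against an assumed allowlist of domains the agency trusts, normalizes common character substitutions, uses edit distance to catch one- or two-character misspellings, and flags anchors whose displayed URL names a different host than the real target. The domains, allowlist and sample headers are constructed placeholders.

```python
"""Screen inbound mail for lookalike sender domains and mismatched login links.

Added example with constructed placeholder domains; TRUSTED_DOMAINS is an
assumed allowlist an agency would maintain for its payroll provider, ePCR
vendor and CAD vendor, not any real vendor's domain.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains the agency legitimately receives mail from.
TRUSTED_DOMAINS = {"example-ems.org", "epcr-vendor.example", "cad-vendor.example"}

# Digits attackers commonly swap in for letters, mapped back to the letter.
_CONFUSABLES = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Lowercase a domain and undo common look-alike substitutions (0->o, 1->l, rn->m)."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; small values between two domains mean a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a From header."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "unknown"
    # Exact match or a genuine subdomain of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Trusted name embedded in an unrelated domain (example-ems.org.evil.example,
        # support-example-ems.org) or within two edits of it after normalization.
        if trusted in domain or levenshtein(norm, normalize(trusted)) <= 2:
            return f"lookalike:{trusted}"
    return "unknown"


def link_mismatch(anchor_text: str, href: str) -> bool:
    """True when the link text shows a URL whose host differs from the href target."""
    shown_url = anchor_text if "://" in anchor_text else "https://" + anchor_text
    shown = urlparse(shown_url).hostname
    target = urlparse(href).hostname
    if not shown or not target or "." not in shown:
        return False  # plain words like "Click here" are not a displayed URL
    return shown.lower() != target.lower()


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    for sample in ["HR <hr@example-ems.org>",
                   "HR <payroll@examp1e-ems.org>",
                   "Support <noreply@epcr-vend0r.example>",
                   "Alerts <alerts@state-health.example>"]:
        print(f"{sample:45} -> {classify_sender(sample)}")
    print(link_mismatch("https://epcr-vendor.example/login",
                        "https://epcr-vend0r.example/login"))
```

Run as a gateway rule, a `lookalike:` result is a reason to quarantine or tag the message, not to block outright; a threshold of two edits will also catch legitimate neighbours of short domain names, so review the hits before enforcing.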

Training your staff to spot these signs is the first line of defense. But training alone is not enough. You also need technical controls.

Deploy phishing-resistant multi-factor authentication across all systems that handle payroll, patient data, or dispatch operations. FIDO2 hardware keys are the gold standard here. SMS codes and app-based push approvals can be relayed in real time by adversary-in-the-middle phishing kits, but a FIDO2 key binds the login to the genuine site's origin, so a proxied look-alike login page cannot complete it.

Configure SPF, DKIM, and DMARC records for your domain to prevent attackers from spoofing your agency's email addresses. Many agencies skip this step, and it is the single most effective technical control for preventing impersonation emails from reaching inboxes.
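Publishing the records is only half the job; a record with a permissive policy still lets spoofed mail through. The following is an added example, not code from the original post or from Iron Rod Security, that parses an SPF record and a DMARC record and reports the weak settings a spoofer benefits from (`~all`, `p=none`, a partial `pct`, no reporting address) next to the corrected form. The records are constructed for a hypothetical agency domain; to check your own, fetch the `TXT` record for the domain and for `_dmarc.<domain>` and pass the strings in.

```python
"""Assess SPF and DMARC TXT records for settings that permit spoofing.

Added example with constructed records for a hypothetical agency domain.
DKIM is not assessed here because its record only carries a public key; the
DMARC alignment tags (adkim/aspf) are where its strictness is configured.
"""
from typing import Dict, List

# Constructed sample records: the weak form beside the corrected form.
WEAK_SPF = "v=spf1 include:_spf.example-mail.com ~all"
STRONG_SPF = "v=spf1 include:_spf.example-mail.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-ems.org; adkim=s; aspf=s"

# SPF mechanisms/modifiers that each cost one of the ten permitted DNS lookups.
_LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    """Return a list of findings; an empty list means the record is strict."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record is missing or does not start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every sender, so spoofed mail passes SPF")
    elif last == "~all":
        findings.append("SPF: '~all' (softfail) marks spoofed mail suspicious instead of failing it; use '-all'")
    elif last == "?all":
        findings.append("SPF: '?all' (neutral) gives no protection; use '-all'")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism; add '-all'")
    mechanisms = [t.lower().lstrip("+-~?") for t in terms[1:]]
    lookups = sum(1 for m in mechanisms if m.split(":")[0].split("=")[0] in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; receivers will permerror")
    return findings


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means spoofed mail will be rejected."""
    findings: List[str] = []
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record is missing or malformed"]
    policy = tags.get("p")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam; p=reject blocks it")
    elif policy != "reject":
        findings.append("DMARC: p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_spf(spf) + assess_dmarc(dmarc) or ["no findings"])
```

Move from `p=none` to `p=reject` in stages: publish with `p=none` and a `rua=` address first, read the aggregate reports to find every legitimate sender (payroll provider, ePCR vendor, county mail relay) that is not yet authorized, fix those, then raise the policy.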

Use email filtering tools that scan links and attachments in a sandbox before delivering them to the user. These tools catch phishing emails that would otherwise pass a basic spam filter.

Require out-of-band verification for any request involving money, credentials, or system access. If the email says to call a number, do not call that number. Look up the person's official contact information and call that.

Establish an incident response plan for compromised clinical systems. When an ePCR or CAD system is hit, it is not an IT problem. It is a patient safety problem. The response needs clinical leadership, not just the IT team.

Frequently Asked Questions

Why do scammers specifically target EMS and fire agency payroll?

These agencies have centralized payroll systems with government funding behind them, and they operate on a culture of trust and obedience to authority. Attackers use urgent requests that exploit the reluctance of staff to question a directive from a chief or HR representative.

How can we tell if an email from our ePCR vendor is real?

Check the sender's actual email address for subtle misspellings or wrong domains. Never click a login link in an email. Go directly to the vendor's website from a bookmark or type the URL yourself.

Is MFA enough to stop all phishing attacks?

MFA reduces the risk significantly, but SMS and app-based codes can be intercepted by adversary-in-the-middle attacks. For high-risk accounts like payroll administrators and system admins, FIDO2 hardware keys provide the strongest protection.

What should an employee do after clicking a phishing link?

Change the password for that account and any other accounts using the same password immediately. Notify the IT or security officer right away. Monitor the account for unauthorized activity. Rapid reporting is the only way to limit data loss.

Closing

A 15-minute security training session costs almost nothing. A HIPAA breach involving 10,000 patient records starts at half a million dollars and goes up from there. The cost of a ransomware attack that locks your CAD system for a day is measured in lives, not dollars. The phishing emails are coming. The question is whether your agency will be ready when they arrive.

-- Steven

Need help with your agency’s cybersecurity? Get in touch
