January 2, 2019
Welcome to the 2nd installment in our series on Cybersecurity. I’m your blog host and physician practice technologist, Michael Patrick. In our first blog in this series we covered social engineering… how to keep your practice safe from smooth talkers trying to talk their way into sensitive areas of your practice. Today our topic is phishing which is like the digital version of social engineering.
Phishing attacks combine social engineering and forgery to influence victims. The attacker’s immediate goal is to obtain personal information or to get users to carry out some action. Ultimately, they are trying to infiltrate an organization to gain access to network resources or sensitive data, or to carry out other nefarious plans. Unfortunately, these attacks are becoming increasingly common. According to a report by Wombat Security, 76% of organizations reported some form of attempted phishing attack in 2017.
Attacks generally happen via email (although text message, telephone, and social media attacks also occur) and attempt to influence the victim into revealing usernames and/or passwords for a variety of resources. All of these are predicated on the victim taking action on an email they received. Forgery comes in because the communications appear to be from a legitimate source; since the real goal is stealing the user’s information, clearly this is not the case.
Phishing attacks come in essentially two forms. The first is malicious attachments. These attachments either install ransomware (or other malware) onto the device or direct the user to what they think is a legitimate website, where they divulge login credentials. In this case the recipient downloads and opens the attachment, and the attack has begun. In the second form of attack, the victims are directed via a link to a website where they are asked to enter their username and password for some service (email, online banking, etc.), or some other information. Once the recipient has entered their information, some form of error message typically appears, leading the user to think nothing has happened. In fact, the sensitive information has already been sent to the attacker.
Every IT professional imaginable would be thrilled to hear of a tool that eliminates these types of attack. I’ve got some bad news for you – it’s not possible. With an overwhelming majority of organizations reporting attempted phishing, it is critical to understand proper responses to these types of attacks. When this happens, how will your organization respond?
Here are 4 strategies your organization can use to prevent being a victim of phishing:
A few details can help derail a phishing attack before it has a chance to get off the ground. When you receive an email from an unfamiliar sender, use caution. Don’t assume authenticity because you are stressed and have an inbox full of items that require action. Hover over the email address, not just the display name. The source of the email should match the organization the sender is claiming to be with. For example, if a message appears to come from Bank of America, but actually comes from a yahoo.com email address, it is not legitimate. If they don’t match, don’t open the email!
Always check a link in an untrusted email before clicking on it. The first step is to hover over the link without clicking it. Does it lead where it is supposed to? Although the text of the link may appear to point to a legitimate site, the real destination will appear in a box at the bottom of your browser window. If they don’t match, don’t follow the link.
Before you download an attachment, stop and ask yourself, “Should this email have an attachment?” If, in the context of the conversation, or previous communications with the sender, attachments are unusual, be very suspicious. This may even require contacting the sender via alternative methods to verify whether they really sent the attachment.
Other indications that a message may be a phishing attempt include urgent or threatening language, such as “Act now before your account is suspended.” Poor spelling and grammar, and generic salutations such as “valued customer” instead of your name, are also common signs. Remember, very few legitimate organizations will ask for any sort of personal information by email, so any such request is likely to be a phishing attempt.
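The checks above (display name versus actual sender address, link text versus real destination, urgent wording, generic salutations) can be automated for triage. The script below is an added example, not part of the original post: it runs those four heuristics over a constructed sample message using only the Python standard library. The sender and link domains in the sample are made up (the .example TLD is reserved) and the keyword lists are assumptions chosen to match the post's wording.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("act now", "suspended", "immediately")   # pressure phrases (assumed list)
GENERIC = ("valued customer", "dear customer")       # impersonal greetings (assumed list)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message (not a real phish); .example is a reserved TLD.
SAMPLE = """\
From: Bank of America <alerts@yahoo.com>
To: frontdesk@clinic.example
Subject: Act now before your account is suspended
Content-Type: text/html

<html><body><p>Dear valued customer,</p>
<p>Please verify your login at
<a href="http://bofa-verify.example/login">https://www.bankofamerica.com/login</a></p>
</body></html>
"""

def host_of(url_or_domain):
    # Last two labels of the host, so www.bankofamerica.com -> bankofamerica.com
    s = url_or_domain if "://" in url_or_domain else "//" + url_or_domain
    return ".".join((urlparse(s).hostname or "").lower().split(".")[-2:])

def phishing_indicators(raw_message):
    """Return the warning signs found in one raw message, as a list of strings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # 1. Display name versus the address the mail actually came from.
    name, addr = parseaddr(msg["From"] or "")
    sender_domain = host_of(addr)
    if name and sender_domain.split(".")[0] not in name.lower().replace(" ", ""):
        flags.append(f"display name '{name}' but sender domain is {sender_domain}")
    # 2. Link text that names one site while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if "." in text and " " not in text and host_of(text) != host_of(href):
            flags.append(f"link text says {host_of(text)} but goes to {host_of(href)}")
    # 3. Urgency and generic salutation anywhere in subject or body.
    lowered = ((msg["Subject"] or "") + " " + html).lower()
    if any(p in lowered for p in URGENCY):
        flags.append("urgent or threatening language")
    if any(p in lowered for p in GENERIC):
        flags.append("generic salutation")
    return flags
```

Running `phishing_indicators(SAMPLE)` returns all four warnings for the sample; a message whose display name, sender domain and link targets agree produces an empty list.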
Phishing messages can come from trusted sources too, typically after a phishing attack has compromised their email account. If anything about a message seems out of the ordinary, alert your IT department. If you’re sure it’s a phishing attempt, delete the email. If someone in your organization has clicked a link in a suspected phishing message (and especially if they have entered any information), they should immediately change their password and notify their IT department.
In the end, the best prevention for phishing attacks and in-person social engineering scams is educating your staff on the tools and strategies they can use to recognize fraudulent communications. Exercising caution and a healthy amount of skepticism will keep your organization safe.
Many practices could use a little more help in the IT department. We’d love to help you out with all your IT needs. Feel free to email me @ firstname.lastname@example.org. Again, I’m Michael Patrick, your physician practice technologist. Stay on the lookout for our final blog in the series on Disaster Recovery… what to do when it all goes wrong. Until then, like, share and/or comment on this post!