In one of my past articles, I briefly mentioned phishing as a tool hackers use to gain access into organizations. Because of recent hacking events, I thought it would be wise to expound.
A recent phishing scam was sent to customers of JP Morgan Chase. An email impersonating the bank asked recipients to click on a link that (unbeknownst to the recipient) directed them to a fake bank website where they were asked to provide sensitive information.
Phishing has many different faces. Sometimes cybercriminals trick recipients into opening an attachment that loads harmful malware onto their system. Other times, they trick recipients into providing sensitive personal information (such as usernames and passwords) directly via bogus online forms.
The most successful phishing emails (because they look legitimate) appear as though they originated from reputable companies like BestBuy, Amazon, USPS, DHL, and PayPal, or JP Morgan Chase.
The scenario with JP Morgan Chase could just as easily have happened in your organization. All a hacker needs is motivation. Creating a fake email address and sending the email is the easy part.
What is their motivation in healthcare? Patient data, of course! The FBI recently warned that EHR charts sell for $50 apiece on the black market. If a hacker could create a phishing email convincing enough to be clicked on by you or one of your colleagues, that click may start a chain reaction of risk leading to a large-scale breach.
Here are some very tricky phishing scenarios I've seen in my own email.
- Your friend sends you an email, telling you he's in a foreign country and desperately needs money. (Your true friend's email contact list was probably hijacked.)
- An online retailer emails you to let you know an item you purchased online cannot be shipped to you because your credit card was expired, your billing address wasn't correct, etc. (If you click on the provided link, it takes you to a spoofed website and asks for updated payment/shipping information.)
- The IRS emails you to let you know you are eligible to receive a tax refund. It then requests that you submit a tax refund request or tax form. (The IRS would never require you to send your tax form via email.)
- Your bank is conducting a routine security procedure and requests that you verify your account by emailing them back with your information. (This scam is especially effective if you happen to be a customer of the particular bank portrayed in the email.)
- A trusted retailer says your computer has been infected! In order to avoid losing your data, you have to download an anti-virus attachment or follow a provided link. (Using the scare tactic, this email is especially potent after a large-scale hack.)
- An email stating that your EZPass (or similar) did not work at the tollbooth and you owe a toll. Please click here to pay your toll. (So many cities have toll roads now that it is easy to believe.)
It's often difficult to distinguish a fake email from a verified one; however, most have subtle "phishy" hints.
Here are some ways you can recognize a phishing email:
- Requesting sensitive information: Chances are if you receive an unsolicited email from an organization that provides a link and asks you to provide sensitive information, it's a scam.
- Odd domain emails: Don't just check the name of the person sending you the email. Check their email address by hovering your mouse over the "from" address. Make sure no alterations (like additional numbers or letters) have been made. For example: michelle@paypal.com vs. michelle@paypal2.com.
- Grammar errors: Possibly the easiest way to recognize a "scammy" email is bad grammar. An email from a legitimate organization will be well written.
- Unsolicited attachments: Typically, authentic institutions don't randomly send you attachments, but instead direct you to download documents or files on their own website. High-risk attachment file types include .exe, .scr, .pdf, and .zip.
- Links don't match URLs: Just because a link says it's going to send you to one place doesn't mean it's going to. If the link text isn't identical to the URL displayed as the cursor hovers over the link, that's a good sign you will be taken to a site you don't want to visit.
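Two of these tells, the altered sender domain and the mismatch between a link's visible text and its real destination, can be checked mechanically rather than by eye. The following is an added example and not code from the original article: a small Python checker that uses an assumed list of domains you do business with and a constructed sample message modeled on the bank lure above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains of organizations you actually do business with (assumed list for this example).
KNOWN_DOMAINS = {"paypal.com", "chase.com", "amazon.com"}

def sender_domain_warning(from_addr):
    """Flag a sender domain that embeds a known brand name but is not that brand's domain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_DOMAINS:
        return None
    base = domain.split(".")[0]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # e.g. paypal2.com or chase-secure1.com: the brand name plus extra characters
        if base != brand and brand in base:
            return f"sender domain {domain!r} resembles {known!r} but is not it"
    return None

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Return links whose visible text shows one host while the href actually goes to another."""
    parser = _LinkCollector()
    parser.feed(html_body)
    bad = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)  # only link text that itself looks like a URL
        if shown and shown.group(1).lower() != real_host:
            bad.append((href, text))
    return bad

# Constructed sample resembling the bank lure in the article; not a real message.
SAMPLE_FROM = "alerts@chase-secure1.com"
SAMPLE_HTML = '<a href="http://198.51.100.7/login">https://www.chase.com/verify</a>'
```

Link text such as "Click here" carries no host to compare, so that case is not flagged by this check; the hover-and-compare habit the article describes still applies there.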
If you receive a phishing email:
- Don't click on any links, open attachments, or expand any included pictures.
- Don't reply to the sender.
- Forward the e-mail to spam@uce.gov.
- Delete the email from your computer.
- If you do legitimate business with a company mentioned in the phishing email, call their nationally published telephone line (not the number listed in the email) and ask if they would like you to forward the email so they may take further action.
- If the email appears to originate from one of your credit card companies, call the telephone number on the back of your credit card (not the number listed in the email). Their customer service agent will be able to tell you whether or not the email was legitimate.
As part of your adherence to HIPAA, all workforce members should be trained periodically (I recommend quarterly and never longer than annually) on phishing. I recommend sending monthly memos or displaying a poster outlining the telltale signs of a phishing attempt. Maybe you can even distribute this article to all your staff members.
It doesn't matter if you have the most secure system in the world. It only takes one untrained or inattentive employee to be fooled by a phishing attack and give away the patient data you've worked so hard to protect.
Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. Reach him at tod@securitymetrics.com. To learn more about SecurityMetrics, visit www.securitymetrics.com