
Phishing Attacks – How to Protect & Prepare

This is the first post in a new cybersecurity series focusing on ways to protect your organization’s data from unauthorized access and to safeguard your personal ePHI.

In life there are very few events that feel more personally invasive than being robbed. Whether it is a break-in, a stolen purse or wallet, or a hacked email account, the victim is frequently left with a feeling of distrust and humiliation. Typically, while replaying the events surrounding the robbery, the victim will realize the security oversight that left them vulnerable: “If I had done X or Y to safeguard myself or my property, would this have happened?!”

In the remainder of this post we will review the “how to’s” of the very relevant and ongoing threat of phishing attacks. By definition, phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Modern phishing attacks pose a serious risk to your online security, both in the workplace and at home. As these professional scam artists become increasingly savvy and sophisticated, it is important for all consumers to understand their risks and vulnerabilities.

To provide a real-life phishing example, view the email below. If you received this in your inbox, would you open it and follow the instructions? The hook is American Express and the bait is the HTM attachment; later in this post we will highlight many of the tell-tale signs this sloppy scammer included in their attempt to fool the recipient.

How To – Protect Yourself

Much like the saying “The best defense is a good offense,” learning and adopting strong safety techniques is a smart decision for everyone. A great first step in building your security posture is installing a proper firewall with content filtering enabled. Typically, by paying an annual subscription fee to your firewall manufacturer, you will receive protections that help block phishing attacks and reduce the risk of downloadable malware. However, no matter how secure the firewall, it only takes one untrained employee to compromise previously secured data.

So, what are the tell-tale signs that an email is fraudulent or falls under the phishing category? Ranging from elementary to the most sophisticated, here’s a list of what to look out for when checking your inbox:

  • Spelling or Grammatical Mistakes
  • Sender’s Email Domain Does Not Match the Name of Their Organization
    • For example: email@domain.com <- the domain name is domain.com.
    • Frequently the displayed name is forged to look legitimate (e.g. using a mainstream consumer brand like Amazon, American Express, Visa, FedEx, USPS, etc.). The goal is to receive replies from anyone who clicks the reply button, in hopes of fooling the victim into using their form.
    • TIP: Click on the sender’s email address to expand their actual domain name. If the domain name matches, that is a further indication the email address is real. If it is way off, then it is obviously a phishing/spam email and should be deleted and reported to your internal HIPAA Compliance Officer or IT Department with a visible warning NOT TO OPEN.
  • Salutation Is a Generic Term Instead of Your Actual Name
    • Fake examples include: Dear Sir/Madam, Hello, Friend, Member, Patient, etc.
  • Asking for Existing Login Credentials
    • Companies and people typically send attachments in emails. If the sender is sending a legitimate secure email, they would NEVER ask for any existing login credentials; rather, they would ask you to create a new account and password.
    • TIP: Use a secure password vault like KeePass or LastPass to store unique passwords for all your sites (banking, work, personal apps like Facebook, etc.). This allows users to use a different password for each site, unique to each login.
  • Legitimate Companies Will Not Send an Email Asking You to Change Your Password and Will Never Request Sensitive Information Via Email
    • Ever notice that we are made aware of password changes AFTER logging into a system? Passwords are always changed once you are logged in. If anyone sends you a notice to change your password, BE SUSPICIOUS.
  • The “From” Field Shows Someone You Know
    • Go beyond the “From” field and examine the entire email before taking any action! Some hackers will download all the email addresses in a previous victim’s mailbox and harvest their contacts. In this especially sophisticated approach, the recipient has a greater likelihood of being fooled, as the email appears to come from a known contact.
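To show how several of the signs above can be checked mechanically before a person ever opens the message, here is an added example (not code from the original post or from HIPAA One) that parses a raw email with Python’s standard library and reports the tell-tale signs it finds: a display name that claims a brand while the real sender domain is something else, a Reply-To pointing at a different domain, a generic salutation, a request for existing credentials, and an HTM/HTML attachment. Both sample messages and the brand-to-domain allow-list (`KNOWN_BRAND_DOMAINS`) are constructed placeholders; you would replace the list with the sending domains you have actually verified for each brand. Spelling-mistake detection is left out because it needs a dictionary.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the American Express lure the post
# describes (illustrative values only; not the email shown on the page).
SAMPLE_PHISH = """\
From: "American Express" <alerts@amexsecure-notice.example>
Reply-To: collect@freemail.example
To: victim@example.org
Subject: Action Reqiured: Verify you're account
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Dear Member,

Please open the attachment and confirm your username and password.
--XX
Content-Type: text/html; name="Verify.htm"
Content-Disposition: attachment; filename="Verify.htm"

<html></html>
--XX--
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.org>
To: alex@example.org
Subject: Lunch on Thursday
Content-Type: text/plain

Hi Alex,

Are you free for lunch on Thursday?
"""

# Assumed brand-to-domain allow-list. These entries are placeholders to be
# replaced with the sending domains you have verified for each brand.
KNOWN_BRAND_DOMAINS = {
    "american express": ("americanexpress.com",),
    "amazon": ("amazon.com",),
    "fedex": ("fedex.com",),
}

GENERIC_SALUTATION = re.compile(
    r"^\s*(dear\s+(sir|madam|sir/madam|member|patient|customer|friend)"
    r"|hello\s*,?\s*friend)\b", re.IGNORECASE)
CREDENTIAL_WORDS = ("password", "username", "login credentials")
RISKY_ATTACHMENT_EXT = (".htm", ".html")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return the tell-tale signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(from_addr)

    # Sign: display name claims a known brand, but the real address is not
    # on that brand's domain (or a subdomain of it).
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and not any(
                from_domain == d or from_domain.endswith("." + d) for d in domains):
            findings.append(
                f"display name '{display_name}' but sender domain is '{from_domain}'")

    # Sign: replies are routed to a different domain than the sender's
    # (the reply-button trick the post describes).
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from sender")

    # Sign: generic salutation instead of the recipient's name.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if GENERIC_SALUTATION.match(body):
        findings.append("generic salutation")

    # Sign: the message asks for existing credentials.
    if any(word in body.lower() for word in CREDENTIAL_WORDS):
        findings.append("asks for login credentials")

    # Sign: HTM/HTML attachment, the bait used in the post's example.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"HTML attachment '{name}'")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run against the constructed lure the function reports all five signs; against the benign note it reports none. A mail gateway or help-desk triage script can use the same checks to attach a visible warning banner before the message reaches the user, which is exactly the “DO NOT OPEN” flag the tip above recommends.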

This is the same email shown above with some of the fraudulent signs called out:

How To – Avoid Falling Victim

  • Turn Off Unused Email Services
    • Phishing attacks typically use IMAP or POP3 to run scripts that quickly enumerate contacts and copy data. The technical term scripting refers to a series of commands you send to another computer.
    • To turn off unused email services, first download all emails (including subfolders) using IMAP (an email protocol). View the image below for an example of how to disable send/receive on an Office 365 Exchange server.
  • Complete Your HIPAA Security Risk Analysis with HIPAA One
    • Know where the holes in your boat are located, in other words – prepare for an attack instead of scrambling during an attack. Preparedness could be the difference between having to report a breach or not.
    • If your organization receives an audit notice following compromised records from a phishing attack, a Risk Analysis will be the first thing requested.
  • Turn On Email, File and ePHI Data-Logging
    • Verify file and email access logging is turned on so in the event of a phishing attack, your organization can quantitatively determine if ePHI was breached.
  • Always Be Skeptical When Receiving Emails
    • Take extra time and look for the signs listed above. It is unfortunate but true that we must stay vigilant and err on the side of caution. Phishing is an evolving trend that is not going away.
  • A Well-Trained Workforce
    • All new-employee and annual training should include cybersecurity best practices and provide direction on how to spot email attacks. Make employees aware of HR’s Sanction Policy and of incident reporting procedures should someone click on a phishing email.
    • TIP – Designate someone within your organization to forward “DO NOT OPEN” emails when necessary and explain to employees why the email is fraudulent. Additionally, hold meetings, put posters up in break rooms and remind people repeatedly to be suspicious and careful.
    • TIP – Launch periodic simulated phishing attacks. Any valid online training program will include the option to simulate these attacks, where those who fall for them are required to take cybersecurity training (this should follow your HR Sanction Policy).

Additional questions about phishing attacks, or want to speak with us about starting a HIPAA Security Risk Analysis? Please get in touch. We’d love to start the conversation.
