Posts Tagged phish

Phishing Emails: One Click and That’s It!

Many health care entities recognize that cybersecurity threats present a substantial risk to their organization. Moreover, the HIPAA Security Rule requires health care providers to develop and implement policies and procedures to ensure the confidentiality, integrity and availability of protected health information. However, while entities aim to secure health data, a recent study of health care organizations concludes that phishing attacks still remain a major threat in the health care setting.

What is Phishing?

Phishing occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant negative impact on a number of industries, including health care.

In March of 2019, JAMA released the results of a study in which mock phishing emails were sent to employees of six U.S. hospitals over a period of almost seven years to measure how often employees of those organizations would click on them. Approximately 2.9 million mock emails were sent, categorized as office related, personal or information technology emails. Just under 422,000 of those mock emails were accessed. Those numbers mean roughly 1 in 7 of the mock phishing emails was opened, demonstrating how easily a health care entity’s information systems can be exposed to malware attacks.

An important finding in the study was that the more employees were exposed to mock phishing emails and educated on the consequences of exposure, the less likely they were to open subsequent phishing emails. Thus, employee training and awareness campaigns are essential to reducing the threat of exposure.

Reduce Your Organization’s Risk of Being a Victim of a Phishing Scheme

There are ways that entities can reduce their risk of becoming victims of phishing attacks, including but not limited to the following:

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of a malware attack.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Phishing Schemes Can Paralyze Your Medical Practice

“Phishing” occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant impact on the health care industry.

What Is “Spear Phishing”?

Spear phishing is a specific kind of phishing that customizes its attack to specific individuals. For instance, the perpetrator may study an individual’s social media profiles and send them an email that appears to be from a co-worker or organization that they belong to. Just as with normal phishing exercises, the goal is for the target individual to click on a fraudulent link or attachment that will either provide the perpetrator with personal information or provide an opportunity to introduce malware into their computer system.

How Are Phishing Schemes Impacting Health Care Entities?

The threat that phishing activity poses to health care entities has steadily increased. Perpetrators are learning that the types of identifying information that health care entities obtain and maintain are exactly the identifiers they need to carry out a wide range of fraudulent activity, from filing false tax returns to credit card fraud. These identifiers include data that health care professionals work with daily, like dates of birth, social security numbers and health plan information.

When health care professionals fall victim to these phishing schemes, it can threaten their entire organization. With the widespread use of Electronic Medical Records (EMRs), compliance professionals are seeing ransomware attacks on the rise, and entity administrators are left scrambling to recover their vital data.

Reduce Your Risk

  • Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
  • Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
  • Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
  • Consider purchasing cyber insurance to protect your entity in the event of an attack.

Identify Phishing Activity

  • Often these fraudulent emails will have sender addresses or links that are subtly misspelled. For example, instead of customerservice@regionsbank.com, it may have customerservic@reggionsbank.com. Those variations are small and often overlooked.
  • Be careful about the information that you share on social media. Try not to post personal information like your address, phone number and birth date.
  • Be suspicious about sites that attempt to redirect you to other similar looking websites.
  • If you think an email looks suspicious, contact your supervisor or HIPAA Security Officer so that it can be investigated properly.
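As an added illustration of the misspelled-address check above (example code written for this page, not part of the original article), the following Python snippet flags sender domains that sit within a small edit distance of a domain the organization trusts. The trusted-domain list and the sample From headers are constructed for the example; a real deployment would draw the list from the entity's own vendor and partner inventory.

```python
import re

# Constructed for this example: domains the organization has decided to trust.
TRUSTED_DOMAINS = {"regionsbank.com", "paypal.com", "example-hospital.org"}

# Constructed sample From headers, as they might appear in a mail log.
SAMPLE_FROM_HEADERS = [
    "Regions Customer Service <customerservice@regionsbank.com>",
    "Regions Customer Service <customerservic@reggionsbank.com>",
    "Regions Alerts <alerts@regi0nsbank.com>",
    "Newsletter <news@unrelated-example.net>",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or a bare address."""
    match = re.search(r"<([^>]+)>", header)
    address = match.group(1) if match else header
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact match, 'lookalike' for a near miss
    (edit distance <= max_distance), otherwise 'unknown'."""
    domain = sender_domain(header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def flag_lookalikes(headers) -> list:
    """Triage helper: return (header, domain) pairs that impersonate a trusted domain."""
    return [(h, sender_domain(h)) for h in headers if classify_sender(h) == "lookalike"]


if __name__ == "__main__":
    for header, domain in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"LOOKALIKE  {domain:<22} {header}")
```

Exact matches pass and near misses are flagged for the HIPAA Security Officer to review; a domain that is neither is reported as unknown rather than trusted.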

Report Phishing Attempts

If you believe that you or someone that you know may have been the victim of a phishing attempt, there are a number of authorities that receive these reports and act to minimize their impact.

  • You may file a report with the Federal Trade Commission (FTC). Reports can be sent electronically at FTC.gov/complaint.
  • Reports can be made to APWG at reportphishing@apwg.org. This is an anti-phishing workgroup that analyzes and fights cybercrimes.
  • Always notify your IT support staff or your HIPAA Security Officer when you believe that you have received a fraudulent email so that they can investigate the email and take action to minimize the threat.

If you have questions regarding phishing and malware, or if you believe that it is time to update your entity’s policies and procedures, please consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.

Posted in: HIPAA

Cyber Security:  Five Common Phish Attack Schemes

Hackers only need you; that’s right, just you. They are sneaky and know the general population is busy and doesn’t pay close attention to the emails they receive. Hackers know people are comfortable in their daily habits. They exploit this behavior by creating email scenarios designed to encourage a click. They need just one person to click just one time to infect a computer with malware that grants them access to the information they need to launch a more sinister attack.

“Phishing attacks are by far the most common cyber attack today, and these attacks continue to get more and more sophisticated. Gone are the days of the ‘dear sir’ attack; now we have to worry if an email appearing to be directly from a co-worker is actually from them,” said Steven Hines, president of Threat Advice.

Because hackers are continually changing their tactics, clicking on a nefarious email or link leading to a cyber attack can happen to anyone. Recognizing the threat before it turns into a disaster is just one way we each can be more prepared. The following are five ways hackers are currently trying to access your business and personal information:

  1. Look but don’t click. If the email address or the attachment name seems “phishy,” it probably is. Are there spelling or grammatical mistakes? Companies with professional staff are not going to make these types of mistakes.
  2. Analyze the salutation and signature closely. Most legitimate businesses will use your name rather than a generic greeting like “Dear customer.” The business should provide ways to contact them in the signature. If that’s not provided, it could be a phishing attempt.
  3. Know your brands. Hackers will spoof your favorite brands and make their emails look enough like the actual brand to fool you. Is the logo color wrong? Are there additional words in the brand name? Did you sign up to receive emails from them? Don’t click any links before you examine the email to confirm the sender.
  4. Urgent or Threatening – No one likes a bully. A common phishing technique is to use harassing or threatening language in the subject line or email content, or to create a sense of urgency to handle a fake problem. Most legitimate banks, utilities/municipalities and businesses will not ask you to provide your private information via email, nor threaten you in an email.
  5. What grandma said…“If it’s too good to be true, it probably is!” Hackers will continue to send phishing emails promising riches and prosperity if you only send your social security and bank information. Why? Because unfortunately, people still take the bait.

Article contributed by Cobbs Allen. Cobbs Allen is an official Gold Partner with the Medical Association. For more information about cyber liability insurance and how it protects your business, contact Margaret Ann Pyburn.

Posted in: MVP

Four Types of Identity Fraud on the Upswing

If you thought that the promising (albeit modest) drop in the total dollars stolen by identity thieves in 2015 was a harbinger of things to come, think again.

According to the just released 2017 Identity Fraud Study from Javelin Research, the number of victims of this crime—in all its permutations—climbed to a record high of 15.4 million last year. And, despite the fact that the average amount per fraud went down, the total cost topped $16 billion, also an all-time high. What does that say about efforts to rein in identity thieves?

“We’ve gotten pretty good at closing the door once the horse has left the barn,” says Al Pascual, Javelin senior vice president and head of fraud and security. But we need work when it comes to “barring the door” to begin with.

The research, funded by LifeLock, also made clear that even if you don’t maintain a large online presence, taking steps to protect your identity is a smart move. Offline consumers are less likely to experience fraud, Pascual explains. But when it happens it’s worse, because it takes more time to detect. On the other hand, if you’re highly connected, your risk is much higher than average. But you’re also likely to detect—and shut down—attempts at fraud more quickly. How do you protect yourself? “If you’re not digitally inclined, sign up for a credit protection service,” Pascual says. “If you are, don’t use the same passwords even across retailers.”

The study, now in its 14th consecutive year, highlights a number of specific places identity fraud and theft are on the rise or particularly troubling. Here’s a look at what they are and how to protect yourself:

Card Not Present Fraud

What you need to know: Incidences of this type of fraud, where a thief uses your card number without having the actual card, rose 40 percent last year. Pascual expects those gains to continue. “We’ve gone digital because it’s convenient,” he says. “So have criminals.”

How to guard against it: If your credit card offers ways to obscure your payment details, take advantage of them, advises Dr. Stephen Coggeshall, Chief Analytics and Science Officer of ID Analytics. Some credit card issuers and fraud protection services will send you alerts if a charge is made and your card is not present. Enable that as well. And pay attention to your credit card statements, watching, in particular, for charges you don’t understand.

New Account Fraud

What you need to know: This form of fraud, where a thief steals enough of your identifying information to open an account in your name, is on the upswing. Incidents nearly doubled from 2014 to 2015, and this year showed “almost the same degree of growth,” Pascual said. Importantly, the new accounts being opened are not just at traditional lenders, but also at alternative ones, including payday lenders and peer-to-peer lenders. Those are tougher to track.

How to guard against it: Monitoring your credit, by either taking a very consistent look at your own reports or having a service do it for you, is the key here. One advantage of some services, notes Pascual, is that they look beyond the item on your credit reports to checking and savings accounts and alternative lenders. Also, it sounds run of the mill, but open every piece of mail you get from a financial institution—even those you don’t patronize. Often, you’ll receive notice when an account is opened in your name, giving you a chance to shut it down and alert the credit bureaus.

Account Takeover Fraud

What you need to know: This type of fraud is distinguished by the fact that a criminal is essentially trying to usurp control of a pre-existing account that you’ve set up. Signs that it might be happening include receiving change-of-password or change-of-address notices that aren’t prompted by your actions. “These cases result in the highest average loss amount, and sometimes a consumer can be stuck for more of the bill,” says Pascual, explaining that it can be difficult to prove that you didn’t take the actions involving your account, such as removing or spending funds.

How to guard against it: Don’t reuse passwords across sites—particularly across financial ones. Criminals will take the password list from one breach and try those passwords at every major bank across the country to see if they can be used. Tell your financial institutions you want multiple notifications—by both text and email—if actions are taken on your account. “The idea is to make it harder for communication to be severed between you and the institutions,” says Pascual. And if two-factor authentication is available for entry to any of your financial sites, use it.

Sophisticated Phishing

What you need to know: The phishers have gotten better at their game. “We’re used to seeing phishing with poor misspelling, bad grammar, and poor formatting,” says Coggeshall. Criminals have moved beyond that. Today, corporate emails are being spoofed and employees are being sent letters from the CEO or finance department that look legitimate. In some cases, hackers take the time to learn things about you specifically, then target you with a specially crafted phish.

How to guard against it: If someone contacts you that you’re not used to hearing from and asks for any sort of financial or identifying information, a bell should go off in your head. Don’t click on the email. Don’t give out information by phone or text. Instead, back away and—if you believe it might be real—initiate the communication yourself to figure out if the need is legitimate.

LifeLock is a partner with the Medical Association, and physician members receive discounted rates on LifeLock memberships.

Posted in: MVP
