Phishing is a method that entices you to give up your personal or financial information to people or organizations masquerading as a legitimate source.  The bait is a request that appears to come from a source you are familiar with but is in fact a replica or a phony.  Phishing attacks may target your personal accounts, or they may involve your medical organization.  In either case, knowing how to recognize them and not take the bait is the key to preventing a successful phishing attack.

Phishing attacks try to obtain valuable information from you such as your:

  • Credit card number
  • Bank account number
  • Social security number
  • Online account logins and passwords

The pilfered information is used to steal your money or, in the case of your organization, to carry out identity theft or introduce malware into your information systems.

Phishing attacks are carried out primarily in two ways.  First, attackers send phishing e-mails which look very similar to what you normally see in your daily e-mail.  Second, attackers use links to websites that imitate the organizations, companies, and/or banks that you visit frequently.  Phishing e-mails and websites have the following characteristics:

  • They all ask you to provide personal information. Most legitimate organizations, including all banks, will not ask you to provide personal information, whether it be your credit card number or your login password.
  • There is usually a sense of urgency. Phishing e-mails request immediate action, and they use this technique to get you to bite quickly.  It is the same technique you see in TV ads whereby “acting right now” gets you a discount or a second item at half price.  Or the e-mail will be emotional and pull at your “heart strings” in order to entice you to act.
  • Most phishing emails have a generic “hello” for the greeting. The e-mail does not use your name since it is the same phishing e-mail sent to millions.
  • The e-mails may contain attachments, which are most likely malware. The moment you open one, you invite malicious code into your system, which can begin to destroy or copy your hard drive and its contents.
  • The e-mails may also contain a phony link to a phony website. The link is masked so what you see looks correct, but the actual hyperlink is set up to go to the phony site. Hover your mouse over the link to see what is truly behind it.
  • Many times, the e-mails contain poor grammar. Remember, hackers come at all levels with some that are very good at what they do, and others with poor writing skills.
  • Legitimate websites use Secure Sockets Layer (SSL) to protect the information you enter into the site; look for https:// instead of http:// in the URL. The added “s” means the connection to the site is secured.

Phishing attacks have increased over the years as hackers have gotten smarter and more sophisticated.  However, there are preventive steps you or your staff can take to survive the attacks with little to no damage.  Consider the following:

  • Your IT department should consider installing robust spam filters which can identify these e-mails and send them to the spam folder instead.
  • If the e-mail looks suspicious, don’t trust it. Instead, pick up the phone and call the organization to determine if they sent the e-mail in question.
  • If the link looks suspicious, don’t click on it. Instead, manually type the organization’s real URL into your browser, and provide the information only after you have confirmed it was the organization that contacted you.
  • Your IT department should consider adopting a URL scanner which will check the authenticity of any website you visit.
  • If your organization uses Internet Explorer, ask your IT department to turn on the SmartScreen filter which will help you discover if a website is a phishing site.
  • Unlike at home, at work your organization determines which browser you use, and it is most likely a newer browser that the vendor still supports with patches. Nonetheless, your IT department could consider installing a security toolbar to alert you when visiting known phishing sites.

While the above technical steps will help minimize the effects of a phishing attack or help avoid one altogether, the ultimate defense lies with the users or employees themselves.  It is the human factor that accounts for the large number of successful phishing attacks, since employees are ultimately tricked into opening the link and/or responding to the e-mail.  However, the more your workforce is educated about phishing, the more likely they are to recognize an attack when it occurs.  Some organizations have conducted “phishing simulations” to determine how many individuals will fall prey to a fake phishing attack.  Afterwards, those individuals are provided additional training.  This can be a great way to provide training and practice in recognizing phishing attacks, but organizations need to make sure no punitive action is taken.  Instead, consider an organization-wide contest in which the department with the lowest number of tricked employees wins a prize or recognition.

Phishing attacks will continue and become more elaborate.  The best defense is to employ technical safeguards to help detect them as well as to train your staff how to recognize them and not take the bait.

Happy HIPAA trekking!