News Feature | August 5, 2015

What You Need To Know To Avoid Phishing Attacks

Christine Kern

By Christine Kern, contributing writer

NitlovePOS Malware Uses Phishing Attacks To Target POS Terminals

How to be proactive in the fight against data breaches.

With experts predicting the likely rise of ransomware and phishing cyberattacks against healthcare in 2015, the industry needs to be proactive in the fight against breaches. Experian’s 2015 Data Breach Industry Forecast called healthcare “a vulnerable and attractive target for cybercriminals.” Furthermore, as Health IT Outcomes reported, health data is increasingly being targeted by cyber criminals as a valuable resource and healthcare providers need to step up security in response.

Here are some helpful tips to help prevent sensitive protected health information (PHI) and other data from being compromised.

  • Report phishing scams to US-CERT. According to the United States Computer Emergency Readiness Team, “Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.” These techniques can include phishing emails that include links to fraudulent websites, solicit personal information, or contain malicious code. Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive, allowing the cybercriminals to hold the information hostage until payment is made to unlock it.
  • Don’t open suspect emails claiming to be from a financial institution, the IRS, the FDIC, or other official looking emails if you are not expecting them. Common phishing phrases include “verify your account;” “Dear Valued Customer;” “within the next 48 hours;” “click this link;” “open this attachment;” among others.
  • Spoofed websites: Phishing attacks that direct a user to fraudulent websites that mimic real sites are the most common attack methods currently being used. As Venafi explains, “It is challenging to identify this type of brand misrepresentation without scanning the internet on a periodic basis. In fact, only 30 percent of victims discover the breach themselves — most are notified by external third parties.” Do not provide any personal information (log in, account information, date of birth, social security number) via email, text, or social messages.
  • Spear phishing: This attack is distinct from phishing in its targeted and customized nature and usually involves research by the attacker. For example, a spear phishing email may appear to come from within an organization, perhaps from its IT department. Spear phishing, according to Verizon’s 2014 Data Breach Investigations Report, is one of the most commonly used tactics in cyber-espionage. Don’t be afraid to verify the legitimacy of requests or sources. Follow up with a direct email or phone call to the source (not by hitting reply to sender) to verify that the email is not fraudulent.
  • Spoofing: Tool kits are available that allow you to alter, or spoof, the phone number your call originated from. A quick search on a company’s website can provide a hacker with a commonly used office phone number. This can give hackers credibility by calling you from a recognizable number. Consequently, when the hacker poses as IT support and asks for your password credentials to service your account, you may be more willing to provide that information. Be informed regarding your organization’s policies and procedures regarding access to data as well as key and certificate authenticity, and participate in up-to-date training sessions.
  • One Common attack Vector: The common attack vector in the recent healthcare breaches has been keys and certificates, which are actually designed to create trust and assurance; when they are used against you, it creates a scenario in which it is difficult to know what can and cannot be trusted. Scanning the entire internet to identify spoofed websites or rogue certificates in a monumental task, and revocation lists have been proven to be easily defeated.