Experts Continue to Warn About Recognizing and Reporting Phishing

October is Cybersecurity Awareness Month

The National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency invite you to celebrate Cybersecurity Awareness Month 2022 this October as we raise awareness about the importance of cybersecurity and ensure that all individuals and organizations have the information and tools they need to be safer and more secure online. “Do Your Part. #BeCyberSmart.”

Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance in October of 2004. It was launched to help Americans stay safe on the rapidly growing Internet. Since its inception, the month has only grown more important as our lives become increasingly digitized. We are only one of many industry participants who are taking this month to educate our community on the importance of cybersecurity.

As always, follow our posts this month and hear what the healthcare security experts have to say. We start with recognizing and reporting phishing.

Brian Kenyon, Chief Strategy Officer, Island
Twitter: @island_io

The healthcare sector is frequently targeted by phishing attacks simply because they host a wealth of sensitive patient and provider information. As threat actors evolve their strategies to enter these systems, healthcare security teams must do the same to safeguard critical information. An enterprise browser with security built in by design can be a powerful tool for recognizing even the most subtle of phishing schemes. An enterprise browser can block malicious content and warn users if they visit a suspicious website. It can prevent them from using their credentials outside of known, trusted applications and provide critical visibility to the incident response team for investigation. By engaging a web browser specifically designed for the enterprise, these organizations can better mitigate and defend against phishing attacks.

David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
Twitter: @DavidSFinn

Phishing is one of the leading causes of data breaches, some say 90%. If you get an email or text message that asks you to click on a link or open an attachment, ask yourself this question: Do I have an account with the company or do I know the person who contacted me? If the answer is “no,” it could well be a phishing scam. If the answer is “yes,” contact the company or person using a phone number or website you know is real – not from the email/text. Links and attachments might install dangerous malware.

Elaine Lee, Principal Data Scientist, Mimecast
Twitter: @Mimecast

Hospital and healthcare systems are some of the world’s most trusted brands — and yet, they are among the most attacked by brand impersonators. To defend against phishing-borne threats, healthcare employees must always double-check before sharing sensitive information across the network as phishing emails will often have an email address or domain name that is slightly different than the purported sender’s actual address.

Providers also store vast quantities of extremely valuable medical and personal information so they must always be suspicious of key anomalies within email language such as poor grammar and spelling. Many phishing campaigns originate in countries where English is not the first language, and phishing emails often contain irregularities that are a clear sign of malicious activity. Most importantly, employees should avoid clicking on links or opening attachments unless they’re legitimate. Finally, users should always be cautious when an email requires you to follow a link for more information. As a precaution, users should hover over any link included in the email to review the address it directs to. In a phishing email, the address will often have nothing to do with the purported sender’s domain, which is a telltale sign that it is fake.

Nihal Titan, Vice President, Claim.MD
Twitter: @ClaimMD

Phishing attacks have evolved, becoming harder for even the most keen eye to identify. More than 80% of breaches involve humans in some way, including social attacks, errors, and misuse. Spear phishing, where bad actors craft communications for a particular person, is made relatively easy by using information freely available on social media and on company websites. Ongoing education can help employees become more cognizant of phishing attempts to reduce the threat surface such attacks represent. Beyond education, consider vendors that create and send bogus communications to staff, referring those who click on links for further education.

Gerry Blass, President & CEO, ComplyAssistant
Twitter: @ComplyAssistant

It is essential to conduct ongoing phishing tests to determine the % of employees who pass and fail. Targeted one-on-one training can follow for those who fail. Ongoing testing and training should reduce the risk of a successful cyberattack due to phishing.

T.J. Ramsey, Director, Threat Assessment Operations, Fortified Health Security
Twitter: @FortifiedHITSec

Recognizing and reporting phishing starts with Security Awareness Training, and it should include the process for reporting and notifying the helpdesk. The helpdesk should also have a clearly defined process and training for how to report and address threats. This enhances hardening of the enterprise, efficiency, and cultivates a cybersecurity culture. Recognizing phishing attempts is harder than it seems, and it takes work. When implementing threat monitoring and phishing prevention programs, organizations should start off easy at first with simple testing and ramp up the difficulty from there. Amateurs train to get it right, professionals train until they can’t get it wrong.

Thomas Graham, PhD, CISSP, MBA, Vice President and CISO, CynergisTek, a Clearwater company
Twitter: @cynergistek

One of the best ways to identify if something is a Phish or not is to ask yourself “Is this an unsolicited request?” Another way to identify an email as Phish is by looking at the “From” address. If it is from a location other than what it pretends to be, such as pretending to be from Amazon but having a Gmail address, then this is probably a Phish. Additionally, you can identify a Phish by looking at the body of the email and seeing if there are any misspelled words or incorrect syntax utilized. Phish emails also can have redirectors included in any embedded links within the email. These can be identified by browsing over the link and seeing if they direct to an expected location, such as Amazon.com, or if they have something appended to the link, such as “aHneOlsxy.Amazon.com”. If you encounter a Phish in your organizational environment, the best practice is to establish a centralized way to report it to internal IT or IS. From there, internal IT or IS should have procedures in place to limit the reoccurrence of the Phish and communicate out to the organization if large Phishing campaigns are ongoing. This can be conducted in a variety of ways including organizational email notification, dedicated organizational IM Phish channels, Intranet notices, or a number of other ways depending on the culture of the organization.
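
The “From” address check and the link-destination check described by the contributors above can be run automatically as first-pass triage on reported emails. The following Python is an added example, not code from any contributor or their company; the KNOWN_BRANDS map, the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical brand -> legitimate domain map; a real deployment maintains its own.
KNOWN_BRANDS = {"amazon": "amazon.com"}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag (what hovering over a link reveals)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw_email):
    """Return a list of human-readable findings for one raw email."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    expected, findings = sender_domain, []
    # Check 1: display name claims a brand the address domain does not belong to.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in display.lower():
            expected = domain
            if not in_domain(sender_domain, domain):
                findings.append(f"From claims '{brand}' but address is at {sender_domain}")
    # Check 2: web links that lead outside the purported sender's domain.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and not in_domain(parts.hostname or "", expected):
            findings.append(f"link points to {parts.hostname}, not {expected}")
    return findings

# Constructed sample message (not a real email).
SAMPLE = """From: "Amazon Support" <billing@gmail.com>
Subject: Action required
Content-Type: text/html

<p>Your order is on hold. <a href="https://login.example.net/verify">Review order</a></p>"""
print(phishing_indicators(SAMPLE))
```

The suffix match in in_domain requires a leading dot, so a host such as amazon.com.example.net is not accepted as belonging to amazon.com.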

Ray Pugh, Senior Manager, Security Operations, Expel
Twitter: @expel_io

Recognizing, and reporting, phishing scams goes beyond noticing typos and malicious links – it comes down to understanding social engineering tactics. They’re specifically designed to successfully trick even your most seasoned employees, so your best bet at preventing a costly attack is to begin with proper training. To avoid any catastrophic link-clicking, especially in a highly targeted industry such as healthcare, start by making it easy for employees to report suspicious activity. Have a system in place that makes it easy for employees to validate suspicious emails so your IT team can provide guidance. This has the added benefit of giving your security team insight into any bigger trends that can indicate a larger scale attack. Spend extra time on education for specific business units on the phishing campaigns that might target them. For example, doctors might see medical-themed lures that prey on emerging health concerns, while finance teams might encounter financial-themed campaigns, with “URGENT:INVOICES” subject lines. Invest in training so employees learn to recognize potential phishing-related red flags as soon as they land in their inbox—not after an incident has occurred.