Email Phishing and how to protect your practice against it
Welcome to the third in our web series. For today’s topic we will be talking about phishing. But not for trout. Today we are talking about email phishing. You’ll hear about a real-world attack and its continued negative effect. And, as always, we will give some tips on how to combat this nasty threat.
What is email phishing
Phishing is a prevalent threat. Email phishing scams are carried out online by tech-savvy con artists and identity theft criminals. They use spam, fake websites constructed to look identical to real sites, email and instant messages to trick you into divulging sensitive information, like bank account passwords, credit card numbers, or health information. Once you take the phisher’s bait, they can use the information to create fake accounts in your name, ruin your credit, steal your identity, or rack up medical expenses.
Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.
Email is the most common method for this, as the phishers can send many messages targeting many individuals at once. These criminals send you fake emails that look legit. They ask you for information or to fill out an application with sensitive data. Sometimes it is as simple as having you call a number or click on a link. No matter what, there is always one purpose in mind: to steal your private information.
Everyone is a target. Individuals and businesses alike. No target is too big or too small.
Real world example
In what’s been labeled a “serious security incident”, the Milwaukee Bucks of the NBA confirmed that they fell victim to a phishing scam that compromised the basketball team’s financial data. After receiving an email impersonating the team president, an employee sent out 2015 tax year data for all of the Bucks’ employees, including players. That means names, Social Security numbers, addresses, dates of birth, and salary details were among the data obtained, and that data is now in sinister hands. The NBA says the fraudsters made the request for financial data on April 26th, and it seems the team didn’t discover its mistake until May 16th.
How do you fix it?
Have a strong perimeter network including a next generation firewall with intrusion prevention.
Don’t open email or attachments from a user you don’t know. Even if you do know them, if the email looks suspect don’t open it.
Avoid clicking links in emails. We understand that it is hard not to. Everyone clicks, but be selective. There are also some email security vendors that offer targeted threat protection. This is a system that will verify a URL is a safe one before sending you to the site.
Make sure your email has a strong spam filter. This helps to ensure no phishing email comes your way, reducing the human factor of clicking on a malicious link.
Encourage your colleagues to do the same. However uncool we think it is to be concerned about security at our practices, it is exactly the opposite. Remember the adage that it takes a village to raise a child? Every business associate or network user can be seen as a potential entry point for an attack to trickle through, so it takes cooperation on the part of staff and business associates to keep protected health information secure.
Educate, Educate, Educate. This is the best weapon you have in the fight against these cyber thieves.
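A spam filter or mail rule can catch the kind of message behind the Bucks incident above, where an outside sender borrows an executive's name to ask for employee financial data. The sketch below is an added example, not part of the original article; the domain, executive name, keyword list and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none come from the article.
ORG_DOMAIN = "practice.example"
EXECUTIVES = {"jane doe"}  # display names an impostor might borrow
SENSITIVE_TERMS = ("tax", "w-2", "social security", "payroll", "salary")

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def plain_text(msg):
    """Subject plus every text/plain part, lower-cased for matching."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return " ".join(parts).lower()

def phishing_flags(raw_message):
    """Return the reasons a message should be held for a second look."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    external = from_domain != ORG_DOMAIN
    flags = []
    if external and display_name in EXECUTIVES:
        flags.append("executive name on an external address")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("replies go to a different domain")
    if external and any(term in plain_text(msg) for term in SENSITIVE_TERMS):
        flags.append("external request for employee financial data")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = """From: "Jane Doe" <jane.doe@mail.example.net>
Reply-To: jdoe@inbox.example.org
Subject: Urgent request

Please send me the 2015 tax data for all employees today.
"""
LEGIT = """From: "Jane Doe" <jane.doe@practice.example>
Subject: Staff meeting

The meeting moves to 3 pm.
"""
```

Calling phishing_flags(SPOOFED) returns all three reasons, while phishing_flags(LEGIT) returns an empty list. A flagged message is best held for a person to confirm the request by phone or in person before any data is sent.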
Never sacrifice security. But be smart, ask questions, get informed and in turn you can inform your employees. Take the time and do the research. Phishing is absolutely real and we need action taken against the would-be fraudsters. If we don’t, we will fall victim to them. Doing nothing changes the question from “if” to “when” your practice has information stolen through an attack.
You can’t rely on staff, patients, and business associates to be completely secure 100% of the time. So now is the time to make yourself aware of your internal state of HIPAA. If you haven’t done a security risk assessment for 2016, that’s a great place to start. It touches on all aspects of the practice that affect data security both virtually and physically. Data security in the age of technology is a job that requires attention and expertise. Whether your staff or contracted help will hold the mantle for that responsibility, designate those people now if you haven’t. Give data security and annual risk management the priority it deserves by treating it as the critical business function it IS instead of making it an afterthought.