Phishing and spear-phishing

Phishing attacks use email or fake websites to trick employees into clicking on a link and/or entering personal information, allowing access to a network or system to collect billing and health information or deposit malware.

Phishing emails and websites are often designed to look as if they have come from a legitimate source. In November 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notified health care-covered entities of a phishing scam that used fake government letterhead and a fake email address to direct individuals to a fake URL. The fake email address and fake URL each had only a very subtle difference (a single added hyphen) from the official addresses, a typical approach in phishing scams.

Spear-phishing is a specific method of phishing that targets specific individuals or groups within an organization. Emails, social media, and other platforms can be used to persuade users to divulge personal information or perform actions that lead to network compromise, data loss, and/or financial loss. While phishing often involves random individuals, spear-phishing is aimed at specific targets and involves prior research. According to the Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3), phishing and related tactics were the third highest cybercrime experienced across the nation in 2017.

Business email compromise

Business email compromise (BEC) is a sophisticated crime that typically targets employees who have access to company finances. The cybercriminals trick these individuals into making a wire transfer to accounts thought to belong to trusted partners, but are actually controlled by the criminals.

BEC, also known as CEO spoofing, often starts by the criminals gaining access to a company’s network through a spear-phishing attack and the use of malware. This allows the criminals to study the organization’s vendors and billing systems, as well as the CEO’s style of communication and perhaps even his or her travel schedule, without detection. When the time is right, a spear-phishing request is made to a specific individual, such as a bookkeeper, accountant, controller, or CFO, requesting an immediate wire transfer, often to a trusted vendor. If paid, this money is often hard to recover due to laundering techniques and accounts that drain the funds into other accounts that are difficult to trace.

Ransomware

Ransomware is a type of malware in which attackers lock the data on a victim’s computer, typically by encryption, and payment is demanded before the ransomed data are decrypted and access returned to the victim. In 2017, the FBI’s IC3 received 1,783 ransomware complaints with adjusted losses of over $2.3 million.

Unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal’s identity isn’t known. Of course there’s no guarantee that the criminals will release the files or that the files have not been breached or disrupted in some way.

There is usually a delay between the insertion of the ransom software and the execution of the attack. This delay is intended to enhance the spread of the ransomware throughout the system, especially into backup files. This decreases the likelihood that the data can be recovered without paying the ransom.

Lines of defense

So how do you prevent social engineers from having a negative impact on your organization? One certainty is that as technical security factors become more stringent, social engineering techniques will respond in kind. The weakest link in the security chain is the human who accepts a person or scenario at face value. Although some technical barriers can be put in place, employee training is the most important defense an organization has to protect against social engineering crimes.

Consider the following tips to reduce your risk:

Email attacks

To reduce the risk of a phishing attack, keep malware and spam filters up to date.

To reduce the risk of falling victim to BEC, implement a formal structure and process for releasing information and making payments. Employees should be trained to be very suspicious of an email directive to wire money, mail a check, or release personal information. Consider the following actions recommended by the FBI’s IC3 (2016):

• Verify changes in vendor payment location and confirm requests for transfer of funds.
• Consider financial security procedures that include a two-step verification process for wire transfer payments. Double-check with a human. Call to verify and use the corporate telephone book rather than calling the numbers listed in the email.
• Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the address book to ensure the intended recipient’s correct email is used.

Social media security

Develop and implement a policy on employee use of social media, including personal page posts and references to the organization. Train your staff members on locking down their personal social media pages, and inform them of the risk to their personal property and well-being when too much personal information is shared.

Ransomware

To reduce and/or mitigate the risks of ransomware:

• Develop a response plan, which may require outside experts.
• Physically back up files outside of the network each day. Make a copy on electronic media or an encrypted external hard drive. Maintain the files in a secured location, preferably off-site or on a firewall-protected network or “cloud,” and periodically test them.
• If you experience a ransomware attack, notify all system users and shut down the systems as soon as possible to contain the spread. Notify the local FBI office and/or file a complaint with IC3 (www.IC3.gov). Notify your insurance carrier to determine coverage. Recovery will almost always require the help of outside experts.

Education

Provide all employees with ongoing education to combat these threats. Consider the following:

• Provide explanations and examples of the social engineering tactics currently being used by cybercriminals, particularly in the health care sector.
• Exercise vigilance regarding emails, unsolicited phone calls, or in-person interactions that attempt to get them to reveal personal or sensitive information, or that require going to an unfamiliar website or installing an unfamiliar program. Do not be afraid to question and/or challenge strangers or unusual requests, and always verify the identity of the requestor rather than taking people at their word.
• Be wary of unsolicited postal mail and unexpected emails, especially if they are requesting an urgent action. Always verify unsolicited messages through a different means, such as a phone call or face-to-face conversation.
• Refrain from opening links or attachments in emails from unknown sources.
• Involve your manager if you have any doubts or concerns.
• Do not use unknown or potentially compromised thumb drives that might contain malware.
• Require ID badges to be worn; inconsistent enforcement allows a social engineer to merely say they

Summing up

Cybercriminals are becoming increasingly sophisticated, and health care is a prime target. Assess the security of your computer systems and enhance them as needed. Train your employees on an ongoing basis. Develop and practice contingency plans for these attacks. Given the scope and impact of the threats posed by modern cybercriminals, consider retaining outside security support as needed.

Ginny Adams, RN, BSN, MPH, CPHRM, is a senior risk consultant for Coverys, a medical professional liability insurance company. She has a background in critical care nursing, nursing administration, performance improvement, regulatory compliance, and risk management.