How to Spot a Phishing Email
October is National Cyber Security Awareness Month, a time of the year when events are organized and new initiatives are launched to increase cybersecurity awareness and highlight the risk of cyberattacks, computer fraud, phishing campaigns and other data security and privacy issues.
When President Obama’s declared October National Cyber Security Awareness Month, his aim was to increase resiliency of the nation in the event of a cyber incident, and great strides have been made already to make his dream a reality.
The Cybersecurity Threat is Greater Than Ever Before
Unfortunately for healthcare providers, cybercriminals are now upping their game. They are developing ever more sophisticated methods of attack in an effort to gain access to healthcare data. The United States now faces the highest risk of cyberattack and all healthcare providers must now invest heavily in defenses to protect their computer equipment and systems from the onslaught of attacks.
One of the commonest methods used by cybercriminals to gain access to healthcare networks is phishing. The perpetrators of phishing campaigns send emails to healthcare workers in an attempt to get them to reveal their login credentials or install malware on their computers. Once malware is installed on a computer, server or other electronic device, it can be used to launch an attack on a computer network.
The emails can be very convincing. Even IT security professionals fall for phishing scams and inadvertently download malware or visit malware-infected websites. In fact, a recent study conducted by Vanson Bourne suggests IT professionals are actually more likely to open attachments, click on phishing links, and download infected apps than employees who have not received any security awareness training. That said, many employees also fall for phishing campaigns.
Why are Phishing Campaigns so Effective?
The perpetrators of phishing scams often take advantage of common fears and major events to mask their scams. Campaigns are often launched at times when there is a high volume of emails being sent, often relating to holidays and major events. At these times, computer users must be particularly vigilant and security aware. According to the United States Computer Readiness Emergency Team, cybercriminals often take advantage of the following situations to launch their attacks:
- Natural disasters (Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (H1N1)
- Economic concerns
- Major political elections
Spear Phishing is a Growing Threat
Spear phishing campaigns can be alarmingly effective. In contrast to standard phishing, which involve emails being sent to random individuals in the hope that some will respond, spear phishing involves highly targeted emails and the targets are very well researched.
Spear phishing emails often appear to have been sent by friends, family members and organizations that the target does business with. The emails often contain information that the victim may believe is only known to their close circle of friends.
Information used to convince the target to click on a link or open an attachment is often gained by accessing Social networking websites such as Facebook and Twitter. In some cases, when the victims are particularly well researched and the cybercriminals skilled, it can be very difficult to determine whether a link or attachment is genuine. The “from” field in an email is often masked and made to display the email address of a friend or colleague. The name of the sender can therefore not be trusted.
It can be difficult to spot a phishing email that has been well researched and carefully written, but with a little training it is easier, and speculative phishing campaigns can be easily identified in many cases, provided the recipient is security aware and knows some of the common tell-tale signs that the email is fake.
How Effective is Data Security Training?
It is not possible to totally eliminate the risk of employees succumbing to a phishing campaign, but it is possible to minimize the risk of them responding to phishing emails by providing data security awareness training.
Taking the time to train staff how to spot phishing emails can reduce the risk of those individuals responding to a phishing campaign, although given the sophistication of some campaigns, training will never be 100% effective.
So How is it Possible to Reduce the Risk of Staff Responding to a Phishing Campaign?
The advice that all healthcare workers must try to follow at all times, is Stop. Think. Connect. If suspicions are aroused by a link, attachment or request for information, it is better to delete the email or mark it as junk and seek advice. The golden rule is, if in doubt do not click. It is better to delete a suspicious email than to inadvertently give hackers the information they seek or to inadvertently download malware. If the email is important, the sender is likely to make contact again.
Homeland Security offers some useful advice in this regard, and suggests efforts are made to check the legitimacy of an email that requests account information, or a visit an unfamiliar website, namely to:
- Contact the company directly.
- Contact the company using information provided on an account statement or back of a credit card.
- Search for the company online – but not with information provided in the email.
A little information can go a long way. There are tell-tale signs that an email is not genuine and it is important that employees are shown how to recognize potential phishing emails, and are shown how to recognize some of the common identifiers.
Some of the common tell-tale signs of a phishing email have also been summarized in the infographic below:
How to Spot a Phishing Email
The Majority of Users Have Never Received Security Awareness Training!
A recent study sponsored by Security Mentor and Enterprise Management Associates, indicates that despite the high risk of cyberattacks taking place, and the frequency at which phishing emails are sent, the majority of computer users have never received training on data security awareness. Furthermore, that lack of training is resulting in users engaging in risky behavior.
The study – conducted by EMA Research – indicated that out of the 600 employees surveyed, 56% had received no security or policy awareness training from their organizations. 44% said that they only received annual training. Worryingly, 35% of respondents said they have clicked on links sent by people they did not know.
According to EMA Research analyst David Monahan, “People repeatedly have been shown as the weak link in the security program.” That is something that must be addressed if networks are to remain secure.
Further information on Phishing and Cybersecurity Awareness
Listed below are some useful resources that can be used for preparing phishing awareness training sessions, email cyber security bulletins and security reminders for message boards.