Most Common Healthcare Phishing Emails Identified

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click.

The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, highlights how serious the threat from phishing has become, and how leading companies are managing risk.

The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018).

Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections occur as a result of malicious emails. Cofense cites figures from Symantec’s 2018 Internet Security Threat Report which suggests that on average, 16 malicious email messages are delivered to every email user’s inbox every month.

Cofense is the leading global provider of human-driven phishing defense solutions, which are used by half of Fortune 500 companies to improve resiliency to phishing attacks. For its latest report, Cofense analyzed the responses to more than 135 million phishing simulations sent through its platform and approximately 50,000 real phishing threats reported by its customers.

Cofense notes that out of the potentially malicious emails reported by end users, one in ten were confirmed as malicious. Half of those messages were phishing emails designed to get end users to disclose credentials.

Across all 23 industry sectors that were represented in the study, 21% of reported crimeware emails contained malicious attachments. By far the most common theme for phishing emails were fake invoices, which accounted for six of the ten most effective phishing campaigns of 2018 to date.

While fake invoices are often used in phishing attacks on healthcare organizations, they are only the third most common type of phishing email (16.5%). In all other industry sectors, fake invoices were the most common phishing threat. The second most common healthcare phishing emails were alerts of new messages in a mailbox (25.5%). The most common healthcare phishing emails were fake payment notifications (58%).

Cofense data shows that the most effective methods for reducing risk from phishing are training and phishing simulations. Technical email security solutions are essential, but they do not block all malicious messages. Only through training and simulations can end users be conditioned to recognize and respond appropriately to malicious messages. The industries with the highest resiliency to phishing attacks are those that train more often.

Cofense suggests that to get the most out of phishing simulation exercises they should focus on active threats. Training is recommended at least every quarter to condition employees to look for and report phishing emails. Companies that encourage reporting of potential phishing threats rather than scolding employees for failing phishing tests tend to have greater success.

The full list of recommendations for security awareness training and phishing simulations can be found in the Cofense State of Phishing Defense Report, which is available on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.