Emails about an inheritance from a rich uncle abroad hardly fool anyone anymore, or are sifted out automatically by email inboxes before we have time to read them. The same is true of notices about an undelivered package from a courier, which often look suspicious at first glance.
And while we think we won't be fooled, the facts are scary: according to Proofpoint's 2022 State of the Phish report, 83% of organizations fell victim to a phishing attack last year, and 25% of all data breaches involve phishing. All it takes is an inattentive click on a link or opening a PDF attached to a malicious email, and a malicious program is installed on the computer – a gateway to data is opened for the attackers.
The statistics leave no illusions: phishing is still one of the biggest threats to cyber security, even though it has been used for years and we have become accustomed to it.
According to the Healthcare Cybersecurity Survey, phishing attacks are the top healthcare threat. They account for 45% of all cyberattacks, followed by ransomware attacks (17%) and breach or data leakage (7%).
Phishing messages are hard to spot
Hackers have perfected phishing messages. The best ones no longer contain easy-to-recognize language errors, typos, or oddly colored fonts. They can deceptively resemble the visual identity of a bank or courier company.
Here are some of the most important rules to help you successfully distinguish a phishing message from a genuine email:
- The message informs you that you need to take action immediately. Otherwise, you risk losing your data, having your account blocked, being fined, etc. Banks or government offices never send such messages. Financial threats are meant to make you act quickly and emotionally, switching off rational thinking. Why? Because the longer you think about the matter, the more suspicious it seems;
- The message suggests that you must enter sensitive data, such as your bank account number, online banking PIN, or credit card number, or log in to a service to verify your identity. Therefore, whether or not a message is phishing, you should always log in through a site you have bookmarked or found yourself in a search engine. Links in emails can lead to duplicate, fake sites;
- Phishing messages often contain links or attachments that we don't expect;
- It still happens that the message's text is poorly written, and the graphics differ from previously sent emails. The text might contain mixed fonts or incorrect language-specific special characters;
- The phishing message often includes an impersonal introduction, such as "dear customer" or "sir/madam." However, it's not the case in personalized phishing;
- The message does not contain contact information.
The myth of secure websites and other traps
Just as hacking methods change, healthcare professionals must update their cybersecurity skills.
For example, some might still be convinced that a trusted site starts with "https://," which guarantees a secure connection to a trustworthy site thanks to an SSL certificate. Unfortunately, a certificate only proves that the connection to a given domain is encrypted, not that the domain belongs to the institution it imitates, and phishing scammers regularly obtain SSL certificates for their fake sites to increase the effectiveness of the attack.
When technical safeguards can be misleading, double verification of suspect messages remains the best protection. Experts suggest developing a few simple habits to increase cybersecurity significantly.
The first principle is checking links in emails and social networks before clicking on them. But do so with great vigilance – fake sites can have very similar website addresses, differing only by a few characters. Anyone can buy a domain address, even one resembling a well-known institution such as a bank or courier service.
Secondly, messages from government institutions or a bank can be verified by calling the institution. Another way is to copy a fragment of the suspicious email and paste it into Google to see if there are warnings about such messages.
Thirdly, be very cautious when opening attachments received from unknown email addresses. These could be an invoice, a demand for payment, an important message from your bank, etc. If you log in to a bank account or another service, open the page directly in your browser, as you customarily do, rather than clicking on the link.
Fourth, check who the message's sender is, and just to be sure, search Google to see if the email address belongs to the institution it claims to be from.
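The first principle above, checking a link's address against the domains you actually use, can be partly automated. The following is an added example, not part of the original article: it classifies the host in a URL as trusted, lookalike or unknown, catching typo domains (one or two characters off, digits swapped for letters, "rn" for "m") and a trusted name smuggled into an unrelated domain. The allowlist and all URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains the organisation really uses.
TRUSTED_DOMAINS = {"examplebank.com", "examplecourier.com"}

# Digits commonly swapped for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(host: str) -> str:
    """Lower-case, map digit look-alikes to letters and fold 'rn' into 'm'."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values indicate a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels, e.g. login.examplebank.com -> examplebank.com."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host named in url."""
    if "://" not in url:            # bare links pasted from an email body
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for good in trusted:
        name = good.split(".")[0]
        # Trusted brand used as a subdomain or inside a label of another domain.
        if any(name in label for label in host.split(".")):
            return "lookalike"
        # A registrable domain within two edits of a trusted one, after folding.
        if edit_distance(normalise(reg), normalise(good)) <= 2:
            return "lookalike"
    return "unknown"
```

An "unknown" result is not a clean bill of health; it only means the host resembles nothing on the allowlist and still needs the manual checks described above.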
What to do after receiving a phishing email?
- Never click on any links or attachments in suspicious emails. If you receive a suspicious message but are unsure whether it is real or fake, verify it by logging into the original page from your browser, calling the institution, and typing the first few sentences from the email into Google.
- Report the message to the institution it impersonates.
- Report it to the IT security department in your organization.
- Click the "mark/submit as SPAM" option in your email inbox, which helps the spam filters improve their fraud detection.
- Delete the message (including from the trash).
Phishing is still the most effective way for hackers to get access to the data they want to steal. They use social engineering principles to persuade us to hand over data voluntarily, so they don't have to crack passwords or defeat IT security systems, which is much more complicated and takes time. It takes only one click by a deceived employee for a hacker to take control of an IT infrastructure, gain access to electronic health records, or block the entire health information system.
Get ready for even more refined phishing methods, such as vishing (phone calls, which today can also be carried out by AI), callback phishing (for example, a message about a subscription you never took out, which can supposedly be cancelled by contacting customer service), business email compromise and whaling (personalized phishing targeting senior executives), and deepfake phishing (AI-generated fake video and voice messages). In healthcare, phishing is especially difficult to identify, as healthcare workers are willing to help; they act empathetically and trust others.