The game of whack-a-mole between security professionals and cybercriminals carrying out phishing attacks rolls on.
In its “The State of Phishing Defense 2018” report, Cofense found that 1 in 10 emails reported to the company was malicious. Further, Cofense found that more than half of these malicious emails engaged in fraudulent attempts to gather login and system information from users.
Healthcare systems are popular phishing targets because of the data they keep, says David Mount, director of sales engineering at Cofense. Recent ransomware attacks within healthcare have “demonstrated that phishing threat actors are ruthless in their pursuit of financial gain and don’t care about the consequences,” he says.
But healthcare organizations are far from powerless against phishing attacks. By gaining a deeper understanding of the threats they face, training users to recognize potential attacks and holding users accountable for their mistakes, organizations can significantly mitigate the risk of phishing attacks.
1. Understand Phishing Threats to Best Defend Against Them
While most phishing attacks are caught by security measures before they ever find their way into a user’s inbox, some do still slip through, says Martin Littmann, CTO and CISO at the Kelsey-Seybold Clinic in Houston.
While patient information is still a prime target, Littmann says his clinic has seen a rash of impersonation scams, social engineering attacks in which cybercriminals pretend to be authority figures within an organization, such as a financial executive, to obtain financial information. These attacks even involved someone pretending to be Littmann himself. The scammer sent an email to the clinic’s human resources department asking to change his direct deposit information.
Having users report suspicious emails can help hospital security teams to build better protections. Companies should “ensure that all users are enabled to recognize evolving phishing threats that bypass perimeter controls, and are empowered to report them,” says Mount. “This gives security operations teams visibility of attacks they otherwise wouldn’t see.”
2. Use Phishing Simulations to Help Identify Weaknesses
Phishing scams aim to circumvent security controls by targeting users. An effective defense requires users to be trained to look out for attacks. “I can put in place firewalls and intrusion detection and prevention and every possible tool you can imagine, yet people still do things like click on UPS notices for packages they aren’t expecting,” says Dr. John Halamka of Beth Israel Deaconess Medical Center in Boston.
Testing employees encourages them remain on the lookout for possible phishing attacks. These tests also demonstrate to the security team which attacks may be most successful — and which users may be most vulnerable.
In May, Kelsey-Seybold sent out a simulated phishing attack from “Amazon” that offered Mother’s Day discounts. “It was clearly not from Amazon, based on the URL that was in the link. Nevertheless, everybody wants to get something for Mom, and we had people click,” Littmann says.
3. Create Consequences for Users Who Fail the Test
Some organizations shame employees who fall for simulated phishing attacks. This is a mistake, as it may discourage them from reporting phishing attacks that they see — or, worse, stop them from speaking up when they realize they’ve fallen victim to an attack. But establishing some kind of consequence for users who fail these tests is helpful, says Littmann.
Users who fall for a simulated phishing attack at Kelsey-Seybold are required to change their passwords immediately (most passwords are changed once a year) and to take an educational course on phishing.
The threat of phishing remains significant, but organizations that set up programs to deal with the issue strategically can significantly reduce their risks.