How to Skin a Phish

PhishingBy Andrew Ramos, MedCost Director of Information Technology

Have you ever had someone go “phishing” for your personal information? Whether it’s your bank account, your medical information or your Facebook account, hackers are posing as legitimate companies or government entities in order to defraud you.

How Phishing Works

Cybercriminals have developed new ways to target organizations. Phishing often involves an impersonation of a specific employee at a company. In this instance, a cybercriminal could scour internet sites for information about a company and its leadership. Then an employee may receive a false email from a “staff member” in a bid to secure the victim’s trust.

If the targeted employee believes the email is authentic, the criminal can then leverage the employee’s interaction with the email to either install malicious software on the victim’s computer, or ask the victim to send them highly confidential information. This technique has proven to be very effective, sparking widespread concerns for the safety of protected or confidential information throughout many industries.

Four Facts about Phishing

Consider these important insights:

*Health care is a phishing target.
A successful phishing campaign at Middlesex Hospital affected the personal information of approximately 950 patients. The hospital responded by offering free credit monitoring for a year, and said the successful phishing attack did not include direct access to full medical records or Social Security numbers.

*Phishing isn’t just a corporate problem.
Time Warner Cable said that up to 320,000 customers may have had their passwords compromised by a targeted phishing attack, and urged these customers to reset the passwords on their accounts. Yahoo! reported a loss of over 500 million user accounts and associated passwords. These incidents happen regularly, and it is a growing importance that average consumers maintain good security practices.

*Social Media is a pond for phishing.
People love to communicate. We all routinely share information about our favorite place to grab a latte, our anniversary, our birthday, and so much more! Hackers know that. Even the platforms can be a place where cybercriminals try to solicit information from unwitting consumers. For example, A Facebook page named “Facebook Security” that warns ‘Your page will be disabled’ is making the rounds. The page redirects you to a phishing site designed to steal your login information.

*Building a sensitivity to phishing is key to a Security Program.
How many of your employees will click on a phishing email? JPMorgan Chase & Company was able to dupe 20% of its staff into clicking the fake phishing email. Would your company want to send a fake phishing email to gauge susceptibility of your employees? This site evaluates susceptibility to phishing for companies.

So What Can I Do?

The FTC has issued guidance for both consumers and businesses.  Reputable industry experts such as Michael Magrath at VASCO Data Security recommends stronger, multifactor authentication for employee access to sensitive data. Biometrics, security keys or a one-time code through a mobile app are some of the authentication tools available. Systems and servers should be in place to help thwart the impact of employee credentials that are compromised.

Chief Information Security Officer Heather Roszkowski is taking steps to combat the spike in phishing attacks and other external threats at the University of Vermont Health Network. She is implementing two-factor authentication along with encryption to protect patients’ Protected Health Information (PHI). Increased security controls “for anything facing the Web…can pretty much render phishing attacks that are designed to steal credentials useless,” said Ms. Roszkowski.

But it’s also important to remember the human element in the battle against external threats, says Dan Berger, CEO of consulting firm Redspin. “You’ve got to be training your people so that they’re not susceptible to phishing or social engineering type of attacks.”

Don’t let your company be a victim of cybercrime. Put systems in place and educate your staff to avoid records being lost, inappropriately accessed, stolen, or otherwise compromised, costing your company time, labor, legal costs, and other devastating results.

And keep those criminal phish from getting a hook in you.MedCost

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Time limit is exhausted. Please reload CAPTCHA.