Fight the Phish

October is Cybersecurity Awareness Month. Follow the conversation and do your part: #BeCyberSmart.

Follow us this month as we engage our health IT community in cybersecurity awareness.

This is week 2 and the theme is Fight the Phish. We have engaged Atlantic.Net to share insights on this week’s theme.

By Richard Bailey, Lead IT Consultant, Atlantic.Net
Twitter: @AtlanticNet

Brief: Phishing attacks and scams have thrived since the COVID pandemic began in 2020, and today, phishing attacks account for more than 80 percent of reported security incidents. Week 2 of Cybersecurity Awareness Month will stress the importance of being wary of emails, text messages, or chat boxes that come from a stranger or someone you were not expecting. Think before you click on any suspicious emails, links, or attachments, and make sure to report any suspicious emails if you can!

Cybercriminals have relied on phishing as a proven and successful technique for stealing data since the internet’s infancy. The first recorded phishing attempts date from 1995, when AOL users were tricked into handing over their dial-up credentials to cybercriminals impersonating AOL employees. The goal then was free dial-up internet, but today phishing has grown into a financially driven dark ‘industry.’

Hopefully, you have already heard of phishing and understand its basic principles, perhaps via a training program at work or from a local newscast. For decades, cybercriminals have used phishing techniques to trick people into disclosing sensitive personal information or downloading malware payloads from a fake website.

The most common attack vector is a phishing campaign over email, but phishing can also happen over the phone, via text message, through social media, and so on. So what can you do to protect yourself in today’s connected world?

Make Yourself a Harder Target

Everyone has a digital footprint: a trace of information left behind every time you visit a website, browse social media pages, or post an update to Instagram. A digital footprint is either passive or active. Passive information is inadvertently left behind, perhaps data gathered by a website after you quickly clicked the ‘accept all cookies’ button, or something a friend tagged about you online.

An active footprint is personal information you intentionally leave online, such as a status update on Facebook or a post on your favorite forum. Either way, your data is out there and available. Take time to review your privacy settings, and delete social media accounts you no longer use. Check the privacy settings on your cell phone, and always be on the lookout for suspicious emails, texts, and phone calls. Remember never to divulge sensitive information, and think twice when answering a call from an unknown number.

Big Phish, Little Phish

Phishing emails are getting much harder to spot. You may still get the laughable attempts to phish your bank details “because your Great Grandmother twice removed (that you never knew about) has left you $60 million in an offshore account”. However, the number of sophisticated scams in circulation is increasing rapidly: emails that look identical to the real thing, or emails that already “know” something personal about you.

The more sophisticated attempts usually follow a successful data breach at a website you have an account with. Hackers sell the breached data on the dark web, and the information is then used in phishing campaigns. There are still some tell-tale signs to look out for, so always think twice before clicking an embedded hyperlink or replying with personal data.

Is the email addressed directly to you, or to a “valued customer,” “friend,” or “fellow citizen”? A generic greeting is a tell-tale sign of a scam. So are spelling mistakes, low-quality graphic design, and emails prompting for an “urgent response.” If you are asked to provide information in an email, alarm bells should sound: no legitimate company will ask you to validate your data by email. Check the official website or phone the advertised number to make sure before providing any information or personal data.
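As an added example (not part of the original post), here is a small Python checker that applies the tell-tale signs above to a raw email: a generic greeting, urgency wording, a request for sensitive data, and embedded hyperlinks whose target does not match the domain shown in the text or that point at a bare IP address. The sample message, addresses and domains are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message (not a real phish); all names and domains are made up.
SAMPLE = (
    'From: "PayTrust Support" <alerts@paytrust-verify.example>\n'
    "To: customer@example.org\n"
    "Subject: URGENT: verify your account within 24 hours\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Dear Valued Customer,</p>\n"
    '<p>Your account will be suspended. Please <a href="http://198.51.100.7/login">'
    "verify your password and SSN</a> at https://paytrust.example immediately.</p>\n"
)

GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|friend|user|member|citizen)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|act now)\b", re.I)
DATA_REQUEST = re.compile(r"\b(password|ssn|social security|card number|pin)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
VISIBLE_URL = re.compile(r"https?://([\w.-]+)", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def phishing_indicators(raw):
    """Return the tell-tale signs found in one raw RFC 5322 message as a sorted list of labels."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    # Concatenate every text/* part (transfer decoding is skipped for brevity).
    body = "".join(p.get_payload() for p in parts if p.get_content_type().startswith("text/"))
    subject_and_body = msg.get("Subject", "") + "\n" + body
    visible_text = re.sub(r"<[^>]+>", " ", body)  # what the reader sees, tags removed
    found = set()
    if GENERIC_GREETING.search(visible_text):
        found.add("generic_greeting")
    if URGENCY.search(subject_and_body):
        found.add("urgency")
    if DATA_REQUEST.search(visible_text):
        found.add("requests_sensitive_data")
    shown_hosts = {h.lower() for h in VISIBLE_URL.findall(visible_text)}
    for href, _label in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if IPV4_HOST.match(host):
            found.add("link_to_ip_address")
        # The text names one domain while the link actually goes somewhere else.
        if shown_hosts and host not in shown_hosts:
            found.add("link_target_mismatch")
    return sorted(found)

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A real mail filter would score these signals rather than treat any one of them as proof; a newsletter with a generic greeting is not a phish on its own.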

Combating the Phish

For businesses and organizations, the ability to combat phishing is rapidly becoming a mandatory business requirement. Customers expect robust security frameworks, secure website infrastructure, and technical solutions to counteract phishing. In addition, business owners can reduce the risk by identifying how the brand may be attacked and planning a response if the worst does happen.

Training employees is essential, and additional training should be offered to high-risk employees such as executives, finance staff, and IT professionals. Although in-house technical controls can reduce a business’s attack surface, a strong password policy combined with multi-factor authentication is an easy win for robust security. Healthcare providers in particular should conduct compliance training through HIPAA training companies and ensure their website is HIPAA compliant.

Safeguarding web applications and their plugins with regular patching can help combat phishing-related attacks such as SQL injection, cross-site scripting (XSS) and account takeover. Ensure that traffic is closely monitored across your entire network, inspect TLS connections inbound and outbound, and block all ports apart from those necessary.

Bait the hook well. This phish will bite!

Phishing is all about exploiting human vulnerabilities, and despite all of these safeguards, it is estimated that over 40 million internet users are impacted by phishing every year. Covid-19 brought a dramatic rise in the number of reported phishing attempts, with phishing blamed for 36% of successful data breaches in 2020/2021.

This swarm of phishing attempts targeted U.S. citizens with free HHS grants, free Covid-19 tests, and Medicare prescription cards. In addition, they offered fake vaccine cards and Covid-19 surveys, and some even posed as Covid-19 contact tracers, all with the purpose of socially engineering victims into disclosing personal information.

Despite growing awareness of phishing and cybersecurity in general, some demographics remain especially vulnerable, particularly the elderly and 18-25-year-olds. Research has shown that educating users about phishing is the most effective tool to combat it, but it is not a cure-all. Combining education with the recommendations above, however, can reduce the risk substantially.