
I write a lot about network security, HIPAA and protecting patient data. I truly believe that these concerns should be at the top of every healthcare organization’s security list. But recently something has hit my radar that concerns me even more. Phishing has always been a problem, but now it seems like an epidemic. Let’s take a closer look at Phishing. What is Phishing? Below is the Wikipedia definition:
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
A typical Phishing attack works like this: a person receives an email that appears to come from their bank, stating that their account has been locked due to suspicious activity. The email says the person needs to log into their account to reactivate it and contains a link to a website that looks exactly like the bank’s normal login page. The person enters their login credentials on the fake page. From there, the stolen credentials are used to access the real bank account, and money is transferred out of the account to another bank.
Unfortunately, over the past month I have heard of actual successful Phishing attempts that have resulted in hundreds of thousands of dollars being stolen. Now you see why Phishing is at the top of my list of concerns, not only for my company but for my clients’ as well.
In the past, Phishing attempts were easy to spot: the emails had spelling mistakes, the website didn’t look legitimate, etc. That is no longer the case. The emails are now almost impossible to identify as fake, and the websites look exactly like the real ones. It is getting harder and harder to spot Phishing attempts.
With the recent high-profile hacking of large companies such as Epsilon and Sony, millions and millions of email addresses are now in the hands of people who are using them for Phishing attacks.
So what can an organization do to protect itself against Phishing attacks?
- Educate your employees – make them aware of Phishing attacks. Make sure anyone who has access to your organization’s financials, credit cards and online banking is very aware of what Phishing is and is on the lookout for Phishing attacks. Make sure they know that any time they think something may be suspicious, they should call the bank or company (using a phone number they already have, not one from the email) and verify the legitimacy of the request prior to providing any information online.
- Lower your bank’s wire transfer amount limit – many times a successful Phishing attack ends with a wire transfer out of the victim’s bank to another bank. One way to limit the damage is to lower the wire transfer amount limit on your account. If you don’t use wire transfers often, lower it to $5,000 or less, or insist that you have to verbally approve each wire transfer. Each bank is different, but it is worth the time to discuss your options with your bank.
In addition to the loss of money through wire transfers, other Phishing attempts try to collect credit card information and social networking credentials, such as the IDs and passwords for sites like Facebook and LinkedIn. Now more than ever, it is very important to scrutinize each email that you receive and make sure that it is legitimate prior to providing any information that can be used to access your accounts.
