No one likes to be manipulated, yet we are subjected to invasive tactics in our email to get us to click a link, give access to sensitive data or share confidential information. These aren’t just spam emails. Cybercriminals are using an email approach called ‘social engineering’ designed to feel and look familiar to quickly gain your trust.
Dental and medical practices are among the most vulnerable to these attacks. Protected Health Information (PHI) is a high dollar commodity, selling for hundreds of dollars per record. Practices may also be crippled by cybercriminals who hold your data for a high ransom.
Here’s how cybercriminals socially engineer their attacks. They tend to gather information about your industry, your business, and even your employees. Once they have enough information, they send out a targeted email campaign, called phishing. The email is just close enough to a real email that the recipient may trust its legitimacy and take a requested action, like opening an attachment or clicking a link.
Let’s look at one specific example. In a phishing attempt impersonating Amazon, cybercriminals claim a package was shipped to the wrong address and request a callback to fix the issue. If you take the bait, those bad actors immediately work to steal money, compromise your data and perhaps cripple your practice operations.
Here are four things you can quickly check to determine if email has been socially engineered to trick you.
Can you verify the sender? Does the name or email address look suspicious?
In the Amazon example, the sender address is similar to the actual “Amazon.com” address but not identical. Whether you’ve received a questionable email from an apparent colleague or friend, or an attempt like this one, you’ll notice that the email address may closely resemble a known company or domain, but something is always amiss. The big differences include a slight alteration of the name or spelling, spacing or punctuation issues, and/or the omission of a few characters.
Look for generic greetings, incorrect spelling and poor grammar.
Let’s start from the top. “Dear Customer” or “Sir and Madam” type greetings may be a tip-off. Most legitimate companies will insert your name in the greeting. In this phishing attempt, like most others, there are spacing issues in the body of the email, repetitive content and missing punctuation.
Be wary of unusual information.
Check out the delivery address. It says ‘San Antonio San Pedro’ which isn’t a real place. It’s good to ask yourself questions when something feels off. For instance, why would a known vendor share another person’s personal information with you? The sender is hopeful that you will only notice that the recipient isn’t you, causing you to call the phone number in the “If you have not placed this order” sentence.
Don’t click the links or call the phone number.
In the case of the Amazon spoof, the links take you to Amazon, but not to your supposed order. The goal of this approach is to get you to call a phone number. When you call, they will likely ask you to verify credit card or bank account information. If you click an attachment or a link, it is highly probable you will be infected by ransomware or some other type of malware designed to steal your data, like PHI, or shut down your entire practice. And you may not even know it until it’s too late. Another tip: if you think you’ve received a legitimate email, look closely at the link. If the link doesn’t reflect the actual address or company connected to the sender, don’t click it!
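The four checks above can also be automated as a first-pass screen before a message reaches a staff member. The script below is an added example, not code from the original article: it applies the sender-lookalike, generic-greeting, mismatched-link and call-this-number checks to one email. The vendor list in KNOWN_DOMAINS and the sample message are constructed assumptions, modelled on the Amazon lure described above.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from urllib.parse import urlparse
KNOWN_DOMAINS = ("amazon.com",)  # vendors the practice really deals with (assumed; extend as needed)

def lookalike_domain(domain, known=KNOWN_DOMAINS):
    """Return the real domain this one imitates (misspelled, altered or padded brand), else None."""
    if domain in known or domain.endswith(tuple("." + k for k in known)):
        return None  # the genuine domain or one of its subdomains
    for k in known:
        brand = k.split(".")[0]
        for token in re.split(r"[.-]", domain):  # 'amazom-shipping.com' -> amazom, shipping, com
            if token and SequenceMatcher(None, token, brand).ratio() >= 0.8:
                return k
    return None

def link_mismatches(html):  # (shown, actual) pairs: link text names a domain the href does not lead to
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        actual = (urlparse(href).hostname or "").lower().removeprefix("www.")
        shown = re.search(r"([\w-]+\.[\w.-]+)", text)  # only link texts that look like a domain
        if shown and (name := shown.group(1).lower().removeprefix("www.")) != actual:
            out.append((name, actual))
    return out

def review_email(raw):
    """Apply the article's four checks to one RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    body, findings = msg.get_payload(), []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    dom = m.group(1).lower() if m else ""
    if target := lookalike_domain(dom):
        findings.append(f"sender domain {dom!r} resembles {target!r}")
    text = re.sub(r"<[^>]+>", " ", body).lower()  # plain words, for the greeting and phone checks
    if re.search(r"dear (customer|user|sir)|sir and madam", text):
        findings.append("generic greeting")
    for shown, actual in link_mismatches(body):
        findings.append(f"link text says {shown!r} but points to {actual!r}")
    if re.search(r"call\D{0,40}\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}", text):
        findings.append("asks you to call a phone number")
    return findings
# Constructed sample modelled on the Amazon lure described above (not a real message).
SAMPLE = """From: Amazon Orders <orders@amazom-shipping.com>
Content-Type: text/html

<p>Dear Customer,</p>
<p>If you have not placed this order, call (555) 013-2468 immediately.</p>
<p><a href="http://amazom-shipping.com/track">www.amazon.com/your-orders</a></p>
"""
```

Running review_email(SAMPLE) returns all four findings; a message from a genuine subdomain such as mail.amazon.com with matching link text produces none.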
Work with a proactive team of IT experts or Managed IT Services Providers who will detect threats early to eliminate or reduce damage well before it gets out of hand. Educate your staff to identify suspicious emails. As part of that process, make sure they are all aware of what information may be sent through an unsecured email account (like Gmail) and what requires HIPAA-compliant email. For complete protection, set up your practice to send and receive all work-related email through your HIPAA-compliant service. Double-check that it comes with multi-layered security to prevent phishing attempts from even making it to your inbox. Strong encryption with 2048-bit keys and a built-in user verification process will make your practice email almost impossible for a cybercriminal to access.