AOA cautions against email phishing scams


Email phishing scams are nothing new, but that doesn't mean their effectiveness has waned as variations of the ploy continue to catch victims hook, line and sinker, and put sensitive data in jeopardy.


Although unsolicited email prompts from Nigerian princes or stranded family in the Philippines (send money now) are generally easy to identify as fishy (the latter nonetheless caused a breach of the vice president's personal email), hackers now are taking a much more precise, sophisticated approach.

Called spear phishing, these malicious emails fraudulently appear to originate from a known or trusted sender to elicit confidential information, such as passwords, account numbers or other sensitive data. These schemers go to great lengths to trick users, and target victims ranging from individuals and small businesses to large corporations.  

In April 2016, the FBI's Internet Crime Complaint Center (IC3) reported a 270 percent increase in identified victims and exposed losses in the previous year from business email compromise scams, with losses totaling more than $2.3 billion in all 50 states and nearly 80 countries. But this deception is all about getting a foot in the door. Once inside, criminals can install malware or even hold businesses' files and data hostage until a sum is paid (ransomware) to do even more damage, and that's where the toll significantly climbs.

Across all industries, the number of ransomware incidents handled by Beazley, the specialist insurer underwriting the cyberliability insurance offered by AOAExcel® Endorsed Business Partner Lockton Affinity, quadrupled from 2015 to 2016, and half of those were in health care. That number is expected to double again in 2017.  

"Nobody is immune," Katherine Keefe, head of Beazley Breach Response Services Group, told AOA Focus in an upcoming feature article. "That's because this is a good model for criminals—sometimes these little companies and doctors' offices have no other independent way of restoring that data from backup, so they're more likely to pay." 

Read more about the downside of medical device interconnectivity and the Internet of Things in the upcoming May 2017 edition of AOA Focus.  

4 ways to prevent falling victim to phishing scams  

These kinds of advanced spear-phishing scams are a very real, commonplace threat, and unfortunately easy to overlook. That's why the FBI's IC3 offers tips for avoiding these deleterious emails:  

1. Be suspicious. Most email users know not to open or engage spam email, but spear-phishing scams masquerade as a familiar entity. Therefore, take a skeptical approach to any unsolicited email, especially those asking for personal, financial or network security information. Be wary of free, web-based email accounts that are more susceptible to hacking. Also, be skeptical of emails that request secrecy or pressure you to act quickly.

2. Keep confidential information confidential. Personal, financial or network security information that falls into the wrong hands can cost you and your business dearly. Stolen Social Security numbers can be used to open lines of credit or to file fraudulent tax returns, while compromised network security information in a medical practice exposes ePHI and can be a violation of the HIPAA Security Rule.   

3. Be wary of links, web addresses. Spear-phishing scams often mimic trusted parties by making minuscule changes in email extensions or links. For example, a schemer may use the exact same email address as a known user but change .com to .co, and alter the account display name so the message appears to come from a known party. Advanced attacks may even borrow a company logo or header to appear official and divert attention from an altered extension. Such was the case with a phishing attack posing as communication from the Department of Health and Human Services Office of Civil Rights.

The goal of these realistic emails is to elicit an action, be it divulging confidential information or persuading a user to click a deceptive link. This link may take users to a familiar, look-alike site that requires security information, such as an online banking account. Once users enter their login credentials, the scammer can hack the account and continue spreading the malicious email. Always compare the link in an email to the link you're directed to, and visit the official website instead of clicking on the link in an unsolicited email.

4. Make contact. Don't hesitate to reach out to the actual business or entity that supposedly sent the email to verify its validity. This quick, simple step could easily expose an email scheme for what it is, and alert you to malicious addresses, links or fraudulent email addresses.  
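As an added illustration of the checks in tip 3 (example code written for this article, not anything the AOA or the FBI publish), the script below flags two red flags in a raw email: a From display name that claims a trusted party while the address domain differs (including the .com to .co swap), and visible link text that names a different host than the link actually points to. The trusted-sender table and the sample message are constructed for the example, and the anchor-tag regex is a simplification rather than a full HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list (hypothetical): lowercase display-name fragment -> domain that party really sends from.
TRUSTED = {"first bank": "firstbank.example", "office for civil rights": "ocr.example"}
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full HTML parser

def host_of(url):
    """Lowercase host of a URL or bare domain ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def look_alike(seen, expected):
    """True when the same leading label carries a swapped suffix, e.g. firstbank.co for firstbank.example."""
    return seen != expected and seen.split(".")[0] == expected.split(".")[0]

def check_message(raw):
    """Return findings for one RFC 822 message string; an empty list means no red flag was found."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Red flag 1: display name claims a trusted party, but the address domain is not that party's domain.
    for fragment, expected in TRUSTED.items():
        if fragment in name.lower() and domain != expected:
            kind = "look-alike domain" if look_alike(domain, expected) else "unexpected domain"
            findings.append(f"From name '{name}' with address @{domain} ({kind}; expected @{expected})")
    # Red flag 2: the visible link text names one host, but the href goes somewhere else.
    for part in msg.walk():  # walk() yields the message itself for single-part mail
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href, text in ANCHOR.findall(body):
                text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
                if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
                    findings.append(f"Link text shows {host_of(text)} but points to {host_of(href)}")
    return findings

# Constructed sample: display name impersonates the bank, address swaps .example for .co, link text lies.
SAMPLE = """From: First Bank Security <alerts@firstbank.co>
To: office@practice.example
Subject: Action required today
Content-Type: text/html; charset=utf-8

<p>Verify your account at <a href="http://firstbank.co/login">https://firstbank.example/login</a> now.</p>
"""

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

Running it on the sample prints two findings; the same message with the genuine domain in both the address and the href produces none.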


April 4, 2017
