AOA cautions against email phishing scams
Email phishing scams are nothing new but that doesn't mean their effectiveness has waned as variations continue to catch victims hook, line and sinker. Now, there's a new threat possibly lurking in doctors' emails.
Recently, AOA learned of a new "spear phishing" attempt against some doctors' emails that utilizes a fraudulent AOA sender name and subject line to lure unwary users into downloading an infected attachment. This harmful email contains a "From" line that reads "©2018 American Optometric Association," and a subject line that states "AOA-Related Entities and Other Organizations Roster." However, this email does not originate from AOA.
Doctors should be warned that the email in question claims "You have a pending docs shared with you via Adobe Acrobat DC. Please ensure to review the attachment. The secure message expires on [a given date." Do not click this link as it could download Malware onto users' network.
Although unsolicited email prompts from Nigerian princes or stranded family in the Philippines (send money now) are, generally, easily identifiable as fishy—however, the latter caused a breach of the vice president's personal email—hackers now are taking a much more precise, sophisticated approach.
Called spear phishing, these malicious emails fraudulently appear to originate from a known or trusted sender to elicit confidential information, such as passwords, account numbers or other sensitive data. These schemers go to great lengths to trick users, and target victims ranging from individuals and small businesses to large corporations.
In April 2016, the FBI's Internet Crime Complaint Center (IC3) reported a 270% increase in identified victims and exposed losses in the previous year from business email compromise scams with losses totaling more than $2.3 billion in all 50 states and nearly 80 countries. But this deception is all about getting a foot in the door. Criminals can infect malware or even hold businesses' files and data hostage until a sum is paid—ransomware—to do even more damage, and that's where the toll significantly climbs.
Across all industries, the number of ransomware incidents handled by Beazley, the specialist insurer underwriting the cyberliability insurance offered by AOAExcel ® Endorsed Business Partner Lockton Affinity, quadrupled from 2015 to 2016, and half of those were in health care. That number was expected to double again in 2017.
"Nobody is immune," Katherine Keefe, head of Beazley Breach Response Services Group, told AOA Focus in a May 2017 article, titled, "Danger Data: The (Digital) Threat from Within." "That's because this is a good model for criminals—sometimes these little companies and doctors' offices have no other independent way of restoring that data from backup, so they're more likely to pay."
4 ways to prevent falling victim to phishing scams
These kinds of advanced spear-phishing scams are a very real, commonplace threat, and unfortunately easy to overlook. That's why the FBI's IC3 offers tips for avoiding these deleterious emails:
- Be suspicious. Most email users know not to open or engage spam email, but spear-phishing scams masquerade as a familiar entity. Therefore, take a skeptical approach to any unsolicited email, especially those asking for personal, financial or network security information. Be wary of free, web-based email accounts that are more susceptible to hacking. Also, be skeptical of emails that request secrecy or pressure you to act quickly.
- Keep confidential information confidential. Personal, financial or network security information that falls into the wrong hands can cost you and your business dearly. Stolen Social Security numbers can be used to open lines of credit or to file fraudulent tax returns, while compromised network security information in a medical practice exposes ePHI and can be a violation of the HIPAA Security Rule.
- Be wary of links, web addresses. Spear-phishing scams often mimic trusted parties by making miniscule changes in email extensions or links. For example, a schemer may use the exact same email as a known user, but change .com to .co and alter the account display name to read from a known party. Advanced attacks may even borrow a company logo or header to appear official and avert attention away from an altered extension. Such was the case with a phishing attack posing as communication from the Department of Health and Human Services Office of Civil Rights.
The goal of these realistic emails is to elicit an action, be it divulging confidential information or persuading a user to click a deceptive link. This link may take users to a familiar, look-alike site that requires security information, such as an online banking account. Once users enter their login credentials, the scammer can hack the account and continue spreading the malicious email. Always compare the link in an email to the link you're directed to, and visit the official website instead of clicking on the link in an unsolicited email.
- Make contact. Don't hesitate to reach out to the actual business or entity that supposedly sent the email to verify its validity. This quick, simple step could easily expose an email scheme for what it is, and alert you to malicious addresses, links or fraudulent email addresses.
Learn about cyberliability insurance and compliancy solutions from AOAExcel endorsed business partners.
Members can access new, template appeal letters to assist in payer denials and patient communications, as well as attend an #AskAOA webinar on addressing payer clawbacks and denials.