During the summer months, some of my colleagues like to talk about the fishing trips they take every weekend. I don’t know a lot about fishing, but I do know a lot about phishing and spear phishing, so I’ve found a way to contribute to the conversation by interjecting a few jokes that usually do a good job at reeling in the laughs:
What’s a CISO’s least favorite summer activity? Phishing.
What are hackers doing when they target healthcare organizations? Phishing docs.
What’s another name for a hacker that uses phishing to trick email recipients? A prawn-artist.
What do you call a phishing attempt that uses a funny video link to get you to click? A clown phish.
I try to cap it at four phishing jokes. No need to go overboard.
The truth is, phishing is no laughing matter. An estimated 91% of hacking attacks begin with a phishing or spear phishing email, so healthcare organizations should be very serious about tackling (no fishing pun intended) this threat head-on.
One of the best ways to protect against phishing emails is to educate your organization about these kinds of attacks. So first, let’s define phishing and spear phishing.
Phishing is a type of social engineering that uses emails designed to trick the recipient into clicking on a malicious attachment or visiting a malicious website.
Spear phishing is a more targeted form of phishing that can appear to come from a trusted acquaintance.
If a recipient of a phishing email opens a malicious attachment or clicks on a link, he or she might download a program that installs malware onto the system, compromising the entire system and exposing sensitive data to theft. In other scenarios, a phishing email might lure a victim to a website that appears legitimate and tricks the user into disclosing private information like a username and password or bank information.
It’s easy to be deceived by a phishing scam. 97% of people globally can’t correctly identify a sophisticated phishing email (Intel). Often, phishing emails are disguised to look like they came from your IT department or a top executive from within your organization, such as your CEO. There are also millions of phishing emails – about 156 million – sent daily. Of those 156 million, about 16 million get through spam filters to your inbox and 8 million of those are opened. What’s the risk? According to research from the Ponemon Institute, phishing costs an average 10,000-person company almost $4 million USD annually.
There are a few best practices to protect yourself and your organization against these attacks. Here’s how you can make sure you’re operating with a complete tackle box:
Educate Staff So They Don’t Fall for the Bait
JP Morgan performed a test to see how many employees would open and click a fake phishing email. They found that 20% of their staff fell for the bait. Make sure you are consistently educating everyone in your organization about phishing scams. While some may be easy to detect (e.g., a Nigerian prince offering to give you his inheritance), more sophisticated scams (e.g., a request from your IT department for your username and password) are harder to spot. Train staff to be on the lookout for anything that seems fishy – even the best-engineered scams often contain a giveaway.
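The "giveaways" that training teaches people to notice can also be checked mechanically. The post does not spell out which giveaways it means, so the example below, which is added here and is not code from the original post, generalizes to four common ones: a display name that claims an internal role (IT, CEO, payroll) while the address is external, a Reply-To that points somewhere other than the sender's domain, a sender domain that is a one-or-two-character look-alike of the organization's own, and a credential request paired with a link that leaves the organization. The organization domain `example-health.org` and both sample messages are constructed for illustration.

```python
"""Heuristic phishing-indicator check over constructed sample messages.

Added example, not from the original post. Flags a few classic giveaways
so a reviewer (or a mail-flow rule) can surface them to staff.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumption: the organization's own domain
INTERNAL_ROLES = ("it", "helpdesk", "ceo", "cfo", "hr", "payroll")
CREDENTIAL_WORDS = ("password", "verify your account", "log in", "login")

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": (
        "From: IT Helpdesk <helpdesk@example-health.org>\n"
        "To: nurse@example-health.org\n"
        "Subject: Scheduled maintenance Saturday\n"
        "\n"
        "The portal will be offline 02:00-04:00. No action is required.\n"
    ),
    "spoofed": (
        # 'heaIth' uses a capital I in place of the l: a look-alike domain.
        "From: IT Helpdesk <helpdesk@example-heaIth.org>\n"
        "Reply-To: support@mail-drop.example\n"
        "To: nurse@example-health.org\n"
        "Subject: Action required\n"
        "\n"
        "Your password expires today. Log in at http://example-heaith.org/reset "
        "to keep access.\n"
    ),
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return human-readable giveaways found in one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    found = []

    # 1. Display name claims an internal role, but the address is not ours.
    words = re.findall(r"[a-z]+", name.lower())
    if from_dom != org_domain and any(w in INTERNAL_ROLES for w in words):
        found.append(f"internal-looking display name '{name}' from external domain {from_dom}")

    # 2. Replies would go to a different domain than the one that sent the mail.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        found.append(f"Reply-To domain {_domain(reply)} differs from sender domain {from_dom}")

    # 3. Sender domain is a near miss of ours (one or two characters off).
    if from_dom != org_domain and 0 < _edit_distance(from_dom, org_domain) <= 2:
        found.append(f"look-alike sender domain {from_dom}")

    # 4. Credential request combined with a link that leaves the organization.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    links = re.findall(r"https?://([^/\s]+)", body)
    external = [d for d in links if d.lower() != org_domain]
    if external and any(w in body.lower() for w in CREDENTIAL_WORDS):
        found.append(f"credential request with external link(s): {', '.join(external)}")
    return found


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Run it and the legitimate maintenance notice comes back clean while the spoofed message trips all four checks. Heuristics like these are a training aid and a triage filter, not a replacement for the awareness work the post describes: the checks are deliberately simple so staff can see exactly which feature of a message gave it away.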
Use the Best Gear and Keep It Updated
There are a lot of tools available to help organizations monitor emails and filter out phishing scams. Look into options like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Host Intrusion Prevention Systems (HIPS), which can detect and prevent malicious activity. You should also make sure every device is equipped with anti-malware/anti-virus software and inform staff that they should always install new updates for this software to ensure the highest level of virus protection.
Keep Sensitive Data Off Your Network So There Aren’t Any Fish to Phish!
The best way to protect sensitive data from phishing scams is to limit the amount of data that lives on your network. Healthcare organizations can leverage technologies like point-to-point encryption (P2PE) and tokenization that protect data stored or transferred on their networks. P2PE prevents people from viewing cardholder information and protects the confidentiality and integrity of this data. Tokenization converts data into a token that is associated with your organization. This unique association prevents someone from using the stolen token for anything other than the intended purpose. To keep with the fishing analogies, you could compare a token to the keys to a fishing boat – if someone steals your boat keys, they can’t then stick them into the ignition of another boat and drive away; the keys only work with your boat.
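The "keys only work with your boat" property comes from the vault binding each token to the organization that requested it. The example below is added here and is not the post's own code or any vendor's product: a minimal vault-style tokenizer in which tokens are random values with no mathematical relationship to the card number, the mapping is stored only inside the vault, and detokenization succeeds only for the issuing organization. The organization ids `clinic-A` and `clinic-B` and the card number are constructed for illustration.

```python
"""Vault-style tokenization with per-organization binding.

Added example, not from the original post. Shows why a stolen token is
useless to anyone other than the organization it was issued to.
"""
import secrets


class TokenVault:
    """Maps sensitive values to random tokens; each mapping is bound to one org."""

    def __init__(self):
        self._by_token = {}   # token -> (org_id, sensitive value)
        self._by_value = {}   # (org_id, value) -> token, so repeat requests reuse a token

    def tokenize(self, org_id: str, value: str) -> str:
        """Issue (or re-issue) the token for `value` on behalf of `org_id`."""
        key = (org_id, value)
        if key in self._by_value:
            return self._by_value[key]
        # The token is random, not derived from the value, so it leaks nothing.
        token = "tok_" + secrets.token_hex(12)
        self._by_token[token] = (org_id, value)
        self._by_value[key] = token
        return token

    def detokenize(self, org_id: str, token: str):
        """Return the original value only to the org the token was issued for."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != org_id:
            return None
        return entry[1]


def masked_display(value: str) -> str:
    """What a receipt or screen may show: only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


def demo() -> dict:
    """Walk through issue, reuse, authorized lookup and a 'stolen token' lookup."""
    vault = TokenVault()
    pan = "4111111111111111"           # constructed test card number
    token = vault.tokenize("clinic-A", pan)
    return {
        "token": token,
        "reused_on_repeat": vault.tokenize("clinic-A", pan) == token,
        "owner_can_resolve": vault.detokenize("clinic-A", token) == pan,
        "thief_at_other_org_gets": vault.detokenize("clinic-B", token),
        "shown_to_staff": masked_display(pan),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The application systems that would be exposed by a phishing-borne compromise store only the token and the masked form; the vault, which holds the real mapping, is the single component that has to be kept off the ordinary network. In a production deployment the vault would also be the place to put access logging and rate limits on `detokenize`, since that call is the only path back to the sensitive value.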
While phishing scams are frequent and becoming more sophisticated, following these best practices will help protect your organization and keep you from falling for the bait hook, line and sinker.