Has Your Data Gone Phishing?

The truth is, phishing is no laughing matter. Phishing is a type of social engineering that uses emails designed to trick the recipient into clicking on a malicious attachment or visiting a malicious website. Spear phishing is a more targeted form of phishing that can appear to come from a trusted acquaintance.

If a recipient of a phishing email opens a malicious attachment or clicks on a link, he or she might download a program that installs malware onto the system, compromising the entire system and exposing sensitive data to theft. In other scenarios, a phishing email might lure a victim to a website that appears legitimate and tricks the user into disclosing private information like a username and password or bank information.

It’s easy to be deceived by a phishing scam. 97% of people globally can’t correctly identify a sophisticated phishing email. Often, phishing emails are disguised to look like they came from your IT department or a top executive from within your organization, such as your CEO. There are also billions of phishing emails – about 3 billion – sent daily. 25% of phishing emails get past spam filters and into Office 365. 30% of phishing emails are opened. What’s the risk? According to research from the Ponemon Institute, phishing incidents cost large companies an average of $14.8 million annually (or $1,500 per employee), up sharply from 2015’s figure of $3.8 million.

There are a few best practices to protect yourself and your organization against these attacks. Here’s how you can make sure you’re operating with a complete “tackle box:”

Educate Staff So They Don’t Fall for the Bait

J.P. Morgan performed a test to see how many employees would open and click a fake phishing email. They found that 20% of their staff fell for the bait. Make sure you are consistently educating everyone in your organization about phishing scams. While some may be easy to detect (e.g., a Nigerian prince offering to give you his inheritance), more sophisticated scams (e.g., a request from your IT department for your username and password) are harder to spot. Train staff to be on the lookout for anything that seems fishy – even the best-engineered scams often contain a giveaway.

Use the Best Security Software and Keep It Updated

There are a lot of tools available to help organizations monitor emails and filter out phishing scams. Look into options like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Host Intrusion Prevention Systems (HIPS) which can detect and prevent malicious activity. You should also make sure every device is equipped with anti-malware/anti-virus software and inform staff that they should always install new updates for this software to ensure the highest level of virus protection.

Keep Sensitive Data Off Your Network

The best way to protect sensitive data from phishing scams is to limit the amount of data that lives on your network. Healthcare organizations can leverage technologies like point-to-point encryption (P2PE) and tokenization that protect data stored or transferred on their networks. P2PE prevents people from viewing cardholder information and protects the confidentiality and integrity of this data.

Tokenization converts data into a token that is associated with your organization. This unique association prevents someone from using the stolen token for anything other than the intended purpose. To keep with the fishing analogies, you could compare a token to the keys to a fishing boat – if someone steals your boat keys, they can’t then stick them into the ignition of another boat and drive away; the keys only work with your boat.

While phishing scams are frequent and becoming more sophisticated, following these best practices will help protect your organization and keep you from falling for the bait hook, line and sinker.