New fed guidance helps providers, stakeholders avoid phishing attacks

A report from CISA, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, offers a number of tips for beating phishing attacks.

With the report, the agency aims to share ways that healthcare providers, business associates, consultancies and other stakeholders can avoid social engineering and the phishing attacks that would likely follow from it.


In a social engineering attack, the offender uses human interaction and social skills to obtain information about the organization or its information systems. Appearing unassuming and respectable and posing as a new employee, repair person or researcher, the offender may even offer credentials to support the false identity.


By asking questions, the attacker may piece together enough information to infiltrate the organization’s network. If more information is needed, attackers may approach another source in the company and use what they learned from the first source to add to their credibility.

Phishing is a form of social engineering. An attacker may send emails to others in the organization that appear to come from a trusted source, such as colleagues or management, and that suggest there is a problem. When users respond with the requested information, the attacker has more information with which to gain access to other email accounts.

Similarly, “vishing” is a social engineering ploy that leverages voice communication. The technique can be combined with other forms of social engineering to entice a victim to call a certain phone number and divulge protected information. A vishing attack can take over voice communication by exploiting Voice over Internet Protocol software and broadcasting services, taking advantage of misplaced trust in telephone services, particularly landlines.

Another form of attack, called smishing, uses social engineering and exploits text messages. These messages can contain links to web pages, email addresses or phone numbers. When clicked, they may automatically open a browser window, an email or voice message, or dial a number. This integration of email, voice, text message and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

CISA also offers five ways to spot common indicators of phishing attempts:

Suspicious sender’s address. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.

Generic greetings and signature. A greeting such as “Dear Valued Customer,” and a lack of contact information in the signature block indicate a phishing email. A trusted organization will address the recipient by name and provide contact information.

Spoofed hyperlinks. Hovering the cursor over a link in the body of the email may reveal that the link’s destination does not match the text displayed, indicating that the link may be spoofed, that is, presenting a person or program as another by falsifying data.

Spelling and layout. Poor grammar and sentence structure, as well as misspellings and inconsistent formatting, are other indicators of a phishing attack.

Suspicious attachments. An unsolicited email asking that a user download and open an attachment is another strong warning sign. A hacker may use a false sense of urgency to get a user to download or open an attachment.
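As an added example, not taken from the CISA report or this article, the following Python check applies three of the indicators above to a constructed sample message: a sender domain within a character or two of a trusted one, a generic greeting, and link text that points somewhere other than its visible URL. The trusted-domain list, the similarity threshold and the sample message are assumptions made for the demonstration.

```python
import difflib
import re
from email import message_from_string
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-health.org"}  # constructed allow-list (assumption)
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message that shows three indicators at once
SAMPLE_EMAIL = """\
From: Patient Billing <billing@examp1e-health.org>
Content-Type: text/html

<html><body>Dear Valued Customer,<br>
Your account will be suspended. Please visit
<a href="http://198.51.100.7/login">https://portal.example-health.org/login</a>
within 24 hours.</body></html>
"""

def is_lookalike(domain):
    # Not a trusted domain itself, but within a character or two of one
    # (a difflib ratio of 0.9 on an 18-character name allows about one edit)
    return domain not in TRUSTED_DOMAINS and any(
        difflib.SequenceMatcher(None, domain, t).ratio() >= 0.9 for t in TRUSTED_DOMAINS)

def host_of(url):
    # Hostname of a URL; visible link text without a scheme is treated as http://
    return urlparse(url if "://" in url else "http://" + url).hostname

def phishing_indicators(raw_email):
    # Returns the names of the indicators found in a single-part text/html message
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    found = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and is_lookalike(m.group(1).lower()):
        found.append("lookalike sender domain")
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    for href, shown in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()  # drop tags nested in the link text
        # Only compare when the visible text itself looks like a URL or hostname
        if "." in shown and host_of(shown) and host_of(shown) != host_of(href):
            found.append("spoofed hyperlink")
            break
    return found
```

Calling `phishing_indicators(SAMPLE_EMAIL)` reports all three indicators, while a message from a trusted domain with a named greeting and a plain "Portal" link label reports none.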
