HIT Think

How to raise defenses to defeat phishing attacks


Phishing attacks are an effective and profitable form of crime. This helps explain why these attacks continue to increase, according to the recent Anti-Phishing Working Group (APWG) Phishing Activity Trends Report, 2nd Quarter 2016.

The total number of unique phishing sites observed in the second quarter of 2016 was 466,065, an all-time high. The second quarter's total rose 61 percent from the 289,371 phish found in the first quarter of 2016, which was the previous high.

Phishing attacks occur when cybercriminals use false e-mails or websites to extract confidential information, such as Social Security or credit card numbers, account details or identity information, from unsuspecting online users. Users have a reason to be cautious—phishing attacks undermine confidence in the authenticity of e-mails and websites.

Phishing attacks highlight the basic security weakness of the Internet in that there is no way to ensure with 100 percent certainty that an organization at the other end of an e-mail or web session is who they say they are. There are no easy answers or shortcuts to solve the phishing problem. But here is a list of key tasks to consider:

  • Ensure an enterprise-wide policy and procedure addresses how to handle a phishing attack.
  • Educate users on the policy and procedure, ensuring that it addresses acceptable and unacceptable behavior and covers topics such as the following:

- Never provide a password, credit card number, or other confidential or personal information via e-mail.
- Manually type the URL into the browser's address bar instead of clicking a suspicious hyperlink in an e-mail.
- Only enter information online by logging into a website after the address is manually typed into a browser.
- Look at the address in the address bar of a web browser and do not enter any information if the address doesn't match what the hyperlink shows or if it looks suspicious.
- Call the phone number listed on the alleged sender's website to confirm an e-mail's validity instead of replying to any suspicious e-mail.

  • Enable and continually update spam filters, URL filters, antimalware software, personal firewalls and anti-phishing features.
  • Implement multifactor authentication to minimize the likelihood of an attacker obtaining usable login credentials.
  • Conduct social media monitoring to identify activity on social networks that may pose a risk to your organization.
  • Ensure your organization has the means to allow users to report phishing or fraud.
  • Subscribe to an anti-phishing service to track phishing attacks using your organization’s name to find phishing destination sites or to detect phishing e-mails.

Phishing can result in identity theft or medical identity theft for an unsuspecting user who enters credit card numbers, account names, passwords and other information into an attacker's website. A phishing attack can also potentially diminish the reliability of any organization’s reputation.

Healthcare organizations need to educate their workforce and patient population beyond the basic training and awareness often provided. They should take phishing more seriously and implement solutions that dramatically minimize the threat of these attacks because completely eliminating these types of attacks is not realistic. But organizations can reduce the frequency and impact of phishing.
