The COVID-19 pandemic has been a boon for bad actors across the digital landscape. In July, for instance, authorities in the U.S., U.K. and Canada all issued warnings about serious cyberattacks against healthcare organizations and others involved in the coronavirus response. The purpose of these attacks? Theft of intellectual property during the race to develop a vaccine. The tool of choice? Spear-phishing email attacks.
Since the beginning of 2020, healthcare-related phishing targets have included hospitals, research laboratories, health care providers and pharmaceutical companies. As of this writing, the Department of Health and Human Services reports that it is under attack on a daily basis.
Which brings up this timely reminder for every healthcare facility: In August 2019, Threatpost reported on a new type of spear-phishing attack that your entire organization must be aware of. Delivered through Google Drive's sharing notifications, the email claims to come from the CEO of your own organization sharing important information with recipients. Although the message genuinely comes from Google Drive, the sender address doesn't match your facility's standard naming convention for email addresses.
Because the email is sent by a legitimate email service, it’s able to bypass Microsoft Exchange Online Protection on its way to users' inboxes. The point is, Microsoft’s built-in security features are not enough to protect your organization against spear-phishing attacks, particularly since cybercriminals are focused on ways to compromise exactly these protections.
No Spam Filter or Email Gateway Can Block 100% of All Spam
Spam filters and email gateways have proven quite effective at blocking most of the junk email sent by the thousands on a daily basis, but cybercriminals are always looking for new ways to bypass security measures through social engineering, new strains of malware, and exploiting newly discovered security flaws in Microsoft Exchange Server and cloud email platforms. That's why user training must always be a top priority for all healthcare organizations that use email.
10 Tips to Kill Phishing Attacks
In a prior post, I listed the following 10 tips to avoid falling victim to phishing emails. You should get all the details there, but here's a brief summary.
- Watch out for messages disguised as something expected, like a shipment or payment notification.
- Watch for messages asking for personal information such as account numbers, Social Security numbers and other identifying details. Legitimate companies will never ask for this over email.
- Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
- Check for poor grammar or spelling errors.
- Hover before you click! Hovering over a link shows its real destination, which often differs from the text you see.
- Check the greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful and think twice!
- Check the email signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam.
- Don’t download attachments.
- Don’t trust the “from” address – Know the difference between the "envelope from" and the "header from" addresses.
- Don’t enable macros – Never trust an email that asks you to enable macros before downloading a Word document.
10 Tips to Protect Against Business Email Compromise (BEC) Email Attacks
Business Email Compromise goes beyond standard spam techniques by exploiting human nature and the trust established between employees and members of the executive team. Scammers use social engineering, CEO impersonation, and a variety of other techniques to trick users in accounting, finance or other high-power positions into transferring money into the scammer's accounts. These attacks are well-executed and targeted at specific individuals, and often take more time to plan and launch due to the amount of research that goes into these attacks. Cybercriminals use publicly available information on sites such as LinkedIn, Facebook and even the website of the targeted organization to gain insight into the company's business practices. They will often study the writing styles of the executive team, which allows the scammers to craft convincing emails that appear authentic to employees.
Because BEC attacks are often so well-crafted and contain no malware or other malicious attachments, they are able to bypass standard security measures. These tips should help you identify a BEC attempt if one should slip through your spam filter or email gateway.
- Train users to recognize these common impersonation tactics used by cybercriminals:
  - Domain name spoofing
  - Display name spoofing
  - Lookalike domain spoofing
  - Compromised account
- Secure your domain by registering similar domains.
- Don't over-share on social media.
- Use SPF, DKIM & DMARC to protect your domain from spoofing.
- Use two-factor authentication.
- Require strong passwords.
- Don’t trust unknown sources.
- Establish strict processes for wire transfers.
- Provide regular end-user training.
- Run antivirus software often.
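The four impersonation tactics above, together with the "envelope from" versus "header from" distinction from the phishing tips, can be checked mechanically from message headers before a user ever sees the mail. The following is an added example, not code from the original post or from MDaemon. It assumes the gateway stamps an Authentication-Results header with SPF and DKIM verdicts; the organization domain, executive roster and all sample messages are constructed for the demo.

```python
"""Classify an inbound message against the impersonation tactics listed above.

Added example (not from the original post). OUR_DOMAIN, EXECUTIVES and the
sample messages are constructed placeholders.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-hospital.org"                         # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-hospital.org"}  # constructed roster


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_passed(msg, method):
    """True if our gateway's Authentication-Results header reports method=pass."""
    return f"{method}=pass" in msg.get("Authentication-Results", "").lower()


def classify(raw):
    """Return the list of tactic labels the headers match (empty list = nothing found)."""
    msg = message_from_string(raw)
    display, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(header_from)
    findings = []

    # Domain name spoofing: From claims our own domain but neither SPF nor DKIM vouches for it.
    if from_dom == OUR_DOMAIN and not (_auth_passed(msg, "spf") or _auth_passed(msg, "dkim")):
        findings.append("domain name spoofing")

    # Display name spoofing: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and header_from.lower() != expected:
        findings.append("display name spoofing")

    # Lookalike domain: not ours, but similar enough to be mistaken for it.
    if from_dom and from_dom != OUR_DOMAIN:
        if difflib.SequenceMatcher(None, from_dom, OUR_DOMAIN).ratio() >= 0.85:
            findings.append("lookalike domain spoofing")

    # "Envelope from" (Return-Path) and "header from" disagree on the sending domain.
    if envelope_from and _domain(envelope_from) != from_dom:
        findings.append("envelope/header from mismatch")

    # Compromised account: fully authenticated mail from our own domain can still come
    # from stolen credentials, so route wire-transfer requests to a human reviewer.
    if from_dom == OUR_DOMAIN and "domain name spoofing" not in findings:
        body = msg.get_payload(decode=True) or b""
        if b"wire" in body.lower():
            findings.append("possible compromised account (wire request)")

    return findings


# Constructed sample messages (not real mail); all domains are placeholders.
SAMPLE_DISPLAY_NAME = """From: Jane Doe <jane.doe.ceo@gmail-example.invalid>
Return-Path: <jane.doe.ceo@gmail-example.invalid>
Authentication-Results: gw.example-hospital.org; spf=pass; dkim=pass
Subject: Urgent

Are you at your desk? I need a favor.
"""

SAMPLE_SPOOF = """From: Jane Doe <jane.doe@example-hospital.org>
Return-Path: <bounce@mailer.invalid>
Authentication-Results: gw.example-hospital.org; spf=fail; dkim=none
Subject: Invoice

Process the attached invoice today.
"""

SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-hospital.org>
Return-Path: <jane.doe@examp1e-hospital.org>
Authentication-Results: gw.example-hospital.org; spf=pass; dkim=pass
Subject: Quick question

Can you call me?
"""

SAMPLE_INTERNAL_WIRE = """From: Jane Doe <jane.doe@example-hospital.org>
Return-Path: <jane.doe@example-hospital.org>
Authentication-Results: gw.example-hospital.org; spf=pass; dkim=pass
Subject: Vendor payment

Please wire the vendor payment this afternoon.
"""

if __name__ == "__main__":
    for name, raw in [("display name", SAMPLE_DISPLAY_NAME), ("spoof", SAMPLE_SPOOF),
                      ("lookalike", SAMPLE_LOOKALIKE), ("internal wire", SAMPLE_INTERNAL_WIRE)]:
        print(name, "->", classify(raw))
```

The last check is the important caveat: SPF, DKIM and DMARC prove that mail came from an authorized server, not that the person who logged in was the account owner, which is why the strict wire-transfer process in the list above is a separate control from domain protection.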
You can learn more on how to avoid Business Email Compromise attacks here.
Size Doesn’t Matter To Your Need for Protection
No healthcare facility is too big or too small to fall victim to email-borne scams. In fact, cybercriminals often target smaller organizations based on the assumption that smaller companies are less likely to have the latest security systems in place. MDaemon Email Server and Security Gateway for Email Servers include a variety of features to protect your healthcare facility from spam, malware and leaks of sensitive business data.
Would you like to learn more about how Security Gateway for Email can help protect your healthcare facility and its data? Visit SecurityGatewayForEmail.com to sign up for hosted or on-premise email protection.