Email Phishing: How to protect your practice

In 2020, 505 reported HIPAA breaches compromised the protected health information of 23.34 million Americans, and email was the most common attack vector.

Per the Paubox team’s 2020 Breach Report: A Year in Review, which summarizes public data provided on HHS’ breach portal, last year there were 505 reported HIPAA breaches. In total, 23.34 million Americans had their protected health information (PHI) compromised.

Email breaches were the most common attack vector, with 188 breaches. The largest email breach occurred in December via MEDNAX Services, Inc., where 1,290,670 individuals were affected.

So why is email such a cybersecurity problem, and what can healthcare organizations do about it?

Email phishing

Email phishing is one of the most common ways attackers gain a foothold in a system. The attacker crafts a message that appears to come from a credible, trusted source, and it is usually written to induce panic or quick action, such as warning of an imminent account shutdown or a security breach in progress. The goal is to trick the recipient into handing over credentials or other information that the attacker then uses to access and exploit valuable or sensitive systems.

According to Coveware’s most recent Q4 2020 report, email phishing overtook remote desktop protocol (RDP) compromise as the dominant initial attack vector last year. Deloitte’s research also finds that 91% of all cyberattacks begin with a phishing email to an unsuspecting victim.

According to the 2020 HIMSS Cybersecurity Survey, phishing email is the typical initial point of network compromise, by either general phishing or spear phishing. Seventy-seven percent of respondents indicated that their organizations experienced a phishing attack or other social engineering attack in the past twelve months.

This is a big problem, since it takes just one mistaken click to compromise a network. It serves as a reminder that inbound email security is just as important as outbound HIPAA-compliant email for a healthcare provider.

Display name spoofing

Display name spoofing is a common technique in phishing emails. The attacker sets the display name of the From: header to that of a trusted person, so the message appears to come from that person even though the underlying email address is unrelated. It is typically aimed at a specific recipient.

This is easy for criminals to do: they sign up for a free email address with a provider such as Yahoo! or Google and set the display name to the person they want to impersonate. Because the message really is sent from that webmail account, standard sender authentication passes; the only clue is the mismatch between the familiar name and the unfamiliar address. The impersonated person is someone the victim is likely to engage with, which the criminal identifies by researching the company’s website or LinkedIn profiles to learn the team structure.

Lookalike domains

Hackers may also register a lookalike domain when impersonating a known sender. They register new, deceptively similar domains by swapping characters, such as replacing the letter o with the numeral 0, or by inserting an additional character such as an s or a hyphen. Because the attacker controls the lookalike domain, they can publish SPF, DKIM and DMARC for it, so the message authenticates cleanly; the lookalike has to be caught by comparing the domain itself against the genuine one.
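Both tricks can be flagged at the mail gateway with a check on the From: header alone. The script below is an added example for this page, not Paubox product code or any tool the page describes; the trusted domain, the roster of likely impersonation targets, the confusable-character table and the sample headers are all constructed for the demonstration.

```python
"""Flag display-name spoofing and lookalike sender domains in inbound mail.

Added example, not Paubox code. The trusted domain, roster, confusable table
and sample From: headers below are constructed for the demonstration.
"""
from email.utils import parseaddr

# Constructed: the organisation's real domain and the people an attacker would
# most likely impersonate (the same names an org chart or LinkedIn would give).
TRUSTED_DOMAIN = "examplehealth.org"
TRUSTED_PEOPLE = {"jane doe", "accounts payable"}

# Character swaps attackers use when registering lookalike domains: the left
# side imitates the right side in many fonts.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case and undo confusable swaps, so 'examp1ehealth.org' compares
    equal to 'examplehealth.org'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an inserted 's' or '-' is a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but, after undoing confusable swaps,
    is within one edit of ours."""
    if domain.lower() == TRUSTED_DOMAIN:
        return False
    return edit_distance(normalise(domain), normalise(TRUSTED_DOMAIN)) <= 1


def classify(from_header: str) -> str:
    """Classify a raw From: header value as 'internal', 'lookalike-domain',
    'display-name-spoof' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == TRUSTED_DOMAIN:
        return "internal"
    if is_lookalike(domain):
        return "lookalike-domain"
    # A trusted person's name on an address outside our domain is the
    # free-webmail display-name spoof described above.
    if name.strip().lower() in TRUSTED_PEOPLE:
        return "display-name-spoof"
    return "external"


# Constructed sample headers, one per case.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@examplehealth.org>",      # genuine internal mail
    "Jane Doe <janedoe.ceo2020@gmail.com>",       # display name spoof
    "Accounts Payable <ap@examp1ehealth.org>",    # digit 1 for letter l
    "Accounts Payable <ap@examplehealths.org>",   # extra 's'
    "IT Helpdesk <support@example-health.org>",   # inserted hyphen
    "Newsletter <news@vendor.example>",           # ordinary external sender
]


def scan(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each header to its classification."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in scan().items():
        print(f"{verdict:20} {header}")
```

The roster lookup is deliberately exact: in practice the names of executives and finance staff are the ones worth protecting, and a short list keeps false positives low. The edit-distance threshold of one catches the single-character swaps and insertions described above; raising it catches more registrations but starts to flag unrelated partner domains.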

Why phishing attacks still work

Phishing emails date to the mid-1990s, and more than 25 years later they remain a huge threat.

Cybersecurity training programs require us to always be circumspect about emails we receive. Putting every email under a microscope is a laudable goal, but when our inboxes fill up with hundreds of messages every day, it’s hard to keep up.

Some organizations employ email warning tags as a method to combat malicious emails. This type of alert sits at the top of an email and typically includes the word “External” or “Caution” to remind recipients to verify an email’s source before opening a message.

Unfortunately, specialists worry that once most inbound mail carries such a tag it becomes background noise, reinforcing inattentive reading rather than vigilance. Victims might not even notice the tag.

How healthcare providers can protect themselves

To protect staff, patients, and business partners from email fraud, consider these tactics:

  • Email authentication: Publish SPF and DKIM for your domain and a Domain-based Message Authentication, Reporting and Conformance (DMARC) record with an enforcing policy (p=quarantine or p=reject). DMARC lets receiving servers reject mail that forges your exact domain in the From: header, but only that: it does nothing against display name spoofing from a webmail account or against a lookalike domain the attacker registered and authenticated himself.
  • Domain monitoring: Automatically identify and flag deceptively similar domains as soon as they are registered, before the fraudster’s first message arrives.
  • Security awareness training: Teach employees how to recognize and report cybersecurity threats.
  • Block domain name spoofing emails: Deploy an inbound email security gateway that enforces SPF, DKIM and DMARC results and checks for display name and lookalike domain impersonation, so spoofed messages never reach the inbox in the first place.
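To make the DMARC point concrete, the following added example (not Paubox code and not a DMARC library) models the identifier-alignment and policy rules of RFC 7489 for a handful of constructed messages. The DMARC records, domains and authentication results are all assumptions built for the demonstration, and SPF/DKIM outcomes are supplied as inputs rather than verified against DNS, so it runs offline. It shows the weak p=none setting beside the enforcing p=reject one, and why a lookalike domain or a webmail display name spoof passes DMARC untouched.

```python
"""Evaluate a DMARC disposition from a message's authentication results.

Added example, not Paubox code. Records, domains and results are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DMARC records, as a receiver would fetch them from _dmarc.<domain>.
DMARC_RECORDS = {
    # Enforcing record: exact-domain spoofs are rejected.
    "examplehealth.org": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@examplehealth.org",
    # Weak record: the same spoof is only reported, never blocked.
    "clinic-partner.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-partner.example",
    # The attacker's own lookalike domain, with its own SPF and DKIM set up.
    "examplehealths.org": "v=DMARC1; p=reject",
    # A webmail provider: mail sent through it is fully authenticated.
    "webmail.example": "v=DMARC1; p=quarantine",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List; the simplification is an assumption here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any subdomain of the same organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str                 # domain of the From: header the recipient sees
    spf_pass_domain: Optional[str]   # MAIL FROM domain that passed SPF, or None
    dkim_pass_domain: Optional[str]  # d= of a valid DKIM signature, or None


def dmarc_disposition(r: AuthResult) -> str:
    """Return 'pass' when SPF or DKIM both passes and aligns with the From:
    domain; otherwise the published policy action ('none', 'quarantine',
    'reject'); 'no-policy' when the From: domain publishes no record."""
    record = DMARC_RECORDS.get(r.from_domain.lower())
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = aligned(r.from_domain, r.spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(r.from_domain, r.dkim_pass_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed cases, one per situation discussed above.
SAMPLES = {
    # Exact-domain spoof sent from attacker infrastructure: SPF fails to align.
    "exact spoof, p=reject": AuthResult("examplehealth.org", "bulk-sender.example", None),
    # The same spoof against a domain that only publishes p=none: delivered.
    "exact spoof, p=none": AuthResult("clinic-partner.example", "bulk-sender.example", None),
    # Genuine mail from the organisation.
    "legitimate": AuthResult("examplehealth.org", "examplehealth.org", "examplehealth.org"),
    # Genuine mail relayed under a subdomain: strict alignment rejects it,
    # which is the usual self-inflicted outage when aspf=s is set carelessly.
    "own subdomain, aspf=s": AuthResult("examplehealth.org", "mail.examplehealth.org", None),
    # Lookalike domain: the attacker owns it, so SPF and DKIM align and pass.
    "lookalike domain": AuthResult("examplehealths.org", "examplehealths.org", "examplehealths.org"),
    # Display-name spoof from a free webmail account: the provider's own
    # authentication passes, and DMARC never looks at the display name.
    "display-name spoof": AuthResult("webmail.example", "webmail.example", "webmail.example"),
}


def evaluate_samples() -> dict:
    """Disposition for every constructed case."""
    return {label: dmarc_disposition(r) for label, r in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:24} -> {verdict}")
```

Read the output as the practitioner's checklist: p=reject stops the exact-domain forgery that p=none merely reports, strict alignment can bounce your own relayed mail if every sending subdomain is not accounted for, and the two attack styles described earlier in this page pass DMARC entirely, which is why the domain-monitoring and inbound-gateway controls above are needed alongside it.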

Conclusion

Despite large investments in security, email fraud continues to rise. Cybercriminals are growing more advanced, and attacks are evading traditional security tools.

Taking a multilayer approach to cybersecurity, and protecting your most attacked employees, will significantly reduce risk and allow your institution to focus on patient care.