Tips to Avoid Phishing Attacks

PUBLISHED: Mar 1, 2018
Relevant to: All Healthcare Organizations

The US Department of Health and Human Services Office of Civil Rights has recently published tips to help avoid phishing attacks. Phishing is a type of cyber-attack used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source. Phishing is one of the primary methods used to distribute malicious software, including ransomware.

Phishing Example: An individual may receive an e-mail or text message informing the individual that their password may have been hacked. The phishing email or text may then instruct the individual to click on a link to reset their password. In many instances, the link will direct the individual to a website impersonating an organization’s real web site (e.g., bank, government agency, email service, retail site) and ask for the individual's login credentials (username and password). Once entered into the fake website, the third party that initiated the phishing attack will have the individual’s login credentials for that site and can begin other malicious activity such as looking for sensitive information or using the individual’s email contact list to send more phishing attacks. Alternatively, rather than capture login credentials, the link in the phishing message may download malicious software onto the individual’s computer. Phishing messages could also include attachments, such as a spreadsheet or document, containing malicious software that executes when such attachments are opened.

One of the primary methods of combating phishing attacks of all kinds is user awareness. Training and awareness are a fundamental part of a comprehensive cybersecurity program. The following tips are examples of what should be included in your organization's phishing awareness education program:

  • Be wary of unsolicited third-party messages seeking information. If you are suspicious of an unsolicited message, call the business or person that sent the message to verify that they sent it and that the request is legitimate.
  • Be wary of messages even from recognized sources. Messages from co-workers or a supervisor as well as messages from close relatives or friends could be sent from hacked accounts used to send phishing messages.
  • Be cautious when responding to messages sent by third parties. Contact information listed in phishing messages such as email addresses, web sites, and phone numbers could redirect you to the malicious party that sent the phishing message. When verifying the contents of a message, use known contact information or for a business, the contact information provided on its web site.
  • Be wary of clicking on links or downloading attachments from unsolicited messages. Phishing messages could include links directing people to malicious web sites or attachments that execute malicious software when opened.
  • Be wary of official-looking messages and links. Phishing messages may direct you to fake web sites mimicking real websites using web site names that appear to be official, but which may contain intentional typos to trick individuals. For example, a phishing attack may direct someone to a fake website that uses 1’s (ones) instead of l’s (i.e., a11phishes vs. allphishes).
  • Use multi-factor authentication. Multi-factor authentication reduces the possibility that someone can hack into your account using only your password.
  • Keep anti-malware software and system patches up to date. If you do fall for a phishing scam, anti-malware software can help prevent infection by a virus or other malicious software. Also, ensuring patches are up to date reduces the possibility that malicious software could exploit known vulnerabilities of your computer’s or mobile device’s operating system and applications.
  • Back up your data. In the event that malicious software, such as ransomware, does get installed on your computer, you want to make sure you have a current backup of your data. Malicious software that deletes your data or holds it for ransom may not be retrievable. Robust, frequent backups may be the only way to restore data in the event of a successful attack. Also, be sure to test backups by restoring data from time to time to ensure that the backup strategy you have in place is effective.
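The "a11phishes vs. allphishes" trick above is a lookalike-domain substitution, and it is one of the few items in this list that can be checked by a program rather than by eye alone. The following is an added example, not part of the HHS notice and not an HHS tool, of a defender-side check that flags links whose host matches one of an organization's known-good domains only after visually confusable ASCII characters (1 for l, 0 for o, and a few others) are normalized. The allow list, the confusables table and the sample message are constructed for the example; it generalizes the page's single 1-for-l case to a small table of ASCII look-alikes and also treats subdomains of an allow-listed domain as known-good.

```python
# Added example (not from the HHS notice): flag links to lookalike domains that
# imitate a known-good domain by swapping visually confusable characters.
import re
from urllib.parse import urlparse

# Constructed allow list of domains the organization legitimately uses.
KNOWN_GOOD_DOMAINS = {"allphishes.example", "mybank.example"}

# Constructed (non-exhaustive) table of ASCII characters that imitate letters.
# The page's own case is "1" standing in for "l"; the others are common look-alikes.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b",
    "|": "l", "!": "i", "$": "s",
})

# Matches scheme-bearing URLs in free text; stops at whitespace and quoting characters.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def skeleton(domain: str) -> str:
    """Lower-case a host name and replace confusable characters with the letters they imitate."""
    return domain.lower().translate(CONFUSABLES)


def extract_host(url: str) -> str:
    """Return the host name of a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def _matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """
    "known-good": host is an allow-listed domain (or a subdomain of one).
    "lookalike":  host matches an allow-listed domain only after confusable
                  characters are normalized (e.g. a11phishes.example).
    "unknown":    anything else; treat with the same caution as any unsolicited link.
    """
    host = extract_host(url)
    if any(_matches(host, d) for d in KNOWN_GOOD_DOMAINS):
        return "known-good"
    normalized = skeleton(host)
    if any(_matches(normalized, skeleton(d)) for d in KNOWN_GOOD_DOMAINS):
        return "lookalike"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every URL in a message body and return (url, verdict) pairs in order."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample phishing message modelled on the password-reset lure described above.
SAMPLE_MESSAGE = """\
Your password may have been hacked. Reset it now at
https://a11phishes.example/reset?user=jdoe
or contact support at https://allphishes.example/help
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```

The check is deliberately narrow: it only catches ASCII substitutions against domains you have explicitly listed, so it is a useful mail-gateway or awareness-training aid rather than a complete defense. Internationalized domain names can use Unicode characters that look identical to Latin letters; catching those needs a Unicode confusables table (Unicode Technical Standard #39 publishes one) applied to the decoded host name, which this example does not attempt.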

Included with today's notice is an example Phishing Awareness Education Plan.
