An email may look innocent: it appears to come from a trusted colleague and carries an innocuous subject line. Many people wouldn’t think twice about opening it and clicking a link inside to a familiar website, or downloading a work-related file. Unfortunately, appearances can be deceiving, and that email may be an attempt at spear phishing.
Spear phishing attackers are using increasingly sophisticated methods to target organizations around the globe. Attacks against healthcare organizations are usually conducted to steal patient information, like social security numbers and billing details, to sell on the black market. Recently, UnityPoint Health became the victim of a spear phishing attack that compromised 1.4 million patient records. It was the organization’s second breach in 2018 and the largest health data breach of the year in the U.S. Perhaps more concerning are reports that UnityPoint didn’t know about the attack until nearly a month after it happened.
What is Spear Phishing?
Today’s digitally sophisticated users know to be wary of clicking unknown links or providing personal information in response to unsolicited emails. Spear phishing gets around that wariness by targeting a specific recipient: while traditional phishing emails appear to come from large, well-known companies, spear phishing emails appear to come from someone the recipient knows, often within the recipient’s own organization. The email typically contains information or requests that seem urgent and legitimate in the context of the recipient’s relationship to the apparent sender.
When the recipient clicks a link in the email or opens an attachment, malicious code runs on the recipient’s computer, where it can harvest confidential information or install ransomware that encrypts or corrupts files and applications, making them inoperable; alternatively, the link leads to a look-alike login page that captures the recipient’s credentials. Malware can also open a backdoor and spread across the network the computer is connected to, exposing the entire organization to data breaches and disruption of operations.
Recognizing a Spear Phishing Attack
As the UnityPoint Health example points out, once bitten isn’t necessarily twice shy. Moreover, it can be difficult to recognize when a spear phishing attack has taken place. Healthcare professionals are trained to use computers to do their daily jobs, but they are not trained as computer security professionals.
HTML email has tricks of its own. In an HTML message, the actual URL of a link is hidden behind link text or an image, rendered the way a web page would render it, so the visible text can read like a trusted address while the underlying href points somewhere else entirely. Hovering over a link shows the real destination in most desktop mail clients (a long press does the same on most mobile clients), but there are additional signs that an email may not be as innocent as it looks:
- A sender has an actual email address (e.g. firstname.lastname@example.org) and an optional display name or alias (e.g. John Doe). Many email clients show only one or the other in their simple view, so expand the header and confirm that the address really belongs to the person the display name claims.
- The display name is itself a familiar email address, but the actual address behind it is different (e.g. “email@example.com” <firstname.lastname@example.org>). The client renders the quoted display name prominently, so the recipient sees the familiar address and not the real one.
- The display name is a familiar alias (John Doe), but the actual address does not belong to that person or is on an outside or look-alike domain (email@example.com).
- The email contains only a link or attachment and little or no other content or signature.
- Subject lines or body text convey urgency or imply that the content was previously requested (e.g. “Here’s that data you asked for”, “Please review for accuracy” or “Time sensitive”).
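The header and link checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from Veriato: it parses a constructed sample message (not a real email), compares the From display name with the actual address, looks for the urgency phrases listed above in the subject, and flags HTML links whose visible text is a URL for a different host than the href. The organization domain example.org, the cue phrases and the sample message are assumptions for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the recipient's own organization domain (not taken from the article).
ORG_DOMAIN = "example.org"

# Constructed sample message for this example, not a real email. The display name
# is a colleague, the address is on an external look-alike domain, the subject uses
# a phrase from the article's list, and the first link's text hides a different URL.
SAMPLE_EML = """\
From: "John Doe" <john.doe@example-mail.net>
To: jane.roe@example.org
Subject: Here's that data you asked for
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane, please review for accuracy:
<a href="http://portal.example-mail.net/login">https://portal.example.org/reports</a></p>
<p><a href="https://intranet.example.org/policy">Updated policy</a></p>
</body></html>
"""

# Assumed list of urgency / "previously requested" cues, after the article's examples.
URGENCY = ("you asked for", "please review", "time sensitive", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less text like 'www.x.org' gets one first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_message(raw, org_domain=ORG_DOMAIN):
    """Return a list of (check, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name versus the real address behind it.
    sender = msg["From"].addresses[0]
    name, addr, domain = sender.display_name, sender.addr_spec, sender.domain.lower()
    if "@" in name and name.lower() != addr.lower():
        findings.append(("name_is_other_address", f"{name!r} shown, really {addr}"))
    elif domain != org_domain:
        findings.append(("external_sender", f"{name!r} sends from {domain}"))

    # 2. Urgency cues in the subject line.
    subject = str(msg["Subject"]).lower()
    if any(cue in subject for cue in URGENCY):
        findings.append(("urgency_subject", subject))

    # 3. Links whose visible text is a URL pointing at a different host than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != host_of(href):
                findings.append(("link_text_mismatch", f"shows {text}, goes to {href}"))
    return findings


if __name__ == "__main__":
    for check, detail in check_message(SAMPLE_EML):
        print(f"{check}: {detail}")
```

Run against the sample, the script reports the external sender hiding behind a colleague's name, the "you asked for" subject, and the link whose text reads portal.example.org while its href goes to portal.example-mail.net; the second link, whose text is a plain phrase, is not flagged because only URL-looking link text is compared with the destination host.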
Combatting Spear Phishing
There are a number of strategies healthcare organizations and their employees can implement to reduce the risk of spear phishing.
- Use user behavior analytics to identify behavior-based weak points (for example, which roles most often open unverified links or attachments) so that controls and training can be targeted at them.
- Ensure that anti-malware and antivirus programs are up to date.
- Restrict remote access to data, or provide a Virtual Private Network (VPN) for physicians and nurses who need access on the go, with strong authentication and encrypted traffic.
- Educate employees to scrutinize the sender’s address, links and attachments for anomalies.
- Report any suspicious email to network security or IT personnel before acting on it.
- Delete suspicious emails only after reporting them (the security team may want the original message for analysis), then empty the email trash folder so the message cannot be opened later by mistake.
- Notify the person whose address was spoofed. A forged From header does not by itself mean their account was compromised, but if the message genuinely came from their mailbox, that account needs to be secured.
Because attackers are employing increasingly sophisticated methods to avoid detection, healthcare organizations should devote additional IT resources to cyber security and incorporate ongoing employee education to fight spear phishing. Such training should not be limited to nurses and physicians, but should be required at every level of the organization, including the C-suite. Executive-level buy-in and support is critical to creating the security culture necessary for safeguarding sensitive data.
Patrick Knight is the Senior Director of Cyber Strategy and Technology at Veriato, an innovator in actionable user behavior analytics and a global leader in user activity monitoring. Patrick can be reached at firstname.lastname@example.org.