" phishing Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘phishing’

How to Know if an Email is a Phishing Scam or Not

Tuesday, November 20th, 2018

Phishing scams are a major threat to all email users, especially businesses. The scary part is that they’re becoming increasingly sophisticated. Phishing emails popped up sometime in the early 90s. However, back then, they weren’t too hard to detect. For instance, typos were commonplace in an old-school phishing mail, and that was a dead giveaway.

Of course, this was a long time ago, when email was still in its infancy. Times have changed and today’s cybercriminal has changed with the times. Their tactics have evolved and phishing emails are far more convincing than they used to be. They are well written and personalized. Hackers and cybercriminals already have a rough idea of who you are, and that means today’s phishing emails are targeted.

Today’s phishing emails also look authentic; they replicate legitimate emails in terms of design and aesthetic. In fact, at first glance, you wouldn’t know the difference between a real email from your bank and a fraudulent version. Needless to say, this makes fighting phishing scams a major challenge.

On the rise

According to data from the RSA, phishing attacks are only growing, and this is despite an increase in user awareness. One major reason for this growth is the simplicity of executing such scams. Malware developers now offer automated toolkits that scammers can use to create and host phishing pages with the utmost ease.

It is estimated that each phishing attack manages to extract an average of $4500 in stolen funds.

how to prevent phishing scams

So, the big question is – how does one protect their email, especially at a time when phishing scams are evolving? Well, here is what the experts have to say.

Never trust just a name

 A common tactic used by scammers is spoofing the display name in an email. According to a study done by ReturnPath, around 50% of 760,000 email threats targeting some of the world’s biggest businesses had made use of this tactic.

This is how it works – let’s say a scammer spoofs a brand name such as “Nike.” The email address of the sender may look something like “Nike nike@customersupport.com.” But, even if Nike doesn’t actually own the domain “customersupport.com,” DMARC and other email authenticity and anti-fraud tools will not to block the mail. This is because the email is legitimately from customersupport.com, even though this domain has nothing to do with Nike.  There is no authentication for the “comment” that goes along with the email address (in this example, that is the word “Nike”).

Read the rest of this post »

Best Practices for Minimizing the Impact of Social Engineering on Your Organization

Tuesday, June 26th, 2018

When many people think of cybercrime, they think of a bearded guy beating away at his keyboard in a dark room, searching for vulnerabilities in the network that can be exploited. While exploits are a big threat, the reality is that many attacks happen in smoother and more subtle ways. Why spend days slaving away to get in the backdoor, when you can just ask nicely to be let in through the front? This is the essence of social engineering.

social engineering impact

 

A social engineer uses a wide range of tactics to manipulate their victims into giving up whatever information they need. Imagine that someone with a police uniform knocks on your door and asks to have a word. They look authoritative, so you invite them in to sit down. They spend five minutes discussing crime in the neighborhood and on the way out, they secretly swipe the spare key. A few days later, you come back home to discover that all of your valuables are gone.

In this case, the social engineer tricked their way into the home by using the authority of the police uniform, which many people respect or even fear. Most people won’t think to turn down a police officer’s requests, or to ask for further identification. The attacker took advantage of this to gain access to the house, where they could get what they wanted, the spare key.

Read the rest of this post »

Creating Secure Web Pages and Forms: What You Need to Know

Monday, September 25th, 2017

Fred is a busy small business CEO.  He hired a cheap developer online to setup his secure medical web site for him.  The developer got an SSL certificate and setup pages where patients can make appointments and the doctor can receive patient requests and notices, “securely”.  However, the developer didn’t have any real training in security, none in HIPAA, and as a result, PHI was being sent in the clear, there were no audit trails or logs, SSL security was not enforced, and may other serious issues plagued the site.  The worst part — No one knew.

Luckily, Fred was made aware of the situation before a serious security breach happened (that he knew of); however, he had to re-do the site from scratch, more than doubling his time and money costs.

Creating secure web pages and forms

Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate.  All such a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place.  In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them.  At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire.

Read the rest of this post »

SPF & DKIM: The State of Domain-based Email Authentication – Part 1

Friday, September 1st, 2017

Recent reports on cyber-security threats in the healthcare sector by Verizon, Symantec and Ponemon consistently make several observations:

  • Email-borne malware is on the rise, with such malware delivered via spam or phishing;
  • Small-to-medium sized businesses (from all sectors) have the highest rate of email-delivered malware;
  • Most breaches are caused by negligent employees or contractors.

These conclusions are hardly surprising as email is now an increasingly common part of communications with protected health information (PHI) frequently exchanged amongst employees and patients within a practice, between medical providers, and medical providers and their business associates. The concern for the healthcare industry is the potential violation of the HIPAA privacy rule caused by email-related (and other) breaches, leading to disruptions from loss of data, compliance audits and possibly hefty fines.

No Phishing

We wrote about obvious measures medical providers can take to avoid HIPAA non-compliance in email exchanges such as opt-out email security. That addresses only one aspect of the threat landscape, though – the protection of PHI in email exchanges. Another aspect is more sinister, as it deals with external, malignant actors. These actors use various spoofing techniques to trick patients or employees of a medical practice to react incautiously, often impulsively, to emails supposedly coming from valid sources. These often lead to identity theft, where the damage is more far reaching as the information given up is more long-lived and more widely used and cannot just be erased like revoking a misused credit card.

Read the rest of this post »

Plenty of Phish in the C-Suite: Protecting Your Executives

Tuesday, May 9th, 2017

Phishing attacks have grown more complex as hackers learn how to defeat security measures and countermeasures, and their targets have become more lucrative in scope and scale: the CEOs, CFOs, CMOs, and other executives collectively making up your company’s C-suite. Personalized hacks that target top executives, known as “spear phishing” or “whaling,” can be incredibly detrimental. Training and awareness are your top tools for strengthening your C-suite’s ability to recognize and defend itself against malicious cyber threats.

Phishing

Read the rest of this post »

LUXSCI