" phishing Archives - LuxSci

Posts Tagged ‘phishing’

Why the Healthcare Industry is a Target for Cybercrime

Tuesday, September 21st, 2021

Healthcare data seems mundane- but in the hands of a cybercriminal it can be quite valuable. Medical records contain private information that can be used to blackmail or impersonate others. Even if you aren’t a public figure with a sensitive medical condition, the financial and personal identifiers found in medical records make them a target for cybercrime.

healthcare cybercrime

Read the rest of this post »

30th National HIPAA Summit Recap

Tuesday, March 30th, 2021

Last week, the LuxSci team attended the Virtual 30th National HIPAA Summit. The conference featured government and industry leaders who led sessions on updates to HIPAA rules, ongoing threats to cybersecurity, the impacts of remote work, and many other topics.

We can’t touch on every session that took place over the four days of the conference, but some of the most interesting updates came from the Office of Civil Rights (OCR) at Department of Health and Human Services. OCR is responsible for enforcing HIPAA, so as you would expect their sessions were of high interest to anyone responsible for compliance.

OCR UPDATES

At the start of the pandemic, OCR adopted enforcement discretion to allow health care organizations to quickly transition to virtual health care and remote work without fear of penalties. In January, OCR announced that enforcement discretion would also apply to Covid-19 vaccine scheduling. OCR will not impose penalties on those acting in “good faith” to create online or web-based scheduling applications for Covid-19 vaccine appointments. Nevertheless, this does not mean that covered entities are off the hook when it comes to HIPAA. It is recommended that they implement “reasonable safeguards” to protect PHI.

The Office of Civil Rights has also continued to penalize organizations for right of access violations. When most people think of HIPAA, they think of protecting private information through strict security policies. However, HIPAA stands for the Health Insurance Portability and Accountability Act. Portability means that patients have a right to access and transmit their information to other insurance or health care providers as they see fit. In recent years, OCR has increasingly penalized organizations for failing to respond to patient information requests in a timely manner. It is important for health care organizations to have secure offsite back-ups of patient information to prevent enforcement actions. It is challenging to find the right balance of security and patient access, but it is so important!

CYBERSECURITY THREATS     

Unsurprisingly, Covid-19 exposed organizations to new security risks as employees rapidly transitioned to remote work. Although the pandemic changed practically every aspect of our lives, phishing and ransomware remained two of the biggest security threats to health care providers. At the outset of the pandemic, many ransomware hackers voluntarily stopped targeting hospitals systems in a show of solidarity. However, the respite was temporary. As the value of health care data on the black market has continued to rise, ransomware attacks have surged.

Phishing also remains a primary attack vector for intruders. OCR reported that in the first two months of 2021, hacking/IT accounted for 71% of large health care breaches. According to OCR, most large breaches have occurred via email (39%) or network servers (32%). Phishing attacks increased so much over the last year that one conference speaker noted his organization considered turning off external emails. Though it is true that the only way to completely avoid hackers is to disable your systems, it is an unrealistic option for most businesses. To combat phishing, organizations need to train staff and have technology controls in place to prevent human error. If you have the right email filtering in place, you can prevent phishing emails from even reaching your employees’ inboxes.

REMOTE WORK- LEARNING FROM THE PANDEMIC

Shifting to remote work in early 2020 left organizations scrambling to create security policies and protect patient information. Not only did providers need to worry about preventing telehealth conversations from being overheard by their families, but they also needed to be conscious of a wide array of security issues including:

  • Securing their physical workspace and devices
  • Preventing data loss
  • Protecting notes from patient conversations
  • Using secure network connections
  • Letting children or partners use work devices

The number of security risks that remote work introduced were almost immeasurable. Organizations needed to act quickly to create new policies to protect patient data, while maintaining excellent standards of patient care. Time and time again, health care organizations that lacked basic cyber hygiene like unique logins, complex passwords, and device usage policies were the most at risk of a cyberattack or breach.

One year later, organizations are continuing to adapt their policies as much of the workforce remains remote. Many presenters expect at least some of their workforce to remain remote once the pandemic ends. Some organizations were surprised to discover the benefits of having a remote workforce. Rural hospitals are better able to attract talent when remote work is an option. Patients also benefitted from increased access to health care when telehealth was an option.

The HIPAA Summit was a wonderful reminder that if you don’t have procedures and policies in place to protect your patient data and communications, it’s only a matter of time before a breach occurs. Did you attend the HIPAA Summit? We would love to learn more about your challenges with Covid-19 and secure patient communications.

What Is Smishing And How Can You Avoid It?

Tuesday, March 9th, 2021

You are probably familiar with smishing, even if you aren’t quite sure what it’s called or the underlying details. We’ve all received strange SMS messages along the lines of:

  • We’ve noticed suspicious activity on your account. Visit scamsiteabc.com/kkjdkjh if you did not make any recent purchases.
  • Congratulations! You’ve won a $500 Best Buy gift card. Click the link to redeem your prize scamsitexyz.com/ljhkjsfds

Of course, both of these messages are really just scams. They are a type of phishing conducted over SMS, hence the name Smishing. These smishing messages can look real—that’s the point. They are designed to trick the recipients into thinking that they are legitimate. They lead the recipients through a number of steps that ultimately result in them handing over sensitive details, such as their login details or banking information.

smishing title card

How Does Smishing Work?

Scammers collect a bunch of phone numbers and send out smishing messages in bulk to unwitting victims. These messages often appear to come from respected organizations, such as the recipient’s bank, or a major retailer. The exact details of the messages vary, but they generally try to elicit a quick response before the recipient has a chance to question it.

Common examples include offering prizes that may excite recipients or a warning that someone has attacked their account. The message prompts the recipient to take some immediate action. These actions can include:

  • Clicking a link – This is probably the most common example. These links will take you to a website that looks legitimate, but the details will be slightly wrong. For example, instead of the real URL, yourbank.com, the scam site may actually be yourbamk.com. At a glance it looks the same, but the scam site has no relation to your bank.
  • Contact an email address – Much like in the above example, the address can seem real, but it may have subtle differences, such as customerservice@yourbamk.com, instead of customerservice@yourbank.com.
  • Call a phone number – The number will not actually belong to the company, but a scammer impersonating the organization’s call center.

When these messages succeed and trick the recipients into taking the next step, they will be funneled deeper along in the attack. The recipient may be pushed to download malware onto their device, which can end up spying on them and stealing their sensitive information.

The other main tactic is to manipulate recipients into handing over their login details or banking information. One technique is to fake a security breach and have users re-enter their password on a fake login page. Just like that, scammers can take control of your account.

Other tactics include asking the recipient to update their account details, or to confirm their security questions and answers. This can ultimately give attackers the information they need to take control of the account.

Smishing is used to directly target individuals, or as an attack vector for penetrating deeper into an organization. If a smishing attack fools an employee, it can give these scammers access to the company’s systems. From this foothold, they can escalate their privileges until they reach their ultimate goal. This could be stealing valuable data or even accessing the company’s finances.

How Can You Avoid Smishing?

Individuals can avoid smishing by always being skeptical of text messages that ask them to visit a link, to email someone, or to call a number. They should use caution if they do not know the sender, or if the message sounds too good to be true.

Recipients should always double check the URLs, email addresses, and phone numbers to make sure that they belong to the company. You can check your prior correspondence with the company, or do a web search of the details alongside the company name to confirm. Compare the details in the smishing message against the official ones from the company, making sure to look closely for misspellings.

You can also check potential phishing sites against this database to see if it has already been reported. If you can confirm it is a smishing message, all you have to do is ignore it to stay safe. Do not even click the link, because it could infect your device. If you aren’t sure, contact the company via its official channels to check whether or not it is a scam.

Many companies have a blanket policy that they will never contact you by text asking you to update your account. If this is the case and you receive such a message, you can easily disregard it as a scam.

How Can You Defend Your Customers From Smishing?

If your company would like to be able to send URLs in its text messages without also opening the door to scammers, you can use a service like LuxSci’s SecureText. You can alert your customers that the only text messages you send will take them to the SecureText portal. As long as they check that the URL for the portal is correct, they will be safe to click the link. They can disregard any other messages purporting to be from your organization, because these will be scams.

From the SecureText portal, the recipient can enter their details to gain access to the message. The protective features of LuxSci’s SecureText allow organizations to send sensitive information via SMS, all in a HIPAA-compliant manner. With SecureText and a proper warning strategy, you can help protect your recipients from being tricked by smishing scams that seem to come from your organization.

It’s Tax Season – Watch Out or You’ll Be Paying More than Just Taxes

Thursday, March 14th, 2019

The season is upon us. It’s definitely not Christmas, and there are very few people who would claim that the lead-up to April’s cutoff date is their favorite time of the year. If you thought that paying your dues to the IRS was already enough to worry about, get ready for some bad news:

It’s also scam season.

To celebrate the rising number of fraud and identity theft attempts, the helpful folk at everyone’s favorite government department have just begun their annual ‘Dirty Dozen’ campaign, listing the biggest tax scams that people need to be aware of.

Phishing Is Still King

The first entry on this year’s list is the ever-pervasive phishing scam. The IRS press release warns that phishing attacks “tend to increase during tax season and remain a major danger of identity theft.”

These phishing schemes can take many forms in their attempts to extract sensitive information (such as login credentials or credit card details) from targets. At this time of year, many attackers take advantage of the confusion and target their victims with tax-related scams.

“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig in the press release.

“Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”

Organizations Are Being Targeted As Well

It’s not just the individual who is being directly targeted either. Over time, a series of more sophisticated scams have evolved. One of these is known as business email spoofing (BES), which involves attackers sending convincing emails from a faked address.

Another is called business email compromise (BEC), which involves a hacker stealing the credentials of a target’s email account, then sending emails from that account to other victims, impersonating the account’s owner to manipulate these new victims into divulging information or transferring money.

The IRS also states that it is seeing a greater number of advanced scams that target the files of human resources personnel, tax professionals and other organizations. These targets tend to have extensive amounts of their client’s financial information, which hackers chase after in a number of different ways.

The hackers may pose as an employee and ask for a deposit to be rerouted to another account, act as a business and ask their target to pay a fraudulent invoice, or even pretend to be one of the victim’s associates and trick the victim into transferring money into the hacker’s account.

Due to the growing sophistication of these scams and their proliferation at this time of year, the IRS has warned tax professionals to be on high alert for any suspicious or unusual activity.

Keeping Yourself, Your Organization or Your Clients Safe

As part of the IRS’s campaign on combating identity fraud, it launched the Security Summit, a conference of various stakeholders aimed at coming up with solutions and mitigation strategies.

Some of the summit’s recommendations include raising awareness about spear phishing and how to recognize it, encrypting all sensitive client data and implementing strong password strategies.

If you or your organization come across any phishing attempts that impersonate the IRS or related organizations, you should report the scam to phishing@irs.gov.

How to Know if an Email is a Phishing Scam or Not

Tuesday, November 20th, 2018

Phishing scams are a major threat to all email users, especially businesses. The scary part is that they’re becoming increasingly sophisticated. Phishing emails popped up sometime in the early 90s. However, back then, they weren’t too hard to detect. For instance, typos were commonplace in an old-school phishing mail, and that was a dead giveaway.

Of course, this was a long time ago, when email was still in its infancy. Times have changed and today’s cybercriminal has changed with the times. Their tactics have evolved and phishing emails are far more convincing than they used to be. They are well written and personalized. Hackers and cybercriminals already have a rough idea of who you are, and that means today’s phishing emails are targeted.

Today’s phishing emails also look authentic; they replicate legitimate emails in terms of design and aesthetic. In fact, at first glance, you wouldn’t know the difference between a real email from your bank and a fraudulent version. Needless to say, this makes fighting phishing scams a major challenge.

On the rise

According to data from the RSA, phishing attacks are only growing, and this is despite an increase in user awareness. One major reason for this growth is the simplicity of executing such scams. Malware developers now offer automated toolkits that scammers can use to create and host phishing pages with the utmost ease.

It is estimated that each phishing attack manages to extract an average of $4500 in stolen funds.

So, the big question is – how does one protect their email, especially at a time when phishing scams are evolving? Well, here is what the experts have to say.

Never trust just a name

 A common tactic used by scammers is spoofing the display name in an email. According to a study done by ReturnPath, around 50% of 760,000 email threats targeting some of the world’s biggest businesses had made use of this tactic.

This is how it works – let’s say a scammer spoofs a brand name such as “Nike.” The email address of the sender may look something like “Nike nike@customersupport.com.” But, even if Nike doesn’t actually own the domain “customersupport.com,” DMARC and other email authenticity and anti-fraud tools will not to block the mail. This is because the email is legitimately from customersupport.com, even though this domain has nothing to do with Nike.  There is no authentication for the “comment” that goes along with the email address (in this example, that is the word “Nike”).

Read the rest of this post »

LUXSCI