We have witnessed an evolution in cybercrime, and the healthcare industry is particularly vulnerable. Cybercriminals seek payment in bitcoin and other digital currencies that are hard to track, and they know that critical industries are more likely to pay out to avoid disruption. Cybercriminal activity is unlikely to decrease in the future and will likely become more sophisticated over time. One of the most common forms of cybercrime is phishing: fraudulent emails designed to acquire information. Phishing emails are easily overlooked if employees are not properly trained, so a cost-effective weapon is educating employees to recognize and report phishing attempts before the damage is done.
Phishing awareness is a major initiative at Forward Advantage, so we wanted to share a recent Q&A session on this topic with our Chief Information Officer, Jake Smith. We hope you find the information and strategies Jake shares to be helpful. As always, feel free to reach out for more information!
Q: When did phishing become a concern for Forward Advantage?
A: Phishing was around 20 years ago but was not as pervasive. It has been an evolution, and we are seeing a rise in cybercriminals whose whole mission is to get a foothold into your organization by sending out phishing attempts. With more complex structures and crime syndicates involved, we have seen the level of advanced phishing attempts rise in the last few years. Mitigating this takes a multi-layered approach, including training end users how to spot phishing and not become a victim. Ultimately, phishing was always a concern, but the level of concern ratcheted up significantly five or six years ago when cryptocurrencies became more normalized. Cybercriminals now feel they can get paid without getting tracked. We have seen the complexity of phishing campaigns go way up and recognized the need to teach our users how to identify them.
Q: Why should our customers be concerned about phishing at their organizations?
A: Today’s cybercriminals are larger organizations with specialized teams and specialized targeting campaigns. This is a main reason to be concerned because they are going after you in a personalized way. It only takes one person to click on a message that could compromise your entire organization. You must train everybody well and consistently. Cybercriminals know if they can breach the organization, they will have a lot of leverage.
Q: What are the tactics Forward Advantage uses to prevent phishing?
A: A key component of our multi-layered approach to combat phishing is periodic phishing simulations. It is important not to feel like you have to “play fair” when setting up the simulations because they need to be as realistic and tempting as possible to be effective. If you know an Amazon Prime Day is coming up, use a simulation that offers $5 free on that day. If it’s the holiday season, send an email that appears to be regarding holiday bonuses.
Q: Would you recommend these same tactics for hospitals and healthcare organizations?
A: Absolutely! Any solution should be scheduled on a consistent basis. Simulations should be varied and relevant, so don’t use the same test every time; base them on current events. We used a phishing campaign during the peak of the COVID-19 pandemic that looked like it was coming from the CDC. You should also be able to report on the efficacy of simulations. How many users are clicking these or clicking and not reporting them? Are they engineering more information such as a username and password? It is also important to include remediation training. If someone falls for a phishing attempt, automatically enroll them in more training. Hospitals that are small shouldn’t think they’re not a big target. It’s not if you are going to be affected by crime, it’s when you’re going to be affected.
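The answer above lists the numbers a simulation program should report (who clicked, who clicked without reporting, who entered credentials) and the rule that anyone who falls for a test is automatically enrolled in more training. The script below is an added example of that reporting, not code from Forward Advantage or from any simulation product. It assumes a simulation platform can export per-user events of the kinds shown; the event records and the training-module names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export: (user, event, minutes after send). Not real data.
SAMPLE_EVENTS = [
    ("alice", "delivered", 0), ("alice", "reported", 4),
    ("bob", "delivered", 0), ("bob", "clicked", 7),
    ("carol", "delivered", 0), ("carol", "clicked", 3),
    ("carol", "submitted_credentials", 5),
    ("dave", "delivered", 0), ("dave", "clicked", 2), ("dave", "reported", 9),
    ("erin", "delivered", 0),
]

# Hypothetical training-module names; a real LMS integration would map these to its own ids.
CREDENTIAL_MODULE = "credential_harvest"
CLICK_MODULE = "click_awareness"


@dataclass
class CampaignReport:
    delivered: int = 0
    clicked: int = 0
    clicked_not_reported: int = 0
    submitted_credentials: int = 0
    reported: int = 0
    # user -> remediation module to auto-enroll them in
    remediation: dict = field(default_factory=dict)

    def _rate(self, n: int) -> float:
        # Guard against a campaign with zero deliveries (e.g. all mail filtered).
        return n / self.delivered if self.delivered else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def build_report(events) -> CampaignReport:
    """Aggregate a per-user event stream into campaign metrics and a remediation roster."""
    per_user = defaultdict(set)
    for user, event, _minutes in events:
        per_user[user].add(event)

    report = CampaignReport()
    for user, seen in per_user.items():
        if "delivered" not in seen:
            continue  # bounced or filtered mail never tested the user
        report.delivered += 1
        clicked = "clicked" in seen or "submitted_credentials" in seen
        reported = "reported" in seen
        if reported:
            report.reported += 1
        if clicked:
            report.clicked += 1
            if not reported:
                report.clicked_not_reported += 1
        if "submitted_credentials" in seen:
            report.submitted_credentials += 1
            report.remediation[user] = CREDENTIAL_MODULE
        elif clicked:
            # Clicking and then reporting still earns remediation: the click already happened.
            report.remediation[user] = CLICK_MODULE
    return report


def format_summary(report: CampaignReport) -> str:
    """One-line summary with the figures the interview asks for."""
    return (
        f"delivered={report.delivered} clicked={report.clicked} "
        f"clicked_not_reported={report.clicked_not_reported} "
        f"submitted_credentials={report.submitted_credentials} "
        f"reported={report.reported} click_rate={report.click_rate:.0%} "
        f"report_rate={report.report_rate:.0%}"
    )


if __name__ == "__main__":
    rep = build_report(SAMPLE_EVENTS)
    print(format_summary(rep))
    for user, module in sorted(rep.remediation.items()):
        print(f"enroll {user} -> {module}")
```

Users who reported without clicking (alice) stay out of the remediation roster, while a user who clicked and then reported (dave) is still enrolled, since the report is the behaviour you want to reinforce but the click is the one you want to train away. Tracking "clicked and did not report" separately from the plain click rate shows whether the reporting habit is taking hold between campaigns.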
Q: What else is recommended to prevent phishing or mitigate damage?
A: There needs to be a multi-pronged solution in place. Formal policies are important and should be a basis for any structured plan. Also, security mechanisms, such as sandboxing, firewalls and proxies, need to be in place to prevent damage should a user click on a phishing attempt.
Q: Can you recommend everyday best practices?
A: Communication is the most important practice. If you know that a certain number of users have reported a suspicious email, send out an email to make everyone aware of it. Consider it like a neighborhood watch plan. If you know a neighbor down the street saw some suspicious activity, you will be on the lookout to help make everyone safer.
Q: Do you see phishing attempts slowing down in the future or increasing?
A: History tells us every time we think phishing attempts have peaked, they get more complex and targeted. It’s possible we may see slightly less volume, but the phishing attempts will be more complex and difficult to identify. This means that training protocols will need to match this level of difficulty. We are seeing an increase in “smishing” (text phishing) and “vishing” (voice phishing). These use social engineering to get bits of information that can then be used together to craft a more successful attack. We have even seen fax phishing, so it will be important to enroll those platforms into training programs.
There is hardly an industry more critical than healthcare, but the unfortunate reality is that this makes healthcare a more likely target of a cyberattack. Employee education and training, coupled with formal policies, need to be rolled out alongside technical security mechanisms. As Jake stated, it is not if you will be affected, it is when. Phishing simulations should be varied, based on current events and difficult to identify. Reporting should be incorporated, and remediation training made automatically available to users who fall victim. Phishing attempts are unlikely to decrease in the future, but they are likely to become more sophisticated. It is up to you to be ready.