Phishing in the Wrong Pond
By Gil Vidals, HIPAA Blog, Resources

Have you heard the one about the company that decided to plan a “Phishing trip” for their employees?

Back in 2016, Atlantic Health System circulated a juicy email, promising employees a raise if they would simply respond with some key verification information. The information included employee id, date of birth, and home zip code. Roughly a quarter of the Health system’s 5,000 employees took the bait and opened the email; 2/3 of that group actually provided the requested information.

The company’s test proved insightful, and highlighted an all-too-common threat: an adversary with malicious intent can easily target “inter-office” email, capitalizing on a familiar and frequently relied upon form of company communication.

Playing on Emotions

Hackers know that with the right bait, they can manipulate an employee’s emotions, playing on both positive desires (“You’ll get a raise”) and fears, (“Must Reply at Once!”). So why not cast a phishing net into a key “feeding ground,” under the guise of “Important Company Business”?

Lest you think that no thoughtful person would be taken in by an actual, “real world,” email attack on a company, think again. In June and July of this year, employees from the Minnesota Department of Human Services clicked on links in phishing emails, and opened a door for malicious attackers to access their accounts.

These seemingly innocuous clicks ultimately led to a protected health information (PHI) breach affecting nearly 21,000 individuals who are on medical assistance.

Then in August, a similar occurrence happened. An employee of Gold Coast Health Plan, a CA-based pharmaceutical company, was fooled into clicking on a phishing email that provided attackers access to their account. Gold Coast Health is now reporting that 37,000 Health Plan members had their PHI exposed.

HIPAA and Security Awareness

Data breach stories like these have become all too common, which is why an essential part of maintaining compliance for HIPAA-protected data is security awareness training (see §164.308(a)(5)(i)) – for all members of your workforce.

So how do you know if you were sent a Phishing email? Fortunately, there are some obvious telltale signs that you can be on the lookout for. We cover the basic ones here.

Below are some additional “red flags” to look for, commonly associated with many phishing email schemes:

  • generic emails that don’t include your name. (Think about it – why would your company or bank, etc. not know your name?)
  • unusual emails from your “CEO” or your “supervisor,” possibly with a screenshot of an urgent document enclosed, asking you to handle something on their behalf. Be sure to check the email address!
  • an email requesting payment of a debt with a gift card (e.g., the ‘IRS prepaid card scam’).
  • bad grammar. Poor spelling is a big tip-off that something is amiss!
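The red flags above can be turned into a simple triage check that a help desk or mail gateway could run over a reported message before a person has to judge it. The script below is an added example, not code from the original post or from the author; the organization domain, addresses and the three sample messages are constructed placeholders. It parses a raw email with Python's standard `email` library, checks whether an executive title in the display name is backed by an internal sender address, compares the Reply-To and From domains, and looks for generic greetings, urgency phrasing, gift card requests and requests for verification data such as employee ID, date of birth or zip code. The "bad grammar" sign is deliberately left to a human reader, since it does not reduce well to a pattern.

```python
# Added example (not from the original post): heuristic triage of a raw email
# against the phishing red flags listed above. All domains, addresses and
# messages are constructed placeholders.
import re
from email import message_from_string, policy

# Domains this organization really sends mail from (assumed placeholder).
INTERNAL_DOMAINS = {"example-health.test"}

# Patterns for the red flags described in the post.
GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+)?(customer|user|employee|member|valued\s+\w+|sir\s*/\s*madam)\b",
    re.I | re.M)
EXEC_TITLE = re.compile(r"\b(ceo|cfo|president|supervisor|director)\b", re.I)
GIFT_CARD = re.compile(r"\b(gift\s*cards?|prepaid\s+cards?)\b", re.I)
URGENCY = re.compile(
    r"\b(must\s+reply\s+at\s+once|immediately|urgent(ly)?|within\s+24\s+hours)\b", re.I)
VERIFICATION_DATA = re.compile(
    r"\b(employee\s+id|date\s+of\s+birth|zip\s+code|social\s+security|password)\b", re.I)


def sender_parts(msg, header):
    """Return (display_name, domain) for the first address in a header, or ('', '')."""
    hdr = msg[header]
    if hdr is None or not hdr.addresses:
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name, addr.domain.lower()


def body_text(msg):
    """Extract the message body as text (plain part preferred, HTML otherwise)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def score_message(raw):
    """Return the sender domain, the red flags found, and a score (one point per flag)."""
    msg = message_from_string(raw, policy=policy.default)
    display, from_domain = sender_parts(msg, "From")
    _, reply_domain = sender_parts(msg, "Reply-To")
    body = body_text(msg)
    flags = []
    # "Be sure to check the email address": a title in the display name means
    # nothing unless the actual address belongs to an internal domain.
    if EXEC_TITLE.search(display) and from_domain not in INTERNAL_DOMAINS:
        flags.append("executive title in display name but external sender domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency pressure")
    if GIFT_CARD.search(body):
        flags.append("gift card payment request")
    if VERIFICATION_DATA.search(body):
        flags.append("asks for identity or verification data")
    return {"from_domain": from_domain, "flags": flags, "score": len(flags)}


# Constructed samples: a "raise" lure, a gift card lure, and a genuine HR notice.
RAISE_LURE = """\
From: "Dr. Pat Lee, CEO" <ceo@example-health-payroll.test>
Reply-To: payroll-desk@mail-example.test
To: staff@example-health.test
Subject: Salary increase - action required

Dear Employee,

Good news! You have been selected for a raise. To process it you must reply at once
with your employee ID, date of birth and home zip code.
"""

GIFT_CARD_LURE = """\
From: "A. Smith (Supervisor)" <a.smith.office@webmail-example.test>
To: jane.doe@example-health.test
Subject: Quick favor

Hi Jane,

I am in a meeting and cannot talk. Please pick up four gift cards for a
client and send me the card numbers.
"""

LEGIT_NOTICE = """\
From: "HR Department" <hr@example-health.test>
To: jane.doe@example-health.test
Subject: Open enrollment reminder

Hi Jane,

Open enrollment for benefits closes on the 30th. Log in through the intranet
portal as usual if you want to make changes.
"""

if __name__ == "__main__":
    for name, raw in [("raise lure", RAISE_LURE), ("gift card lure", GIFT_CARD_LURE),
                      ("HR notice", LEGIT_NOTICE)]:
        result = score_message(raw)
        print(f"{name}: score {result['score']} from {result['from_domain']}")
        for flag in result["flags"]:
            print("  -", flag)
```

A score of two or more is a reasonable threshold for "when in doubt, check it out": route the message to whoever verifies suspected phishing rather than acting on it. The heuristics are deliberately crude and will produce false positives on legitimate urgent mail, which is why the output lists the individual flags instead of just a number.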

It’s important to share these common, telltale signs with your staff, and have clear procedures in place to help verify potential phishing scams. Remembering this simple adage can help:

When in doubt, check it out – before you take the bait.