Posted and filed under Compliance, Cybersecurity.

Phishing is a common fraudulent practice that involves “sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”. Phishing is an example of deceptive social engineering, one that exploits cybersecurity weaknesses found across most industries, including healthcare. Phishing attempts are typically carried out through emails or instant messages, and fool unsuspecting users into entering personal information into a manufactured website that closely resembles another, legitimate site. “Phishermen” may also include download links to malicious files that can harm your device and compromise your private information.

You might recall receiving a strange instant message from a Facebook friend that baits a hook for you to bite:

These kinds of messages are looking to elicit some kind of emotional response or to pique your curiosity enough to get you to click the link. It goes without saying, but we’re going to say it anyway. DO NOT CLICK THE LINK. Doing so could result in a virus or in the theft of your passwords, credentials, and other private or personal data. Instead, call or text your friend and let them know that you think their account may have been hacked. Report the message as spam (if possible), then delete the message or conversation to prevent yourself from accidentally opening the link.

Phishing isn’t just popular on social media or private devices. For years phishing has been a plague in the corporate world, and it still reigns supreme as king of the sea. Despite the corporate world’s attempts to prevent such attacks through stronger policies, phishing scams have adapted to the current climate. Many scammers now spoof emails from reputable companies such as Apple, Dropbox, and even industry-relevant organizations. Advize recently received a few questionable emails from a supposed healthcare organization wishing to share files with us via Dropbox.

There were a few issues with this email from the start. First was that while the Advize team member was familiar with the sender’s organization, they were not familiar with the individual supposedly sending the email. While the email was branded with Dropbox’s aesthetic, certain details looked slightly askew. Lastly, when the Advize team member hovered over the “View File” button (with no intention of clicking it), the destination was in no way associated with Dropbox. The Advize employee who received this questionable email followed Advize’s Security and Compliance Policy by immediately forwarding the email to IT Support and reporting it for suspicious activity.

A few minutes after reporting this email to IT, the team member received another email from the same sender that included a different route to a similar, mysterious link. This email was also reported, and was deemed a potential threat.
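The two manual checks described above (an unfamiliar sender behind a familiar brand, and a “View File” button whose real destination has nothing to do with Dropbox) can be automated for a helpdesk or IT Support triage queue. The script below is an added example written for this post; it is not Advize’s code or a Dropbox tool. It parses a constructed sample email (placeholder domains under `example.invalid`, not real indicators), pulls every link out of the HTML body, and reports the sender domain and any link whose domain is outside an analyst-supplied allowlist of the brand’s legitimate domains (the allowlist `{"dropbox.com"}` is an assumption for the demo, not a complete list of Dropbox domains). Only the Python standard library is used.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a Dropbox-styled share notification
# whose "View File" button points at an unrelated host. All domains are placeholders.
SAMPLE_EML = """\
From: "Dropbox" <no-reply@dropbox-share.example.invalid>
To: teammember@example.com
Subject: A file was shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone shared "Q3 report.pdf" with you via <b>Dropbox</b>.</p>
<p><a href="https://files.example.invalid/view?id=123">View File</a></p>
<p><a href="https://www.dropbox.com/help">Help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body, i.e. what a user
    would see when hovering over each clickable element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain.
    Good enough for a triage demo; a production tool should use the Public
    Suffix List so that e.g. 'co.uk' is not treated as a brand domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(raw_eml):
    """Return [(visible text, href), ...] from the HTML part of an RFC 822 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def brand_mismatches(raw_eml, brand_domains):
    """Flag the sender domain and every link whose domain is not one of the
    brand's legitimate domains.

    brand_domains: set of registrable domains the brand actually uses
    (analyst-supplied allowlist; an assumption of this demo).
    Returns a list of (label, value) findings; an empty list means nothing
    looked askew by this check alone."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_header = msg["From"]
    sender_host = from_header.addresses[0].domain if from_header and from_header.addresses else ""
    findings = []
    if registrable_domain(sender_host) not in brand_domains:
        findings.append(("sender", sender_host))
    for text, href in extract_links(raw_eml):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in brand_domains:
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for label, value in brand_mismatches(SAMPLE_EML, {"dropbox.com"}):
        print(f"suspicious {label!r}: {value}")
```

Run against the constructed sample, the script flags the sender (`dropbox-share.example.invalid`) and the “View File” button (`files.example.invalid`) while leaving the genuine `dropbox.com` help link alone, which is exactly the hover-and-compare judgement the team member made by hand. It is a single heuristic, not a verdict: a message that passes this check can still be malicious, and a mismatch should go to IT Support for review rather than be auto-deleted.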

These are just two of the many forms of phishing. They are not sophisticated, but rather prey upon the population’s curiosity, reactivity, and lack of awareness. It is important to have the tools and the attention to detail required to catch potential risks. If this blog post makes you feel a little more suspicious of what’s coming through to your inbox – good. We strongly encourage you to spend some time reacquainting yourself with your organization’s compliance and cybersecurity policies and learning the signs of a potential threat. Remember, if something looks and feels suspicious…it probably is.

If it looks like a phish and smells like a phish…well – you know how it goes.