Phishing attacks come in many forms, and are always made to look like they come from a trusted source. (Photo: iStock)

One of the most common, yet difficult-to-spot, strategies that cyber criminals use to defraud victims is phishing. Whether it's through a phony email, a fake website login or a simple phone call, phishing is everywhere.

This is especially true for healthcare organizations, which are among the most targeted sectors for phishing attacks, because of two main factors: a large number of users and a high dependency on data.

What is Phishing?

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. The goal is to steal sensitive personal data or login credentials, or to install malware on the victim's machine.

How does Phishing work?

Phishing attacks come in many forms, and are always made to look like they come from a trusted source. Here are some common types of phishing attacks:

  • Social engineering is the art of manipulating people so they give up confidential information. Cyber criminals often use this tactic, which plays on human emotions, to trick victims into handing over passwords or giving access to their computer so that malicious software can be secretly installed.
  • Vishing, or voice phishing, makes use of social engineering over the phone to gain access to private, personal and financial information.
  • SMiShing, or SMS phishing, encourages users to urgently click on a link or respond directly with their personal and sensitive details via text message.
  • Spear phishing, unlike traditional phishing, is targeted: the emails are carefully designed for a particular user. These attacks carry a greater risk because cyber criminals thoroughly research the user and their organization through social media profiles and the company website.
  • Whaling is not very different from spear phishing, but the targeted group becomes more specific. This technique targets C-suite roles such as the CEO, CFO and COO, or other senior managers who are considered to be big players in the information chain of the organization.

What to look out for

Here are a few simple things to look for, in order to protect yourself online.

  • Spoofing: some emails are crafted to look like they come directly from a UHN leader. This is known as spoofing: the sender uses a look-alike email address that pretends to belong to a real person. Always check that a sender's email address is correct.
  • A sense of urgency: phishing emails are designed to trick you into opening attachments, clicking links or providing confidential information. Always ask yourself if you're being urged or tempted to take action. Do not allow that sense of urgency to entice you.
  • Protecting your credentials: no legitimate organization will ask for your username and password or other personal information via email.
  • Beware of attachments: when you get a message with an attachment, delete it unless you are expecting it or are absolutely certain it is legitimate. If you're not sure, call the sender at a number you know is legitimate to check.
  • Don't click links in suspicious messages: if you don't trust the email, don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your information.

At the end of the day, trust your instincts. If a message seems "phishy," it probably is.
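
The sender and link checks from the list above can also be applied automatically. The Python script below is an added example, not part of the original article: it flags a look-alike sender domain and links hidden behind URL shorteners or generic text such as "Click Here". The trusted domain, the shortener list, the similarity threshold and the sample message are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-hospital.org"}              # assumption: the organization's real mail domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: short illustrative list
GENERIC = {"click here", "here"}                # link text that says nothing about the target

# Constructed sample message, not a real email.
SAMPLE = '''From: "Hospital CEO" <ceo@examp1e-hospital.org>
Content-Type: text/html

<a href="https://bit.ly/abc123">View document</a>
<a href="https://login.example.net/reset">Click Here</a>
'''

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def review(raw):
    """Warn on a sender domain close (not equal) to a trusted one, and on hidden links."""
    msg, out = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if any(domain != g and SequenceMatcher(None, domain, g).ratio() >= 0.85 for g in TRUSTED):
        out.append(f"look-alike sender domain: {domain}")
    parser = Links()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode(errors="replace"))
    for href, text in parser.found:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            out.append(f"shortened link: {href}")
        elif text.lower() in GENERIC:
            out.append(f"generic link text pointing to {host}")
    return out
```

Calling `review(SAMPLE)` returns one warning for the sender and one for each of the two links; a message from the trusted domain with a descriptive link returns an empty list.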

What to do if you suspect a phishing attempt?

  • Don't click on any links or open any attachments.
