Thursday, November 7, 2019

Phishing

phish·ing
the fraudulent practice of sending emails (and phone messages) purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

And here I thought Phishing meant being an ardent fan of an iconic 1980s progressive rock band from Vermont! (Phish is a totally awesome band that tragically disbanded in 2004. Fortunately, they reunited and are still making music today.) Nope, as the above definition states, "phishing" refers to that odious practice of scamming e-mail recipients with the intent of separating them from their hard-earned money.

Phishing has been around pretty much as long as there have been an Internet and scammers, but for people within healthcare organizations especially, these e-mails are getting far more sophisticated and predatory. TNW has an excellent article on how this area is evolving; it is well worth spending five minutes to read.

The worst type of malware is ransomware: a nasty little program that encrypts all the data on your computer (or even your entire network) and, for a large fee, will let you have your data back... sometimes. The ransoms demanded can run into the millions of dollars.

Open me please!

Messages with attachments can be a clear tell that you are being phished. Attachments can deploy all manner of nasty things like viruses, malware, and keystroke recorders. If a suspicious message has an attachment, do not click on it to open it.

For a small fee...

The problem, though, is that the quality of phishing e-mails is improving. One trick is to send a resumé as an attachment in reply to a legitimate job posting for which the organization is advertising. The e-mail is addressed by name to the recipient and contains no obvious spelling errors or visual oddities. However, the act of opening the attachment deploys malware, holding your data hostage until an exorbitant ransom is paid.

The criminals understand, though, that most users are very skeptical of attachments at this point, so they are switching their efforts over to links (URLs) which appear to be legitimate but point to a site which will download an infection. For example, they will take an e-mail from the Centers for Disease Control, copy it exactly, and just change the links to (say) updated immunization tables so that they point to something completely different.

There is an easy way to ascertain the Web address to which a link points: simply hover your cursor over the link and the address will display in a pop-up window. For instance, if you hover over this seemingly innocent link, the web address should give you pause. Do this every single time before you click on a link in an e-mail message. Every single time! You do not want to be the person responsible for bringing your organization down or costing it large sums of money!

Urgent Action Required!!!

"Your account will be suspended." "You will be arrested." "Your Social Security Number will be inactivated." All of these messages are designed to create an "Oh no!" response and get you to supply an account number, user ID, and password. Generally, legitimate companies will not require you to log into a website or otherwise divulge your password and account information.

Greetings Mr. (or Mrs.) um...um...er...What did you say your name was?

Your bank knows your name and will send e-mails that address you by name. A scammer, however, has your e-mail address but seldom has your name. Accordingly, phishing e-mails will generally contain a more generic salutation like "Greetings Valued Customer" or "Dear Member".

Looks can be deceiving

Remember, phishers need you to think you are dealing with a legitimate problem and company. Therefore, any website you are directed to will probably resemble the real website of the real company. However, as noted above, there is an easy way to ascertain the Web address a link points to: simply hover your cursor over the link and the address will display in a pop-up window. For instance, if you hover over this seemingly innocent link, the web address should give you pause.

Legit and not legit

Often, to make the phishing message seem authentic, genuine links will be sprinkled throughout the message like salt and pepper on mashed potatoes. Generally, the authentic links will point to generic things like privacy policies and terms of service pages. Meanwhile, the malicious link to the spoof website is lurking within the e-mail, just a phrase or two and one mouse-click away.
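The hover check described above, and the "genuine links mixed with one bad one" pattern, can be automated over an HTML e-mail body. This is an added example written for this post, not code from the original, using only Python's standard library; it assumes the message purports to come from `health-agency.example` (a constructed placeholder domain) and flags a link when its visible text shows one domain while the actual target is another, or when it leaves the purported sender's site, while the genuine privacy and terms links pass.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Display text that itself looks like a domain or URL, e.g. "health-agency.example/tables"
DOMAINISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    """Lowercase host of a URL or bare domain string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def same_site(a, b):
    """Crude registrable-domain test: last two labels equal (fine for this demo)."""
    return bool(a) and bool(b) and a.split(".")[-2:] == b.split(".")[-2:]

def find_suspicious_links(html_body, expected_host):
    """Automate the hover check: flag text/target host mismatches and links off the sender's site."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if DOMAINISH.match(text) and not same_site(host_of(text), target):
            findings.append(("display text points elsewhere", href))
        elif not same_site(target, expected_host):
            findings.append(("off-domain link", href))
    return findings

# Constructed sample: an agency notice copied verbatim, with two of its links swapped out.
SAMPLE_EMAIL = """<p>Dear Colleague, the
<a href="https://health-agency-update.example/tables">updated immunization tables</a> are out.
See our <a href="https://www.health-agency.example/privacy">Privacy Policy</a> and
<a href="https://www.health-agency.example/terms">Terms of Service</a>. Direct download:
<a href="http://health-agency-update.example/get.php">health-agency.example/immunization</a></p>"""
```

Calling `find_suspicious_links(SAMPLE_EMAIL, "health-agency.example")` reports the two altered links and nothing for the genuine ones; a real mail gateway would use a public-suffix list rather than the two-label approximation used here.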

I spel reel gud

Watch for grammatical, linguistic, and spelling errors, as these are an indicator that the e-mail or web page might have been put together by a phisher. Be wary of communiqués with poor graphics, too.

The password is...

Readers of a certain (old!) age will recognize the above line from Password, a 1960s game show, and your blog writer probably just dated himself. However, your bank, credit union, credit card company, etc. will never ask you to verify or provide confidential information like passwords, Social Security number, date of birth, bank account number, and so forth, via an unsolicited e-mail.

Sadly, the basic message here is: don't trust anything. Unfortunately, such is the electronic world we live in. While scammers will continue phishing (among other fraud schemes), some common sense mixed with a healthy dose of skepticism will go a long way towards fending off fraud victimhood.