What would you do if you got a e-mail confirming the purchase of a $22,000 flight to Australia on your credit card, with a link allowing you to cancel? If you would furiously click through to complain and cancel, you are in good company -- so would many others. But your natural reaction could have far-reaching consequences. That e-mail was dangled in front of you as bait in a phishing scam. "Phishing", a play on the word "fishing", is becoming more common and sophisticated.
The concept is simple: scammers send an e-mail that sounds like a legitimate reason to click onto a website and type in your credit card info, password, or other personal financial details. The e-mails are terrifyingly easy to fall for: Scammers imitate well-known companies down to the logo and convincing website address. Mac McMillan, head of a security company, is quoted ominously in an article from Health Informatics, “Probably about 42 percent of e-mails are opened when we do the exercise of phishing attack testing. And an additional 60 percent of those who open the e-mails, provide the information asked in those messages.” That is 25% of recipients of these fake phishing e-mails going on to provide their credit card information: one-fourth of these employees could have had their identity stolen!
This identity theft could have terrible consequences for the employee, but even worse ramifications for the company. Once phishing scammers know personal details for a few employees, they often use that information to fake their way into higher and higher levels of data access within the company. As members of the medical community, you can immediately see the danger to patients' personal and medical information. Just one doctor, nurse, or front desk staff member clicking on a convincing e-mail can eventually lead to a security breach affecting hundreds of patients. The mistake is simple; the consequences are high.
How can you prevent such a disaster? Be aware. Know the ways to spot a phishing e-mail and make a habit of some simple safeguards.
Top priority in phishing protection is to beware all links and attachments. Links lead to websites ready to collect your financial details. Attachments may contain viruses or key-loggers which will record every keystroke on your computer and decipher your passwords as you type. Ultimately your goal is to never even open a phishing e-mail. If you don't identify it in time, at least refrain from clicking on the link or opening an attachment. Are you are in any doubt? Don't click. If you know the sender, contact them by other means instead.
Legitimate e-mails may have links and attachments too, of course, so read on for things that should arouse your suspicion, and things you can check to confirm your fears.
Suspicious Elements
- Non-personalized greeting such as "Dear Member"Scammers send out e-mails by the dozen, but your real bank or company that you have done business with will have a name to attach to your e-mail address and will use it.
- Urgent action: "Only three days to cancel!"
Scammers try to lure you to give out information first and think later. - Unsolicited call for personal/financial information
Legitimate banks, credit card companies, and the IRS do not request your account information by e-mail. Period.
Things to Check
- Deceptive e-mail address
Anyone could have signed up for an e-mail like 'sales.practice-alt@gmail.com'. Compare it to the legitimate 'sales@practice-alt.com'. Not anyone can sign up for this one, since the section of an e-mail after the @ symbol indicates the organization it is linked with, and is not chosen by the individual. If an e-mail claims to be from a particular company, expect that company's name to be after the @ symbol. - Links in disguise
Hover your mouse over any links in the e-mail. Does the link that appears at the bottom of your browser window match what is typed? Look also for misspellings (i.e. "Payapl" instead of Paypal) or for numbers substituted for letters. (Paypa1) They're hoping you won't look closely. Does the link start with 'https' or only 'http'? Any legitimate website asking for financial details will begin with 'https' -- 's' for 'secure'. Check every link, as an e-mail may include a legitimate link to throw you off guard, followed by a phishing link. - Pop-up windows
If a seemingly-innocent link opens a site with an immediate pop-up window asking for your name and password, don't enter them. You may have been linked to a legitimate site, but the phishers have inserted a pop-up that is going straight to them. - Attachments with executable filesWhat type of file is the attachment? Watch out for these: .exe, .bat, .com, .vbs, .reg, .msi, .pif, .pl, .php. Any one of these files could be hiding a virus or other malware. A .zip file could be concealing one of these executable files too.
Again, when in doubt, just don't click. If you get an e-mail with a suspiciously urgent call to action that you can't face ignoring, then contact the company it claims to be from, using a DIFFERENT means than provided in the e-mail. Rather than clicking on the e-mail's link, use the number on your bank statement or the website printed on their business card. Don't google for the website, since that could turn up a phishing site that uses a deceptive web address.
Now that you know the warning signs of phishing, you can check your ability to detect a scam by taking this test from Sonic Wall. How'd you do? Phishers are gunning for your personal information and access to your practice's records, but you can still outwit them. Just be on your guard and think before you click!
Written by Laura Rowe
