Phishing is the art of getting you or your staff to provide an attacker with information. The attacker then uses that information to compromise your systems or data to their benefit.
Phishing is usually carried out most easily through the email system used by the healthcare practice. The email appears to come from a legitimate source, such as a friend, coworker, manager, company, or even the victim's own email address.
The trigger for email phishing is typically some sort of active link or file (sometimes a picture or social media image) that is enticing in some way to the victim. Clicking on the active "content" (link, URL, attachment, graphic, picture, survey or game) can launch a variety of malicious activity that infects and compromises your computers, software or data.
One example we recently saw at a group practice was an email from their EMR vendor claiming immediate action was required. The well-meaning employee clicked on a link that took them to a malicious (copy-cat) site that proclaimed: "Your password has expired! Please enter a new password immediately or you will no longer have access to the system" (bad news for a front desk worker with a full waiting room, in this case). The victim entered her old password, the new password, and verified the new password (which were meaningless of course), and the attacker gained (administrative) access to the entire EMR. The more well-meaning and good-natured the employee, the easier it is, unfortunately, to exploit those good qualities.
This example did not have a happy ending.
Need to report a phishing attack or phishing email? Start here.