The saying “You’re only as strong as your weakest link” may date back to 1786, but its meaning is no truer than it is today [1].
Recently, a string of healthcare facilities revealed data breaches and hacks stemming from employees falling for phishing schemes [2, 3, 4]. (Read more details about the phishing schemes and the resulting hacks in references 2, 3 and 4 below.) With each new article, the reality of modern cyber-security falls into place: You’re only as strong as your weakest link.
But what does that mean? What causes phishing attacks to be successful?
Let’s step back and define phishing:
Phish·ing /ˈfiSHiNG/ noun. the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers [5].
Some of these emails are obviously fake (think Nigerian prince), but let’s be honest: some are really clever.
“The emails are getting more sophisticated, better formatting and messaging. Not as obvious that an e-mail is not representing who you think it is. Scammers are getting crafty; they are impersonating big companies and sending emails to millions of users in hopes of capturing a few.”
~ Mike Zinni, Director of Software Development at Davin Workforce Solutions
If, as Mike says, these emails are getting sophisticated, then how do we combat these attacks?
The two most significant factors in fighting phishing attacks are education and healthy paranoia.
It might be easy for IT to identify a phishing email, but that doesn’t mean everyone in your organization knows to be on the lookout, or even what to look out for. Instituting a company-wide training program may seem costly and time-consuming, but the alternative will make the time and cost seem paltry in hindsight.
There are many affordable training programs out there. Our company uses Proofpoint for our security awareness training, but that’s just one of many. You can’t expect your employees to know what to look for if you don’t take the time to train them.
It might sound extreme, but a healthy dose of paranoia and skepticism when it comes to emails can save you in the long run.
Every day, hundreds of emails pass through our inboxes. They run the gamut from personal to promotional to spam. We get so many that we can become numb. Hackers are counting on this. They spoof emails from big companies (such as Chase, Amazon, Apple, etc.) and send them out in hopes that you’ll think it’s legit.
And sure, it can be hard. But keep your wits about you, have some paranoia, and remember:
A legit email should never ask for your login information. It’s the same when someone claims to be calling from “Verizon support,” and they ask for your password. It doesn’t matter what company, they will never ask for your passwords, so don’t fall for an email asking for your login information.
Look at the actual email address. Most modern email programs give you a nickname for the email. It will say “Apple” or “Starbucks” or “Mike Zinni.” But don’t fall for the nickname. You can click on the nickname and read the full email address. Does it look legit? If it’s a string of random letters, it’s probably not from Apple.
Don’t click on the links. Yes, some of these links can be 100% legit. I get emails from Amazon every day suggesting products. But, if I genuinely want to look at one of those products, I skip the link and go directly to the site and search for that product. This might seem like overkill, but with the level of sophistication in phishing emails growing, any one of those legit-looking links could potentially send you to a site with a virus. Or it could send you to a spoof site asking you to “log in.”
If you truly want to protect yourself, no matter what the email says, whether a great offer or doom and gloom, eschew the links, head directly to the website and log in to your account there. Any offers or problems you need to fix will show up in your account there. Skip ALL links in non-solicited emails. (This guideline becomes null with emails you solicit, such as password resets.)
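The two checks above (read the real address behind the nickname; treat a link as untrusted when its visible text and its actual target disagree) can be applied mechanically. The following Python is an added example, not code from the original post or from any product it names; the message it inspects is a constructed sample, and the nickname-vs-domain test is a simple heuristic of my own.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real phishing email): nickname says Apple, address and link do not.
SAMPLE = """From: "Apple Support" <billing-notice@mail-update-example.test>
Content-Type: text/html

<p>Sign in at <a href="http://appleid.mail-update-example.test/login">https://appleid.apple.com</a>
to verify your password.</p>
"""
class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_domain(raw_message):
    """Return (nickname, real sender domain); the domain is what the post says to read."""
    name, addr = parseaddr(message_from_string(raw_message)["From"])
    return name, addr.rpartition("@")[2].lower()
def nickname_matches_domain(raw_message):
    """Heuristic (assumption, not a standard): does any word of the nickname appear in the domain?"""
    name, domain = sender_domain(raw_message)
    return any(w.lower() in domain for w in name.split() if len(w) > 2)

def mismatched_links(raw_message):
    """Return hrefs whose visible text is a URL on a different host than the real target."""
    parser = _LinkCollector()
    parser.feed(message_from_string(raw_message).get_payload())
    suspicious = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue  # plain text such as "Sign in" cannot be compared to the href
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            suspicious.append(href)
    return suspicious
```

A flagged link is exactly the case the post describes: the text reads like the real site, the target is somewhere else, and the safe move is to skip the link and type the address yourself.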
Don’t eschew skepticism with the excuse, “I don’t have anything to offer.” Any computer a hacker can breach is useful.
“Don’t think that a scammer is not interested in your information or that you have nothing of value. At the very least, your computer is a valuable resource for a scammer to use to propagate their scams.”
Hearing about company breaches exposing tens of thousands of individuals’ information is scary, especially when you imagine what it would be like for your company. But if you keep your wits about you, educate your employees about the tactics employed by cybercriminals, and keep a healthy dose of skepticism, you’ve created a safer and more secure company culture.
1. Wiktionary. (n.d.). a chain is only as strong as its weakest link. Retrieved January 27, 2020, from https://en.wiktionary.org/wiki/a_chain_is_only_as_strong_as_its_weakest_link
2. Garrity, M. (2020, January 17). Spectrum Healthcare notifies 11,300 patients of phishing attack: South Portland, Maine-based Spectrum Healthcare Partners is notifying 11,308 patients of an email incident that may have exposed their protected health information. Retrieved January 27, 2020, from https://www.beckershospitalreview.com/cybersecurity/spectrum-healthcare-warns-11-300-patients-of-phishing-attack.html
3. Garrity, M. (2020, January 21). Adventist Health notifies patients of phishing attack: Adventist Health Simi Valley (Calif.) began alerting patients Jan. 6 that their protected health information may have been exposed in a phishing attack. Retrieved January 27, 2020, from https://www.beckershospitalreview.com/cybersecurity/adventist-health-notifies-patients-of-phishing-attack.html
4. Garrity, M. (2020, January 23). Patient files class-action lawsuit against New York health system following phishing attack: A patient of Health Quest is suing the Lagrangeville, N.Y.-based health system for allegedly failing to safeguard her protected health information after it was exposed in a phishing attack, according to the Poughkeepsie Journal. Retrieved January 27, 2020, from https://www.beckershospitalreview.com/cybersecurity/patient-files-class-action-lawsuit-against-new-york-health-system-following-phishing-attack.html
5. Google Dictionary