Don't Get Lured in by a Phishing Attack

Spam isn't just erectile dysfunction e-mails in your junk folder. Now you've got to watch out for spear phishing, where more experienced criminals will use information about you found online to craft a targeted e-mail designed to fool you into giving up personal information.

Spam, it sounds like such a harmless word. And it may well be—that is, when spreading it on bread for a sandwich. But not when it comes to the fraudulent email that regularly invades computer in-boxes.

Both can be harmful, actually

According to Marian Merritt, Symantec’s Internet Safety Advocate, “about 85 to 90 percent of all the email in the world is spam.” Much of that is in the form of phishing attacks—online attempts at identity and information theft. Doctors are not immune. In fact, with the recent development of ‘spear phishing,’ they’re even more of a target.

Getting speared

Spear phishing is a targeted form of phishing in which the apparent source of the email is likely to be an individual within the recipient’s company—usually someone in a position of authority. What that means, Merritt explains, is that somewhere, a cyber criminal has taken the time to thoroughly research an organization and its officers.

What was your social again?

“For a medical practice, it means they’ve gone to your website and seen the names of all the physicians; maybe even the name of your office manager that you post for billing purposes,” Merritt says. “Now they have information they can use to mimic an insider, which increases the likelihood you’ll click on something. If you do, your computer could be infected. And if you’re on a network, the whole network could be infected.”
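The insider-mimicry Merritt describes leaves traces a mail filter can check for: a display name that matches someone on the practice's own roster but arrives from an outside domain, a Reply-To that steers answers somewhere other than the apparent sender, or a sender domain that merely resembles the practice's. The following is an added example, not code from the article or from Symantec; the staff roster, the practice domain and the three sample messages are constructed for illustration.

```python
# Added example (not from the article): a defender-side heuristic that flags
# inbound mail impersonating a practice insider. Roster, domain and sample
# messages below are constructed, not real data.
from email import message_from_string
from email.utils import parseaddr

# Hypothetical practice mail domain and the names that appear on its website.
PRACTICE_DOMAIN = "example-practice.invalid"
STAFF_NAMES = {"dr. jane smith", "jane smith", "pat lee"}


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Dr.  Jane Smith' matches the roster."""
    return " ".join(name.lower().replace(",", " ").split())


def domain_of(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like insider impersonation."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name matches a staff member but the address is external.
    if normalize_name(from_name) in STAFF_NAMES and from_domain != PRACTICE_DOMAIN:
        findings.append(
            f"display name '{from_name}' matches staff but sender domain is {from_domain}"
        )

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}"
        )

    # 3. Lookalike domain: the practice's name embedded in an unrelated domain.
    practice_label = PRACTICE_DOMAIN.split(".")[0]
    if from_domain != PRACTICE_DOMAIN and practice_label in from_domain:
        findings.append(f"sender domain {from_domain} resembles {PRACTICE_DOMAIN}")

    return findings


# Constructed sample messages.
SAMPLE_SPOOF = (
    'From: "Dr. Jane Smith" <jsmith@freemail-example.invalid>\n'
    "Reply-To: billing@other.invalid\n"
    "Subject: Urgent: update our bank details\n\n"
    "Please process the attached change today.\n"
)
SAMPLE_LOOKALIKE = (
    'From: "Pat Lee" <pat.lee@example-practice-billing.invalid>\n'
    "Subject: Invoice correction\n\n"
    "See attached.\n"
)
SAMPLE_LEGIT = (
    'From: "Jane Smith" <jane.smith@example-practice.invalid>\n'
    "Subject: Schedule for Friday\n\n"
    "Clinic runs until 4pm.\n"
)

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, "->", impersonation_findings(sample) or "no findings")
```

The check is deliberately conservative: it only compares against names the practice has already published, which is exactly the information Merritt says an attacker harvests first, so a hit is worth routing to a person rather than silently dropping.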

The results of a July 2009 survey by the Messaging Anti-Abuse Working Group indicate how easily the above scenario could happen. According to the survey, almost one-third of consumers questioned admitted answering emails they suspected were spam. The survey, “A Look at Consumers’ Awareness of Email Security and Practices,” also found that while two-thirds of the people considered themselves “very” or “somewhat” knowledgeable about Internet security, 21 percent had taken no action to prevent spam or dangerous email from hitting their in-box.

The weakest link

Merritt says the security of a medical practice’s financial information is only as good as the weakest link in the organization. For example, if the individual whose job it is to maintain security of the practice’s website is using a weak password on the server hosting the website, a criminal could crack it and get into the system. She offers up the following scenario.

Imagine your practice has hired a college student to come in and handle some updating of your systems. They’re really into music, and they want to listen to music while they’re working, so they ask the office manager if they can install a program that can pull music in from the Internet.

No, really. We're harmless. You can let us in.

The office manager thinks it sounds fine; the person will listen to the music with headphones, and no one will be bothered. What you don’t realize is that they’ve downloaded a peer-to-peer file-sharing program. And what those programs do is scan the entire network they’re attached to and give anyone on the Internet who uses that program access to it.

Merritt encourages physicians “to make sure that the people who are responsible for the management of the website use good security practices; that all the computers that have access to the Internet and to each other are secured with good security suites; and that you make sure that people use good passwords.”

Taking precautions

The volume of spam and spear phishing attacks also increases during certain times of the year, and is influenced by current events. For example, Keith Crosley, director of market development for Proofpoint, Inc., an email security vendor, reports that in the week leading up to the April 15 income tax deadline, phishing messages detected by Proofpoint’s spam traps were up 200 percent versus the prior week.

Where doctors are concerned, Merritt says that if the Food and Drug Administration issued a major report, “we’ll likely see malware associated with that report.”

How can physicians protect their practice and its finances? “If there are people in the office who are using computers to do banking on behalf of the practice, those are weak spots,” Merritt explains. “You have to make sure you have great passwords and security software.

“And the Small Business Association of America is now recommending that any computer used for online banking and financial transactions be disconnected from the network. So, whatever the person with financial responsibilities is doing, it can’t be accessed by other users in the office.”

And, Merritt cautions, don’t assume that because you have a security system in place, you’re safe. It’s important to regularly upgrade, because those cyber criminals are not standing pat.

“If you look at the statistics in terms of how many threats we’re fighting, it’s millions and millions a year, and it’s growing exponentially,” she says. “Right now cyber criminals can go online and buy tool kits, and be in business sending out spam and infecting computers with malware in a few minutes. It’s really up to the individual end user to defend against it. Because just as with medical best practices, there are things any one of us can do to make ourselves safer when we go online.”