Merry Christmas everyone!

With all the prepping for Santa's big visit tonight, we know that avoiding phishing scams is top of your list... yeah right. It may not be your focus at this moment, but avoiding email scams, particularly at this time of year, is tricky - just like the scammers - and Medcom wants to help you learn how to spot signs of email phishing and avoid being scammed any time of year. Thankfully, our resident HIPAA security guru and IT professional, Michael McGregor, wrote an article that addresses this topic. We first shared Michael's advice in our Quarterly Benefits Leader in November. If you are not signed up to receive our newsletter, subscribe to our mailing list at the top of the page! We will be in touch to get more details so we can provide you with the most relevant and helpful content.

Now, without further ado...

How to Avoid Phishing Attacks

Phishing

Phishing is a malicious attempt to obtain sensitive information by disguising it as a trustworthy website, person, or company. Phishing is a form of social engineering that uses legitimate-looking email or fraudulent websites to encourage users to give up personal data or information, such as social security numbers, credit card numbers, passwords, etc. It is an attempt to acquire sensitive information about you and could lead to identity theft. Phishing emails are typically sent to many individuals who appear to come from trusted websites like banks, credit card companies, social networking sites, or online stores. Phishing messages often tell a story and attempt to trick you into clicking on a link or opening an attachment. 

Types of Phishing

Spear Phishing: Targeted and sophisticated phishing messages personalized to victims. Spear phishers learn about the victim by spying on their email, social media, and other online habits. The perpetrators use the information they have gathered to portray themselves as legitimate entities and create tailored messages to your interests to steal personal information such as your Domain ID and password.

Vishing: Phishing conducted by making phone calls portraying a trustworthy entity to convince the target to take an action. 

Smishing: Phishing conducted via SMS text messages. Smishing is a security attack where the user is tricked into downloading malware onto their smartphone or device.

Business Email Compromise: Form of phishing attack where a criminal impersonates a person of authority such as an executive, president, supervisor, etc. The scammer attempts to get an employee or vendor to transfer funds or sensitive information.

Learn to Spot Phishing

Although identifying phishing emails can be difficult, some indicators can help prevent an account compromise or identity theft if spotted. It can be helpful to focus on one part of an email at a time. Each piece offers its own set of clues and questions to ask.

Analyze the Sender Details: 

• Who sent the email, and when was it sent? Was this message expected? Would this person typically send an email like this?
• Confirm the Sender's Identity: The sender's display name can be spoofed to look like a legitimate person or organization. Hover over the name or double click the email name to view the actual email address.
• View the date and time of the message: Is it ordinary for this person to send messages at this time? (example; business-related emails sent at 2:00 a.m. are not standard)

Analyze the Context: What is the purpose of the email? Is it personalized?

• Beware of Urgent Subject Lines: Invoking a sense of urgency or fear is a common phishing tactic used by scammers. Be cautious of subject lines and message content that invoke a sense of urgency or fear.
• Look Out for Generic Salutations: If the message is from a supposed familiar source, but contains a generic greeting and signature, it could be a sign of a phish.

Analyze the Content: What is the tone of the email? Does the message contain a call to action?

• Think Before you Click: Don't click on links or download attachments from unknown sources, especially when they are unexpected. While a website address might look perfectly valid, hover your cursor above the link, and a different URL address may display altogether. 
• Protect Your Credentials: Medcom and other legitimate organizations will never ask you to verify your credentials via email or over the phone. Be wary of unsolicited requests for personal information.  
• Trust Your Instincts: If you receive an unexpected email from a seemingly trustworthy source that seems out of character, do not respond to the email. Instead, reach out directly to the individual through a trusted channel to confirm the message. Never respond directly to a suspicious email.

Email Spoofing

Email Spoofing is another form of a Phishing attack intended to trick you into thinking the email you received is from a trusted source. The following are some steps you can use to protect yourself, client data, and Medcom from email spoofing attacks.

How to Identify Email Spoofed Phishing Attacks

• Did you know that email scammers can easily forge the email from the address? It is called email spoofing, and it can make the job of spotting scams more difficult.

• Email spoofing is a form of impersonation where a scammer creates an email message with a forged sender address in hopes of deceiving the recipient into thinking the email originated from someone other than the actual source. Scammers will use email spoofing to help disguise themselves as supervisors, clients, or peers to trick users into performing some action.

• Scammers use this method of deception because they know a person is more likely to engage with the email content if they are familiar with who sent the message.

There are various types of email spoofing.

“Display name spoofing” portrays a display name of the person being impersonated while leaving the actual sending email address intact.

Example 1: "John Doe"
Example 2: "John Doe"

Scammers can also spoof the entire email address or just the domain name, i.e., what follows the @ symbol. Individuals can do a few things to determine if an email is coming from a spoofed email address or is otherwise malicious.

Check the Email Header Information

The email headers contain a significant amount of tracking information showing where the message has traveled across the Internet. Different email programs display these headers in different ways. In Outlook, inspect the header information by popping the email out and clicking on File. Next, click Properties and then scroll through the internet header information at the bottom to find the information mentioned below.

The following tips can help identify a spoofed message in the email headers.

• Identify that the 'From' email address matches the display name. The ‘from’ address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is coming from someone else.
• Make sure the 'Reply-To' header matches the source. It is usually hidden from the recipient when receiving the message and is overlooked when responding. If the reply-to address does not match the sender or the site they claim to represent, there is a good chance of forgery.
• Find where the 'Return-Path' goes. The ‘return-path’ identifies where the message originated. While it is possible to forge the ‘return-path’ in a message header, it is not common.

Question the Content of the Message

Sometimes the best defense against phishing is to trust your best instincts. If you receive a message from a supposed known source that appears out of the ordinary or out of date, it should raise a red flag. When receiving an unsolicited message, users should always question the message's content, specifically, if they request information or direct the user to click on links or open attachments.

Before responding to any questionable message, perform the following tasks to ensure the message is reliable.

• Ask yourself:
  • Was I expecting this message?
  • Does this email make sense?
  • Am I being pushed to act quickly?
• Examine the email and look for:
  • Sense of urgency
  • Unsolicited request for personal information
  • Generic greeting/signature
• Unfamiliar links or attachments
• Contact the sender of the message through a trusted channel
  • If the email appears legitimate, but still seems suspicious, it is best to contact the supposed sender through a trusted phone number or open a new outgoing email message using their real email address found in the address book. Do not reply to the message in question.

It is essential to remain vigilant when receiving mail, whether from an unknown sender, someone you are close with, or an organization with which you are familiar. Cyber scammers are always looking for new ways to exploit individuals for their own personal gain.

Michael McGregor, CSCS, CCSA, IT Desktop Support

If you are searching for ways to prep and train your team on cybersecurity and HIPAA regulations, reach out to Medcom; we can help with that. Check out all our HIPAA Privacy and Security solutions!