How to avoid the hook, line and sinker of a phishing email
The damage of a phishing attack can be huge. Learn how to avoid falling for a phishing email with these great awareness tips.
Most phishing emails look as if they come from a legitimate bank, government agency, or other such ‘real’ company. They typically try to trick you into handing over your personal information such as your credit card details, or your credentials (username and password) for online banking; or they entice you to open malicious links or attachments.
Phishing attempts can arrive in the form of emails, SMS, or phone calls (aka ‘vishing’) and are designed to give the attacker access to personal information or infect a computer (or an entire computer network) with a virus or malware. Once the attacker has obtained someone’s personal information or access to their computer, they have a multitude of choices on what they can do next. They can pose as that person and continue a chain of phishing attacks within an organisation or to the organisation’s external contacts; they could hold the organisation’s data to ransom; or send fraudulent invoices with the hacker’s bank account details, and more.
There has been a significant increase in phishing emails in New Zealand recently, so it is imperative that the health sector is aware of cybersecurity issues like this.
Additionally, in our sector we all have a responsibility to minimise the risk of sensitive patient data being exposed or stolen.
The damage of a phishing attack can be huge
In September 2019, cyber criminals used a phishing email to attack two regional hospital networks in Victoria, Australia. When a hospital employee opened a phishing email, a virus was downloaded and quickly spread across the hospital’s network. Unfortunately, this had serious implications, causing some elective surgeries to be cancelled.
Thankfully no patient data was stolen and authorities ruled that the attack had been financially motivated. But this situation could have been significantly worse if data had been stolen or lost. The potential financial and reputational damage of compromised patient data is huge.
Some real-life examples of phishing emails
The two examples below are email and website imitations of trusted and well-known brands that look convincingly real. Both emails contained links directing the recipient to an imitation login page that would capture your credentials when entered.
How to spot a phishing email
Sadly, all too many of us fall for these fakes by clicking on malicious links and supplying our credentials. For some key pointers see CERT NZ’s resources on how to identify a phishing email.
For example, you might notice that:
- you don’t recognise the sender
- the sender’s name or email domain doesn’t look quite right
- you don’t recognise the name of the company
- the company logo doesn’t look the way it should
- the email refers to you in a generic or odd way – for example ‘Dear You…’
- the email contains bad spelling or grammar
- if you hover over a link in the email with your mouse, the address you see doesn’t match the place it’s saying it’ll take you.
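As an added illustration (not part of the original article), the Python script below turns three of those pointers into mechanical checks: a display name that claims a brand whose genuine domain differs from the sender’s domain, a generic greeting, and a link whose visible URL sits on a different domain from its real href. The message, the domains and the brand-to-domain table are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message; all domains are invented) to exercise the checks.
SAMPLE = """\
From: "Example Bank Online" <alerts@examplebank-secure-login.example>
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Please visit <a href="http://198.51.100.7/login">https://www.examplebank.example</a> now.</p>
"""
KNOWN_BRANDS = {"example bank": "examplebank.example"}  # assumed: genuine domain per brand name
GENERIC_GREETING = re.compile(r"\bDear\s+(Customer|User|You|Member|Sir/Madam)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude 'example.com' for 'www.example.com' (no public-suffix list)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def link_mismatches(html):
    """Links whose visible text is a URL on a different domain than the real href."""
    found = []
    for href, text in ANCHOR.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if not visible.lower().startswith(("http://", "https://")):
            continue  # plain words such as 'Help' give nothing to compare against
        if registered_domain(urlparse(visible).hostname) != registered_domain(urlparse(href).hostname):
            found.append((visible, href))
    return found

def phishing_indicators(raw):
    """Return the red flags from the list above that a message trips, as short strings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    flags = []
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in name.lower() and sender_domain != genuine:
            flags.append("sender-domain:" + sender_domain)  # name claims a brand, domain is not theirs
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    for visible, href in link_mismatches(body):
        flags.append("link-mismatch:%s->%s" % (visible, href))
    return flags
```

Run `phishing_indicators(SAMPLE)` to see all three flags raised on the constructed message; the checks are heuristics that support, rather than replace, the hover-and-look habit described above.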
What to do if you experience a phishing attack
Firstly, if you haven’t done anything with the email you need to delete it immediately. And then delete it from your trash can / Deleted Items folder too.
However, if you did give out your personal or financial details, contact the (real) service provider, explain what’s happened, and report it to CERT NZ.
Then change the passwords for any online accounts you think might be at risk.
You should also enable multi-factor authentication for those online accounts if it is available.
If you need assistance at any time, please do not hesitate to contact Patients First for guidance.
How to prevent a phishing email from causing damage
The good news is that as long as you don’t click on any links or open any attachments in the email, your computer and system are safe.
But you should always keep your wits about you and keep these things in mind:
- Don’t click on any links sent by someone you don’t know. If you’re unsure, contact the person to check first.
- Use bookmarks or favourites rather than relying on links in emails.
- Check to see how the companies you deal with will contact you, so that you can tell the difference between a phishing email and a legitimate email.
- Keep your support contracts with your antivirus provider, etc., up to date.
- Enable multi-factor authentication (where available) for all of your online accounts.
If it looks like a phish and acts like a phish, it’s a phish.