Of all the ways a hacker can break into your practice's network, sending phishing emails is by far the most common. There are a lot of reasons for this that we will discuss, but the most important thing to learn is what you can do to protect your practice from these attacks.
What are phishing emails?
Phishing is the use of various forms of communication to send a victim a message in the hope that the victim will perform an action for the attacker. It can be in the form of email, SMS messages, instant messages (WhatsApp, Viber, Telegram, iMessage, Facebook Messenger, etc.), or even phone calls. The one thing they all have in common is that the attacker tries to look like someone trusted so that the victim will trust them and then perform the required action.
Actions may include providing login credentials, clicking on links or attachments to install malware, or even performing electronic funds transfers.
Phishing emails work the exact same way. You might receive an email from the company CEO instructing you to send a wire payment to a new vendor. Maybe you get an email from Amazon letting you know that your recent order (that you didn’t actually order) has been delayed. Regardless, the goal is to get your attention, make you trust the sender, and then perform an action.
Why do hackers send phishing emails?
For an attacker, phishing is a high-reward, low-risk form of attack. It is extremely easy and cheap to set up a phishing campaign. The more emails they send out, the higher the chances of getting a hit.
On the risk side, there is almost no danger the attacker will ever be discovered and caught. The worst case for most phishing campaigns is that the domain they are using will be blocked on spam lists as a source of phishing emails.
This is why the number of phishing emails sent each year increases.
One thing to keep in mind is that most phishing is broadly targeted. Even though the emails may have some form of personalization, like a first name, they will be sent to tens of thousands of potential victims to increase the attacker’s chances of success.
Spear phishing is when the attacker creates hyper-focused messages for a single person. The attacker will spend time doing research on the target, gathering information from company websites, social media, and other publicly available sources. The more information they have, the better they can craft the emails so that the victim trusts them.
Common tactics used in phishing emails
Here are some of the common characteristics you may find in phishing emails. If you can learn to spot these, it will go a long way in helping you spot the attacks you may receive.
Create a sense of trust
One of the most important ways the attacker can get you to do something is to make you trust them. This is done by having the message appear to come from a known party or authority. For example, you might receive an email from Amazon, UPS, your bank or credit card company, or a government office. All of these will get your attention and try to convey a sense of trust and reliability.
Use your emotions against you
Fear is the most common emotion you will feel when dealing with phishing attacks. This is usually a fear of getting into trouble or a fear of losing something, like money. For example, the email from your bank may be letting you know that a large amount has been debited from your account. Phone phishing, or vishing, makes use of this by pretending to be the IRS and telling you that you will be arrested if you don't pay back taxes. When we read these messages with our emotions heightened, there is much less of a chance that we will think clearly. Attackers know this and make the best use of this tool.
Create a perception of immediacy
This goes hand in hand with using your emotions. By demanding that you act immediately, the attacker gives you less time to think. The more time we have to think about something, the more we can decide whether it's in our best interest or not. If you receive an email that needs you to do something right away, that may be an indicator that it is a phishing message.
Carefully crafted message
This takes the form of choosing the right message for the email. In the old days, you might have received an email from a Nigerian prince who needed your help to get his money out of the country. While these messages still exist today, they are far less common since most users are aware of them. Today, attackers choose messages that lower your defenses and try to appear as realistic as possible. Another thing attackers do is use the news, especially when it concerns a recent breach, as a way to get your attention. You might receive a message letting you know that a service you use was breached (you may even have heard about it in the news) and that you need to change your password for your security. The email will helpfully contain a link for you to click on and change your password, but what is really happening is that the attacker is collecting your current password. Before you realize what happened, they have accessed your account. You can see some phishing examples here.
How to protect yourself from phishing attacks
Now that you have a good understanding of what phishing emails are and why attackers use them, let’s go over some ways you can help protect your practice.
Train your staff
Training your staff is the number one way you can help. Because phishing emails are always evolving, your staff needs training to help them spot the attacks.
Training can come in various forms. The most common way is via an online video or course to help your staff learn to spot the types of attacks they may come in contact with. These can be boring for end users as there is little to no interaction with the training.
Another way is to make the training more interactive by having the user make choices and react to the training they are being given. Google offers a great quiz you can take to help you learn how to spot phishing emails. You can take the quiz here.
The final way is to use a phishing campaign that sends out similar messages to your staff that they may encounter in real life. However, when they click on the link, they are taken to a website that lets them know that this was a phishing test and then provides them with some training. This can be very effective and can be launched several times throughout the year to help keep staff sharp.
Stop, pause, and read carefully
Whenever you get a message that makes you feel ill at ease, stop and take a pause. Don’t do anything while you are in a potentially emotional state. Carefully read the email and see what they want you to do.
Are there links to click on? Don't click them. If you think the email might be legitimate, open the site directly in your browser, log in, and change the password there. Do not click on the link supplied in the message.
Does the link have a legitimate domain name? This one can get very confusing because most users don't really understand what a domain name is. For example:
amazon.xyz.com
The domain here is actually xyz.com, and the amazon part is a sub-domain. Any domain owner can create any sub-domain they wish for a domain they own. I could create amazon.yourhipaaguide.com and it would be a real domain. But that doesn't mean it would be a legitimate Amazon domain. When you see links in an email message, hover over the link and look at the domain name. Even if the link text spells out the domain, hover over it to make sure it is real. Take a look at the example below:
The link text reads as Amazon, but if you hover over it you can see that it goes to Google when you click it.
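The two checks described above, that the domain a link really points to is the last two labels of its host rather than the brand name in front of them, and that the visible link text can show one domain while the href goes to another, can be automated. The following is an added example written for this article, not code from the original post; the sample email body is constructed, and the last-two-labels rule is a deliberate simplification (a real check should consult the Public Suffix List so that hosts like example.co.uk are handled correctly).

```python
"""Flag suspicious links in an email body.

Added example, not from the original article. It reports where each link in an
HTML email really goes, and flags (1) link text that shows one domain while the
href goes to another and (2) a trusted brand name appearing only as a sub-domain
of somebody else's domain (the amazon.xyz.com case).
"""
from __future__ import annotations

from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Naive 'real domain': the last two DNS labels (amazon.xyz.com -> xyz.com).

    Simplification for illustration; production code should use the Public
    Suffix List so that example.co.uk is not reduced to co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Return the host of a URL, or of bare text that looks like a URL, else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate   # lets urlparse handle "www.amazon.com"
    host = urlparse(candidate).hostname
    # Plain words such as "Track package" never contain a dot, so they are not hosts.
    return host if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str, trusted_domain: str) -> list[dict]:
    """Return one finding per link: its real domain and the reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    brand = trusted_domain.split(".")[0]          # "amazon" for "amazon.com"
    findings = []
    for href, text in parser.links:
        real_host = host_of(href) or ""
        real_domain = registrable_domain(real_host) if real_host else ""
        reasons = []
        # Check 1: the text spells out a domain, but the href goes somewhere else.
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != real_domain:
            reasons.append(f"text shows {shown_host} but link goes to {real_host}")
        # Check 2: the brand is only a sub-domain of another owner's domain.
        if real_domain != trusted_domain and brand in real_host.split("."):
            reasons.append(f"{real_host} belongs to {real_domain}, not {trusted_domain}")
        findings.append({"href": href, "text": text, "domain": real_domain, "reasons": reasons})
    return findings


# Constructed sample email body, modelled on the cases discussed in the article.
SAMPLE_EMAIL = """
<p>Your recent order has been delayed. Please review it within 24 hours.</p>
<a href="https://www.google.com/">https://www.amazon.com/orders</a>
<a href="https://amazon.xyz.com/login">Sign in to review your order</a>
<a href="https://www.amazon.com/orders">Track package</a>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, "amazon.com"):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['domain']:12} {f['href']}")
        for r in f["reasons"]:
            print(f"{'':10} - {r}")
```

Run against the sample body, the first link is flagged because its text shows amazon.com while the href goes to google.com, the second because amazon.xyz.com is really xyz.com, and the third passes because its real domain is amazon.com. The same hover-and-compare logic is what a mail gateway's link-rewriting or URL-reputation feature performs on every incoming message.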
Grammar and spelling
For less sophisticated attacks, the grammar and spelling may not be up to standard. Since many phishing emails are created by those whose first language is not English, you may notice many spelling or grammar mistakes. Also, the use of non-standard American English could be an indicator. Many people around the world learn English as a second or third language but the vocabulary may be different from what you’re used to seeing. While this doesn’t immediately mean the message is a phishing attack, it is something to give you pause.
Use phishing and spam filtering
Make sure that your email provider offers phishing and spam filtering for your incoming email. While this won't stop every message, it will block the overwhelming majority of them. If your email provider doesn't offer this, you can use a third-party service like Barracuda.
This gives you the tools you need to help your practice defend against phishing email attacks. In parting, one thing to remember: the IRS will NEVER email you anything about taxes. If you get an email claiming to be from them, it is 100% spam.
Good luck and stay safe.