[BreachExchange] ‘Payment Notification’ Is Top Healthcare Phishing Attack Subject

Destry Winant destry at riskbasedsecurity.com
Thu Oct 11 21:24:13 EDT 2018


The term “Payment Notification” is the top healthcare phishing attack
subject, appearing in 58 percent of healthcare phishing attack
campaigns in 2018, according to the latest data from Cofense.

Other popular subjects in healthcare phishing attacks are “New Message
in Mailbox” and “Attached Invoice.”

Cofense (formerly PhishMe) found that 7 percent of emails are
malicious in healthcare, compared with 10 percent across industries.

The healthcare industry is an attractive target for phishing campaigns
“because few industries collect more lucrative personal data: name,
Social Security number, email address, home address, date of birth,
and usually one or more credit card numbers,” Cofense related in its
report The State of Phishing Defense 2018.

For the report, Cofense analyzed more than 135 million phishing
simulations, 800,000 reported emails, and nearly 50,000 real phishing
campaigns targeting organizations in 23 industries.

Healthcare had a low resiliency rate of 1.63. Cofense defines the
resiliency rate as the ratio of users who report a simulated phish to
users who fall for one, so a higher number is better.

This compares with a resiliency rate of 6.19 for the energy sector and
4.73 for the utilities sector. However, healthcare is higher than the
financial sector at 1.38.

Overall, the resiliency rate of users across industries has increased
over the past four years due to a large increase in the reporting
rate, Cofense related.

“We see phishing emails bypass technology controls every day and more
and more end-users recognizing and reporting these threats that
slipped past million-dollar defenses,” said Cofense Cofounder and CTO
Aaron Higbee.

“The results of our research detailed in the ‘State of Phishing
Defense’ show that resiliency is building across key industries
thanks to those same people that were once deemed as the weakest links
in an organization. These trends are powerful and reinforce that
humans are a key element to a successful security program,” Higbee

In addition to using deceptive subject lines, phishing attackers
impersonate people who are trusted by the targeted individual.

A recent study by Mimecast found that there was an 80 percent increase
in impersonation-based phishing attacks.

“Targeted malware, heavily socially-engineered impersonation attacks,
and phishing threats are still reaching employee inboxes. This leaves
organizations at risk of a data breach and financial loss,” warned
Mimecast Cybersecurity Strategist Matthew Gardiner. “Our latest
quarterly analysis saw a continued attacker focus on impersonation
attacks quarter-on-quarter.”

Phishing attacks can be costly for healthcare organizations in terms
of lost PHI, reputation damage, and regulatory fines and lawsuits.

In a recent HealthITSecurity.com feature article, security experts
recommended that healthcare organizations take a number of steps to
reduce the risks from phishing.

First, healthcare organizations should deploy the Domain-based Message
Authentication, Reporting and Conformance (DMARC) protocol to improve
their email security by giving receiving mail servers a reliable way
to verify the identity of the sending domain.

DMARC is designed to identify forged sender addresses that appear to
be from legitimate organizations or individuals. A domain owner
publishes a DMARC record in DNS that tells receiving servers to check
that the domain in the “From:” field of the message headers matches
(is “aligned” with) the domain validated by SPF or DKIM, and what to
do with mail that fails that check: monitor only, quarantine, or
reject. It enables organizations to stop scammers from sending mail
that uses their email domain.
Other steps that organizations can take include conducting an audit of
the current security and compliance environment, establishing detailed
and thorough anti-phishing policies, implementing best practices for
users to follow, providing adequate security awareness training, and
deploying alternatives to employee-managed tools and services.

Healthcare organizations will need to change in order to prevent
phishing attacks from succeeding.

“Change is not expensive, but it has to be readily accepted. People
have to be willing to devote some time and focus to improving the
behavior of every user in the hospital so that at the end of the day
those users become essentially control officers in the cyber program,”
said Alan Levine, a cybersecurity advisor to anti-phishing vendor
Wombat Security.

Healthcare organizations should train employees on how to spot and
avoid phishing email, adopt best practices, and deploy appropriate
technology to lessen the chances that a phishing attack will succeed.

More information about the BreachExchange mailing list