Last week email security vendor Vade Secure published its quarterly Phishers’ Favorites report, which ranks the brands most often impersonated by phishers. Phishing attacks are malicious emails designed to trick you into clicking a link, opening an attachment, or entering your password on a look-alike login page; the payoff for the attacker is either malicious software installed on your computer or a stolen username and password. The rankings are based on data obtained from users of Vade Secure's email security products. It is important for practices to understand phishing trends and techniques because phishing is one of the most common routes for delivering malicious software and stealing credentials. Security awareness training is also required for HIPAA compliance.
The top 10 brands for the 2nd Quarter of 2019 are:
- Bank of America
Microsoft retains its #1 ranking, with a whopping 20,217 unique phishing attacks identified in the quarter, an average of 222 per day. Microsoft is likely the #1 favorite because of the popularity of its Office 365 product: a stolen Office 365 login gives a criminal the employee's email and files, plus a trusted mailbox from which to phish co-workers, patients and business partners, which makes these credentials valuable.
Coming in at #2 is PayPal, the #1 online payment service worldwide. Getting into a PayPal account is a rapid way for a criminal to steal your money.
Facebook, at #3, has been surging in the rankings. Vade Secure speculates that Facebook's growing popularity with phishers is because Facebook credentials can increasingly be used to sign into many third-party cloud systems ("Log in with Facebook"), so one stolen password opens more than one account.
The complete report is available from Vade Secure here and is a good read.
Your HIPAA Security Risk Assessment almost certainly will identify Security Awareness Training as a top control to implement. Practices can use this list as part of the ongoing security awareness training program. Employees should be taught to be especially vigilant regarding emails purporting to come from these top companies. Best practices for Security Awareness Training include:
- Gain support from the practice owner and/or CEO
- Ensure that all employees participate, including and especially the physicians!
- Conduct a simulated email phishing attack against all employees and record the number who fail (click the link, open the attachment, or enter credentials on the landing page). That number is the baseline against which the success of the program is measured.
- Training / Security Reminders should be frequent (monthly or quarterly) and brief.
- The program should be fun, entertaining, interesting and engaging.
- Simulated phishing attacks should be ongoing, and each campaign's results should be measured against the baseline. Employees who repeatedly fail should receive additional, targeted training.
- The program needs to be ongoing, not once-and-done.
While security awareness programs can be done completely in-house, some outside expertise and/or tools will usually improve the effectiveness of the program.
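One way to keep score for the baseline-and-trend measurement described above, as an added example that is not part of the original post or of any Vade Secure product: each simulated campaign records one row per employee, the first campaign serves as the baseline, and employees who fail more than once are listed for remedial training. The campaign records are constructed sample data, and the field names, the action vocabulary ("reported", "ignored", "clicked", "submitted") and the two-failure threshold are assumptions rather than any standard.

```python
"""Measure a simulated-phishing program against its baseline.

Added example for this post; not code from the original page or from
Vade Secure. SAMPLE_RESULTS is constructed sample data, and the field
names, action vocabulary and remediation threshold are assumptions.
"""
from collections import Counter
from typing import List, NamedTuple, Tuple


class Result(NamedTuple):
    campaign: str   # label of the simulated phishing campaign
    employee: str   # recipient of the simulated email
    action: str     # "reported", "ignored", "clicked" or "submitted"


# Actions that count as a failure: clicking the link or opening the attachment
# ("clicked") and entering credentials on the landing page ("submitted").
FAIL_ACTIONS = {"clicked", "submitted"}

# Constructed sample data: six staff (two physicians) across three campaigns.
SAMPLE_RESULTS = [Result(*row) for row in [
    ("2019-Q2", "dr.smith", "submitted"),
    ("2019-Q2", "nurse.allen", "clicked"),
    ("2019-Q2", "front.desk", "clicked"),
    ("2019-Q2", "billing", "ignored"),
    ("2019-Q2", "office.mgr", "reported"),
    ("2019-Q2", "dr.jones", "ignored"),
    ("2019-Q3", "dr.smith", "clicked"),
    ("2019-Q3", "nurse.allen", "reported"),
    ("2019-Q3", "front.desk", "ignored"),
    ("2019-Q3", "billing", "reported"),
    ("2019-Q3", "office.mgr", "reported"),
    ("2019-Q3", "dr.jones", "ignored"),
    ("2019-Q4", "dr.smith", "reported"),
    ("2019-Q4", "nurse.allen", "reported"),
    ("2019-Q4", "front.desk", "reported"),
    ("2019-Q4", "billing", "ignored"),
    ("2019-Q4", "office.mgr", "reported"),
    ("2019-Q4", "dr.jones", "clicked"),
]]


def _rows(results: List[Result], campaign: str) -> List[Result]:
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results recorded for campaign {campaign!r}")
    return rows


def failure_rate(results: List[Result], campaign: str) -> float:
    """Share of recipients who clicked or submitted credentials."""
    rows = _rows(results, campaign)
    return sum(r.action in FAIL_ACTIONS for r in rows) / len(rows)


def report_rate(results: List[Result], campaign: str) -> float:
    """Share of recipients who reported the email (the outcome we want)."""
    rows = _rows(results, campaign)
    return sum(r.action == "reported" for r in rows) / len(rows)


def campaign_trend(results: List[Result]) -> List[Tuple[str, float, float]]:
    """(campaign, failure rate, change versus the first campaign) per campaign.

    Campaign labels are sorted as strings, so the "YYYY-Qn" labels assumed
    here sort chronologically; other label formats need an explicit order.
    """
    campaigns = sorted({r.campaign for r in results})
    baseline = failure_rate(results, campaigns[0])
    return [(c, failure_rate(results, c), failure_rate(results, c) - baseline)
            for c in campaigns]


def repeat_failers(results: List[Result], min_failures: int = 2) -> List[str]:
    """Employees who failed at least min_failures campaigns (remedial training list)."""
    counts = Counter(r.employee for r in results if r.action in FAIL_ACTIONS)
    return sorted(e for e, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    for campaign, rate, delta in campaign_trend(SAMPLE_RESULTS):
        print(f"{campaign}: failed {rate:.0%} ({delta:+.0%} vs baseline), "
              f"reported {report_rate(SAMPLE_RESULTS, campaign):.0%}")
    print("remedial training:", ", ".join(repeat_failers(SAMPLE_RESULTS)))
```

Tracking the report rate alongside the failure rate matters: an employee who simply ignores a suspicious email is better than one who clicks, but the practice only learns about a real attack when someone reports it, so a rising report rate is the clearest sign the program is working.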
Please also see:
- More Health Data Breaches Coming
- Department of Homeland Security Warns: Protect Your Practice
- Cybersecurity Basics for Small Practices
- Security Awareness Training
- Phishing and Eagle’s Security Awareness Program
- Gmail Password Leak Sheds Light on Importance of Cybersecurity Awareness Training
- Employee Security Awareness Training May Have Prevented Centura Health Breach