What is “phishing”? It’s fraudulent attempts by criminals to steal computer accounts and passwords. The term was coined in the early 1990s when the internet was young, with only a few million user accounts. Most people today have multiple accounts, which adds up to billions of potential targets.
Make no mistake, regardless of who you are, the size of your organization or the strength of your technology resources, you are under attack. How can we be so sure? Experience, and the value of the prize: one patient’s medical record could fetch $1,000 on the “dark web”.
Even small, neighborhood clinics are targets now. An unfortunate example is a small ear-nose-throat practice in Battle Creek, Michigan, that fell victim to a ransomware attack in early 2019, rendering their systems inoperable, losing years of patient data and forcing them to close their doors.
Spam filters and internet security software do improve safety, but none can protect you against 100% of the threats. This is especially true for “zero-day threats” and non-computer-based attacks such as cell phone text messages. The strongest protection available is a “human firewall”. It’s you!
The most common form of phishing is done with very realistic-looking, seemingly appropriate emails:
- Have you received one that looked convincingly like it was from Linked In asking you to confirm your identity?
- How about one from UPS or FedEx telling you your package was on the way, containing a link to check its status?
- Did you get one from what looked like your organization’s Information Technology staff, telling you that systems had been compromised and you must change your password?
The realism of these emails is astounding, but there is one simple thing you can do to defeat them:
- Never click a link directly! Always hover over any link with your mouse and look at the bottom left of your screen to see the actual link. Here are some examples of things to look for:
  - https://confirm.lnkedin.com (the domain is “lnkedin” rather than “linkedin”)
  - http://tracking.fedex.xt77yq.com (http is NOT secure; the actual domain is xt77yq.com, not fedex.com)
  - https://IT.yourcompanysite.ru (your company’s site name doesn’t end in “.ru”!)
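The three red flags above (a lookalike spelling, a brand name hiding in front of someone else’s domain, and a plain http or wrong ending) can be written down as a small checker. This is an added example, not part of the original article; the list of known brands and the two-label rule for the registered domain are simplifying assumptions.

```python
import difflib
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand name -> its legitimate registered domain.
KNOWN_BRANDS = {"linkedin": "linkedin.com", "fedex": "fedex.com", "ups": "ups.com"}


def registrable_domain(host: str) -> str:
    """Naive registered domain: the last two labels (no public-suffix list, so
    hosts like example.co.uk are only approximated)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return the reasons a hovered link fails the checks from the article;
    an empty list means no red flag was found."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()        # urlsplit lowercases the host
    if not host:
        return ["no host in link"]
    # Red flag 1: not https (http is NOT secure).
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    domain = registrable_domain(host)
    labels = host.split(".")
    # Red flag 2: the link should be your own site but ends somewhere else (.ru instead of .com).
    if expected_domain and domain != expected_domain.lower():
        findings.append(f"domain is {domain}, expected {expected_domain}")
    # Red flag 3: a brand name appears as a label, but the registered domain belongs to someone else.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in labels and domain != legit:
            findings.append(f"host mentions {brand} but domain is {domain}, not {legit}")
    # Red flag 4: lookalike spelling one or two characters off a known brand (lnkedin vs linkedin).
    sld = domain.split(".")[0]
    for legit in KNOWN_BRANDS.values():
        legit_sld = legit.split(".")[0]
        if sld != legit_sld and difflib.SequenceMatcher(None, sld, legit_sld).ratio() >= 0.85:
            findings.append(f"domain {domain} looks like {legit} (possible lookalike)")
    return findings


if __name__ == "__main__":
    for link in ("https://confirm.lnkedin.com", "http://tracking.fedex.xt77yq.com",
                 "https://IT.yourcompanysite.ru", "https://www.fedex.com/tracking"):
        print(link, "->", check_link(link, "yourcompanysite.com" if "yourcompany" in link else None) or "no red flags")
```

The same function can be pointed at links pasted from a text message, which is where hovering is not available.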
In general, don’t trust any link you receive in email, text message, or in a document…like this one! The links here are “legit” but use them to practice the hover technique before clicking any of them.
For text messages, you can’t hover, so it’s usually not possible to confirm where the link leads. Rather than tap on it, avoid it. Enter the actual site address in your browser and access the needed feature from there. For example, if you do need to track a package, visit https://fedex.com and click the “Tracking” link.
The COVID-19 pandemic has actually increased the volume of phishing attacks. Stay safe, be vigilant, protect your data.