Malicious Social Engineering and HIPAA

Spam accounts for 65% of the total volume of global internet email traffic according to Cisco’s 2017 Annual Cybersecurity Report. The report also points out that hackers are successfully automating their attacks on company networks, which leaves them more time to attempt other strategies for bypassing your network defenses.1

What does this mean for you and your organization? Security awareness must be a priority across the board. In this blog we will outline three methods hackers use to trick your employees into revealing confidential information, possibly Protected Health Information, that your organization has in its possession.

Social engineering is a term in computer security that refers to schemes hackers use to access your computer systems. The weakest link in most systems is the user; therefore, it’s extremely important you and your employees understand how it works.

According to Social-Engineer, Inc., the three top methodologies hackers use for malicious social engineering are:

  1. Phishing: The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
  2. Vishing: The practice of eliciting information or attempting to influence action via the telephone; it may include such tools as “phone spoofing”.
  3. Impersonation: The practice of pretending to be another person with the goal of obtaining information or access to a person, company, or computer system.2

Phishing
Hackers use phishing emails to trick people into clicking links that often lead to malware or ransomware being installed on your computer, or into giving up personal information. Criminals are looking, or phishing, for your personal information. This can be as simple as an email asking you to verify your Gmail account or a PayPal account.

In our blog, Social Engineering and HIPAA, we provided key ways to identify phishing emails as fraudulent:

  1. Grammar mistakes and misspellings
  2. Threatening language
  3. Fantastic job offers or promotions
  4. Link addresses that don’t match the sender of the email, such as “Google” spelled with zeros instead of the letter o
  5. Requests for money
  6. Unsolicited requests to change passwords
  7. In general, anything that sounds too good to be true usually is
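Two of the indicators above (links whose address doesn’t match the sender, and brand names spelled with zeros or ones in place of letters) can be checked mechanically before a message ever reaches an inbox. The following Python script is an added example, not code from the original post or from Total HIPAA; the two sample messages, the sender addresses and the host names in them are constructed for illustration, and the check is deliberately a simple heuristic for a mail filter or awareness demo, not a complete anti-phishing product.

```python
"""Heuristic phishing-indicator scan (added example, not from the original post).

Applies two indicators from the list above to an email's links:
  * a link hostname that is not the sender's domain or one of its subdomains, and
  * a hostname spelled with look-alike digits in place of letters (e.g. "g00gle").
All sample senders and URLs below are constructed for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Digits that are commonly used to impersonate letters in look-alike domains.
# Kept small on purpose: every extra entry raises the false-positive rate on
# legitimate hosts such as "web1.example.com".
HOMOGLYPHS = {"0": "o", "1": "l"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def sender_domain(from_header):
    """Return the domain part of the From: header's address, lowercased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(link_host, sender_dom):
    """True when the link host is the sender domain or a subdomain of it."""
    return link_host == sender_dom or link_host.endswith("." + sender_dom)


def digit_substitutions(host):
    """Return the host with look-alike digits replaced by letters, or None if it had none."""
    normalized = "".join(HOMOGLYPHS.get(ch, ch) for ch in host)
    return normalized if normalized != host else None


def scan_email(from_header, body):
    """Return a list of human-readable findings for one message (empty = nothing flagged)."""
    findings = []
    sender_dom = sender_domain(from_header)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue
        if sender_dom and not same_org(host, sender_dom):
            findings.append(
                f"link host {host!r} does not match sender domain {sender_dom!r}"
            )
        looks_like = digit_substitutions(host)
        if looks_like:
            findings.append(
                f"link host {host!r} uses digits in place of letters (reads as {looks_like!r})"
            )
    return findings


# Constructed sample messages: one that should trip both indicators, one that should not.
SUSPICIOUS = (
    "Account Team <security@google.com>",
    "Your account will be suspended. Verify now: https://www.g00gle-security.com/verify",
)
LEGITIMATE = (
    "IT Helpdesk <helpdesk@example-clinic.org>",
    "Reminder: the patient portal is at https://portal.example-clinic.org/login",
)

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(f"{label}: {scan_email(*message) or ['no indicators found']}")
```

Treat a non-empty result as a reason to route the message for human review rather than as proof of phishing: a marketing mail that links to a third-party tracking domain will match the first rule, and the digit rule will flag any legitimate host that happens to contain a 0 or 1. Extending the sender check to compare the display name against the address (the “Google” example above) is a natural next step.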

Do not click on the email or any of its links. This single click can expose your entire company to a host of problems and put your whole network at risk.

Vishing
Vishing is similar to phishing, but carried out over the telephone. It is the practice of calling an individual and eliciting information or attempting to influence action.3 Two common vishing techniques are the attacker calling a company’s customer service line or help desk, and the attacker posing as technical support.

In the first technique, the attacker calls a receptionist or customer service representative, knowing that these individuals are expected to treat callers positively and resolve their concerns with the organization. Because of a lack of training and the desire to give the caller a good experience, customer service is likely to oblige whatever the caller requests. When a caller asks for a password reset on their online account or for the credit card on file, have them verify information that only the genuine account holder would know.

In the second technique, the attacker poses as technical support and has the user click on a link that lets the attacker take over the user’s computer; at that point they have access to the system. Unless a technician is new to the organization, have the same person work on your computer each time. If a technician is unfamiliar to you, question them and verify that they are an employee.

Impersonation
Impersonation is the practice of presenting oneself as someone else in order to obtain private information. One common attack is to impersonate a delivery person (e.g. a Postal Service employee or a FedEx delivery driver). Impersonating a delivery person is an effective and easy attack because very little acting is involved. When a package is being delivered to your place of business, make sure to verify the credentials of any unfamiliar deliverer.4

How to Protect Yourself

Be sure to do a little social engineering of your own. Train your employees on how to use their workstations properly, how to recognize malicious emails, and how to help protect your systems. A key part of this is training your staff on HIPAA and on how they can support your efforts to keep client information safe. HIPAA security training covers these potential attacks on your systems and much more.

Need help with your HIPAA Compliance and Training Plan? Let Total HIPAA help you today! Contact us at info@totalhipaa.com or call 800.344.6381.

  1. http://www.cisco.com/c/dam/m/digital/1198689/Cisco_2017_ACR_PDF.pdf
  2. http://www.social-engineer.org/framework/general-discussion/social-engineering-defined/
  3. http://www.social-engineer.org/framework/attack-vectors/vishing/
  4. http://www.social-engineer.org/framework/general-discussion/common-attacks/delivery-person/
