Gone phishing: Recognizing Cybersecurity Awareness month.
Houston Methodist employees went phishing in October. Together we reeled in 22,408 phish. To recognize Cybersecurity Awareness month, each week we tried to lure you in with phishing drills designed to get you to take the bait and click the email links. Phishing drills are planned training emails sent to test our ability to recognize and report suspicious email. On average, 10.8% of HM employees reported the five October phishing drills, and only 2.8% clicked the links or attachments, a big improvement on the 16% click rate when we ran three phishing drills in October 2021.
According to the FBI, an estimated three billion phishing emails are sent every day and one in every five people will click links in those suspicious emails. At HM alone, our IT security team blocks over one million attacks daily. Phishing continues to be cybercriminals’ method of choice, mainly because it’s easy, cheap and often effective.
Keeping it reel: Our stats.
To recognize Cybersecurity Awareness month and teach you how to catch phishing scams, we sent out weekly phishing drills. Let’s take a week-by-week look at the October phishing drill stats.
Week 1: (3% clicked and 9% reported it)
The Bait: An email from Apple regarding a recent purchase from a device that “had not previously been associated with an Apple ID.”
Red Flags: There were spelling and grammar errors, and the Apple logo had two apples instead of one. Small changes to a corporate logo are often an indicator that the sender is not who they claim to be.
Week 2: (4% clicked and 12% reported it)
The Bait: This drill pretended to come from Microsoft Intune with high urgency behind it.
Red Flags: Cyberattackers try to get you to act quickly, before the email is detected and reported by others. In this case, it used language like “non-compliant” and threatened to take away access to HM resources. HM IT could legitimately send you a message about keeping your devices up to date, but this one came from an external sender. Most of our IT emails come from itinformationupdate@houstonmethodist.org.
Week 3: (2% clicked and 10% reported it)
The Bait: An urgent request to change your password with the threat that if you didn’t click a link to change it within 24 hours, your email access would be terminated.
Red Flags: Strong language intended to scare you into action is often a giveaway for a scam. While HM IT takes security and password changes seriously, requests to update your password have a grace period and always come from an internal address. This phishing drill came from activation@office3889.com and was labeled as coming from an external source.
Week 4: (2% clicked and 10% reported it)
The Bait: This phish had the subject line, “Amazon Would Like Your Feedback” and it promised a $50 gift card if you completed a survey.
Red Flags: This is a good example of “if it sounds too good to be true, it probably is.” The other red flag was the sender’s address (amazon-gc-offer@cardservices.online). Its domain has nothing to do with Amazon, it ends in .online rather than the familiar .com or .org, and it is a long, complicated address for a corporation like Amazon to use. It was also flagged as an external sender.
Week 5: (3% clicked and 13% reported it)
The Bait: This drill was a “Microsoft” software update with a warning for you to take action now or be locked out of your account.
Red Flags: The urgency in this drill was the main red flag, but did you notice the other subtle, but commonly used, red flag? The sender appeared to be softwareadministration@microsoft.com. Look closely: in the phish, the “m” in Microsoft was actually a lower-case “r” followed by a lower-case “n” (rnicrosoft). Cyberattackers use this trick because “rn” looks like “m” in many fonts, which makes the address look authentic. Hovering over the sender’s name reveals the actual address; in this case it was softwareadmin@internalitsupport.com.
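The sender-address red flags from weeks 2 through 5 (an external domain, look-alike spelling such as “rn” for “m”, a real address hidden behind a display name that shows a different one, an unfamiliar top-level domain) can be turned into a mechanical check. The following Python is an added example written for this article, not a tool HM IT uses. The brand list, the familiar-TLD list and the look-alike letter pairs are assumptions chosen for illustration, and the sample headers are constructed from the addresses quoted above rather than captured from real mail.

```python
import re
from email.utils import parseaddr

# Houston Methodist's own mail domain, from the article. Anything else counts as external.
INTERNAL_DOMAINS = {"houstonmethodist.org"}

# Brands the October drills impersonated. Assumed list for this example.
BRAND_DOMAINS = {"microsoft.com", "apple.com", "amazon.com"}

# Top-level domains most readers recognise on sight. Assumed list; any other TLD is flagged.
FAMILIAR_TLDS = {"com", "org", "net", "edu", "gov"}

# Letter pairs that render like one different letter in proportional fonts ("rn" reads as "m").
LOOKALIKE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

# local-part@domain, capturing the domain; the domain must contain at least one dot.
_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def skeleton(domain: str) -> str:
    """Collapse look-alike letter pairs so 'rnicrosoft.com' compares equal to 'microsoft.com'."""
    s = domain.lower()
    for pair, letter in LOOKALIKE_PAIRS.items():
        s = s.replace(pair, letter)
    return s


def is_lookalike(domain: str) -> bool:
    """True when a domain is not a real brand domain but collapses to the skeleton of one."""
    domain = domain.lower()
    return domain not in BRAND_DOMAINS and skeleton(domain) in {skeleton(b) for b in BRAND_DOMAINS}


def check_sender(header_from: str) -> list[str]:
    """Return the red flags raised by the raw value of a From: header (empty list = none)."""
    display, addr = parseaddr(header_from)
    m = _ADDR_RE.fullmatch(addr)
    if not m:
        return ["no parseable sender address"]
    actual = m.group(1).lower()
    flags = []
    if actual not in INTERNAL_DOMAINS:
        flags.append(f"external sender ({actual})")
    if is_lookalike(actual):
        flags.append(f"look-alike domain ({actual})")
    # Week 5 trick: the display name carries an address of its own, so the reader sees one
    # sender while the message really comes from another.
    shown = _ADDR_RE.search(display)
    if shown:
        shown_domain = shown.group(1).lower()
        if shown_domain != actual:
            flags.append(f"display name shows {shown_domain} but mail is from {actual}")
        if is_lookalike(shown_domain):
            flags.append(f"look-alike domain in display name ({shown_domain})")
    tld = actual.rsplit(".", 1)[-1]
    if tld not in FAMILIAR_TLDS:
        flags.append(f"uncommon top-level domain (.{tld})")
    return flags


# Constructed From: headers modelled on the addresses quoted in the article (not captured mail).
SAMPLE_HEADERS = {
    "genuine HM IT": "IT Information Update <itinformationupdate@houstonmethodist.org>",
    "week 3": "activation@office3889.com",
    "week 4": "amazon-gc-offer@cardservices.online",
    "week 5": '"softwareadministration@rnicrosoft.com" <softwareadmin@internalitsupport.com>',
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label}: {check_sender(header) or ['no red flags']}")
```

Running the block prints the flags for each constructed header: the genuine IT address raises none, while the week 5 header raises both the display-name mismatch and the rnicrosoft look-alike. The skeleton match is deliberately narrow, catching only the letter-pair substitutions listed, so it complements rather than replaces the external-sender label and the Report Phish button.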
Good catch: Ten employees win Apple AirPods.
Thank you to the 22,408 people who participated in and reported the October phishing drills. As an added incentive, each week we drew two winners from the list of employees who correctly reported the drill and rewarded them with a pair of Apple AirPods Pro. Here are the winners:
- Joy Banks, RN II, HMTW
- Darrell Beck, MRI Technologist II, HMTW
- Amanda Essary, Radiologic Technologist RT(R), HMWB
- Tanya Kamphuis, Sr. Business Analyst for Epic Continuous Improvement, Corporate
- Tim Kistner, Paralegal, Corporate
- Irene Kenny, Project Specialist, HMH
- Casey Polk, RN II ADN, HMTW
- Alessandra Rodriguez, Sr. Patient Services Representative, HMH
- Imani Smith, Laboratory Technician, HMH
- Victor Valenciano, Health Information Management Specialist, HMWB
Seems a bit phishy to me: Pro tips.
Ultimately, it’s everyone’s job to keep our data safe. No matter where you are (at home, at school or at work), practicing cyber hygiene is critical. Here are a few best practices:
Be alert for suspicious emails.
Learn how to recognize and report suspicious emails. Read this article for tips. If an email or link asks for credentials such as a username, password or personal information, never enter them. HM IT, banks, schools, etc. should never ask you to share your login or password information.
To report a suspicious email, click the Report Suspicious button located in the header of all emails sent from someone outside of HM or click the Report Phish button on your Outlook toolbar (visible when you open an email).
Update your HM password.
The password requirements have been updated. Here are the full requirements and the ways to change your password.
Your password must contain at least 15 characters and at least three of the following four character types:
- Uppercase letter (A through Z).
- Lowercase letter (a through z).
- Number (0 through 9).
- Special character: (~!#$%^&*_-+=`|\(){}[]:;"'<>,?/).
Your password must not include:
- Your name.
- Your HM username/ID.
- The Houston Methodist name.
- Common words like Astros, Houston, Methodist, Texans, etc.
- Any of your previous five passwords.
Here are three ways to change your password:
- Click this link.
- If you’re on-site or on VPN and have an HM-owned Windows PC (not a Mac), press Ctrl+Alt+Delete and select Change a password.
- Call the IT Service Desk at 832.667.5600 and press 1.
Use strong passphrases.
No, that’s not a typo. Passphrases are like passwords, but they are harder for cyberattackers to guess. They are made up of random, unrelated words, which makes them easier for you to remember and safer at the same time. Important tip: never reuse your work passphrase on your personal accounts. Here are a few examples of strong passphrases that meet HM requirements:
- ARTWALKHAPPY20#
- Season6Penguin!
- $bornrunbatcar88
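The requirements listed above and the three passphrases just given can be checked mechanically. The following Python is an added example written for this article, not HM’s actual password filter. The user name, username and password history it uses are constructed; previous passwords are assumed to be kept as SHA-256 hashes purely to keep the example self-contained; and the curly quotes in the printed special-character list are taken to mean the straight " and ' characters.

```python
import hashlib
import hmac

MIN_LENGTH = 15
HISTORY_DEPTH = 5

# The special characters the article lists (curly quotes read as straight " and ').
SPECIALS = set("~!#$%^&*_-+=`|\\(){}[]:;\"'<>,?/")

# The article's examples of common words; a real deployment carries a much longer blocklist.
BLOCKED_WORDS = ("houston", "methodist", "astros", "texans")


def character_classes(pw: str) -> int:
    """Count how many of the four character types (upper, lower, digit, special) appear."""
    return sum((
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any("0" <= c <= "9" for c in pw),
        any(c in SPECIALS for c in pw),
    ))


def password_hash(pw: str) -> str:
    """Hash kept in password history. Plain SHA-256 is an assumption that keeps this example
    self-contained; a real directory stores history with the same salted, slow hash it uses
    for logins."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, *, full_name: str, username: str, previous_hashes: list[str]) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character types")
    # Each part of the user's name of three or more letters counts as "your name".
    for part in full_name.lower().split():
        if len(part) >= 3 and part in low:
            problems.append(f"contains your name ({part})")
    if username and username.lower() in low:
        problems.append("contains your username")
    # Covers "the Houston Methodist name" and the listed common words in one pass.
    for word in BLOCKED_WORDS:
        if word in low:
            problems.append(f"contains a common word ({word})")
    candidate = password_hash(pw)
    # Only the most recent HISTORY_DEPTH entries count; compare_digest avoids timing leaks.
    if any(hmac.compare_digest(candidate, old) for old in previous_hashes[-HISTORY_DEPTH:]):
        problems.append(f"matches one of your previous {HISTORY_DEPTH} passwords")
    return problems


# The three passphrases the article offers, checked for a constructed user.
EXAMPLES = ["ARTWALKHAPPY20#", "Season6Penguin!", "$bornrunbatcar88"]

if __name__ == "__main__":
    for pw in EXAMPLES + ["Methodist2024!!", "Penguin1!"]:
        result = check_password(pw, full_name="Pat Example", username="pexample", previous_hashes=[])
        print(f"{pw!r}: {result or 'OK'}")
```

All three of the article’s passphrases pass. The last two samples show the failure cases: “Methodist2024!!” is long enough and uses all four character types but contains a blocked word, and “Penguin1!” also uses all four types but is too short, which is the usual reason a short, complex-looking password fails the 15-character rule.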
It just takes one person – thank you for remaining vigilant.
Recognizing Cybersecurity Awareness month served as a reminder that we all play a role in protecting HM patient and employee data from cyberthreats. Be on the lookout for more drills. Thanks for all you do to help maintain the privacy of our patient and employee data and keep our IT systems safe.