Select Page

CIO QUARTERLY REPORT — February 2023

  1. Archives
  2. February 2023

Phish Are Biting — Don’t Take the Bait

Hackers keep trying new angles, but Houston Methodist remains watchful

Cybercriminals are trying to lure you in to clicking fake messages and compromising our patient data and corporate systems. In the past two years, we’ve gotten much better at not getting hooked by suspicious emails. Let’s look at our progress:

Getting schooled

We didn’t become wiser overnight — our progress is the result of sending a regular wave of planned phishing drills from external senders containing obvious red flags. Month after month, you’ve become much savvier at spotting the telltale signs of fraudulent phishing attempts like spelling and grammatical errors, overly urgent calls to action and promises of gift cards in return for completing surveys.

You’ve taken these lessons to heart:

  • If something sounds too good to be true, it probably is, so it’s best to avoid it altogether. If you’re suspicious of an email, don’t click on it. You can always click on the Report Suspicious button in the header of your email if you suspect an email might be a phishing attempt.
  • Don’t click on links within emails unless you’re 100% sure they’re safe. Make sure the link address looks legit; you can right-click on the link, copy the address and then paste it into your browser to take a closer look.
  • Take a breath and ask why you’re clicking. Cybercriminals will use psychology to trick you into impulsively clicking without thinking.
  • Pay attention to the sender’s email address. If it’s coming from outside HM, it will be labeled as External and you can click on the Report Suspicious button in the email header.
  • There’s no penalty for reporting a valid email. If it’s safe, we’ll let you know — no harm done, better to err on the side of caution. However, if it is a real phish, the tool will block the email from being sent to other people as well as pull it back from all other inboxes, a crucial process in preventing the spread of the phish.

Don’t let the voice fool you: watch out for vishing

Besides phishing emails, cybercriminals might try to infiltrate our security perimeter with voice phishing, or vishing. This is when an imposter calls pretending to be from your bank or the IRS, for example, with fake alerts about suspicious account activity. Beware of a caller’s demanding tone, requests for confidential information or alleged contact from a government agency when you haven’t requested contact. Don’t feel the need to be polite and carry on a conversation — simply hang up.

Watch out for suspicious smishing text messages

Smishing, also known as SMS phishing, happens through text messages. It’s often effective because most users don’t have antivirus software on their phones. If you have the slightest suspicion, don’t click on any links in a text message. Even if the text message says, “text STOP to stop receiving messages,” never reply. If the phishing message is spoofing a company, call the company directly to ask about the message. Also, you can forward the text to 7726 (SPAM).

Keep reeling them in

Hackers are becoming more sophisticated by the day, dangling shiny lures in front of us in hopes that we’ll pull on their lines. We’re learning that the bait is not really dinner, but danger. These phishing predators won’t release our data if they catch one of us. We all must remain vigilant and stay alert to protect our precious patient data and corporate systems.