Select Page

CIO QUARTERLY REPORT — May 2023

  1. Archives
  2. May 2023

Don’t Take the Bait: Smarter Phish Are Harder to Catch

If you’re like most people, your devices are getting flooded with more suspicious emails and text messages than ever before. Cybercriminals are trying smarter tricks to lure you in, get your personal information and access our HM patient information and corporate systems and your personal data.

While HM blocks more than one million attacks a day, cybercriminals continue to employ more sophisticated hacking methods. To continue to keep our patient and corporate data and systems secure and your personal information safe, be sure to stay alert and always remain vigilant.

“The sad truth is, the sharks are out there,” said Barry Becket, HM chief information security officer. “We must stay on the lookout for anything that looks suspicious. Keeping these criminals out of our systems is a continuous battle, and one in which everyone has an essential part to play.”

More types of phish in a deeper sea.

Phishing, the use of fake emails to trick you into sharing personal information or system credentials, remains the most common way cybercriminals try to hack HM and you. They impersonate a trusted source and lure you into providing information you would otherwise not share.

As a rule, you should always check the email address of messages that ask you to click a link or open an attachment.

“These types of attacks have become increasingly sophisticated — making them more dangerous — and more common,” according to CNBC. Some of the new types of phish include:

Spear phishing

Spear phishing messages appear to be more personal, and thereby more legitimate, because they include details that get your attention or appeal to you. The message may include your name, bank, job title or the name of your manager, co-workers or friends. They might also use information that is known to be an interest to you, like current events or purchasing a new car. Once you believe the message is real, you may become more apt to click a link or share private information.

Whaling phishing

Whaling attacks take spear phishing to the next level by impersonating an executive or senior leader who has influence over you. The message appears simple ─ a request from your boss. In this case, cybercriminals are playing on your willingness to follow instructions from someone in a place of authority. As always, validate the sender’s email address (or phone number, if a text). If someone like Dr. Boom or other HM executives are suddenly sending you text messages and they have never done that before, it is probably fake. If you’re unsure, use an address or phone number you know to confirm.

Mirror phish

Cybercriminals are adapting the content in these phish messages to mirror or look like real corporate websites. They will even go so far as using logos and designs you’re familiar and comfortable with. This is all to hide malicious code and steal your information. The use of artificial intelligence and “deep fakes” has made the ability to catch some phish even more challenging.

According to analysis by Ironscales, more than 50,000 fake login pages were identified in the first half of 2020, spoofing 200 of the world’s biggest brands, including Amazon, eBay, Facebook, Microsoft and PayPal.

Even the FBI and IRS have not escaped the grasp of cyber spoofers. In 2020, more than 50,000 Microsoft Office 365 accounts were targeted with a phishing campaign that spoofed the U.S. Internal Revenue Service domain to get victims to send money.

These criminals may also send you a text (smishing) or impersonate a company representative (vishing) and ask you to click a link or visit a fake website. You may think they’re helping you, but in fact, you’re a target to their schemes. 

Using the tools in our security tackle box.

To keep HM safe, never click on a text, email or search result link from someone you don’t know or can’t confirm. HM and our IT Service Desk will never ask you for your network password or ask you to visit any websites to click on links or download information.

More security reminders:

  • Use complex passphrases, with at least 15 characters and a mix of letters, numbers and symbols.
  • Never reuse your HM password outside of work or use your personal passwords at work.
  • Use a password manager, like LastPass, to keep track of your passwords.
  • Use multifactor authentication whenever possible.
  • Save and use favorites and bookmarks to valid sites, instead of following provided links.
  • Call customer service and service desk representatives back, using verified phone numbers, to ensure you’re speaking with legitimate representatives.
  • Recognize and report phishing (email) and smishing (text) attempts. For HM emails, look for EXTERNAL sites and use the Report Suspicious button.