Phishing attacks can strike organizations of any size. They are especially frustrating for IT professionals because they exploit a weakness that all organizations have: user error.
Phishing attacks target an organization's employees, sending them emails that carry malware, links to credential-harvesting pages, or some other lure a hacker can use to get inside the organization. Though cheap to run and technically simple, these attacks are especially powerful because all it takes is one employee opening a malicious attachment or typing a password into a fake login page, and criminals have a foothold on your network and access to your data.
Take the phishing scam that targeted hospitals in Texas this January. Medical data security news site PHIPrivacy.net reports on the string of recent attacks that exposed thousands of patients' records to cyber criminals. Within a few months, three hospitals in Texas were hit with phishing schemes, producing a truly Texas-sized cyber attack.
What Is a Phishing Attack?
A phishing attack occurs when an employee receives an email containing a link or attachment that can lead to a data breach. Links typically send users to a look-alike website, or to a proxy that relays the real site while recording everything the employee types, so any password or other private information they enter is captured by the attacker. Attachments often carry malicious software that gives the attacker remote access to the employee's machine and, from there, to the company's data.
In addition, there are two more advanced types of phishing attacks:
- Spear phishing. Unlike bulk phishing, these emails are aimed at a specific person and are crafted to look like they come from someone that person trusts, most often their boss. The reason this works is obvious: employees are much more likely to open an attachment that appears to come from the person who signs their paychecks.
- Social engineering. Strictly speaking, every phishing email is social engineering, but the term is used here for the more researched, and more dangerous, variant. Hackers scrape information about an employee, their role, and their contacts from LinkedIn, Facebook, and other social media sites, then write an email that uses those details and appears to come from someone the employee would normally correspond with. In one recent attack, hackers sent emails designed to look like they came from the company that processed the target's payroll.
In the Texas data breaches, the phishing emails resembled the standard internal requests for patient information that doctors often receive. Once a few doctors had taken the bait, the hackers took control of their email accounts and downloaded thousands of patient files. Apparently, they don't teach you proper cyber security in medical school.
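The tells in a message like the Texas records request are mechanical enough to check by machine: a sender domain that imitates the real one, a Reply-To that quietly points elsewhere, link text that shows one address while the href goes to another, and attachments of the types that usually carry malware. The script below, an added example and not code from the original post or from any of the organizations it mentions, runs those checks over a constructed sample message. The trusted-domain list, the sample email, and the lookalike threshold are assumptions made for the example; the eTLD+1 logic is deliberately crude and a real deployment would use the public suffix list.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the domains the organization trusts as
# senders and link targets. A real deployment loads its own list.
TRUSTED_DOMAINS = {"example-hospital.org", "payroll-vendor.example"}
# Attachment extensions that commonly carry malware when they arrive by mail.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Crude eTLD+1 (last two labels); enough for the example, not for real TLDs.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_of_address(header_value):
    # '"Dr. Smith" <smith@example-hospital.org>' -> 'example-hospital.org'
    address = email.utils.parseaddr(str(header_value))[1]
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    # Levenshtein distance, used to catch typosquats such as examp1e-hospital.org
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = domain_of_address(msg.get("From", ""))
    reply_to = domain_of_address(msg.get("Reply-To", ""))
    if (imitated := lookalike_of(sender)):
        findings.append(f"sender domain {sender} looks like {imitated}")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment {filename}")
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = urlparse(href).hostname or ""
                # Visible text that names a domain must agree with the real target.
                shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
                if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
                    findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
                if (imitated := lookalike_of(registered_domain(href_host))):
                    findings.append(f"link target {href_host} looks like {imitated}")
    return findings


# Constructed sample: a spoofed "internal" records request using a lookalike domain.
SAMPLE = """\
From: "Dr. Alvarez" <alvarez@examp1e-hospital.org>
Reply-To: records@mail-relay.example.net
To: resident@example-hospital.org
Subject: Patient records request - urgent
Content-Type: text/html; charset="utf-8"

<p>Please confirm the patient list at
<a href="http://portal.examp1e-hospital.org/login">https://portal.example-hospital.org</a>
before noon.</p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```

Run stand-alone, the script flags the sample four times: the typosquatted sender, the mismatched Reply-To, the link whose text and target disagree, and the link target that imitates the hospital's domain. Heuristics like these belong at the mail gateway or in a report-phishing add-in; they catch the lazy attacks and buy time for user training to handle the careful ones.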
What You Can Do to Prevent Phishing Attacks
The reason phishing attacks remain so successful is that they prey on user error and ignorance. As these attacks become more advanced and hackers are better able to disguise their intent, we're likely to see more devastating phishing attacks in the future, even as data security efforts improve.
Whether a phishing attack succeeds hinges on an individual user's ability to recognize a suspicious email. At the moment, many of your clients probably don't even know that phishing attacks can now be disguised to look like routine work emails or requests from vendors.
As an IT consultant, one thing you can do is teach clients about these newer types of phishing schemes, explain proper email security procedures (for example, verifying any unusual request for data or payment through a second channel such as a phone call, and checking where a link actually leads before clicking it), and send data security reminders from time to time.
For a more thorough list of client education techniques, see "Don't Forget to Floss Your Passwords: 'Cyber Hygiene' Is the Latest in Data Breach Prevention."
Phishing Attacks Prove That Cyber Liability Never Goes Away
The story of these sophisticated phishing attacks fooling doctors tells an important data security truth: cyber risk isn't going anywhere soon.
While data security software and infrastructure become more advanced, simple human error leads to 30 percent of data breaches, according to the Ponemon Institute's 2014 Cost of Data Breach study.
In this risky environment, IT firms need to protect their liabilities and invest in Errors & Omissions Insurance, a type of malpractice insurance that covers the cost of data breach lawsuits. When a client is hacked and sues their IT professional, E&O Insurance pays for the IT company's legal expenses and damages owed to their client.
For a free quote on this IT risk insurance, submit our online insurance application.