Gretel Egan | June 01, 2018

You Think Phishing Is Terrible? Let's Talk About Spear Phishing

As seen in ITSP Magazine...

With medical records full of sensitive (and high-value) information, it's no surprise that the healthcare industry is a prime target for criminal activity. But what does that extra attention from cybercriminals actually cost the industry? According to the IBM and Ponemon 2017 Cost of Data Breach Study, the estimated cost of a healthcare data breach is $380 per record, more than twice the average across all industries.

The fast-paced healthcare industry stores, manages and shares a large amount of sensitive information daily, and the speed of doing business is taking its toll. In fact, in a recent survey from Accenture and the American Medical Association, 83% of U.S. physicians said they’ve experienced some form of cyberattack, with phishing reported as the most common vector (55%). These attacks not only disrupt back-office activity, they can also interrupt clinical practices and affect patient safety.

Additionally, the Wombat Security 2018 Beyond the Phish® Report found that while end users in the healthcare industry understand topics like social media safety and ransomware avoidance better than their peers in other sectors, they lag in areas like data protection and disposal. That gap matters: the information at stake includes intellectual property as well as patients' Social Security numbers, financial data and medical histories, exactly the data attackers are after.

Cyberattacks have grown not only in frequency and volume but in precision. Although phishing still often takes the form of broad-based attacks, with fraudulent emails sent out en masse, cybercriminals are increasingly opting for a sophisticated and targeted approach to social engineering. Cue: spear phishing.

Spear Phishing Isn’t a One-and-Done Threat

Spear phishing. Even the name sounds violent, and for good reason. These targeted messages are often more personalized and sophisticated than the average phishing email, making them more effective against end users.

All phishing attacks utilize deception and disguise; malicious emails often include familiar logos and social engineering triggers that prompt an emotional response from recipients. Spear phishing messages employ these same tactics but are more tailored in their approach, implementing personalized touches that fool users into believing that the message was designed specifically for them.

Personalization can be as simple as addressing the recipient by full name or as specific as citing a bank account number. Sender spoofing can also make a spear phishing message appear to come from an individual or company the recipient corresponds with regularly. Each of these added "trust tokens" raises the odds that the target acts on the message.
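The sender-spoofing tricks described above can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original article or from Wombat Security; it flags three patterns: a familiar display name arriving from an unexpected domain, a sender domain that is a lookalike of a trusted one, and a Reply-To header that diverts replies elsewhere. The trusted-domain list, the known-sender directory and the three sample messages are all constructed for illustration.

```python
"""Flag common spear-phishing "trust tokens" in email headers.

Added example, not part of the original article. All domains, names and
messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example-health.org", "payroll-vendor.com"}

# Constructed directory of known senders: lowercased display name -> expected domain.
KNOWN_PEOPLE = {"dana cfo": "example-health.org", "billing desk": "payroll-vendor.com"}

# Digits and Cyrillic letters commonly swapped for Latin letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0131": "i",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"})


def normalize_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms and common character swaps."""
    return unicodedata.normalize("NFKC", domain.lower()).translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return trusted
    return None


def spoof_indicators(raw_message: str) -> list[str]:
    """Parse headers and return a list of human-readable spoofing findings."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Known person's display name, but not from the domain we expect.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' expected at {expected}, sent from {domain}")

    # 2. Sender domain that imitates a trusted domain.
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted domain {imitated}")

    # 3. Reply-To pointing somewhere other than the claimed sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} diverts replies away from {domain}")
    return findings


# Constructed sample messages.
SAMPLE_LEGIT = "From: Dana CFO <dana@example-health.org>\nSubject: Q2 numbers\n\nSee attached.\n"
SAMPLE_NAME_ONLY = "From: Dana CFO <dana.cfo@webmail.example>\nSubject: urgent wire\n\nCall me.\n"
SAMPLE_LOOKALIKE = ("From: Billing Desk <invoices@payro11-vendor.com>\n"
                    "Reply-To: invoices@accounts-update.example\n"
                    "Subject: updated bank details\n\nPlease remit to the new account.\n")

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("name-only", SAMPLE_NAME_ONLY),
                          ("lookalike", SAMPLE_LOOKALIKE)]:
        print(label, spoof_indicators(sample) or "no indicators")
```

The edit-distance threshold of 2 trades false positives for recall; two unrelated but similarly named vendors would collide, so in practice these findings should feed a score alongside SPF, DKIM and DMARC results rather than block mail on their own.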

When employees fall victim to spear phishing attacks, they put both themselves and their organizations at risk. A successful attack can lead to malware and ransomware infections, fraudulent wire transfers, credential compromise, data exfiltration, and more. And while broad-based phishing attacks still plague InfoSec teams in all industries, more and more cybercriminals are setting their sights on specific targets and using spear phishing to their advantage.

This is reflected in the analysis of the Wombat Security 2018 State of the Phish™ Report, which found that organizations that experience spear phishing attacks tend to face them on a regular basis. In quarterly surveys of InfoSec professionals conducted as part of the study, 53% of respondents said their organizations dealt with spear phishing attacks in 2017. Of those, most (67%) saw between 1 and 5 attacks per quarter, more than 20% saw 6 to 15 per quarter, and 8% faced 26 or more of these targeted attacks per quarter.

Don’t Rely on Yearly Cybersecurity Check-Ups

Research from the 2017 HIMSS Cybersecurity Survey showed that about half of healthcare organizations rely only on once-a-year security awareness training to educate their users about existing threats and the best practices they should apply to identify and avoid them. For an industry swimming in sensitive information, an annual cybersecurity check-up just won't cut it.

Healthcare organizations should be more proactive about maintaining a healthy level of cyber hygiene among their end users in order to protect confidential organizational and patient information. In this era of continuous, unexpected, and tailored attacks, infrequent and passive training exercises will not prepare healthcare end users to counter persuasive social engineers.

Security awareness and training programs are like preventative medicine: regular attention and the adoption of good habits can improve behaviors day-to-day and minimize catastrophic consequences further down the road.
