The Next Great Phishing Opportunity

By Robert Uomini, Ph.D.
For many years, financial institutions, from the smallest local savings and loans with a few hundred depositors to nationally known banks with tens of millions of retail customers, have been plagued by spoofers: individuals and organizations masquerading as banks or other trusted entities in order to capture customers' credentials, log in to the bank's portal as the customer and empty the account. This practice is known as phishing. The modus operandi of these cyber-criminals is always the same: send an e-mail to the intended target claiming that the target's account has been compromised and directing them to log in and change their password. The e-mail will usually carry the logo of the spoofed entity and a link to a Web site that may look exactly like the entity's own, but when the user enters her credentials there, they are silently captured and then used to log in to the user's real account and drain it.

According to a report by RSA, in 2013 there were 450,000 phishing attacks worldwide, resulting in financial losses of over $5.9 B, not counting the damage to the reputation of the financial institutions involved and to the trust of their customers.

Fortunately, the spoofing of banks and other financial institutions has received so much press in recent years that when users receive an e-mail that appears to be from their bank and asks them to log in to "fix" some sort of problem, they are usually wary and may phone their bank to confirm that the message really did originate there (a primitive form of out-of-band verification of the message). However, spoofers continue to refine their techniques and their attacks keep growing more sophisticated, so, like cockroaches, they never seem to be completely eliminated.

The latest efforts at spoofing are now being directed at healthcare providers. This should come as no surprise. Because healthcare providers have heretofore been targeted less often than financial services, they have been less proactive in protecting against spoofing. As a result, hackers view patient data as low-hanging fruit with tremendous payoff potential: whereas compromising a banking customer's account yields a single payoff (the contents of that account), which ends as soon as the password is changed, getting hold of a medical record yields access to many accounts, since the key information it contains (Social Security number, driver's license details, date of birth, etc.) can be used to take over the patient's existing accounts or to open new credit accounts in the patient's name, for which the patient is then held liable. Unlike a password, that information cannot be reset after it leaks.

“No industry has been hit harder by hacking and data breaches than health care.”
– CNN Money, August 2014

Phishing for personal information is especially insidious here. Patients think nothing of, and may even expect, an e-mail from their doctor telling them their lab results are in, or something else of a personal nature, and directing them to log in to the provider portal to view it. Moreover, many people underestimate the risk of revealing personal information to untrusted parties, not realizing that, in the worst case, they could become victims of the kind of identity theft described above. Cyber-criminals also target the employees of healthcare providers. Earlier this year Tacoma's Franciscan Health System was broken into and 12,000 patient records nationwide were potentially exposed. The break-in started with a spoofed e-mail, appearing to come from the parent company (CHI), that asked Franciscan employees to visit another site, where they entered their user names and passwords.

So this is the big bonanza, the next great opportunity for cyber-criminals: spoofing healthcare providers, starting with the largest ones. Protecting against this threat is not straightforward, because an adequate solution must equip the patient as well as the provider with the necessary technology, and healthcare providers generally do not have the mindset for that kind of task. Without a concerted defense, however, we can only expect the problem to get much worse and to wreak the same kind of havoc on the reputation of the healthcare industry, and on the finances of its patients, that it has already wreaked on financial institutions and their customers.

One solution is to store the content separately from the message and authenticate the sender before delivering the potentially malicious content. If the message body is kept out of the e-mail itself, then access to it can be managed so that only content sent by an authenticated entity is ever delivered to the recipient. A spoofer who cannot authenticate as the healthcare provider can still send an e-mail that claims to come from it, but the payload (the fake "log in here" page link) never reaches the patient: the envelope arrives empty. In other words, there is technology available right now that stops spoof attempts by preventing the delivery of payloads from unauthenticated senders. This technology, Envelope-Content Splitting (ECS), is a powerful weapon in the war against spoofing and phishing and is available exclusively in ChiaraMail's products. ECS is easy for the sender and recipient to adopt and is inexpensive; once installed, authentication is automatic and does not require the user to enter credentials manually. Note that, as with any sender-authentication scheme, both ends must participate: the provider must send through ECS and the patient's mail client must fetch content through it.
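To make the mechanism concrete, here is a small working model of envelope-content splitting written for this article. It is an added illustration of the general idea, not ChiaraMail's code and not a description of how ECS is implemented. The assumed design is: each legitimate sender registers a secret key with a content store; the e-mail that travels to the recipient carries only an envelope (claimed sender, a content identifier and an HMAC tag); the recipient's client asks the store for the body, and the store releases it only if the tag verifies under the key registered for the claimed sender. Every name below (ContentStore, Envelope, the sample addresses and message texts) is invented for the example.

```python
"""Toy model of envelope-content splitting (added example, not ChiaraMail's ECS).

Assumptions of this model:
  * each legitimate sender holds a secret key registered with the content store;
  * the e-mail carries only an Envelope (no body);
  * the store releases a body only when the envelope's HMAC tag verifies under
    the key registered for the sender the envelope claims.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Envelope:
    """What actually travels inside the e-mail: a pointer and a tag, no body."""
    sender: str       # claimed sender address
    content_id: str   # identifier of the body held by the store
    tag: str          # hex HMAC-SHA256 over (sender, content_id, content)


def compute_tag(key: bytes, sender: str, content_id: str, content: str) -> str:
    """Bind sender, identifier and body together under the sender's key.

    Fields are joined with an ASCII unit separator (0x1f) that cannot appear
    in e-mail addresses or hex identifiers, so the encoding is unambiguous.
    """
    msg = b"\x1f".join(s.encode("utf-8") for s in (sender, content_id, content))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ContentStore:
    """Holds message bodies and the per-sender keys used to authenticate them."""

    def __init__(self) -> None:
        self._sender_keys: Dict[str, bytes] = {}
        self._bodies: Dict[str, str] = {}

    def register_sender(self, sender: str) -> bytes:
        """Enroll a legitimate sender; the returned key never leaves the sender."""
        key = secrets.token_bytes(32)
        self._sender_keys[sender] = key
        return key

    def deposit(self, content: str) -> str:
        """Store a body. Anyone may deposit; only a valid tag can release it."""
        content_id = secrets.token_hex(8)
        self._bodies[content_id] = content
        return content_id

    def fetch(self, env: Envelope) -> Optional[str]:
        """Release the body only if the tag verifies for the claimed sender."""
        key = self._sender_keys.get(env.sender)
        content = self._bodies.get(env.content_id)
        if key is None or content is None:
            return None            # unknown sender or unknown body: deliver nothing
        expected = compute_tag(key, env.sender, env.content_id, content)
        if not hmac.compare_digest(expected, env.tag):
            return None            # tag does not verify: the payload is withheld
        return content


def send(store: ContentStore, sender: str, key: bytes, body: str) -> Envelope:
    """Sender side: deposit the body and build the envelope that goes in the mail."""
    content_id = store.deposit(body)
    return Envelope(sender, content_id, compute_tag(key, sender, content_id, body))


def demo() -> Dict[str, Optional[str]]:
    """Run one legitimate message and two spoof attempts through the model."""
    store = ContentStore()
    clinic = "results@example-clinic.test"          # constructed sample address
    clinic_key = store.register_sender(clinic)

    # 1. Legitimate notice from the clinic.
    legit = send(store, clinic, clinic_key, "Your lab results are ready in the portal.")

    # 2. Spoofer claims the clinic's address but has no registered key, so the
    #    best it can do is tag the phishing body with a key of its own.
    phish_body = "Your account was hacked. Log in at http://portal-login.evil.test"
    phish_id = store.deposit(phish_body)
    forged = Envelope(clinic, phish_id,
                      compute_tag(secrets.token_bytes(32), clinic, phish_id, phish_body))

    # 3. Spoofer replays the clinic's genuine tag but points it at its own body.
    swapped = Envelope(clinic, phish_id, legit.tag)

    return {
        "legit": store.fetch(legit),
        "forged": store.fetch(forged),
        "swapped": store.fetch(swapped),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:8s}: {body!r}")
```

Only the legitimate envelope yields a body; both spoofed envelopes come back empty, which is the whole point: the recipient still receives an e-mail, but the phishing content inside it is never delivered. The recipient never types a password to make this happen, since the authentication is between the sender and the store.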

To make their own e-mail experience safer, users need to demand that their healthcare providers implement a system, such as ECS, that eliminates spoofing, and any business that values its customers needs to protect them from these cyber-criminals.