Phishing threats continue to cause problems for healthcare organizations. Investing in phishing defenses has become necessary to stop the theft of patient credentials and protected health information. The Q3 Quarterly Threat Trends Report from Webroot highlighted this problem. In Dec 2016, just over 13,000 phishing websites were created every day, or 390,000 new phishing websites every month. But in Q3 2017, over 46,000 new phishing websites were created each day, or 1,385,000 every month.
According to the report, about 63% of companies had encountered a security incident related to phishing in the last 2 years. Phishing websites are created in large numbers and at speed because they are also quickly detected and added to blacklists. They are usually active for only 4 to 6 hours, yet many users still fall victim to them. Many phishing websites have SSL certificates, so seeing HTTPS in the address does not guarantee that a site is safe.
Aside from using their own domains for phishing, attackers load phishing kits onto many legitimate websites. Duo Security’s report mentioned there were over 3,200 phishing kits spread across 66,000 websites. 16% of those websites used HTTPS. Typically, the phishing kits are loaded into the wp-includes, wp-content and wp-admin paths of WordPress websites, and the images, signin, js, myaccount, home and css folders of other sites. Organizations should monitor file changes in these directories to detect whether their sites have been compromised. They should also use strong passwords and limit login attempts to defend against brute force attacks.
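The file-change monitoring recommended above can be done by hashing every file under the listed directories and comparing against a known-good baseline. The following is an added example, not code from either report; the function names and the constructed sample web root are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Directory names the article lists as common phishing-kit locations.
WATCHED = {"wp-includes", "wp-content", "wp-admin",
           "images", "signin", "js", "myaccount", "home", "css"}

def snapshot(web_root):
    """Map relative path -> SHA-256 for each file under a watched directory."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        # Assumption: in scope if any directory in the path is a watched name.
        if not WATCHED.intersection(rel_dir.split(os.sep)):
            continue
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[f"{rel_dir}/{name}".replace(os.sep, "/")] = digest
    return hashes

def compare(baseline, current):
    """Return sorted added, modified and removed paths between two snapshots."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed web root: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("wp-content/themes/a/index.php", b"<?php // theme ?>")
        write("css/site.css", b"body{}")
        write("uploads/report.pdf", b"outside the watched set")
        baseline = snapshot(root)
        write("wp-includes/signin/login.php", b"<?php // unexpected file ?>")
        write("css/site.css", b"body{margin:0}")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the web server and refreshed after each legitimate deployment, so that any added or modified path reported between deployments is worth investigating.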
So how do organizations prevent phishing attacks? No single solution is enough to stop them. Defenses should combine technological solutions that thwart the delivery of phishing emails and block access to phishing websites. There must be a spam filtering program to lower the volume of emails received. At the same time, a web filtering program should be in place to block access to phishing websites. Web filters should decrypt, scan and re-encrypt web traffic.
Employees must have regular security awareness training. They should be educated on how to prevent phishing attacks and respond to other cybersecurity threats. They should be informed that HTTPS is no longer a reliable indication that a site is secure. Users need to check the domain name to be sure they are going to the intended website.
Lastly, healthcare organizations need to stay up to date with information relevant to their organization. Signing up to receive alerts from threat intelligence services is a good way to stay aware of industry-specific attacks and be ready to deal with them.