Spotting a Spoofed Email in Healthcare
By Matt Mellen
Over the past year, healthcare organizations of all sizes have been impacted by cyberattacks. Most of them involve malware of one sort or another. As a former security operations lead at a hospital network in the San Francisco Bay Area, I learned what my research at Palo Alto Networks has confirmed: by far the most common way for malware to make its way into healthcare networks is through spoofed emails.
Spoofed emails are intended to fool the recipient into clicking a link or attachment that is actually malicious. Once the link or attachment is opened, malware is typically downloaded and executed on the hospital workstation. There are plenty of technical approaches to filtering out this type of email, but none are perfect. For that reason, it is always prudent to also educate your staff so they are less likely to click on malicious links and attachments.
I’ll outline a few ‘tells’ or things your staff should look for to spot spoofed emails.
Tell #1. Look for Warning Signs
Before you click a link, look for warning signs that will help you determine its legitimacy. For example, was it sent by an unknown sender? Is it unsolicited? Are there any missing or replaced characters? Is it a shortened URL? If you’ve answered “yes” to any of these questions, you may have received a phishing link.
Tell #2. Unofficial “From” Address
Look out for a sender’s email address that is similar to, but not the same as, a company’s official email address. Fraudsters often sign up for free email accounts with company names in them (such as “hospitalABC@gmail.com”). Users that don’t carefully review the sender’s email may miss the suspicious sending address.
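The following is an added example (not part of the original post) of how a mail gateway or triage script could automate Tell #2: flagging a sender whose domain is a free webmail provider with the organization's name in the local part, or whose domain is similar to, but not the same as, the official one. The official domain "hospitalabc.org", the brand term "hospitalabc" and the list of webmail providers are all constructed assumptions for the illustration.

```python
"""Heuristic check for look-alike sender addresses (added example, not from the post)."""
from email.utils import parseaddr

# Constructed assumptions for the example
OFFICIAL_DOMAIN = "hospitalabc.org"
ORG_KEYWORDS = ("hospitalabc",)
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character substitutions such as l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list[str]:
    """Return a list of findings for a From: header value; an empty list means nothing flagged."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["malformed sender address"]
    local, domain = addr.rsplit("@", 1)
    findings: list[str] = []
    if domain == OFFICIAL_DOMAIN:
        return findings  # exact official domain: nothing to flag at this layer

    # Tell #2: free webmail account carrying the organisation's name (hospitalabc@gmail.com)
    if domain in FREE_WEBMAIL and any(k in local for k in ORG_KEYWORDS):
        findings.append(f"free webmail account with organisation name in local part: {addr}")

    # Similar-but-not-identical domain: brand term inside the domain, or a near-miss spelling
    official_label = OFFICIAL_DOMAIN.split(".")[0]
    sender_label = domain.split(".")[0]
    if any(k in domain for k in ORG_KEYWORDS) or edit_distance(sender_label, official_label) <= 2:
        findings.append(f"look-alike domain {domain!r} (official is {OFFICIAL_DOMAIN!r})")

    # Display name claims the official domain while the address does not use it
    if OFFICIAL_DOMAIN in name.lower():
        findings.append("display name references official domain but address does not")
    return findings


if __name__ == "__main__":
    # Constructed sample headers
    for hdr in ("Records <records@hospitalabc.org>",
                "IT Helpdesk <hospitalabc@gmail.com>",
                "records@hospita1abc.org",
                "Records <records@hospitalabc.org.example-mail.net>"):
        print(hdr, "->", assess_sender(hdr) or "ok")
```

The edit-distance threshold is deliberately loose; in production you would also want a public-suffix list so that multi-label suffixes are compared correctly, and you would pair this with SPF/DKIM/DMARC results rather than relying on the header text alone.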
Tell #3. Emotional Motivators
Fraudsters often prey on emotions to drive users to click on a link immediately. Emotions like fear, urgency, and curiosity are effective and frequently used. Additionally, be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The fraudster is taking advantage of your concern to trick you into providing confidential information. Typical lures include:
- You have a new voicemail.
- Your mailbox is almost full.
- You have a new e-fax.
- We have detected a fraudulent credit card charge.
- Your account has been locked.
- View your invoice.
- Your package is at the front desk.
Tell #4. Generic Content
Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they usually don’t know your name. Be skeptical of emails with a generic greeting like “Dear Healthcare Professional” or “Dear Customer.”
Tell #5. Grammar and Spelling Mistakes
Fraudsters will often make spelling or grammar mistakes when creating a phishing email. If an email sounds unprofessional, this is a red flag that the email may be a fake.
Tell #6. Fake and Obfuscated Links
Phishers include links in their emails to lure you to fake sites that look like the real ones, in order to steal your login credentials, or to sites that will infect your computer with malware. To find out where a link is really taking you, always hover over the hyperlink. If the URL that is displayed is only an IP address, does not match the URL that is shown in the email content, or is long and confusing but includes a familiar term, you are likely looking at a phishing link.
For example: https://login.hospitalXYZ.com.av6shj825.com/login.htm. The familiar term hospitalXYZ.com appears near the start, but the site actually being visited is av6shj825.com.
Next-generation security technologies can stop many threats before they even reach the user, but for those that slip through, whether or not the attack is successful depends on the behavior of the staff. If you educate your personnel on what to look for, they’ll be much less likely to make a mistake and click on that malicious link or attachment.
Matt Mellen is security architect, healthcare at Palo Alto Networks in Santa Clara, CA.