Up the creek without a clue? Time to recognize that baited hook

Wednesday, May 30, 2018

A social engineering attack is not something to avoid at an office party. Rather, it's a catch-all term for attacks that manipulate people, rather than technology, into handing over information or access, and we're not immune at work.

The five most common attack types that social engineers use to target their victims are phishing, pretexting, baiting, quid pro quo and tailgating. More than 40% of all information breaches result from social engineering attacks, with 98% of these incidents carried out by phishing, according to the 2017 Verizon Data Breach Investigations Report.

Phishing uses targeted messaging to steal information or gain unauthorized access to computer systems. It's primarily conducted via email but can also arrive as a phone call or voicemail, an SMS text message, or even a social media post. Phishing attempts ask you to provide sensitive information, encourage you to click links, or urge you to download attachments.

When suspicious emails make it through a hospital's technical defenses, employees are the last line of defense, so it is vitally important that staff members with computer access learn to identify and report suspicious emails as potential threats. Purdue Healthcare Advisors offers Phishing Simulation & Security Awareness Education to instruct clinicians, administrators and others with computer access on what to look for and how to respond. Participants learn the warning signs and common tricks by taking part in a phishing simulation platform, which tests an employee's susceptibility to clicking suspicious links, opening unsolicited attachments and sharing information with unverified websites. Point-in-time training is delivered whenever an employee interacts with a simulated phishing message. Monthly security awareness reminders, flyers and training are provided to all active phishing simulation clients. To learn more, contact PHA's Senior Advisor for Health IT, George Bailey.

In the meantime, George urges you and your staff to slow down and examine emails closely before taking action, then make sure to:

  • keep emotions in check. Look out for emotional triggers like surprising headlines referencing a current event, thank-you emails, or unexpected bank notices. Phishers frequently leverage emotions like fear, greed and curiosity.
  • look for warning signs. Does anything in the email seem strange? Was the email sent by an unknown sender? Was it expected or unsolicited? Are there grammar or spelling errors? A "yes" to any of these questions could mean a phishing email.
  • examine the domain name. Some attackers register domains that differ from the real one by a character or two to catch targets off guard. For example, if the correct domain is www.example.com, the phishers may register "examp1e.com" or "example.co", hoping the recipient won't notice the subtle difference. They may also place the real name in front of a domain they control, such as "example.com.account-verify.net"; only the rightmost part of the name, just before the first slash, identifies who actually owns the site.
  • verify the sender. Do you recognize the sender's name and domain? If not, verify the message is legitimate with a quick phone call to a number you already have on file, never one supplied in the email itself.
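The domain and sender checks in the list above are mechanical enough to script against the headers of a message that has already landed in a mailbox. What follows is an added example, not code from the original post or from Purdue Healthcare Advisors' materials: it classifies a domain as trusted, lookalike or unknown (digit substitutions such as "examp1e", wrong TLDs such as "example.co", a trusted name buried in an attacker's subdomain, and one-character typos), then runs that classifier plus the display-name, Reply-To and pressure-language checks over one raw email. The trusted-domain list, the homoglyph table, the urgency word list and the sample message are all constructed for illustration, and the domain splitting assumes a one-label TLD (no public suffix list).

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed for this example: the domains this organisation legitimately mails from.
TRUSTED_DOMAINS = {"example.com", "purdue.edu"}

# Digit-for-letter swaps that survive a quick glance ("examp1e", "g00gle").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Words that lean on fear or urgency; a constructed list, tune it for your own mail stream.
URGENCY_WORDS = ("urgent", "immediately", "suspend", "verify", "24 hours", "action required")


def levenshtein(a, b):
    """Edit distance between two labels; one keystroke away from a trusted name is not a coincidence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """'mail.examp1e.com' -> ('examp1e', 'com'). Assumes a one-label TLD; no public suffix list here."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    d = domain.lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"  # the real domain, or a genuine subdomain of it
    sld, tld = split_domain(d)
    for t in trusted:
        t_sld, t_tld = split_domain(t)
        if t in d:
            return "lookalike"  # real name buried in an attacker's domain: example.com.account-verify.net
        if sld == t_sld and tld != t_tld:
            return "lookalike"  # right name, wrong TLD: example.co
        if sld.translate(HOMOGLYPHS) == t_sld:
            return "lookalike"  # digit substitution: examp1e.com
        if len(t_sld) >= 5 and 0 < levenshtein(sld, t_sld) <= 1:
            return "lookalike"  # one-character typo: exmple.com, exampple.com
    return "unknown"


def check_message(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Run the checklist over one raw RFC 5322 message and return the warnings it raises."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    warnings = []

    display, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rpartition("@")[2]
    verdict = classify_domain(from_domain, trusted)
    if verdict != "trusted":
        warnings.append(f"From domain {from_domain!r} is {verdict}")
        # The display name borrows a trusted brand that the address does not belong to.
        for brand in (split_domain(t)[0] for t in trusted):
            if brand in display.lower():
                warnings.append(f"display name {display!r} claims {brand!r} but address is {addr!r}")

    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        warnings.append(f"Reply-To {reply_to!r} goes somewhere other than the From domain")

    subject = (msg["Subject"] or "").lower()
    pressure = [w for w in URGENCY_WORDS if w in subject]
    if pressure:
        warnings.append(f"subject leans on pressure words {pressure}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([^/\s\"'<>]+)", text, flags=re.IGNORECASE):
        host = host.split("@")[-1].split(":")[0]  # strip userinfo and port tricks
        verdict = classify_domain(host, trusted)
        if verdict != "trusted":
            warnings.append(f"link host {host!r} is {verdict}")
    return warnings


# Constructed sample: a lure aimed at staff of the fictitious example.com organisation.
SAMPLE_PHISH = b"""From: "Example Corp IT Help Desk" <helpdesk@examp1e.com>
Reply-To: recovery@mail-secure-login.net
To: staff@example.com
Subject: URGENT: verify your mailbox within 24 hours
Content-Type: text/plain; charset=us-ascii

Your mailbox is over quota. Verify your password at
http://example.com.account-verify.net/login or read the policy at
https://www.example.com/it/mail-policy
"""

if __name__ == "__main__":
    for warning in check_message(SAMPLE_PHISH):
        print("WARNING:", warning)
```

Every warning the script raises maps to one bullet in the list: the From and link domains to "examine the domain name", the display name and Reply-To to "verify the sender", the subject to "keep emotions in check". It only inspects what the recipient can see; a mail gateway would add SPF, DKIM and DMARC results, which this example deliberately leaves out because the point of the checklist is what a person can verify without them.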

Writer: George Bailey, 765-494-7538, baileyga@purdue.edu

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911
