Editor's note: This popular story from the Daily Briefing's archives was republished on July 16, 2019.
By Allyson Vicars, Consultant, Health Care IT Advisor
In 2016, a staggering 98% of all patient records compromised (according to HHS' Wall of Shame, which tracks data breaches that affected at least 500 patients) were due to hacks. Many of those attacks started in the same way: with an innocuous-seeming "phishing" email that tricked a too-trusting insider into downloading malware, clicking a suspicious link or otherwise surrendering confidential information.
What makes today's attempts at phishing so dangerous? They are increasingly sophisticated. Gone are the days when a perilous email could be easily disregarded due to odd spelling or requests from Nigerian princes. Today's phishing emails are intentionally designed to seem personal, like they come from a colleague or boss, and structured to evoke a sense of urgency so that recipients respond quickly and without much thought.
These trends are reflected in a new analysis from cybersecurity company Barracuda Networks, which looked at the subject lines of over 360,000 phishing emails sent over a three-month period.
The analysis found that, despite the increasing creativity of phishing scams, certain subject lines still pop up time and time again. In fact, nearly 60% of the emails contained the same 50 subject lines—and the most common subject line, "Request," was the subject for over a third of all messages.
Here are their 12 most common subject lines (and the percentage of emails that used them):
Notably, the top email lines play on a sense of familiarity (like asking "Are you at your desk?"), refer to the sender's personal finances (like their direct deposit or payroll), or create a sense of urgency (like "Important" or "Invoice Due") to worry recipients that they may lose money, or their boss's respect, if they don't respond quickly.
Learn more: Check out our cybersecurity cheat sheet series
Phishing emails are a top security threat for health care organizations because of the sheer value of patients' medical identity and protected health information (PHI).
What's more, health care lags behind similarly vulnerable industries in fending off hackers. A 2016 SANS Institute IT Security Spending Trends report revealed that while organizations in the financial services sector tend to spend over 10% of their IT budgets on security efforts, health care organizations spend an average of just 4% to 6% on the same efforts.
Health care is often also, ironically, a victim of its own trusting culture. Hospitals and health systems often rely a spirit of openness and helpfulness in which staff are highly motivated to help others. While this has plenty of benefits, it makes it easier for a scammer to take advantage of trusting health care employees.
Technology can definitely help reduce the risk of a successful phishing attack, and organizations absolutely should consider antivirus software, email filters, and blacklisting and whitelisting sites. (To learn more about some of these strategies, view our cheat sheet here).
But technology alone is not enough. You need each of your employees can make sound decisions in how they navigate the internet and their email. Here are three key ways to build this "human firewall":
It may also be helpful to share real-world examples of phishing attacks that will resonate with staff. Several universities have created online libraries of phishing ploys that can be useful for this purpose, such as Lehigh University's Recent Phishing Examples library. For an infographic you can use to remember key lessons in cybersecurity, download "How to be Cybersecurity Sentinel."
Want to learn more about what you should be doing to bolster your organization's cybersecurity strategy? Check out our cybersecurity cheat sheet series, which outlines what executives in every role should do—and the key questions they should ask—to help their organizations stay secure.
Create your free account to access 2 resources each month, including the latest research and webinars.
You have 2 free members-only resources remaining this month remaining this month.
Never miss out on the latest innovative health care content tailored to you.