Editor's note: This popular story from the Daily Briefing's archives was republished on July 16, 2019.
By Allyson Vicars, Consultant, Health Care IT Advisor
In 2016, a staggering 98% of all patient records compromised (according to HHS' Wall of Shame, which tracks data breaches that affected at least 500 patients) were due to hacks. Many of those attacks started in the same way: with an innocuous-seeming "phishing" email that tricked a too-trusting insider into downloading malware, clicking a suspicious link or otherwise surrendering confidential information.
What makes today's attempts at phishing so dangerous? They are increasingly sophisticated. Gone are the days when a perilous email could be easily disregarded due to odd spelling or requests from Nigerian princes. Today's phishing emails are intentionally designed to seem personal, like they come from a colleague or boss, and structured to evoke a sense of urgency so that recipients respond quickly and without much thought.
These trends are reflected in a new analysis from cybersecurity company Barracuda Networks, which looked at the subject lines of over 360,000 phishing emails sent over a three-month period.
The analysis found that, despite the increasing creativity of phishing scams, certain subject lines still pop up time and time again. In fact, nearly 60% of the emails contained the same 50 subject lines—and the most common subject line, "Request," was the subject for over a third of all messages.
Here are their 12 most common subject lines (and the percentage of emails that used them):
- Request (36%);
- Follow up (14%);
- Urgent/Important (12%);
- Are you available?/Are you at your desk? (10%);
- Payment Status (5%);
- Hello (4%);
- Purchase (4%);
- Invoice Due (3%);
- Re: (3%);
- Direct Deposit (2%);
- Expenses (2%); and
- Payroll (2%).
Notably, the top email lines play on a sense of familiarity (like asking "Are you at your desk?"), refer to the sender's personal finances (like their direct deposit or payroll), or create a sense of urgency (like "Important" or "Invoice Due") to worry recipients that they may lose money, or their boss's respect, if they don't respond quickly.
Why phishing is particularly hazardous in health care
Phishing emails are a top security threat for health care organizations because of the sheer value of patients' medical identity and protected health information (PHI).
What's more, health care lags behind similarly vulnerable industries in fending off hackers. A 2016 SANS Institute IT Security Spending Trends report revealed that while organizations in the financial services sector tend to spend over 10% of their IT budgets on security efforts, health care organizations spend an average of just 4% to 6% on the same efforts.
Health care is often also, ironically, a victim of its own trusting culture. Hospitals and health systems often rely a spirit of openness and helpfulness in which staff are highly motivated to help others. While this has plenty of benefits, it makes it easier for a scammer to take advantage of trusting health care employees.
Three ways to keep your organization safe
Technology can definitely help reduce the risk of a successful phishing attack, and organizations absolutely should consider antivirus software, email filters, and blacklisting and whitelisting sites. (To learn more about some of these strategies, view our cheat sheet here).
But technology alone is not enough. You need each of your employees can make sound decisions in how they navigate the internet and their email. Here are three key ways to build this "human firewall":
- Train all staff on cyber awareness often (more than once a year), and ensure training is relevant by providing regular updates on the latest phishing techniques. Don't just rely on bulletin boards and memos. Implement test phishing campaigns as a way to internally test staff against the latest scam tactics.
- Conduct special training on phishing for senior leadership and finance staff. Staff who have access to the most sensitive, valuable information should have personalized, role-specific training.
- Train staff on what to do as soon as they realize they've fallen for a phish. For example, some organizations instruct their employees to immediately disconnect and unplug their workstation or device and notify IT security personnel (that is, to "isolate and escalate").
It may also be helpful to share real-world examples of phishing attacks that will resonate with staff. Several universities have created online libraries of phishing ploys that can be useful for this purpose, such as Lehigh University's Recent Phishing Examples library. For an infographic you can use to remember key lessons in cybersecurity, download "How to be Cybersecurity Sentinel."
Want to learn more about what you should be doing to bolster your organization's cybersecurity strategy? Check out our cybersecurity cheat sheet series, which outlines what executives in every role should do—and the key questions they should ask—to help their organizations stay secure.