
Phishing, vishing, smishing: How are cybercriminals finding their way in?

Cyberattacks are getting increasingly sophisticated across the healthcare industry. What are bad actors doing to work their way in?
By admin
Sep 26, 2024, 3:53 PM

The healthcare industry loves a good buzzword-fest, and the cybersecurity community is the perfect place for jargon aficionados to indulge in the hobby. 

For example, neologism lovers have really gone to town when it comes to describing the various ways cybercriminals can use social engineering to gain entry into restricted networks.

“Phishing” is now a commonly understood term describing the act of creating a fraudulent communication to trick someone into revealing sensitive information or clicking a poisoned link. But have you heard of vishing? Or smishing? What about whaling? 

These are all ways to categorize the newest generation of cyberattacks that rely on the fallibility of humans to open up digital doors that ought to stay closed.  Let’s take a closer look at some of these strategies and how they pose significant risks for the unwary healthcare organization. 

Phishing

A classic tactic by now, phishing is a leading cause of data breaches. Targets receive an email or other communication that looks like it’s from a legitimate sender, and are encouraged to click a link or download a file that seems to be relevant to their relationship with that sender. These include requests to reset account passwords or log into portals to address unpaid bills.  

While there are often tell-tale signs that the communication is fake (misspellings and grammatical errors, incorrect sender addresses, or missing security details), these emails can be reasonably convincing to someone who isn’t paying attention or doesn’t know what to look for.  

And they can be incredibly costly. The average cost of a successful phishing attack in 2021 was $14.8 million, a figure that can include fines and settlement money paid to the Office for Civil Rights (OCR) if the government finds certain faults with an organization’s infrastructure or response.  

Whaling and business email compromise

While the majority of phishing targets the general workforce, whaling and business email compromise (BEC) put executives in the firing line.  Categorized as a type of “spear phishing,” which targets a specific person or persona, whaling involves a C-level executive or other influential person.  

This type of attack may include sophisticated tactics such as impersonating other high-profile colleagues, with the perpetrator even going so far as to mine the supposed sender’s public communications or spy on personal conversations to mimic their writing style. 

Putting in all that effort can bring big payouts, often in the tens of millions of dollars as CEOs and other leaders typically have the authority to deal with significant amounts of funding.  

In a similar vein, cybercriminals may engage in BEC, which involves spoofing communications from the C-suite to other members of the enterprise, often directed to those lower down the org chart who are likely to comply with a request from the “big boss,” even if it seems like something strange, such as buying gift cards and sending her the serial numbers. 

Smishing and vishing

Smishing and vishing use text messages (SMS) and voice calls or voice messages, respectively, to trick the victim into handing over information.  

Smishing can take the form of a text from a bank or credit card alerting the target of a fake attempt to authorize a large purchase, a notification of a misdelivered package, or a message from a retail company, such as Walmart or Amazon, offering prizes or deals. It could even be a message, purportedly from a colleague, asking to borrow login credentials to a sensitive system for convenience’s sake. 

Vishing is even more insidious, especially as deepfake technology becomes more advanced. Vishing uses voice communications to try to extort information or money from a target. Such a call could sound exactly like a coworker (or even a loved one) asking for money, login credentials, or other sensitive data.  

Deepfake video chats are even becoming a threat in some situations. In Hong Kong, a worker at a multinational finance firm was tricked into sending $25 million to cybercriminals after the fraudsters used AI technology to clone the voice and appearance of the company’s Chief Financial Officer and colleagues, all known to the victim, during a video chat. 

Clone phishing

Among the most challenging to detect at a glance, clone phishing takes a real email previously sent to a victim and replicates the message almost exactly – but swaps in a malicious link or attachment. The attacker may claim that they forgot to add the attachment originally, or are sending a corrected link, both of which are common practices in everyday email communications. 

Spotting clone phishing requires the target to look closely for small differences in the sender’s email address (including a Reply-To that differs from the From address) and to know how to tell when a hyperlink’s visible text doesn’t match the URL it actually points to.  

Pop-up phishing, social media phishing, angler phishing, evil twin phishing…

…the list goes on. There are dozens of different variations on the theme, with criminals getting more creative and sophisticated every day.  

Cybersecurity leaders need to keep up by constantly refreshing their employee security training to account for the newest trends in cybercrime – and delivering this education to the workforce in a way that keeps them alert to potential fraud across multiple communication modalities. 

As the number of scams increases exponentially, healthcare organizations should consider providing cybersecurity training more than once a year, and implement strategies to create a culture of awareness and responsibility for protecting the integrity and security of the organization. 

Security leaders should supplement this education with investments in industry standard technologies and protocols, such as multi-factor authentication, advanced permissioning and credential management, and regular patching of potentially vulnerable systems. 

This combination can reduce the likelihood of a successful phishing attack and keep the organization secure from bad actors.  


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.

