Shawn Nelson, Glatfelter Insurance Group Director of Information Security

Email has evolved into a mission-critical business function for many senior living organizations, and for this reason, it has also become the key mechanism used by cybercriminals to gain access to protected systems. One of the primary methods used is a simple technique called “phishing,” which is an attempt to acquire sensitive information by masquerading as a trustworthy source.

In January 2017, American Senior Communities fell victim to phishing when the scammer requested employee W2 forms.

“The payroll processor responded to the authentic-looking e-mail by furnishing the requested information,” American Senior Communities’ statement said.

Phishing scams have become increasingly sophisticated over time and now almost always look legitimate, which makes it much harder for employees of senior living facilities to know which emails are safe to interact with and which are not. With one click, you could open an attachment or click on a link that allows cybercriminals to access confidential patient and facility information.

Learning to navigate the depths of cyber security isn’t impossible. Here are some red flags to watch for that will help you stay free of the phishing net:

If any of the statements below are true, delete the email or use extra caution before opening it:

• You do not know the sender of the email.
• The email asks for personal or financial information.
• The email asks you to respond immediately or makes an urgent request for information.
• The email includes upsetting or exciting statements, which are usually false, and requests that you act quickly.
• The email asks you to open an attachment or click on a website link that you were not expecting. The pretext could be an article or video on any number of intriguing topics, such as current social events, news tragedies or holiday sales. Other common forms are a notification of fraudulent charges on a credit card or a warning that a cell phone or email account has been locked.

The easiest way to avoid falling victim is to delete any emails that could be identified as suspicious. If an email looks legitimate or is from a valid sender, consider the following safety tips:

• Never send financial or personal information (account numbers, Social Security numbers, credit card numbers, IDs and passwords, tax identification numbers, etc.) via email unless a form of email encryption is being used. Encryption scrambles the message so that only the intended recipient can read it.
• Verify that links embedded in emails direct you to the website you expect. Do this by placing the cursor over the link without clicking it; the real destination address is shown in a tooltip or in the status bar of the email client or browser, and it should match the address the email claims to link to.
• Contact the sender to verify that the email was legitimately sent to you.
• Instead of clicking on the link provided in the email, contact the sending party to obtain their legitimate website address and manually type it into the web browser.
• Consider using separate email accounts: one for business, one for financial institutions, one for friends and family and one for subscriptions and registrations.
• Run a firewall and anti-virus/anti-malware software on all computer systems. These products usually require a subscription, and it is important to keep them and their detection definitions up to date.
• Use a different, complex password for each account that is tied to an email address. Reusing the same password across multiple accounts means that if that credential is stolen, every account using it is compromised.
• Never reply to a suspicious email, as doing so confirms to the sender that your email address is active.
• When using hosted email services (Yahoo, Gmail, Outlook, etc.), enable two-step verification. This means that after the password is entered, a prompt will appear asking you to enter a randomly generated code sent to a mobile device.
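The "hover over the link" check above can also be done programmatically, which is useful for a mail administrator who wants to screen messages before they reach staff. The following is an added example and is not code from the article or from Glatfelter Insurance Group. It uses only the Python standard library; the HTML email body is a constructed sample, and the function and variable names are the author's own choices, not an API of any product.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not taken from any real message).
# The first link shows one address but actually points somewhere else, which is
# exactly what hovering over the link would reveal.
SAMPLE_BODY = """
<p>Your account has been locked. Please <a href="http://login.example-secure.net/reset">
visit https://bank.example.com/login</a> immediately to restore access.</p>
<p>Questions? See <a href="https://bank.example.com/help">bank.example.com/help</a>.</p>
<p>Or <a href="https://bank.example.com/help">click here</a>.</p>
"""

# Matches a URL or bare domain name appearing in the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<]*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so line breaks inside the tag do not matter.
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None
            self._text = []


def hostname_of(value):
    """Return the lower-cased host name of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value  # urlparse needs a scheme to find the host
    return (urlparse(value).hostname or "").lower()


def find_mismatched_links(html_body):
    """Return (visible_text, real_host) for each link whose displayed domain
    differs from the domain its href really points to.

    Links whose text is plain wording ("click here") carry no domain to
    compare against and are not reported; the hover check is still the
    right step for those.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        match = URL_IN_TEXT.search(text)
        if not match:
            continue
        shown_host = hostname_of(match.group(0))
        real_host = hostname_of(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append((text, real_host))
    return findings


if __name__ == "__main__":
    for text, real_host in find_mismatched_links(SAMPLE_BODY):
        print(f"Link text says {text!r} but really goes to {real_host}")
```

The comparison is deliberately strict: the displayed host and the real host must match exactly, so a legitimate message that shows `bank.example.com` while linking to `www.bank.example.com` would also be reported. That is the conservative choice for a screening aid: a report means "treat this link the way the article says to treat an unexpected one, and type the address in by hand", not "this message is malicious".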

If you or an employee becomes victim of a phishing scam, don’t panic. These strategies may help:

• Notify your organization's IT department or IT vendor so that any incident response plan (IRP) in place can be activated.
• Scan the system with anti-virus or anti-malware software.
• Change the passwords of any accounts that used the compromised credentials.
• Monitor any compromised accounts for suspicious activity or fraudulent charges.
• If financial account credentials were compromised, notify the appropriate financial institution or organizational representative.

It is important for senior living organizations and their employees to know that they are not immune to cyber criminals. Knowing the realities of this risk and having a contingency plan that all employees understand can keep you and your organization free of the phishing net.

Shawn Nelson is the Glatfelter Insurance Group Director of Information Security.