Welcome back to Protecting Your Practice, a series of articles from Empathic Software dedicated to educating mental health providers about the importance of cybersecurity and simple steps you can take to keep your data safe.
In this article, we'll be discussing phishing, a common tactic cybercriminals use to gain access to sensitive client PHI. By learning to recognize the signs of a phishing scam, you can avoid a cyberattack and ensure your practice remains HIPAA-compliant.
What is phishing?
Phishing is a cybercrime in which someone posing as a legitimate institution lures individuals into providing sensitive data. The most common mistakes employees make when responding to phishing emails are disclosing their credentials or unknowingly downloading malware (malicious software).
Phishing can occur via text, email, or phone call. A scammer will usually pose as a colleague or business (such as a bank, insurance company, or vendor) that you trust.
Phishing is a leading cause of data security breaches in the healthcare sector. Therefore, it is vital that mental healthcare workers know how to recognize a potential phishing scam.
How to Spot a Phishing Scam
Some common ways to identify phishing include:
Spelling or grammatical errors: Professional institutions spell-check! If you receive a message riddled with typos and awkward formatting, this can be a sign of phishing.
Suspicious email address: If you receive a message from a sender whom you don’t recognize or whose email address doesn’t make sense (e.g. a random string of letters and numbers), be extremely careful: this is a telltale sign of phishing.
A request for sensitive information: The sender asks you to confirm sensitive information (e.g. Social Security Number, credit card information) without first verifying their own identity.
Urgency: The sender emphasizes time-sensitivity or threatens to take drastic action if you do not comply immediately (e.g. “Your account will be closed in 24 hours if you do not reply.”) This behavior is not normal for a legitimate institution.
Suspicious links: Cybercriminals use links that install malware on your device when clicked. If you hover over a link and the previewed address looks suspicious or doesn't match the website of the company the sender claims to represent, the message is likely part of a phishing scam.
How to Protect Yourself from Phishing
If you receive a message that seems suspicious, trust your instincts! Don't let threats or time-sensitive requests rattle you into providing your credentials or sensitive information.
Some steps you can take when faced with a potential phishing message are to:
Double-check the sender’s email address to see if it is coming from a legitimate source
Hover over links and see if they are going where they claim they go; do not click links that appear suspicious!
Do not provide any sensitive information without verifying the identity of the person contacting you
If you are still unsure about a message's legitimacy, contact the institution that the sender claims to be representing. Look up and use the official email/phone number, not the one provided in the suspicious message.
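The two checks above that a computer can help with, "does the sender's address come from a source we actually deal with?" and "does the link go where it claims to go?", are shown below as a small triage script. This is an added example, not code from the article or from Empathic Software; the trusted-domain list, the sample email and all addresses in it are constructed, hypothetical values.

```python
"""Added example: programmatic versions of two of the manual checks above,
the sender-address check and the hover-over-the-link check.
Not part of the original article; all sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains this practice legitimately receives mail from.
TRUSTED_SENDER_DOMAINS = {"example-bank.com", "example-insurer.com"}

# Constructed sample message: the display name claims to be the bank, the
# real address and the link target do not.
SAMPLE_FROM = "Example Bank Security <alerts@example-bank-support.net>"
SAMPLE_HTML = (
    "<p>Your account will be closed in 24 hours unless you confirm your "
    'details at <a href="https://example-bank.com.login-verify.net/confirm">'
    "www.example-bank.com</a>.</p>"
)


def sender_domain(from_header: str) -> str:
    """Domain of a From header such as 'Name <user@host>' -> 'host'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Crude 'owner' part of a hostname (last two labels). A simplification:
    a real deployment would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host(url: str) -> str:
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def mismatched_links(html: str):
    """Links whose visible text looks like a web address but whose href
    leads to a different site: what hovering over the link would reveal."""
    findings = []
    for href, text in extract_links(html):
        shown = text if "://" in text else "http://" + text
        shown_host, real_host = _host(shown), _host(href)
        # Only judge text that actually names a site (contains a dot).
        if "." in shown_host and real_host and registrable(shown_host) != registrable(real_host):
            findings.append((text, href))
    return findings


def triage(from_header: str, html: str):
    """Return a list of human-readable warnings for a message; empty means
    neither heuristic fired (which is not proof the message is safe)."""
    flags = []
    domain = sender_domain(from_header)
    if domain not in TRUSTED_SENDER_DOMAINS:
        flags.append(f"sender domain not recognised: {domain}")
    for text, href in mismatched_links(html):
        flags.append(f"link shows '{text}' but goes to {href}")
    return flags


if __name__ == "__main__":
    for warning in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("WARNING:", warning)
```

Run as-is, the script prints two warnings for the constructed sample: the sender's real domain is not on the trusted list, and the link that displays the bank's address points at a different site. An empty result only means these two heuristics did not fire; the manual steps above still apply.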
Phishing is getting more sophisticated, and mental healthcare professionals must be vigilant in protecting their practice and client data from cybercriminals. Take your time to verify requests for sensitive information and remember that legitimate organizations should never threaten or pressure you to give away sensitive information.