Don’t Take the Bait: Beware of ‘spear phishing’ attacks through your email

IT & Epic

This message comes from Ballad Health’s IT team. Here is a mock scenario in which someone is victimized by a cybercriminal impersonating a company executive.

George, a social engineer or “hacker,” knows healthcare organizations make it a standard practice to send out press releases for leadership promotions and appointments. He Googles several health systems until he finds Acme Healthcare, which recently hired Elizabeth as the new CEO for Acme’s flagship hospital. Peter works at the hospital and reports up through Elizabeth.

George is preparing a “spear phishing” campaign against Acme Healthcare. Spear phishing is a targeted form of phishing: instead of sending a generic lure to thousands of addresses, the attacker researches a specific organization and impersonates someone in authority, so that team members working under that person act on the request without questioning it.

The Hack

George does some digging online until he finds the naming convention of Acme Healthcare’s email addresses. He then sends Peter an email that pretends to come from Elizabeth, spoofing her address so that the message appears to be internal and from her.

George (as Elizabeth) asks Peter to send him a list of all hospital team members who have access to the organization’s electronic medical record. He says that he is performing a security exercise on behalf of the organization that is designed to ensure only the right people have access to the EMR. Peter sees the email, and it looks legitimate, so he follows the instructions and sends back the list, thinking he is sending it to Elizabeth.

George now has a targeted list of individuals who have access to patient information. His next move is to phish these individuals to try to get their login credentials. With those credentials, George has several nefarious options. He could alter patient records to cause harm to patients, or steal patient information to sell on the black market. He could even infect the electronic medical record with malware, crippling it or bringing it down altogether, and then demand a ransom to restore it. That third option would take more work on George’s part, but he is an experienced hacker capable of taking the right social engineering steps to escalate his privileges.

Don’t Take the Bait

How to avoid this outcome:

  1. Since Peter received a “new” request from a leader who had never engaged him before, he should have hovered over (or clicked) the sender’s name to reveal the actual email address behind it. In a display-name spoof the name reads “Elizabeth” but the underlying address is outside Acme Healthcare; in other cases the mail client shows a different originating or reply-to address, or tags the message as coming from an external sender. Any such mismatch should have alerted Peter that something could be wrong. Peter should then have used the “Phish Alert” button to report the nefarious email to IT Security.
  2. Stop and think about what you are being asked to do. If you receive a request (by email or any other channel) from someone who doesn’t normally send you requests, take the time to verify it out of band: call the person or message them on MS Teams rather than replying to the email itself.
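The hover check in item 1 is really a comparison of the headers a mail gateway already records: who the message claims to be from, where a reply would actually go, which mailbox the envelope came from, and whether SPF, DKIM and DMARC passed. The script below is an added example of those checks; it is not Ballad Health’s code or the “Phish Alert” tool. The two messages, the domain `acmehealthcare.example` and the address `elizabeth@acmehealthcare.example` are constructed for the example and are not real.

```python
"""Header checks behind "hover over the sender address" (added example, not Ballad Health code)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption for this example: the organisation's genuine mail domain.
INTERNAL_DOMAIN = "acmehealthcare.example"

# Matches the spf=/dkim=/dmarc= verdicts a receiving gateway writes into
# Authentication-Results (e.g. "spf=fail", "dkim=none", "dmarc=pass").
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed spoof: the visible From is internal (as in the George/Elizabeth
# story), but replies go to an outside webmail box, the envelope sender is a
# third-party relay, and the gateway recorded SPF and DMARC failures.
SPOOFED_MSG = b"""Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.acmehealthcare.example; spf=fail smtp.mailfrom=mail-relay-example.net; dkim=none; dmarc=fail header.from=acmehealthcare.example
From: "Elizabeth (CEO)" <elizabeth@acmehealthcare.example>
Reply-To: "Elizabeth" <elizabeth.ceo@webmail-example.com>
To: peter@acmehealthcare.example
Subject: Security exercise - EMR access list

Peter, I am running a security exercise. Please send me the list of everyone with EMR access today.
"""

# Constructed genuine internal message: everything lines up and all checks pass.
LEGIT_MSG = b"""Return-Path: <elizabeth@acmehealthcare.example>
Authentication-Results: mx.acmehealthcare.example; spf=pass smtp.mailfrom=acmehealthcare.example; dkim=pass header.d=acmehealthcare.example; dmarc=pass
From: "Elizabeth (CEO)" <elizabeth@acmehealthcare.example>
To: peter@acmehealthcare.example
Subject: Town hall agenda

Peter, agenda attached for Thursday. Thanks, Elizabeth
"""


def _domain(header_value):
    """Lower-cased domain of an address header value, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw, internal_domain=INTERNAL_DOMAIN):
    """Return a list of findings for a raw RFC 5322 message; [] means nothing was flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From"))
    # A display name can say anything; the address behind it must be ours.
    if from_dom != internal_domain:
        findings.append(f"From address {from_addr!r} is not on {internal_domain}")

    # Reply-To pointing elsewhere means Peter's reply (and the EMR list) goes to the attacker.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # The envelope sender (Return-Path) is what the sending server actually used.
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom!r} differs from From domain {from_dom!r}")

    # Anything other than "pass" from SPF/DKIM/DMARC is worth a second look.
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(header)):
            if result.lower() != "pass":
                findings.append(f"{mech.lower()} result is {result.lower()!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(label, "->", assess(raw) or ["no findings"])
```

The spoofed message produces five findings (Reply-To and Return-Path mismatches plus the SPF, DKIM and DMARC verdicts) even though its From address looks internal, which is exactly why "it looks legitimate" is not enough and the out-of-band check in item 2 still applies.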