How to Protect Your Practice Against Common Phishing Techniques


We all like to feel confident that as technology evolves the threat to our data decreases. In a lot of ways, it has. There are countless recovery services and personal identification measures in place—so many that the idea of sharing the login to your favorite streaming service with a close friend doesn’t sound like much of a risk. Why would it, when cybersecurity has your back? But where there's cybersecurity there will always be cybercriminals waiting.

Cybercriminals often use a technique called phishing, designed to deceive and defraud individuals or large businesses. Phishing sets out to retrieve confidential data such as passwords, credit card info, or social security numbers in order to gain access to your accounts.

Phishing can come in many forms (emails, phone calls, texts, etc.) and the stories they may craft to convince you of their legitimacy will vary. There’s one thing, however, they all have in common: they’re relentless. Thousands of phishing attacks are released every day across the globe, posing as popular sites or reputable businesses, yielding more successful results than you might realize.  

To ensure their success, scammers like to take the easiest route possible. That’s why adequate defenses can deter even the most unyielding offenders. Keep reading to learn what to watch out for and how you can put these tactics in place.

🔒 Locking down your practice data

Today, phishing is the primary weapon used by cybercriminals. Proofpoint’s 2022 State of the Phish Report discovered that over three-quarters (78%) of organizations experienced an email-based attack in 2021. This report revealed that cybercriminals continue to “focus on compromising people, as opposed to gaining access to systems through technical vulnerabilities.” However, you should continue to safeguard your practice with the best tools to fight against a threat before it ever has the chance to pop up on your screen.  

In our previous article, Four Ways to Secure Your Practice Data, you might remember that the first line of defense usually starts with a password. But what if a password isn’t enough?

One simple way you can strengthen your defenses is with Multifactor Authentication (MFA), also known as two-step verification. Along with a strong password, requiring a second form of verification provides an extra layer of protection against a potential threat and can often be configured in your account's security settings. Different search engines, social media platforms, and even your phone will have their own method of implementing MFA—ranging from instant verification codes sent to your smartphone to full facial recognition.

In moments where maximum security may be needed, companies like Amazon Web Services (AWS) take it one step further by offering up to five authentication factors. Known as the most secure, HIPAA-compliant cloud-computing platform available, AWS has several authentication methods that can help both individuals and healthcare providers. That’s why Eyefinity is proud to offer unlimited cloud data storage on AWS, so you can securely access your data anywhere, anytime.

While it may seem excessive, if a cybercriminal gets ahold of your password, MFA makes it that much harder for them to access all your data. If you ask us, those extra steps don’t sound too bad.  

🔎 Spotting a phishing email – tricks to look out for 

One of the strongest forms of defense begins with awareness. Cyberattacks often begin with the individual before heading straight for big business. Whether you’re contacted through email, text messaging, or called directly on the phone, always trust your gut—if something seems off, it’s probably because it is.

Here are several ways to pinpoint the telltale signs that an email is probably phishing:  

  1. “URGENT. CLAIM NOW!!!!” – Loud subject lines like these often get flagged automatically and go straight to spam. Emails urging you to claim unsolicited funds or verify your account often threaten the loss of access to your data if you don’t. These false alerts are almost always an attempt to steal your information or download malware onto your system.
  2. They forgot your name – A generic greeting doesn’t automatically mean it’s a scam, but if a first-time, unknown sender opens with “Hi” or “Hello Customer” with no other identifiable markers, it’s probably safe to send it to the trash.
  3. Spellcheck – The difference between an honest mistake and a phishing message is often in the proofreading. Constant misspellings and grammatical errors are one of the easiest ways to tell that an email likely isn’t coming from a reputable source.
  4. Confirm your sources – Tap on the email address or hover over it with your cursor. Does the sender’s actual address match the domain of the company the message claims to be from? If the answer is no, it’s probably a scam.
  5. Sources that request sensitive information through email – Don’t trust it, ever!
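The checklist above can be turned into a first-pass triage script. The following is an added example, not code from Eyefinity or the original article: it checks a raw email for signs 1, 2, 4 and 5 (urgent subject, generic greeting, sender domain that doesn’t match the brand in the display name, and requests for sensitive data), leaving sign 3, proofreading, to a human. The two messages, the brand-to-domain table and all domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real email) for illustration only.
SAMPLE_PHISH = """From: "Acme Bank Support" <support@acme-bank-verify.example>
Subject: URGENT. VERIFY YOUR ACCOUNT NOW!!!!
Content-Type: text/plain

Hello Customer,

Your account will be suspended. Reply with your password and social security number to restore access.
"""

SAMPLE_LEGIT = """From: "Dr. Lee" <lee@ourpractice.example>
Subject: Re: Tuesday schedule
Content-Type: text/plain

Hi Maria,

Following up on our conversation yesterday, here is the revised schedule.
"""

# Assumed brand -> real domain table; in practice this comes from your own vendor list.
EXPECTED_DOMAINS = {"acme bank": "acme-bank.example"}
GENERIC_GREETINGS = ("hello customer", "dear customer", "dear user", "hi,", "hello,")
SENSITIVE_TERMS = ("password", "social security", "credit card", "ssn")

def phishing_indicators(raw_message, expected_domains=EXPECTED_DOMAINS):
    """Return the list of telltale signs found in a single plain-text email."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display_name, address = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    found = []
    # Sign 1: mostly capital letters plus repeated ! or ? in the subject line.
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7 and re.search(r"[!?]{2,}", subject):
        found.append("urgent subject")
    # Sign 2: first non-empty body line is a generic greeting with no name.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    # Sign 4: display name claims a brand whose real domain differs from the sender's.
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if any(brand in display_name.lower() and sender_domain != dom for brand, dom in expected_domains.items()):
        found.append("sender domain mismatch")
    # Sign 5: the body asks for credentials or other sensitive information.
    if any(term in body for term in SENSITIVE_TERMS):
        found.append("requests sensitive information")
    return found
```

A non-empty result is a reason to stop and verify through a known-good channel, not proof of fraud; an empty result is not proof of safety.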

Unfortunately, phishing emails are not always so obvious, so the next time you’re scrolling through your inbox, try to answer these key questions:  

  • Is the content familiar?  
  • Have you messaged this contact before?  
  • Is the message a direct result of a recent conversation, transaction, or subscription?  

If the answer is “no” to any one of these—don’t click, just delete. It’s not worth risking your financial safety or security to discover what might be waiting for you on the other side.   

👥 Think you’ve already been phished?

Phishing is the most popular form of cybercrime because...well, it works. In 2021, Proofpoint also reported that “83% of survey respondents experienced at least one successful email-based phishing attack, up from 57% in 2020.” So, you’re not alone.  

If you’re uncertain whether patient data has been leaked or you have fallen victim to an attack, no need to panic. Here are a few ways you can act now and set up an IT Disaster Recovery Plan for later:  

  1. Immediately change your passwords. Remember when we said your password is the first line of defense? We meant it. Though an attack can vary from case to case, changing your password the moment you notice misused information or access from an unknown location is the first step to minimizing further damage. And while you’re there, sweep through your other accounts—it might be time to update that streaming service login you may have shared (😉).
  2. The devil’s in the details. To the best of your ability, take note of every aspect of the attack/threat, such as the method they used to contact you, the company they’re impersonating, and their requests. It might not seem like a lot now, but this will certainly come in handy if you have to report back to the authorities in the future.
  3. If in doubt, send it to IT. Before a threat escalates, alert your IT support team. IT is no stranger to these types of breaches and can recommend the best course of action and notify everyone who might have also been attacked. Oh, and don’t forget to include your notes from step 2!
  4. No IT team, no worries. If any records are ever compromised, you can successfully back up your patient files in a cloud-based solution with a built-in disaster recovery plan. Eyefinity's cloud-based software offers 24/7 monitoring so that all security patches are covered – no IT maintenance necessary.

Cybercriminals never stop, so make sure you’re always protected. Phishing messages can appear without warning, but even as hackers develop new methods and refine their techniques, you can be ready to counter them. Staying alert, recognizing phishing signs, and installing an adaptable cloud-based solution are just a few ways you can prevent a cybercriminal from getting a foot in the door.

The world of cybersecurity can be challenging to navigate – learn Four [More] Ways to Secure Your Practice Data and see how Eyefinity’s cloud-based software can help you layer your defenses and safeguard your practice data on and offline. 

Interested in seeing how Eyefinity’s cloud-based software keeps you in control? Request a demo or contact an Account Executive by calling 1.800.269.3666 option 2 for more information.