Phishing: Popular Sport of Cyber Attackers

Phishing is an attempt to get sensitive information, such as your username and password, through an email sent by what seems to be a trusted company or person. The email usually includes a link that downloads malicious software onto the user's computer or opens a login page made to look like a known website.

Phishing attacks can lead to data breaches of protected health information, so it is very important that everyone in your office can identify a phishing attack and knows what to do if they receive one, says security consultant Katie Lay, co-author of TMA's publication, HIPAA Security: Compliance and Case Studies.

What may a phishing email message look like?

[from] Facebook (
[subject line] Your Account

As part of our ongoing effort to improve security, we regularly conduct user-activity reviews in our Facebook system. We are contacting you because we noticed some unusual account activity that may violate Copyright laws. 
Please folow the link below to fill out our Copyright Law Form to confirm your legal right to use the images and text used in some recent status updates:  
Note: If you don't fill out the form, your account will be permanently disabled.  

Facebook Copyright Team

How can you spot a phishing attack?

  • Suspicious sender email address in the "from" field: Reputable companies normally don't use public email services like Yahoo. Email addresses like this are a clear red flag that the email is fake.  
  • Spelling and grammar: Since many cyber attacks come from foreign countries, phishing email may have spelling and grammar errors. In the message above, "follow" is misspelled "folow."
  • Links in an email: If you see a link in an email, don't click on it. Rest your mouse (but don't click) on the link to see if the address that appears in the email matches the address that will open in your browser. If you can't tell whether the embedded address differs from the one displayed in the email, copy the address and paste it directly into your Internet browser address bar.
  • Threats: Threats to close your account or take other action if you don't click on the link are a common trick cyber criminals use to get you to click on the phishing link.
  • Also watch out for:
    • Attachments: Never open an attachment in an email unless you are sure who the sender is. Attachments are another way to deliver malicious software.
    • Uncharacteristic subject lines or messages: Phishing emails can come from the email account of someone you know, if that account has been hacked. If the subject line or message seems odd for that sender, view the email with suspicion.
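Two of the checks above, the public-mail-service sender and the link whose visible text names one site while its address goes to another, can be automated for a mail gateway or a help-desk triage script. The following is an added example written for this article, not code from TMA or its publication; the free-mail domain list, the sample message, and every address and host name in it are constructed for illustration, and the "owning domain" comparison is a deliberate simplification (last two labels, no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public mail services that a company would not normally send official mail from.
# Assumed starter list for this example; extend it for your own environment.
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}

# Visible link text that reads like a URL or host name (no spaces, has a TLD).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def owning_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list is used,
    so 'bank.co.uk' reduces to 'co.uk'; good enough to compare two hosts here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_flags(from_header):
    """Red flags in the From: header: mail sent from a public web-mail domain."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    flags = []
    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"'{display_name or address}' sends from public mail service {domain}")
    return flags


def link_flags(html):
    """Links whose visible text names one site but whose href goes to another."""
    parser = _AnchorCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain words like 'click here' make no claim about the destination
        shown = text if text.lower().startswith("http") else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        actual_host = urlparse(href).hostname or ""
        if owning_domain(shown_host) != owning_domain(actual_host):
            flags.append({"shown_host": shown_host, "actual_host": actual_host, "href": href})
    return flags


def analyze_email(raw_message):
    """Parse a raw message with a text/html body and return both sets of flags."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender_flags": sender_flags(msg.get("From", "")),
            "link_flags": link_flags(body)}


# Constructed sample modelled on the message quoted above; the addresses and
# host names are invented for this example.
SAMPLE_EMAIL = """\
From: Facebook <facebook-copyright-team@yahoo.com>
To: frontdesk@clinic.example
Subject: Your Account
Content-Type: text/html; charset="utf-8"

<p>Please folow the link below to fill out our Copyright Law Form:</p>
<p><a href="http://facebook-copyright-check.example/login">www.facebook.com/copyright</a></p>
<p><a href="https://www.facebook.com/help">Facebook Help Center</a></p>
"""

if __name__ == "__main__":
    for kind, items in analyze_email(SAMPLE_EMAIL).items():
        for item in items:
            print(kind, item)
```

Run as a script, it reports the yahoo.com sender and the first link, whose text says www.facebook.com but whose address is a different domain; the second link is not flagged because its text is ordinary words and so claims no destination. The same mismatch is what the "rest your mouse on the link" check reveals by hand.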

What do you do if you suspect a phishing email?

Contact the company/person directly: If you are concerned that the request may be legitimate, contact the company or person directly through verified contact information, such as the contact information on the company's website.

Notify your information technology (IT) staff member/HIPAA security officer: Notify the appropriate person(s) of the phishing attack. Identifying whom to notify and how to prevent phishing attacks should be part of your HIPAA Security Risk Management Plan. Whoever handles your practice's IT can block email addresses and the website address in the phishing email to prevent future attacks from the same source.

For more information about elements of a comprehensive HIPAA compliance program, HIPAA Security: Compliance and Case Studies is available in the TMA Education Center.

 Revised Jan. 9, 2018


Last Updated On: May 30, 2019
