What is Callback Phishing?
CrowdStrike, a third-party cybersecurity firm, recently disclosed a new phishing tech support campaign. Hackers send out a fake email from a reputable cybersecurity firm (like CrowdStrike). The email falsely claims your business had a cybersecurity event and is working with the company’s security department to address a possible issue with the employee’s workstation. The letter asks the employee to urgently call a provided phone number to resolve the issue on their workstation.
If a call is made, the hackers will trick the caller into installing remote desktop software. Once given access, the hacker now has access to the user’s workstation and will attempt to move through the network to initiate a ransomware attack.
A New Version of an Old Scam
This tech support phishing attack is a new twist on an old scam. A May 2022 blog post discussed a FTC alert on Senior Tech Support Scams, which happened to a family member.
It is highly likely that these emails will get into an inbox because they contain no malicious links or attachments which diminishes the effectiveness of spam or anti-phishing filters.
Use your HIPAA training program to increase awareness
Training and education is the most effective method to prevent callback phishing attempts. A phishing reporting policy may be a worthwhile addition to your HIPAA and/or cybersecurity policies. Here are some simple training reminders:
- Do not call the number provided. Assume any email from a well-known cybersecurity firm like CrowdStrike is a phishing email, especially if the email alleges a breach of your environment and requests an urgent call back.
- Follow your organization’s phishing reporting policy. Call or forward the email to your Security Officer and/or IT department and let them handle the matter. If it is legitimate, they will let you know.
- Pat yourself on the back, you just prevented a phishing attack.
Update your HIPAA Security Risk Analysis
Revisit and update your HIPAA Security Risk Analysis. Add callback phishing as a threat where appropriate. Document your anticipated mitigation strategies including training. Lastly, document when each mitigation effort has been implemented, and include dates so progress can be easily understood.
MPA can handle your HIPAA Security Risk Analysis
The HIPAA Security Risk Analysis is a lot to tackle. We all know it’s even more challenging to accomplish during COVID times. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more information.