
Recognizing and Reporting Phishing Attempts

Since the advent of widespread work-from-home conditions, phishing has increased markedly. In phishing, cybercriminals pose as trusted entities to steal money or information that can be used or sold for personal gain. According to Verizon's 2021 Data Breach Investigations Report, around 25% of all data breaches involve phishing and 85% of data breaches involve a human element. A study conducted by IBM found that the healthcare industry, though not always right at the top of the “most breached” lists, suffered the most in terms of the cost of a breach.

Common forms of phishing include:

  • Email phishing: The most common type of phishing uses email to try to get its targets to download malicious code either by saving and opening a file or clicking on a link. Phishing emails may contain poor grammar or spelling.
  • Spear phishing: This common type of attack uses information about its target, usually gathered from the dark web, to create a convincing message. These messages may claim to be from your Human Resources or Information Technology departments. According to Security Boulevard, 95% of all attacks that target enterprise networks are caused by successful spear phishing.
  • Whale phishing: Also known as CEO phishing, this method targets wealthy individuals or highly placed corporate officers or claims to be from those highly placed corporate officers, using their authority to trick recipients. If you receive an email or text from an Agency official, you should verify its authenticity before acting on it.
  • Smishing: Uses mobile phone text messages in an attempt to get personal information like passwords, Social Security numbers, or bank account or credit card information.
  • Vishing: Uses the telephone, often with recorded messages, generally claiming to be a government agency or high-profile company to try to get money or information from its targets. Remember, the IRS will normally initiate contact through an official letter, and anyone who asks you to provide payment in gift cards is not legitimate.
  • Angler phishing: Also known as social media phishing, angler phishing uses claims of being customer service to lure its targets to contact them. This method imitates legitimate companies, and its website can be extremely convincing. When interacting with a company’s customer service department, never use a link. Look up their official contact information and either call them or type in their web address yourself.

The FTC website provides the following contact information for reporting phishing attempts:

In recent years, phishing attacks against healthcare providers have increased markedly as health information is extremely valuable on the black market. The single most common way phishing succeeds is human error, so it’s important to be able to spot phishing attempts and report them when you do. To minimize your risk of being the victim of a phishing attack and exposing yourself or the Agency, keep these tips in mind:

  • Remember that phishing attacks rely on a sense of urgency in an attempt to get you to respond quickly, without thinking things through. Even a message claiming to be from a boss, coworker, or loved one may be an attempt to get you to send money to a scammer. Never send money, especially electronically or in a non-refundable manner like gift cards or using your cryptocurrency key, unless you are absolutely sure you know who you’re sending it to. If a message claims to be from someone you know, call that person and verify that they made the request.
  • Be aware of emails or texts that have poor grammar or spelling that may indicate they are not legitimate.
  • Hover over links without clicking on them to see where they lead, and read the link carefully to make sure that it doesn’t have misleading characters, like two V’s instead of a W.
  • Make sure that the sender’s email address matches the purported sender. If you receive an email that says your Amazon purchase is delayed, but the return sender is iamabot172384293823@gmail.com, the chances of the email’s being a phishing attempt are 100%.
  • Don’t answer phone calls from numbers you don’t recognize. If it’s important, the caller will leave a message.
  • Never click a link or download a file you aren’t absolutely sure about. Even if it appears to be from someone you know, it’s a good idea to verify that the email came from that person.
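
The sender-address and misleading-link checks from the tips above can also be automated at a mail gateway or in a triage script. The following Python sketch is an added example, not IHS code; the `TRUSTED` allow-list, the `westclinic.example` domain, and the list of confusable character pairs are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list: brand named in a message -> domain it really uses.
TRUSTED = {"amazon": "amazon.com", "west clinic": "westclinic.example"}

# Character sequences that read like another letter at a glance
# (the first pair is the "two V's instead of a W" case).
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))

def skeleton(host):
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

def tail(host, domain):
    """Return the last labels of host, as many as domain has."""
    n = domain.count(".") + 1
    return ".".join(host.lower().rstrip(".").split(".")[-n:])

def sender_mismatch(from_header):
    """Return the brand claimed in the display name if the address is off-domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    for brand, domain in TRUSTED.items():
        if brand in name.lower():
            if addr_domain != domain and not addr_domain.endswith("." + domain):
                return brand
    return None

def lookalike_of(url):
    """Return the trusted domain a link imitates, or None if it imitates none."""
    host = urlsplit(url).hostname or ""
    for domain in TRUSTED.values():
        t = tail(host, domain)
        if t != domain and skeleton(t) == skeleton(domain):
            return domain
    return None

if __name__ == "__main__":
    # Constructed samples; the gmail.com address is the one quoted in the tip above.
    print(sender_mismatch("Amazon <iamabot172384293823@gmail.com>"))
    print(lookalike_of("https://vvestclinic.example/login"))
```

A hit from either function is a reason to report the message, not proof on its own; a miss does not make a message safe.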

IHS personnel are critical to protecting the Agency from phishing attacks: by staying abreast of current phishing trends and methods, they can spot phishing attempts and report them to Incident@ihs.gov. Visit www.fortinet.com to see examples of nineteen types of phishing and expertinsights.com to see fifty phishing statistics that you should know. Visit Microsoft.com to learn about some new trends in phishing.