Napartet News ARCHIVE

Beware of Phishing Attacks

A friendly reminder to all employees to be vigilant and aware of phishing emails. Below are tips on how to spot phishing emails and how to protect yourself (and the corporation) from becoming a victim.

Recently, many employees have been receiving fraudulent emails claiming to be from YKHC Leadership, asking for information such as passwords or financial data. Organizations like YKHC have also been receiving spoofed invoice payment notices appearing to have come from ANTHC. These types of emails are social engineering attacks — messages aiming to trick employees into thinking a trustworthy individual or organization is asking for sensitive data. 

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. It is a scam to get information that may be valuable to the attacker. An attacker may seem respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. By asking questions, the attacker may piece together enough information to infiltrate an organization’s network. If they are not able to gather enough information from one source, they may contact another source within the same organization and use the information from the first source to add to their credibility.

What is a phishing attack?

Phishing is a form of social engineering that uses email or malicious websites to collect personal information by posing as a trustworthy individual or organization. For example, an attacker may send an email that appears to be from a bank and requests account information, often suggesting there is a problem or that a password needs to be changed. When users respond with the requested information, attackers can use it to gain access to their credit card or bank accounts.

Phishing attacks may also appear to come from other types of organizations, such as partner organizations like ANTHC.

Attackers are currently taking advantage of the COVID-19 pandemic.

There are also more specific types of phishing, such as spear-phishing and CEO phishing.

What is a spear-phishing attack?

Spear-phishing is a form of social engineering that targets specific individuals, usually because of their position or title in the organization. At YKHC, attackers most often target Dan Winkelman (CEO) and Lisa Wimmer (VP of Finance & CFO), but other employees are also targeted. Often, the person conducting the spear-phishing attack is financially motivated and is looking for a way to have YKHC send money to a bank account they have set up or purchase gift cards from online retailers.

What is CEO phishing?

CEO phishing is a form of social engineering in which the attacker fakes a message from the CEO or another member of senior management that tricks others at the organization into wiring funds, providing user credentials, or giving up other pertinent company information to the attacker. The email will appear to come from senior management, with the sender’s name in the address, but it does not necessarily come from a YKHC.org email address. Instead, such attacks may come from an address such as Jim_Sweeney@gmail.com.

How do you avoid being a victim?

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company that person claims to work for.
  • Check the From address of suspicious email messages – this can be done in Outlook by double clicking the From address at the top of the message. A box will open with an email address under the heading ‘Send Email’. If the email address does not end in @ykhc.org then the message is NOT from a YKHC employee.
  • All email received from external sources is tagged at the top with [ External email message – this is not from YKHC ]. Any email showing an @ykhc.org email address that has this tag is NOT coming from a YKHC employee.
  • Do not provide personal information or information about YKHC, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email requests for this information. This includes clicking on links sent in email. Be especially careful with email messages claiming that the sender needs your help handling a large sum of money.
  • Do not send sensitive information over the Internet before checking a website’s security. Secure websites will display a small padlock in your browser next to the website address and that address should begin with ‘https://’.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
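The tips above can be turned into a mechanical screen. The script below is an added example, not part of the original newsletter or any YKHC tool: it reads a raw email, checks that the From address is on ykhc.org, flags an @ykhc.org sender that still carries the external tag (the spoofed-From case), flags a display name that matches a staff member whose real address differs (the CEO-phishing pattern), and flags lookalike domains (same name under another top-level domain, or a one- or two-character variation). The staff directory and the four sample messages are constructed placeholders; the tag text and the ykhc.org domain are taken from the page.

```python
"""Screen a raw email against the tips above: From-address domain, the external
tag on an @ykhc.org sender, display-name impersonation, and lookalike domains."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "ykhc.org"
# Banner the mail gateway prepends to every message from outside, as quoted on the page.
EXTERNAL_TAG = "[ External email message – this is not from YKHC ]"
# Constructed placeholder directory: lower-cased display name -> that person's real address.
STAFF_DIRECTORY = {"jane doe": "jane.doe@ykhc.org"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squats of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when a domain resembles the trusted one without being it: the same name
    under another TLD (ykhc.net) or within two edits (ykhcc.org, yhkc.org)."""
    if not domain or domain == trusted:
        return False
    same_name = domain.rpartition(".")[0] == trusted.rpartition(".")[0]
    return same_name or edit_distance(domain, trusted) <= 2


def screen_message(raw: str, directory=STAFF_DIRECTORY) -> list[str]:
    """Return the reasons a message looks like phishing. An empty list means no
    check fired, which is not proof that the message is safe."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    body_part = msg.get_body(preferencelist=("plain",))
    # Messages here are parsed from str, so the payload needs no transfer decoding.
    body = body_part.get_payload() if body_part else ""
    tagged_external = body.lstrip().startswith(EXTERNAL_TAG)

    reasons = []
    if domain != TRUSTED_DOMAIN:  # tip: an internal sender's address ends in @ykhc.org
        reasons.append(f"sender {addr!r} is not on {TRUSTED_DOMAIN}")
    if domain == TRUSTED_DOMAIN and tagged_external:  # tip: tag plus @ykhc.org means spoofed
        reasons.append("@ykhc.org sender carries the external tag (spoofed From)")
    for name, real_addr in directory.items():  # CEO-phishing pattern: right name, wrong address
        if name in display_name.lower() and addr != real_addr:
            reasons.append(f"display name {display_name!r} but address {addr!r} is not {real_addr}")
    if is_lookalike(domain):  # tip: spelling variation or different top-level domain
        reasons.append(f"domain {domain!r} is a lookalike of {TRUSTED_DOMAIN}")
    return reasons


# Constructed sample messages (not real mail); the first three show one pattern each.
CEO_FRAUD = (
    'From: "Jane Doe, CEO" <jane.doe@gmail.com>\nSubject: urgent\n\n'
    f"{EXTERNAL_TAG}\nI need you to buy gift cards today and send me the codes.\n"
)
SPOOFED_INTERNAL = (
    "From: Payroll <payroll@ykhc.org>\nSubject: password reset\n\n"
    f"{EXTERNAL_TAG}\nYour password expires today, log in at the link below.\n"
)
LOOKALIKE = (
    "From: Accounts Payable <ap@ykhc.net>\nSubject: invoice\n\n"
    "Please pay the attached invoice to our new bank account.\n"
)
GENUINE = "From: Jane Doe <jane.doe@ykhc.org>\nSubject: lunch\n\nCafeteria at noon?\n"

if __name__ == "__main__":
    for label, sample in [("CEO fraud", CEO_FRAUD), ("spoofed", SPOOFED_INTERNAL),
                          ("lookalike", LOOKALIKE), ("genuine", GENUINE)]:
        print(label, "->", screen_message(sample) or ["no findings"])
```

The lookalike check deliberately reports both the "not on ykhc.org" reason and the "lookalike" reason for a domain such as ykhc.net, since the second tells the reader why the first is more than a stranger's address. A real gateway rule would add the gateway's own authentication results (SPF/DKIM/DMARC) rather than relying on the From header text alone; that is outside what the newsletter describes.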

If you are unsure whether an email request is legitimate, send a copy of the message to Mark Jones.

What do you do if you think you are a victim?

If you believe you might have revealed sensitive information about YKHC, report it to Edward Corp, Privacy Officer, at privacy_officer@ykhc.org.

If the information was revealed through an email message, in addition to contacting the Privacy Officer, send a copy of the message to Mark Jones.

If you believe your financial accounts may be compromised, contact your financial institution immediately and discuss appropriate actions – such as:

  • Close or freeze any compromised accounts or credit cards.
  • Watch for unexplained charges to your accounts.
  • Immediately change any passwords you might have revealed.
  • If you used the same password for multiple websites or accounts, change the password for each account and do not use that password in the future.
  • Try using a unique password with more than 16 characters for important or sensitive websites, such as your bank. A good way to create a long password is to use a phrase that you can easily remember, like: MylittlegirlwasborninMarch2012; MyanniversaryisJan9th; or ireallyHATErainydays. 

Who do I contact for more information?

If you have additional questions about these types of emails or would like to learn more, contact YKHC Information Security at InformationSecurity@ykhc.org.
