Phishing email, as a form of social engineering, is still a simple yet effective way of obtaining a person's private information, login credentials or the like. As people tend to be fallible, we readily trust emails that look very much like the ones we might get from our tech team, friends or family, especially if they use a similar domain name or a known brand we are accustomed to.
It has happened before
At the Cancer Treatment Centers of America (CTCA), a third party gained unauthorised access to an employee's email account between March 10 and March 11, 2019. The employee had provided their network login credentials in response to a phishing email, which led to the unauthorised access. The worst part: it had happened before. Did they learn their lesson? Apparently not.
This time around, the data accessed was more sensitive, since it pertained to specific medical details on patients, including names, phone numbers, addresses, medical record numbers, health insurance information, government IDs and medical information.
Upon learning of the incident, the CTCA Information Security Department promptly changed the employee's email password. CTCA also conducted an extensive investigation and hired a nationally recognised forensics firm to assist. The healthcare organisation is evaluating security measures to train its employees in identifying suspicious emails, and it has asked its patients to review their account statements for any suspicious activity.
2FA would have prevented it
Here's hoping that multi-factor authentication (MFA) is also among the measures being implemented, since it is one of the controls that would have stopped this breach. A phished password loses most of its value when a second, independent authentication step is required.
So, in this case, if a one-time code delivered to the employee's phone had been required to log in from the device the perpetrator used, the stolen password alone would not have worked: the phone was still in the employee's possession. One caveat a practitioner should keep in mind: this holds when the attacker has captured only the password. A phishing page that also asks for the one-time code and relays it to the real login within the code's validity window gets past SMS and authenticator-app codes as well, which is why phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, are the stronger choice. Even so, any second factor is a large improvement over a password alone.
A second-factor prompt the employee did not initiate would also have signalled that someone was trying to access their account remotely and without their authorisation. They could then have changed their password and regained control of the account before any information was lost.
Multiple layers compensate for our fallibility because they demand multiple actions, multiple moments of thought and multiple occasions to notice something that would go unseen with a single level of security. Once a password is out there, there is no getting it back, so if no additional step is required, the account is compromised.
With multiple steps, we have a window of opportunity as long as the second step is in place to think back if that email might have been suspicious or if the information we provided may lead to harm. So, whenever available, turn on 2FA and ask for it from your employer or service provider and demand it from yourself.
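To make the mechanism concrete, here is an added example (not code from the original post or from CTCA) of a minimal password-plus-one-time-code login check, built on RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), the same scheme authenticator apps use. It shows the three cases discussed above: a phished password with no code fails; a code captured earlier and replayed outside its window fails; a code relayed within the window succeeds, which is the real-time phishing caveat. The user record, password, salt and timestamps are constructed for the example; the TOTP seed is the published RFC 6238 test-vector seed.

```python
"""Added example: password + TOTP login check per RFC 6238 (HMAC-SHA1, 30 s step,
6 digits). The user record, salt, password and timestamps are constructed for
illustration and are not from the original post."""
import hashlib
import hmac
import struct
import time

STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length
WINDOW = 1     # accept the adjacent time step on either side to allow clock skew

# Constructed user record. In practice the password hash lives in the directory
# and the TOTP seed is shared only with the authenticator app on the user's phone.
_SALT = b"constructed-salt-for-example"
USER = {
    "username": "employee",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Spring2019!", _SALT, 100_000),
    "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector seed (SHA-1)
}


def totp(seed: bytes, unix_time: int) -> str:
    """Return the RFC 6238 code for the 30-second step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def check_password(user: dict, password: str) -> bool:
    """Constant-time comparison of the PBKDF2 hash of the supplied password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code, now: int) -> bool:
    """Accept the code only if it matches the current step or one step either side.
    A code captured earlier and replayed after the window has passed is rejected."""
    if not code:
        return False
    for k in range(-WINDOW, WINDOW + 1):
        expected = totp(user["totp_seed"], now + k * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: dict, password: str, code, now: int = None) -> bool:
    """Both factors must pass. The code is evaluated even when the password
    fails so the response time does not reveal which factor was wrong."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(user, password)
    code_ok = check_totp(user, code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    # At unix time 59 the counter is 1, and the RFC test vector gives 287082.
    captured = totp(USER["totp_seed"], 59)
    print("password only          :", login(USER, "Spring2019!", None, now=59))
    print("password + fresh code  :", login(USER, "Spring2019!", captured, now=59))
    print("replayed ~2 min later  :", login(USER, "Spring2019!", captured, now=200))
    print("relayed within window  :", login(USER, "Spring2019!", captured, now=75))
```

The replayed-code case is the one a stolen password plus a leaked code from last week runs into; the relayed-within-window case is what a real-time phishing proxy exploits, and it is why the window should be kept short and why origin-bound factors such as FIDO2 keys close that gap entirely.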