As big businesses spend millions of dollars to plug holes in their technology and block cyber criminals from databases of private consumer information, hackers are increasingly targeting a different weakness: employees.
They are sending official-looking e-mails to large health systems, banks, retailers, and vendors to try to trick employees into giving up passwords or other credentials. Armed with employee passwords, criminals can access mines of sensitive information and use it to steal identities and commit fraud.
That is how data from about 3,300 patients was breached last year at Partners HealthCare. Several employees responded to so-called phishing e-mails and mistakenly allowed access to patient names, addresses, health insurance information, and Social Security numbers.
It turns out that tricking an employee into giving up a password is easier than hacking, cyber-security specialists said.
“They go for the people, the human vulnerability,” said Dr. John D. Halamka, the chief information officer at Beth Israel Deaconess Medical Center. “This is why we’re seeing a massive upswing in phishing.”
Phishing e-mails are blamed for several big data thefts in recent years, including the 2013 breach at the big-box retailer Target Corp., which affected nearly 1 million consumers in Massachusetts alone. One of the biggest bank heists in the world — the theft of $1 billion from dozens of banks around the world, starting in 2013 — began with phishing e-mails, according to Kaspersky Lab, a Russian computer security company with offices in Woburn that reported on the bank breach earlier this year.
During the first half of 2014, there were 123,741 unique phishing attacks worldwide, the most since the second half of 2009, according to the Anti-Phishing Working Group, an industry organization that is made up of security experts and companies affected by such scams. In the health care industry, about 9 in 10 organizations have been targets of phishing attacks, according to the Ponemon Institute, a Michigan research company.
Things like requests from Nigerian princes for bank account information used to be tip-offs for a phishing attack, but the operations have become much more sophisticated and targeted in recent years, cyber-security experts said. Criminals gear their attacks toward specific individuals, including chief executives as well as employees who may handle financial data.
The hackers are doing more reconnaissance on their victims, combing the Internet and social media sites, such as LinkedIn, for tidbits of personal and professional information that can be used to make the phishing e-mails appear legitimate. They know where their victims work, whom they do business with, the names of their bosses, and e-mail addresses. The tactic is called spear phishing.
“It’s an increasingly narrow spear,” said Doug Johnson, senior vice president of payments and cyber-security policy at the American Bankers Association. “It’s much more surgical in effect.”
Companies spend millions on virus protection services and spam filters, but training employees to watch for suspicious e-mails, or requiring them to pick up the phone and call the sender of the e-mail to verify the request, can be more difficult than technical fixes, said Andy Obuchowski, a director at McGladrey LLP in Charlestown, which provides accounting and cyber-security services to businesses. “You have to educate the employees,” he said.
Beth Israel Deaconess Medical Center ramped up its technological defenses as well as its efforts to educate employees after an unencrypted laptop was stolen in 2012, leaving data about nearly 4,000 patients vulnerable. Warnings to keep information private follow employees to lunch, with signs in the cafeteria reminding them to “think before they click” as they fill their salad bowls or bite into a cookie.
“We put stickers on our cookies [wrappers] in the cafeteria so as you open your cookie it reminds you about phishing,” said Halamka, the hospital’s chief information officer. “It’s constant vigilance. People make mistakes.”
Partners, the largest health care system in the state, said it discovered its phishing attack in November. It investigated before notifying patients and the public on April 30. Partners said about 30 employee e-mail accounts were accessed, but the health records system was not compromised.
Jigar Kadakia, chief information security and privacy officer at Partners, said the organization has reinforced employee education and enhanced technical safeguards since the breach.
Partners declined to describe the phishing e-mails or divulge other information about the attack but has notified authorities, as required by state law. The attorney general’s office has investigated such cases in the past, and officials said they are reviewing the notifications from Partners.
“There’s an epidemic of phishing across the US,” Kadakia said. “Everyone is feeling the effects.”
Priyanka Dayal McCluskey can be reached at email@example.com. Follow her on Twitter @priyanka_dayal. Deirdre Fernandes can be reached at firstname.lastname@example.org. Follow her on Twitter @fernandesglobe.