Health workers are top of phishers' target lists thanks to data value

And HR folks aren't far behind, says Proofpoint strategist


Interview Nurses are among the groups most heavily targeted by email scammers because of the value of the data they can access, according to email security biz Proofpoint's Adenike Cosgrove.

Cosgrove, an infosec strategist for Proofpoint, told The Register that not only are nurses and other frontline healthcare professionals at the top of phishing target lists, but that a healthcare worker asked her for advice on security best practice – rather than her own organisation's security team.

Explaining how the worker had watched a video of a public talk she had given about infosec, Cosgrove says: "This lady personally had to call all of the patients affected by [a previous] incident. First time she'd ever engaged with security in any way. She reached out to me and said, 'We've got an annual meeting of our key clinicians across the country, meeting in London; we'd really appreciate it if you could speak to our nurses, doctors, dentists and all sorts, about cybersecurity."

With today seeing the UK's GCHQ unit NCSC issue fresh warnings over phishers using the current coronavirus situation as fresh bait to lure targets into opening malware-laden email attachments, Cosgrove's description of this incident ought to have corporate infosec teams paying more attention to how approachable they are to their own colleagues.

Making the point, Cosgrove says: "She didn't feel she could reach out to her security team and ask someone internally to deliver this presentation, and identify someone that was speaking in a language she could understand."

Proofpoint, says Cosgrove, found that "for hospitals and for surgeries, nurses and A&E and all of that, nurses are the most targeted roles. Why? Again, they have access to all of the data. The first people you see in a hospital is a nurse. They're looking at your records, updating your records. They're then directing you where you need to go within the hospital."

Proofpoint itself, an email security firm, has published research into phishing and some of its findings were rather topical.

Cosgrove described one such incident: "One interesting threat that we've seen is criminals pretending to be a hospital in Nashville, Tennessee. There's an Excel document within the email, which says 'Here are your HIV results; open the Excel document to view the results'."

She added:

The vast majority of people who do blood tests on a regular basis are going "oh my god, I need my results". They download the spreadsheet, enable macros, etc. The user doesn't know they've compromised themselves; their organisation doesn't know they've downloaded a remote access trojan; they're not doing anything that's going to trigger any alerts just yet. It's quietly monitoring all the credentials of the user. When the criminals steal those creds, they now have legitimate access to that person's webmail, enabling internal phishing from a real email address.

It's not just healthcare people either, Cosgrove told us: "Criminals are targeting HR professionals too. Their job is to open those emails, open those Word documents. Their job is to enable the macros so they can read the CVs!"

Linking this with the earlier example of the healthcare organisation whose staffers didn’t feel they could talk to their own IT security team, she says: "We blanket-train people into saying don't enable macros, don't open Word documents, yet HR professionals get emails they're not expecting every single day. Their job is to open them! So now you're telling me that I shouldn't do my job? This is why security loses credibility with the business."

"As a profession," she enthused, "we could get closer to the end user. We need to speak their language. We need to understand how they work. And we need to help them do their jobs securely. Again, telling HR not to open Word documents? That's pointless advice. But telling HR 'Hey, we've developed tech to sandbox attachments so you can safely open that email', that's more realistic."

While the covid-19 coronavirus pandemic continues infecting humanity, the other style of infection that Reg readers are used to hearing about (no, not Cupid's measles) continues unabated. Keep your teams alert and your co-workers in the loop. ®

Narrower topics


Other stories you might like

  • EU-US Trade and Technology Council meets to coordinate on supply chains
    Agenda includes warning system for disruptions, and avoiding 'subsidy race' for chip investments

    The EU-US Trade and Technology Council (TTC) is meeting in Paris today to discuss coordinated approaches to global supply chain issues.

    This is only the second meeting of the TTC, the agenda for which was prepared in February. That highlighted a number of priorities, including securing supply chains, technological cooperation, the coordination of measures to combat distorting practices, and approaches to the decarbonization of trade.

    According to a White House pre-briefing for US reporters, the EU and US are set to announce joint approaches on technical discussions to international standard-setting bodies, an early warning system to better predict and address potential semiconductor supply chain disruptions, and a transatlantic approach to semiconductor investments aimed at ensuring security of supply.

    Continue reading
  • US cops kick back against facial recognition bans
    Plus: DeepMind launches new generalist AI system, and Apple boffin quits over return-to-work policy

    In brief Facial recognition bans passed by US cities are being overturned as law enforcement and lobbyist groups pressure local governments to tackle rising crime rates.

    In July, the state of Virginia will scrap its ban on the controversial technology after less than a year. California and New Orleans may follow suit, Reuters first reported. Vermont adjusted its bill to allow police to use facial recognition software in child sex abuse investigations.

    Elsewhere, efforts are under way in New York, Colorado, and Indiana to prevent bills banning facial recognition from passing. It's not clear if some existing vetoes set to expire, like the one in California, will be renewed. Around two dozen US state or local governments passed laws prohibiting facial recognition from 2019 to 2021. Police, however, believe the tool is useful in identifying suspects and can help solve cases especially in places where crime rates have risen.

    Continue reading
  • RISC-V needs more than an open architecture to compete
    Arm shows us that even total domination doesn't always make stupid levels of money

    Opinion Interviews with chip company CEOs are invariably enlightening. On top of the usual market-related subjects of success and failure, revenues and competition, plans and pitfalls, the highly paid victim knows that there's a large audience of unusually competent critics eager for technical details. That's you.

    Take The Register's latest interview with RISC-V International CEO Calista Redmond. It moved smartly through the gears on Intel's recent Platinum Membership of the open ISA consortium ("they're not too worried about their x86 business"), the interest from autocratic regimes (roughly "there are no rules, if some come up we'll stick by them"), and what RISC-V's 2022 will look like. Laptops. Thousand-core AI chips. Google hyperscalers. Edge. The plan seems to be to do in five years what took Arm 20.

    RISC-V may not be an existential risk to Intel, but Arm had better watch it.

    Continue reading

Biting the hand that feeds IT © 1998–2022