Are Your Employees Easy Marks for Phishing Scams?

Recently, Saint Joseph’s Healthcare System in New Jersey announced that more than 5,000 employees at some of its facilities may be at risk of identity theft following a phishing scam that potentially compromised their information.

Saint Joseph’s Vice President of External Affairs Kenneth Morris Jr. stated, “patient data and medical information were not affected, but employees’ names, social security numbers and employee earnings of 2015 and 2016 were potentially accessed.”

This was a big payday for the perpetrators of this crime. This treasure trove of information represents the golden keys to financial gain on many fronts: fraudulent tax refunds from the Internal Revenue Service and/or state agencies, loans, and credit cards.

What is phishing? Wikipedia’s definition is: “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

So how does one prevent a phishing act? Education! Many of my clients have started to create rotating 140-character informational “pop-ups” that are displayed when an employee logs on to their computer. Another client has created a rotating banner with a single message. To ensure employee engagement, many of my clients have also created a weekly contest with questions drawn from the rotating pop-ups, with gift card prizes for the first- and second-place winners.

Who is the real winner here? I believe it is the organizations that are taking proactive approaches to stemming these crimes. Statistics tell us that over 68 percent of all intrusions are due to employee actions.

The Federal Trade Commission (FTC) published a consumer education piece dated September 2011. It identified the following as examples of known phishing email messages:

• "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

• "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."

• "Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."
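The three FTC examples share recognizable lure ingredients: an alarm about the account, a request to verify or confirm details, a link or phone number to act on, and a deadline or refund as bait. As an added illustration (not part of the FTC piece or the original article), the following Python script scores a message against those ingredients with simple regular expressions. The pattern list, the labels, the threshold of two hits and the benign sample message are all the editor's own assumptions; the three phishing samples are the FTC examples quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Heuristic lure patterns, chosen by the editor for this illustration (assumed,
# not an FTC list). Each label is reported when its pattern matches.
LURE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "asks to verify/confirm identity or account": re.compile(
        r"\b(verify|confirm|update)\b.{0,30}\b(identity|information|account)\b", re.I),
    "embedded call-to-action link": re.compile(r"\bclick (the )?(link|here)\b", re.I),
    "urgency deadline": re.compile(r"\bwithin \d+ (days?|hours?)\b", re.I),
    "alarm about account activity": re.compile(
        r"\b(unauthori[sz]ed|suspicious) (transaction|activity|access)\b", re.I),
    "money bait": re.compile(r"\b(refund|overcharged|prize|reward)\b", re.I),
    "verification-failure pretext": re.compile(r"\bcould(n'?t| not) verify\b", re.I),
    "asks you to call back": re.compile(r"\b(call|contact) us\b", re.I),
}

# A message with this many distinct lure hits is flagged (assumed threshold).
SUSPICIOUS_THRESHOLD = 2


@dataclass
class LureReport:
    score: int
    hits: List[str]


def score_message(text: str) -> LureReport:
    """Count how many distinct lure patterns appear in the message body."""
    normalized = text.replace("\u2019", "'")  # fold curly apostrophes
    hits = [label for label, pattern in LURE_PATTERNS.items() if pattern.search(normalized)]
    return LureReport(score=len(hits), hits=hits)


def is_suspicious(text: str) -> bool:
    """True when the message reaches the lure-hit threshold."""
    return score_message(text).score >= SUSPICIOUS_THRESHOLD


# The three phishing samples are the FTC examples quoted in the article.
FTC_EXAMPLES = [
    "We suspect an unauthorized transaction on your account. To ensure that your "
    "account is not compromised, please click the link below and confirm your identity.",
    "During our regular verification of accounts, we couldn't verify your information. "
    "Please click here to update and verify your information.",
    "Our records indicate that your account was overcharged. You must call us within "
    "7 days to receive your refund.",
]

# Constructed benign message for contrast (editor's own sample text).
BENIGN_EXAMPLE = (
    "The quarterly all-hands is on Thursday at 10am in the main conference room; "
    "slides will be posted on the intranet afterward."
)

if __name__ == "__main__":
    for message in FTC_EXAMPLES + [BENIGN_EXAMPLE]:
        report = score_message(message)
        verdict = "SUSPICIOUS" if is_suspicious(message) else "ok"
        print(f"[{verdict}] score={report.score} hits={report.hits}")
        print(f"    {message[:70]}...")
```

Each FTC sample trips three distinct patterns and the benign sample trips none. A scorer like this is no substitute for mail-gateway filtering or the training the article describes; its value is that the hit labels give staff concrete words for what made a message look wrong, which is the same vocabulary the FTC examples are teaching.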

The FTC asks that a report be filed with them if you have been tricked by a phishing email. The report can be filed at www.ftc.gov/complaint.

Additionally, the FTC recommends that you forward the phishing email to the company, bank or organization that was impersonated in the email, and report the phishing attack to spam@uce.gov and reportphishing@antiphishing.org.

In all my educational seminars, I close with this mantra: “Knowledge is Power”! Take back the power and provide your staff members with education.

Judith is the CEO of JAL Consult and holds the accreditation of Certified HIPAA Professional (CHP). As a consultant, Judith provides guidance for organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs, and participates in compliance presentations and speaking engagements. To read more about the world of compliance, subscribe to JAL’s newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.