Four Traits of Social Engineering Attacks

Social engineering is a scam that tricks a person into performing an action against their own interests. Usually, the action is to hand over confidential information (e.g., login credentials) or to open malicious trojan horse content.

Most social engineering attacks share four common traits which, when present together, signal a far higher likelihood that a scam is involved. If they are present, confirm the request through an additional, more trusted channel before performing any action.

1. Does the message arrive unexpectedly?
2. Is it the first time the sender is asking you to perform a requested action?
3. Does the request demand you do it now?
4. Can the request harm your interests?

Not every message with these four traits is absolutely a social engineering scam. Our email inboxes, voice mail, text messages and postal mailboxes can contain unexpected requests. But when these four traits are present, confirm the request using some other guaranteed-to-be-safe method before performing it. Think before you act.

Source: https://blog.knowbe4.com/answer-4-questions-to-avoid-a-social-engineering-attack


HR and LinkedIn Phishing Clicks are Spiking

There has been a significant rise in phishing email attacks related to HR topics, especially those regarding new policies that would affect all employees throughout many types of organizations. With more employees returning to the office, they are concerned about new policies that affect their everyday situations at work, which is why we are seeing a rise in these types of phishing attacks. These days, it is especially important for all end users to take a moment to double check a link or attachment and to question whether the email is expected or unexpected. Employees are critical to an organization’s defense.

LinkedIn phishing messages have dominated the social media category for the last three years. Users may perceive these emails as legitimate since LinkedIn is a professional network, but it could pose significant problems because many LinkedIn users may have their accounts tied to their corporate email addresses.

Source: https://www.KnowBe4.com


Postcard Disguised as Official OCR Communication

OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment” and they are directed to send their risk assessment to www.hsaudit.org. The link directs individuals to a non-governmental website marketing consulting services.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services. This communication is from a private entity – it is NOT an HHS/OCR communication. HIPAA covered entities and business associates should alert their workforce members to this misleading communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator’s hhs.gov email address. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html , and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.


IRS Scams

With tax season upon us, it is important to remember that the IRS does not initiate contact with taxpayers by email, text message or social media. ALL communication in these forms can be considered bogus if the contact was not initiated by the taxpayer. The same applies to unsolicited phone calls purportedly from the IRS.

If you are concerned about any contact you’ve received regarding your taxes, you should call the IRS at 800-829-1040. Don’t use any other method of contact (including phone numbers or websites included in questionable communication).


Social Engineering Awareness Tips:

  • Always be cautious when using email, text, social media, and the web and be careful of how much information you share online publicly.
  • Watch tone of requests and ask why am I receiving this? Be wary of urgent requests or demands. Slow down and take time to verify.
  • Never click on links or open attachments of unexpected/suspect emails. Go directly to websites instead of clicking on links in email.
  • Check the sender’s email address closely before taking any action. If suspicious, report the email to a supervisor or IT.
  • Always call to verify requests to send money or grant access to someone else.
  • If you did not request any assistance from the sender, consider offers a scam.
  • Do not share your usernames and passwords with others. Change the password immediately if you have accidentally shared it.
  • Do not plug in unknown USB drives, they may contain malware or viruses.


COVID-19 - Business Operations (Houston, TX)

Dear OnlineMedSys subscribers, we are keeping abreast of ongoing developments regarding the novel COVID-19/Coronavirus. OnlineMedSys.com’s business operations remain intact, with no material impact on our systems. The OMS equipment is housed in a Tier 4 (the highest level) data center with a 100% uptime service level agreement on power. The data center’s Business Continuity Management System has received ISO 22301 certification, which is tested annually as part of the compliance process. WHO, CDC, and OSHA guidance is utilized as it relates to pandemic preparedness and mitigation.

Our apps are web based and always available from Windows computers with Chrome and Internet Explorer browsers. We offer a PM4 view-only app on the iPhone for surgeons and an Android app is coming soon. (Note: Please only enter and save data from a Windows computer.) If remote access to an office computer is needed, we can recommend a business remote access solution for a reasonable monthly cost with the doctors’ approval.

DrFirst is our partner for e-prescribing and they offer a mobile app for Apple and Android devices. If you aren’t already signed up for e-prescribing and need access, let us know. They also offer HIPAA compliant telehealth web and mobile apps for secure video calls with patients, chats and file sharing for a modest annual fee with a two year term. As well, access to a new beta web app for email, chats and file uploads, developed by one of our OMS surgeons, is also available at no cost to use during the pandemic.

Finally, events like coronavirus lead to cyber criminals preying on fears in hopes that victims will open phishing scam emails, enter sensitive credentials, or download computer viruses, malware or ransomware. Please continue to be suspicious of any emails you aren’t expecting. When in doubt, do not click on links or open attachments, instead go directly to the website or call the sender.

As always, contact us with any concerns or questions at support@omsp.com. Take care and stay safe.


What happens when Windows 7 support ends?

“Windows 7 support will end on January 14, 2020. If you continue to use Windows 7 after support has ended, your PC will still work, but it will become more vulnerable to security risks and viruses because you will no longer receive software updates, including security updates, from Microsoft.”

Source: https://support.microsoft.com/en-us/help/4467761/windows-what-happens-when-windows-7-support-ends

If there are still Windows 7 computers or Windows Server 2008 (or earlier) systems running in your practice, please reach out to us or your local IT vendor to have them upgraded or replaced as soon as possible. An unsupported operating system no longer receives security patches, so it cannot be brought into security compliance by updates alone.


Email Spoofing

There has been a rash of ‘email spoofing’ where the bad guys forge the sender’s address to mislead the recipient. Spoofing comes in two forms:

  • The From field lists the employee’s name with a different email in brackets. For example:
    Jane Doe <actor1@scam-artist.com>
  • The From field lists the employee’s name and the correct email address: Jane Doe <jane.doe@omsp.com>

Our spam filter should block spoofed emails where the employee’s name and email address both appear correct (#2 above), since the displayed address alone gives a reader nothing to spot.

The first type, where the address differs from the expected one, is harder to block automatically because any outside mailbox may legitimately carry any display name. Thankfully, this spoof is easier to spot by eye because the real address is displayed in the From field.

The goal of nearly all spoofed emails is to gain something of value, such as money, a credit card number, user credentials, etc. Anytime you receive an email requesting something of value, take a second to read the From field before proceeding. If the email appears to be from a vendor or another practice, but doesn’t display the regular email address, always call them to verify before complying with the request.
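The following is an added example, not OnlineMedSys code, showing how the two forms above look when the From field is parsed rather than read by eye. It assumes a hypothetical employee directory (only "Jane Doe" is listed) and uses omsp.com as the internal domain from this page. It also flags a common variant that the page does not describe: a display name that is itself written as an email address, so the reader sees a familiar address and ignores the real one in brackets.

```python
from email.utils import parseaddr

# The practice's own domain, taken from the addresses on this page.
INTERNAL_DOMAIN = "omsp.com"

# Hypothetical employee directory (an assumption for the example):
# lower-case display name -> the address that name should carry.
DIRECTORY = {
    "jane doe": "jane.doe@omsp.com",
}


def classify_from(from_header):
    """Classify a raw From: header value by what a reader sees in it.

    Returns one of:
      'display-name-spoof'  an employee's name, but the bracketed address
                            is not that employee's (form #1 on the page)
      'address-as-name'     the display name itself looks like an address,
                            so the eye reads it and skips the real one
                            (a common variant; not described on the page)
      'internal'            name and address match the directory (form #2
                            on the page); only the mail filter's sender
                            authentication can tell a forgery from the
                            real thing
      'external'            neither an employee name nor an internal address
    """
    name, addr = parseaddr(from_header)
    name_key = name.strip().lower()
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # Display name written as an address: the bracketed address is the real one.
    if "@" in name_key and name_key != addr:
        return "address-as-name"

    expected = DIRECTORY.get(name_key)
    if expected is not None and addr != expected:
        return "display-name-spoof"
    if domain == INTERNAL_DOMAIN:
        return "internal"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers (not real mail).
    for raw in (
        "Jane Doe <actor1@scam-artist.com>",
        "Jane Doe <jane.doe@omsp.com>",
        '"jane.doe@omsp.com" <actor1@scam-artist.com>',
        "Acme Billing <billing@acme-vendor.example>",
    ):
        print(f"{classify_from(raw):20s} {raw}")
```

The 'internal' result is deliberately not a clean bill of health: an exact-address forgery looks identical in the header, which is why the page leaves that case to the spam filter rather than to the reader.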

If you have any questions, feel free to contact us.


Risky Invoices

There is another rash of malicious emails carrying Microsoft Word documents. These emails almost universally present themselves as an invoice due for payment. There are a few simple precautions we can take to prevent these emails from causing damage:

  • If you are not the person or department that manages the payment of invoices, consider it a malicious document and delete it.
  • If you ARE the person or department in charge of payments, pay close attention to the sender. If you don't recognize the name of the sender, delete it.

Most importantly, if the invoice looks legitimate and you open the document, NEVER choose Enable Editing or Enable Content.

“Enable Editing” takes the document out of Protected View, and “Enable Content” runs the macros embedded in it. The malicious payload is launched once you have clicked through these prompts.
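As an added example (not OnlineMedSys code), the check below shows what “Enable Content” would actually run: modern Word files are zip packages, and a VBA project is stored in a vbaProject.bin part inside them, so listing the package reveals whether an “invoice” carries macros at all. The sample files are constructed in memory and only mimic the package layout; they are not real Word documents.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls (a documented
# format constant, not something from the page).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Package parts that hold a VBA project in Office Open XML files.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_attachment(data):
    """Return 'macros', 'no-macros', 'legacy-ole' or 'not-office' for raw file bytes.

    Office Open XML files are zip packages; a VBA project lives in a
    vbaProject.bin part, so listing the zip is enough to know whether
    'Enable Content' would have anything to run. Legacy .doc files are
    OLE2 containers and need a dedicated parser, so they are only flagged.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-office"
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "not-office"
    return "macros" if any(p in names for p in VBA_PARTS) else "no-macros"


def build_sample(with_macros):
    """Constructed minimal package mimicking a .docx/.docm layout (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, classify_office_attachment(build_sample(flag)))
```

A 'no-macros' result does not make a document safe (attackers also use exploits and embedded objects that need no VBA), and a 'legacy-ole' result says only that a deeper parser is needed. The rule on the page stands either way: never enable content on an unexpected invoice.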

Thank you for your vigilance and cooperation!


New Jump Page

This page has been re-designed to complement our other recently updated apps.


Beware of Free Gift Cards

People cannot resist the lure of free things. Cyber criminals set up phony websites where victims can supposedly claim gift cards just for providing some seemingly benign information.

Once on the site, the victim answers questions and is put through various actions to prove they're not robots. Each step of the way, the victim clicks through and provides information to eventually collect a code they can enter for their worthless gift card.

For very little effort, the scammers get paid. They sell their victims' information to third parties, and are paid for each click the victim makes chasing the free gift card.

  • Remember there is no such thing as a free lunch. If the product is free, YOU are the product.
  • Always check the HTTPS connection and domain name when visiting a webpage, especially if you are entering sensitive personal information.
  • Never share your sensitive data.
  • Do your friends a favor and do not share questionable links.
  • Check if the offer for free stuff is legit by contacting the company making the offer.
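As an added example (not OnlineMedSys code), the check below makes the “HTTPS connection and domain name” advice concrete. The brand name bigstore.example is a placeholder, the offer links are constructed, and the list of two-label public suffixes is a deliberately tiny assumption; real code should use the Public Suffix List. The point it demonstrates is that the registrable domain is the last part of the hostname, so a link that starts with a familiar brand name can still lead somewhere else entirely.

```python
from urllib.parse import urlsplit

# Public suffixes that take a second label to form the registrable domain.
# Deliberately tiny (an assumption for the example); use the Public Suffix List in practice.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the owner-controlled part of a hostname, e.g. 'bigstore.example'."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_offer_url(url, expected_domain):
    """Return the reasons a gift-card link does not match the brand's real site.

    An empty list means the scheme and registrable domain both check out.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("not https")
    if parts.username is not None:
        # 'https://bigstore.example@evil.test/' really goes to evil.test
        problems.append("userinfo before '@' hides the real host")
    got = registrable_domain(parts.hostname or "")
    if got != expected_domain.lower():
        # Catches typosquats and 'bigstore.example.free-cards.test' prefix tricks alike
        problems.append(f"domain is {got!r}, not {expected_domain!r}")
    return problems


if __name__ == "__main__":
    # Constructed offer links (hypothetical brand and hosts).
    for link in (
        "https://www.bigstore.example/gift-cards",
        "http://bigstore.example.free-giftcards.test/claim",
        "https://bigstore.example@evil.test/claim",
        "https://bigst0re.example/claim",
    ):
        print(link, "->", check_offer_url(link, "bigstore.example") or "looks right")
```

Even a link that passes both checks only proves you are talking to the real site over an encrypted connection; whether the offer itself is genuine still has to be confirmed with the company, as the last tip above says.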

In the end, the scammer has made a few bucks and the victim wasted time and shared information that they'll never get back. And there is no gift card.