Throughout the COVID-19 pandemic, criminals have used the crisis as a basis for increased attacks on computer systems, including phishing campaigns. These attacks are organized and often specifically target healthcare systems or individuals to collect sensitive business or personal information.
Phishing is a constant threat, but there is also a seasonality to cyberattacks, with more coming during traditional vacation times, when criminals assume defenses are lowered and staffing may vary due to time off. As organizations, including MedStar Health, navigate a new normal, experts anticipate new email phishing attacks attempting to exploit changes, such as adjustments to revised workflows and remote working arrangements.
Associate vigilance is among our best defense strategies against savvy attackers who prompt associates to provide personal information or passwords, click on or open malicious links or attachments, or transfer money. Attacks can come through phishing emails, texts or voice calls to a workstation, smartphone or other device.
Malicious senders may spoof a known source for COVID-19 information, such as the Centers for Disease Control and Prevention (CDC), MedStar Human Resources, or a local school district or government office. Phishing attempts may also come from vendors purporting to have or sell Personal Protective Equipment (PPE).
To avoid these risks, always follow these important recommendations:
- Take your time when reviewing email or text messages. Use caution before you click!
- Be alert for phishing messages in your email inbox. Since phishing emails arrive from outside of the network, determine whether the email is legitimate. All external emails include a tag of [EXTERNAL] in the email subject line and a banner:
** ATTENTION: This email originated from outside the MedStar network.
** DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.
- If you don’t know the sender and it looks suspicious, delete the email. Do not click on any attachments or links within the body of the email.
- Look for spoofed addresses. For example, if an email appears to come from an associate and the sender’s address is not @medstar.net, it is not a legitimate email.
- If you receive a text message from a number you do not know, delete the text message. Do not click on any links within the text message.
- Report suspicious emails to firstname.lastname@example.org. Call the IS Service Desk at 877-777-8787 with any questions.
Thank you for your efforts to protect our network, data, systems, and organization.