Criminals who engage in social engineering — the art of manipulating people into giving up confidential information — usually hunt for passwords and bank account information, or even for direct access to a computer so that they can secretly install malicious software. They take advantage of a person’s inclination to trust others. One of the primary reasons I decided to focus on the veterinary industry as a cybersecurity consultant is because of the people it employs. Their empathy, trust and integrity are second to none. However, those qualities are exactly what hackers look for.
Cybersecurity is all about knowing who and what to trust. In the case of social engineering, you as a potential victim need to know when to take people at their word. You need to know when and how to validate their legitimacy. The same can be said about your online activity. Is the website where you shop for personal protective equipment a trustworthy seller? Will it protect your credit card information?
Whenever I train hospital staff to recognize cybersecurity risks, I always get this question: What is the weakest link in the chain that a hacker will exploit? The answer is simple: It’s the human who accepts any person or scenario at face value. All the layers of protection you put in place won’t matter when someone on your team trusts a masked hacker.
How to Spot an Attack
The easiest way for someone with criminal intent to enter the hacking world is by email. Entire password databases can be found online. Don’t believe me? Google the phrase “Google Hacking Database.” The database shows the search operators, or commands, that can find all sorts of information online. Now, type “Password” into the search field. With a bit of technical ability, you can customize the search operators to focus on the veterinary practice you want to hack.
Once I have your email password, I likely have the email address and password associated with a majority of your practice’s accounts. This is because most people and practices use one password everywhere. And now that I control your email account, I can email all your contacts, post to your social media pages and do much more.
The emails that hackers send from your account generally contain a link. Because the email came from you, your clients and colleagues think it’s legitimate. The likelihood that they click the link is much higher because they trust you. Clicking on the link often downloads malicious software without the user’s knowledge. The process then starts again as the hackers gain access to your friends’ and colleagues’ accounts.
If the hacker email doesn’t contain a link, a downloadable file, such as a photo, song, movie or document, might be present. These aren’t ordinary files. They contain embedded malicious software designed to give the criminal access to the recipient’s computer.
Another danger involves emails from another trusted source. They don’t have to originate at your clinic, meaning I can hack one of your clients to access your practice’s computer system. These phishing attacks are a subset of social engineering in that they imitate a trusted source. According to an annual Verizon report, social engineering attacks are responsible for 93% of successful data breaches.
A Real-World Example
A South Texas pet owner’s email account was compromised. Once inside the account, the hacker saw communication between the client and a veterinary practice manager over disputed charges for a dental extraction. The practice manager had sent copies of the dental radiology images. The hacker emailed the practice manager from the client’s account and asked her to review an attached file. Because of the trust established between the client and practice manager, the manager downloaded the file to her computer and opened the image. She saw a photo of a dog, but it wasn’t the client’s pet. Thinking a mistake had occurred, the practice manager closed the file and went about her work.
Nothing happened for about three days. Then, it happened. She logged into QuickBooks and noticed that hundreds of invoices had been sent to clients and were requesting payment to an account that wasn’t the hospital’s. She also realized that she hadn’t received emails in about two days.
All this activity was the work of a keylogger. The image opened three days earlier contained a malicious program that recorded everything the practice manager typed and reported it to the hacker. Now, the hacker had the usernames and passwords to all her accounts. The hacker set up an inbox rule automatically moving new emails to the trash folder. The hacker sent thousands of emails from the account in an attempt to perform the same social engineering hack on all her contacts.
Don’t Become a Victim
While social engineering attacks are rampant, short-lived and need only a few users to take the bait, you can protect yourself. Here are five tips:
- Slow down. Hackers want you to act first and think later. If an email conveys a sense of urgency or uses high-pressure tactics, be skeptical. Never let urgency influence your careful review.
- Visit VirusTotal. Raise your hand if your hospital is hiring people. I’ve seen countless practices get hacked through fake emailed resumes. Before you open any file or attachment, run it through virustotal.com, a free and simple analysis tool that could save your practice from spending thousands of dollars to repair your computer system.
- Review your backups. Do you know how your practice’s computer data is protected? How long would you need to restore all your data if you were socially engineered?
- Be skeptical about antivirus programs. When I got into the technology field, you could install antivirus software and be on your merry way. Not anymore. Today, you need layered security. Look into getting complete endpoint security that includes some form of artificial-intelligence protection.
- Update your computer network. One of the easiest and most cost-effective actions is to always make sure your hospital’s computers and the applications used are up to date. Technology professionals can do this for you behind the scenes and after hours. If you are a do-it-yourself type, pick one day a week to check that all your computers, operating systems and applications are current.
The Google Hacking Database documents search queries, also known as dorks, to call attention to potentially sensitive information available to the public.