I’m embarrassed to admit I almost fell for a scam.
I read a lot about cybersecurity and like to think I know more about online tricks and scams than most people do. I write blogs about it! But the scammers are good.
Two things have come across my email and text messages in the past week, reminding me that scammers are busy this time of year. Cybercriminals are motivated by profit, are relentless, and know how to get inside our heads.
The holiday season is incredibly profitable for cybercriminals and dangerous for individuals who are busy, distracted, and online – working, shopping, and communicating with friends and family.
For businesses, including healthcare and public health, phishing is ramping up. Employees must know how to recognize phishing and what to do if targeted.
The scams are sophisticated and use specific signposts familiar to the recipient, causing them to seem real. The scammer may have even intercepted the recipient’s previous communications and is using that information to design a message tempting a response.
Shopping, Banking, Utilities, Other Familiar Websites
The first reminder was a November 15, 2023 email from Amazon warning customers of the surge of impersonation scams during this time of year. Impersonation scams are a form of phishing where the bad actors are trying to obtain personal information. Sometimes called imposter scams, these criminals are pretending to be someone else. The email or text may sound like it comes from a government agency (the U.S. Post Office or the Department of Public Health, for example) or a website like Amazon you may have visited or shopped from.
I’ve received emails and texts from scammers pretending to be Geek Squad, Netflix, Network Solutions (our email and website hosting company), and a regional electric utility. In the past, these have been relatively easy to detect. But they’re getting more sophisticated.
Impostors Eerily Target Real Concerns
The second reminder came two days ago via text. This was about 20 hours after my text exchange with a family member asking whether their package had been delivered yet and expressing concern about whether it would be delivered on time.
The scammer’s message said:
“The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours.
https://usps.xxxxxxx.top (not the actual website from the text)
(Please reply to Y, then exit the SMS, open the SMS activation link again, or copy the link to Safari browser and open it)
The US Postal team wishes you a wonderful day.”
It was uncanny, and I was tempted to click on the link, thinking it may have been the package we sought. Instead, I paused and looked up the website the text provided without clicking through, and it was different from the actual U.S. Post Office.
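The check described above, pulling the link out of a message and comparing its domain to the real one, can be automated for a mail or SMS gateway. This is an added Python example, not code from the original post: the brand-to-domain map and the sample SMS are constructed, and the placeholder domain is the one the post substitutes for the real link.

```python
import re
from urllib.parse import urlparse

# Brands impersonated in the post, mapped to their real registrable domains.
# Constructed for this example; extend with your own vendors and banks.
LEGIT_DOMAINS = {
    "usps": {"usps.com"},
    "amazon": {"amazon.com"},
    "netflix": {"netflix.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host, e.g. 'usps.xxxxxxx.top' -> 'xxxxxxx.top'.
    Naive on purpose: it ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (verdict, brand, registrable_domain) for one URL."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return ("legitimate", brand, reg)
        # Brand name used as a subdomain or label of an unrelated domain,
        # the pattern in the USPS text above.
        if brand in host:
            return ("lookalike", brand, reg)
    return ("unknown", None, reg)


def scan_message(text):
    """Classify every URL found in an email or SMS body."""
    return [classify_url(u) for u in URL_RE.findall(text)]


# Constructed sample: the wording of the smishing text from the post, with the
# same placeholder domain the post uses in place of the real one.
SAMPLE_SMS = (
    "The USPS package has arrived at the warehouse and cannot be delivered "
    "due to incomplete address information. Please confirm your address in "
    "the link within 12 hours. https://usps.xxxxxxx.top"
)

if __name__ == "__main__":
    for verdict, brand, reg in scan_message(SAMPLE_SMS):
        print(f"{verdict:10} brand={brand} domain={reg}")
```

A production filter would replace `registrable_domain` with a public-suffix-list lookup and add homoglyph and typo checks; this version only catches the brand-in-subdomain pattern shown in the post.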
Cybersecurity Awareness Training and Strong Cyber Defenses Can Stop Scammers
- Amazon has some good tips for recognizing scams. They apply to all online activity, not just Amazon impersonators. Read the entire tip sheet, but here are some highlights:
  - Trust Amazon-owned channels (or the official channel of your store, bank, or credit card). Close the suspicious email or text and use your browser to go directly to their website or app to investigate.
  - Be wary of false urgency.
  - Never pay over the phone.
  - Verify links first.
  - Verify email senders.
- The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last year, Ransomware Awareness for Holidays and Weekends, noting that cyber criminals may see holidays “as attractive timeframes to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.”
- Use CISA’s StopRansomware Guide.
You can strengthen cybersecurity awareness today by following easy steps.
- Focus on top priorities.
- Confirm you have an up-to-date HIPAA risk analysis completed. If it’s over a year old, review it in light of your current infrastructure, equipment, staffing, etc.
- Follow a risk management plan to address the gaps uncovered in the risk analysis.
- Refresh your workforce training. Use Fight Phishing with Awareness to get started. Use the CISA resources and the Amazon Tip Sheet.
The HIPAA E-Tool® has answers if you need help shoring up cybersecurity defenses or strengthening HIPAA compliance.