Health workers are top of phishers' target lists thanks to data value

Interview Nurses are among the groups most heavily targeted by email scammers because of the value of the data they can access, according to email security biz Proofpoint's Adenike Cosgrove.

Cosgrove, an infosec strategist for Proofpoint, told The Register that not only are nurses and other frontline healthcare professionals at the top of phishing target lists, but that a healthcare worker asked her for advice on security best practice – rather than her own organisation's security team.

Explaining how the worker had watched a video of a public talk she had given about infosec, Cosgrove says: "This lady personally had to call all of the patients affected by [a previous] incident. First time she'd ever engaged with security in any way. She reached out to me and said, 'We've got an annual meeting of our key clinicians across the country, meeting in London; we'd really appreciate it if you could speak to our nurses, doctors, dentists and all sorts, about cybersecurity."

With today seeing the UK's GCHQ unit NCSC issue fresh warnings over phishers using the current coronavirus situation as fresh bait to lure targets into opening malware-laden email attachments, Cosgrove's description of this incident ought to have corporate infosec teams paying more attention to how approachable they are to their own colleagues.

Making the point, Cosgrove says: "She didn't feel she could reach out to her security team and ask someone internally to deliver this presentation, and identify someone that was speaking in a language she could understand."

Proofpoint, says Cosgrove, found that "for hospitals and for surgeries, nurses and A&E and all of that, nurses are the most targeted roles. Why? Again, they have access to all of the data. The first people you see in a hospital is a nurse. They're looking at your records, updating your records. They're then directing you where you need to go within the hospital."

Proofpoint itself, an email security firm, has published research into phishing and some of its findings were rather topical.

Cosgrove described one such incident: "One interesting threat that we've seen is criminals pretending to be a hospital in Nashville, Tennessee. There's an Excel document within the email, which says 'Here are your HIV results; open the Excel document to view the results'."

She added:

The vast majority of people who do blood tests on a regular basis are going "oh my god, I need my results". They download the spreadsheet, enable macros, etc. The user doesn't know they've compromised themselves; their organisation doesn't know they've downloaded a remote access trojan; they're not doing anything that's going to trigger any alerts just yet. It's quietly monitoring all the credentials of the user. When the criminals steal those creds, they now have legitimate access to that person's webmail, enabling internal phishing from a real email address.

It's not just healthcare people either, Cosgrove told us: "Criminals are targeting HR professionals too. Their job is to open those emails, open those Word documents. Their job is to enable the macros so they can read the CVs!"

Linking this with the earlier example of the healthcare organisation whose staffers didn’t feel they could talk to their own IT security team, she says: "We blanket-train people into saying don't enable macros, don't open Word documents, yet HR professionals get emails they're not expecting every single day. Their job is to open them! So now you're telling me that I shouldn't do my job? This is why security loses credibility with the business."

"As a profession," she enthused, "we could get closer to the end user. We need to speak their language. We need to understand how they work. And we need to help them do their jobs securely. Again, telling HR not to open Word documents? That's pointless advice. But telling HR 'Hey, we've developed tech to sandbox attachments so you can safely open that email', that's more realistic."

While the covid-19 coronavirus pandemic continues infecting humanity, the other style of infection that Reg readers are used to hearing about (no, not Cupid's measles) continues unabated. Keep your teams alert and your co-workers in the loop. ®