Your Mission Should You Choose To Accept It
It's Friday afternoon and after a busy week you can't wait to start the weekend, and then the phone rings; it's a contractor you've dealt with recently. The contractor has received an email from one of your employees offering to share a file through a popular file-sharing platform, and adds: “thought you might want to know in case it's something malicious”.
It's not uncommon for employees in your business to share files through various online platforms to 'get the job done', but you're not sure why the employee would be dealing with this contractor. In speaking with the employee they inform you that they have no idea who you are talking about and they certainly didn't send any such email. The employee is a practice coordinator who communicates by email with every patient and practitioner who interacts with the service.
You obtain a copy of the email from the contractor. They've highlighted your colleague's work email address in the details, and it looks legitimate. You ask your Managed Service Provider (MSP) to investigate and a couple of hours later they demonstrate that the link goes to a page that looks like a genuine login page for your webmail, with username and password fields. The URL, however, is bogus.
After investigation you discern that:
The email was sent to at least 750 external recipients (that you know of) including suppliers, other practices and patients
The email is a type of phishing scam to harvest user credentials
You don't have any form of multi-factor authentication (MFA) in place
But you do have a robust password policy, the latest anti-virus and a modern security appliance
Reception staff admit receiving phone calls over the last few days from people who have received a confusing email
A few employees admit receiving the same email a few weeks ago; they clicked on the link and entered their credentials (the file they accessed wasn't particularly interesting though)
Your MSP is continuing to look for clues but can't see any obvious activity by 'bad actors'
There's a lot of confusion about the email and its impact.
The practice owner has asked you to manage the situation - so much for your weekend.
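The two checks the MSP's investigation relies on above, that the login link does not point at the practice's real webmail host and that one mailbox fanned the message out to a large number of external recipients, can be scripted over sent-mail logs. This is an added illustration, not material from the exercise; the host names, the internal domain and the log lines are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlparse

# Assumed placeholders: the practice's real webmail host and its mail domain.
LEGIT_WEBMAIL_HOST = "mail.example-practice.com.au"
INTERNAL_DOMAIN = "example-practice.com.au"

# Constructed sent-mail log: (sender, recipient, subject, link found in body).
SENT_LOG = [
    ("coordinator@example-practice.com.au", "contractor@builder.example",
     "Shared file", "http://mail.example-practice.com.au.login-portal.xyz/owa"),
    ("coordinator@example-practice.com.au", "dr.smith@otherpractice.example",
     "Shared file", "http://mail.example-practice.com.au.login-portal.xyz/owa"),
    ("coordinator@example-practice.com.au", "patient1@webmail.example",
     "Shared file", "http://mail.example-practice.com.au.login-portal.xyz/owa"),
    ("coordinator@example-practice.com.au", "nurse@example-practice.com.au",
     "Roster", "https://mail.example-practice.com.au/owa"),
    ("reception@example-practice.com.au", "patient2@webmail.example",
     "Appointment", None),
]

def is_external(address: str) -> bool:
    """A recipient is external when its mail domain is not the practice's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def link_is_bogus(url: Optional[str]) -> bool:
    """True when the link's host is not exactly the real webmail host.
    Exact comparison matters: a lookalike that merely *contains* or *starts
    with* the genuine host name (as in the constructed log) must still fail."""
    if not url:
        return False
    host = (urlparse(url).hostname or "").lower()
    return host != LEGIT_WEBMAIL_HOST

def external_fanout_with_bogus_links(log) -> dict:
    """Per sender, the set of distinct external recipients that were sent a
    message carrying a bogus login link. A large set for one mailbox is the
    signal that the account itself, not just the address, was used."""
    fanout: dict = {}
    for sender, recipient, _subject, url in log:
        if link_is_bogus(url) and is_external(recipient):
            fanout.setdefault(sender.lower(), set()).add(recipient.lower())
    return fanout

def flagged_senders(log, threshold: int) -> list:
    """Senders whose external fan-out of bogus-link mail meets the threshold
    (the scenario's real figure was at least 750; 3 suits the sample log)."""
    fanout = external_fanout_with_bogus_links(log)
    return sorted(s for s, rcpts in fanout.items() if len(rcpts) >= threshold)
```

On the constructed log the coordinator's mailbox is the only one flagged, which matches the finding that the message came from that account rather than merely spoofing its address.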
Please Decide Whether to Activate Your Data Breach Response Plan Now
Didn't bring your Data Breach Response Plan?
Don't worry!
Please use this sample plan taken from the ACNC website. This plan has been selected as it is 'typical' of what our consultants see in practice.
NB: Please do not use this template in your practice.