The following is written by Marion K. Jenkins, PhD, FHIMSS, founder and CEO of QSE Technologies.
Do you have a scanner that can direct documents to your email? Do you use electronic faxing, or fax to email? Have you recently filed an insurance claim with your carrier, either for personal or business lines? Do you file your taxes electronically or do you make or accept ACH (automated clearing house) or wire transactions? Do you handle any of the following function(s) for your company or organization: human resources, safety, risk management, banking, finance, office leasing, channel marketing or procurement?
If the answer is yes to any of the questions above, and chances are good that that's the case in at least one of the instances, you may be vulnerable to a kind of email scam known as Spear Phishing — targeted phishing emails that are designed to trick you into going to a bogus site and entering your banking, personal and/or financial information. They differ from the generic phishing scams like the Nigerian Widow and its variants, which just target the general population. (As an aside, can you believe you still get those Nigerian Widow phishing emails? Do you know why? Because they still work.)
Here is how the scanner version of this scam works. Let's say you have a scanner or MFP (multi-function printer) that scans to your email. Depending on your system and how it's set up, you will typically get a rather cryptic email that says something like, "Document from HP Scanner" (or Xerox or Ricoh or Kyocera, depending on the brand). The scanned document will be attached, which of course you would normally open and/or save to your hard drive.
The problem is that the bad guys know more and more people have these types of technologies and use them all the time, and knowing the most popular printer company names, they can craft an email that looks like it comes from your scanner when it does not. Similarly, with the other scenarios listed in the first paragraph, since those are such common transactions, and knowing which large banks, insurance companies and other institutions you are likely to do business with, they can simply craft an email that seems legitimate. For example, if they correctly guess that you have recently filed an insurance claim with USAA, then they know you are likely to click on a link or attachment without really checking its validity.
They could also troll your social network posts and possibly determine your job function — human resources, for example — and then craft an email that would appeal to an HR professional, such as something about new state or federal regulations governing employees and benefits.
You can never fully prevent these emails from coming through. You have to apply common sense before clicking on any links or opening any attachments. A legitimate email coming from your insurance carrier or financial institution will typically not have an actual login screen; it should point you to their generic website where — if you've really done business with that company — you will be able to navigate around to the right place and log in manually.
You should also ensure that the website where you are entering any account information starts with https:// (the "s" means secure).
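As an added illustration of the scanner-notification spoof described above and the https:// check, here is a small triage script (example code written for this page, not the author's or QSE Technologies' own). It assumes a hypothetical organisation whose MFPs send from scanner@example.com and only ever attach PDFs or images, and it builds two constructed sample messages, one genuine and one spoofed, to run the checks against.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed for this example, not from the article: MFPs send from one internal address, PDFs/images only.
TRUSTED_SCANNER_SENDERS = {"scanner@example.com"}
SCANNER_WORDS = ("scanner", "hp", "xerox", "ricoh", "kyocera")
EXPECTED_ATTACHMENT_TYPES = {"application/pdf", "image/jpeg", "image/png", "image/tiff"}

def triage_scan_email(raw: bytes) -> list[str]:
    """Return the reasons a 'scan to email' message deserves a second look before opening."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    branded = any(w in f"{display} {msg.get('Subject', '')}".lower() for w in SCANNER_WORDS)
    # 1. Scanner branding in the display name or subject, but not sent by our own device.
    if branded and address.lower() not in TRUSTED_SCANNER_SENDERS:
        findings.append(f"scanner-branded message from untrusted sender {address}")
    # 2. Replies would be routed to a domain other than the visible sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != address.rsplit("@", 1)[-1].lower():
        findings.append(f"reply-to {reply_to} is on a different domain than the sender")
    # 3. A scan job delivers a document, not an archive or an executable.
    for part in msg.iter_attachments():
        if part.get_content_type() not in EXPECTED_ATTACHMENT_TYPES:
            findings.append(f"unexpected attachment type {part.get_content_type()}")
    # 4. Plain http:// links: any login form behind them is unprotected in transit.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in re.findall(r"http://[^\s<>\"']+", body.get_content() if body else ""):
        findings.append(f"insecure link {url}")
    return findings

def build_sample(from_hdr, filename, ctype, body, reply_to=None) -> bytes:
    """Construct a sample notification; test data for this example, not a real capture."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "user@example.com", "Document from HP Scanner"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    maintype, subtype = ctype.split("/")
    m.add_attachment(b"sample bytes", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()

GENUINE = build_sample("HP Scanner <scanner@example.com>", "scan001.pdf", "application/pdf",
                       "Scanned from MFP-2.")
SPOOFED = build_sample('"HP Scanner" <noreply@hp-scan-center.example.net>', "scan001.zip",
                       "application/zip", "Your document: http://hp-scan-center.example.net/login",
                       reply_to="collect@mailbox.example.org")
```

`triage_scan_email(GENUINE)` returns an empty list, while `triage_scan_email(SPOOFED)` returns four findings: the untrusted sender, the mismatched Reply-To domain, the .zip attachment and the plain-http login link.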
Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ambulatory surgery centers and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com or contact Marion at marion.jenkins@qsetech.com.