Unexpected Ways Email Can Be Hacked and How to Stop Them

Apr 14, 2022

According to HIPAA Journal, nearly 45 million medical records were compromised across the 600+ breaches in 2021, making it the second-worst year for healthcare data breaches.


There are many different ways attackers can infiltrate a healthcare organization's network, but many involve email. 


This article will look at some of the more unexpected ways your medical practice can be hacked through email and the steps you can take to prevent this from happening.


Unexpected Email Attacks You Should Be Aware Of

Email is the most common delivery vector for malware. According to IT company PurpleSec, an alarming 92% of malware is delivered through email.


Attacks can come in many different forms and from many different sources. Cybercriminals and spammers are always coming up with new ways to trick you into opening a message and acting on it: clicking a link, opening an attachment, or typing a password where it does not belong.

Most malicious messages do no harm if nobody acts on them. The ones that are acted on can cost you an account, a workstation, or a patient database. Here are a few less obvious attacks you should be aware of.


Password Hash Theft

People often reuse one password across many accounts. When a site that stores password hashes is breached, attackers crack those hashes offline and then replay the recovered passwords against other services, email included. This is credential stuffing, and a password shared between a breached shopping site and a work mailbox hands over the mailbox for free.

Once inside an email account, an attacker can read messages that reveal which other services you use and trigger password resets for them, because the reset links arrive in the mailbox they now control. For a practice, that can extend to the patient portal or the EHR login, and from there to medical records.

Most providers, Gmail included, can alert you to sign-ins from unfamiliar devices or locations and to password-reset requests on accounts that list your address as a recovery contact. Turn those alerts on, and give the email account a password used nowhere else, since it is the account every other reset flows through.

 

Clickjacking

Clickjacking on the web tricks a user into clicking something other than what they see, typically by layering an invisible frame over a legitimate page. An HTML email can try the same trick: the attacker embeds an iframe whose URL points to a site hosting malicious content, or hides the real destination of a link behind trustworthy-looking text.

An iframe is an HTML element that embeds another web page inside the current one. It is commonly used for advertisements and for loading content from external sources. Most mail clients strip iframes and scripts from incoming messages for exactly that reason: they are a way to pull attacker-controlled content into the message view.

What survives filtering is the link itself. The visible text of a link can read like your patient portal's address while the underlying href sends the browser somewhere else. A user who clicks lands on the attacker's page, which can harvest credentials or serve an exploit for an unpatched browser. The attacker controls what that page does, not the user's computer outright, but for a phishing site that is enough.

A message can also point to a malicious attachment, either directly or through a link to a hosted file that the sender knows is unsafe. When the attachment is opened, the workstation is infected with malware.

Links arrive in several forms: in the message body, inside an attached document, or pasted into a forwarded email. Hover over a link to see its real target before clicking, and treat any attachment you were not expecting as suspect.

 

Password Sprays

Password spraying is not a program running on the user's computer; it is a login attack run from outside. Instead of hammering one account with thousands of guesses, the attacker tries one or two very common passwords (a season and year, the practice name followed by a digit) against every account in the organization, waits, and then tries the next. Each account sees only a failed attempt or two, so no lockout triggers and nothing looks unusual for any single user.

People reuse and simplify passwords because they think theirs is unlikely to be guessed. A spray does not need to guess yours; it needs one person in the organization to have picked a password from the attacker's short list, and in a practice of any size someone usually has.

To protect against password spraying, ban known-weak and common passwords at creation time, favor length over frequent forced changes (current guidance in NIST SP 800-63B drops mandatory periodic rotation, because it produces predictable variants such as Spring2022 becoming Summer2022), require multi-factor authentication, and watch authentication logs for one source failing against many different accounts.
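Because a spray keeps every individual account under its lockout threshold, the only place it stands out is in the authentication log, grouped by source rather than by account. The following Python is an added example for this article (not code from the original page) that parses a constructed sample of sign-in events in an assumed line format and flags any source that fails against five or more distinct accounts inside a ten-minute window, then lists the accounts that source later signed into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mail-server sign-in events (not real logs). The line
# format is assumed. One source (203.0.113.5) tries a single password against
# seven accounts and gets lucky on the last; a real user (198.51.100.7)
# mistypes twice and then signs in.
SAMPLE_LOG = """\
2022-04-14T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-04-14T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2022-04-14T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2022-04-14T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2022-04-14T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2022-04-14T09:00:06Z src=203.0.113.5 user=frank result=FAIL
2022-04-14T09:00:07Z src=203.0.113.5 user=grace result=OK
2022-04-14T09:05:00Z src=198.51.100.7 user=alice result=FAIL
2022-04-14T09:05:10Z src=198.51.100.7 user=alice result=FAIL
2022-04-14T09:05:20Z src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Return (timestamp, source, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source that fails against at least min_users *distinct* accounts
    inside any window. A spray makes one or two attempts per account, so a
    per-account counter (like account lockout) never trips; grouping the
    failures by source is what exposes it."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Accounts a flagged source later signed into: the password it guessed is
    now known to the attacker and those accounts need an immediate reset."""
    return sorted({user for _, src, user, result in events
                   if src in alerts and result == "OK"})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    alerts = detect_spray(events)
    for src, users in alerts.items():
        print(f"spray from {src}: {len(users)} accounts targeted: {', '.join(users)}")
    print("compromised:", successes_from_flagged_sources(events, alerts))
```

The thresholds (five accounts, ten minutes) are a starting point; tune them to your own log volume, and feed the same logic the sign-in events from your mail provider's audit log rather than a local file.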


Rogue Recoveries and Rogue Forms

Rogue recoveries and rogue forms both abuse something that looks legitimate, and both arrive without the user asking for them.

Account recovery is the flow that lets a user reset a password they have forgotten, typically by answering security questions, receiving a code by SMS, or clicking a link sent to a backup address. It exists because people forget credentials, and it is almost always weaker than the login it bypasses.

Attackers deliberately start the recovery flow on a target's email account and then satisfy it themselves: answering the questions, taking over the backup mailbox, or intercepting the SMS code.

Recovery questions are the weakest link. By one estimate, about 20% of recovery questions can be answered on the first try, because people base them on readily available information such as a school, a pet's name, or a mother's maiden name, much of which is sitting on their social media profiles.

A rogue form is a fraudulent document that claims to be legitimate: an intake form, an insurance verification, a "please confirm your details" page. It can appear to come from anywhere, even from a doctor's office the recipient already deals with.

Be careful when asked to send sensitive information like Social Security numbers, health records, or financial data through email or through a form linked from one. If the sender looks trustworthy, the user may click and fill it in without checking where the form actually submits. Prefer recovery methods you control (an authenticator app or hardware key rather than SMS or questions), and where a provider still insists on security questions, use random answers stored in a password manager.

 

Routing Hijacks

Email routing is the path a message takes from the sender's server, through any relays, to the recipient's mailbox, recorded hop by hop in the message's Received headers. A routing hijack is when that path is not what it should be: an attacker relays mail through infrastructure they control, spoofs your domain from a server that is not yours, or, after compromising a mailbox, adds forwarding or inbox rules that quietly copy or reroute messages.

Spam filters judge a message partly on its path and on whether the sending server is authorized to send for the domain in the From line. Mail that fails those checks, or that arrives in bulk with similar content, is classified as spam. A hijacked path can therefore make your own legitimate messages disappear into recipients' spam folders, while the attacker's spoofed ones ride on your reputation.

Victims often do not notice until someone complains that they are not receiving email, or until a forwarding rule is found copying every message to an outside address. Untangling it typically takes hours or even a day.

To keep your mail on the right path and out of the spam folder, publish SPF, DKIM, and DMARC records for your domain so receiving servers can verify that mail claiming to come from you really left your servers, review mailbox forwarding and inbox rules after any suspected compromise, and send from a return address that you actually monitor so recipients can reach you if something goes wrong.


Web Beacons

Web beacons are tiny, usually invisible image files referenced from an HTML email. When the mail client downloads the image, the sender's server learns that the message was opened, when, from which IP address, and often by whom, since the image URL carries a per-recipient token. Marketers use them to track behavior and target ads; attackers use them to confirm that an address is live and that its owner opens mail before sending the real phishing message.

Most mail clients can block remote images until you choose to load them. Gmail fetches images through its own proxy, which hides your IP address from the sender, and Outlook/Hotmail can block external content from senders who are not in your contacts. Enable remote-image blocking for your practice's mailboxes so beacons have nothing to report.
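The iframe, deceptive-link, and web-beacon problems from the two sections above all live in the message's HTML, so one filter can handle them. The following Python is an added example for this article (not code from the original page or from any mail client); it walks a constructed HTML message with assumed hostnames, drops iframes, scripts, and remote images, and records a finding for each removal and for any link whose visible URL does not match its real destination.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a mail client should never render from an untrusted message.
BLOCKED_TAGS = {"iframe", "frame", "script", "object", "embed", "form"}

# Constructed sample message (not a real phish): a link whose visible text is a
# trusted-looking URL but whose href points elsewhere, a 1x1 tracking image with
# a per-recipient token, and a hidden iframe. All hostnames are assumed.
SAMPLE_HTML = """<html><body>
<p>Your lab results are ready. Sign in at
<a href="http://portal-login.example.net/reset">https://portal.example-clinic.com</a></p>
<img src="https://track.example.net/open.gif?rcpt=12345" width="1" height="1">
<iframe src="http://bad.example.net/frame" style="display:none"></iframe>
<p>Thanks, Billing</p>
</body></html>"""


class EmailHtmlInspector(HTMLParser):
    """Rebuilds the HTML without blocked tags or remote images, recording a
    finding for everything removed and for links whose shown and real
    destinations disagree."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.output = []
        self._skip_depth = 0       # >0 while inside a blocked element
        self._link_href = None     # href of the <a> currently open
        self._link_text = []

    def _record_blocked(self, tag, attrs):
        target = attrs.get("src") or attrs.get("action") or "?"
        self.findings.append(f"removed <{tag}> pointing to {target}")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in BLOCKED_TAGS:
            self._record_blocked(tag, attrs)
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag == "img":
            src = attrs.get("src", "")
            if urlparse(src).scheme in ("http", "https"):
                tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                kind = "tracking pixel" if tiny else "remote image"
                self.findings.append(f"blocked {kind}: {src}")
                return  # tag is not emitted: no fetch, so no beacon
        if tag == "a":
            self._link_href = attrs.get("href", "")
            self._link_text = []
        self.output.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # <img .../> style tags have no closing tag, so never open a skip region.
        if tag in BLOCKED_TAGS:
            self._record_blocked(tag, dict(attrs))
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth:
            return
        if tag == "a" and self._link_href is not None:
            shown = "".join(self._link_text).strip()
            shown_host = urlparse(shown).hostname if "://" in shown else None
            real_host = urlparse(self._link_href).hostname
            if shown_host and shown_host != real_host:
                self.findings.append(
                    f"deceptive link: text shows {shown_host} but href goes to {real_host}")
            self._link_href = None
        self.output.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth:
            return
        if self._link_href is not None:
            self._link_text.append(data)
        self.output.append(data)


def inspect_email_html(html):
    """Return (sanitized_html, findings) for one HTML message body."""
    parser = EmailHtmlInspector()
    parser.feed(html)
    parser.close()
    return "".join(parser.output), parser.findings


if __name__ == "__main__":
    cleaned, findings = inspect_email_html(SAMPLE_HTML)
    for finding in findings:
        print("-", finding)
    print(cleaned)
```

The deceptive link is kept in the output but flagged, because stripping it would hide the evidence from whoever reviews the message; a gateway would more likely quarantine the whole message on that finding.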


How to Enhance Your Protection Against These Email Threats

Ensure Passwords Have Enough Complexity to Withstand Cracking

Password complexity requirements vary from site to site, but most require at least eight characters and some mix of upper and lower case letters, numbers, and symbols. Length matters more than symbol count: sixteen characters drawn at random from the full keyboard are far beyond what offline cracking can reach, while "Spring2022!" satisfies every composition rule and falls in seconds because it is on every cracking wordlist.

It is best to use a password manager's generator, which draws from a cryptographically secure random source, so that each password is unguessable and unique to its account rather than a variation on one you already use elsewhere.
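The following Python is an added example for this article (not code from the original page) showing the two halves of that advice: a generator that uses the operating system's secure random source, and a policy check that looks at length and a banned-password list rather than character classes alone. The banned list is a constructed stand-in; a real deployment checks against a breached-password corpus.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a breached-password list; a real check uses the
# full Have I Been Pwned corpus or the directory's banned-password list.
KNOWN_WEAK = {"password", "Password1!", "Welcome2022!", "Spring2022!", "Clinic123!"}


def meets_policy(password, min_length=12):
    """Length plus a known-weak check, with composition rules only as a
    fallback for shorter passwords. 'Spring2022!' has all four character
    classes and still fails, because it is on the list."""
    if len(password) < min_length or password in KNOWN_WEAK:
        return False
    if len(password) >= 20:
        return True  # a long passphrase needs no composition rule
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    return sum(classes) >= 3


def guess_space_bits(password):
    """log2 of the search space an attacker must cover if the password was
    chosen uniformly at random from the classes it contains. This is an
    upper bound: a human-chosen password is far weaker than this suggests."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def generate_password(length=16):
    """secrets draws from the OS CSPRNG. random.choice is seeded predictably
    and must never be used for credentials."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{guess_space_bits(pw):.1f} bits")
```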


Block Outbound Authentication Logins at the Perimeter of Your Network

At the network perimeter, block workstations from making outbound mail-protocol connections (SMTP on port 25, POP3, IMAP, and telnet) directly to the internet. Only your mail server or filtering service should speak SMTP to the outside world; clients submit mail to that server and nowhere else. Malware on a workstation then cannot send spam, phish, or exfiltrate data over a mail connection of its own, and stolen credentials cannot be used from inside your network against outside mailboxes without tripping the firewall.

The same logic applies inbound. Every service your mail server exposes to the internet will be probed, and an attacker who gets onto the mail server can read every mailbox on it. Limit what is reachable to mail delivery and submission, keep administrative interfaces on the internal network or behind the VPN, and keep the server patched.


Protect Online Portals With VPNs

VPN stands for Virtual Private Network. It creates an encrypted tunnel between a user's device and your network, so traffic to internal systems never crosses the open internet in the clear. This is especially useful for staff working from home or shared WiFi networks.

Inside the tunnel, traffic is encrypted and cannot be read or altered by anyone on the path, such as whoever runs the coffee-shop hotspot. A VPN does not hide what you do from the service you connect to, and it does not stop phishing or malware. Its value for a practice is that online portals, webmail, and remote-desktop gateways can be placed behind it instead of being exposed to the whole internet, where they would otherwise be the first target of password sprays.

For that reason, VPN access (itself protected by multi-factor authentication) is recommended for remote work. Medical practices with a hybrid workforce benefit the most.


Enable Account Lockout Threshold Policy

An account lockout threshold policy dictates how many failed sign-in attempts, within a given period, will lock an account, and for how long.

It does not force a password change. It simply refuses further sign-ins, including correct ones, until the lockout period expires or an administrator unlocks the account. That stops brute-force guessing against a single account, where an attacker would otherwise try thousands of passwords in a row.

Once the threshold is reached, the server answers every further attempt with a message that the account is locked, whether or not the password was right. Two caveats follow. First, an attacker who knows the threshold can lock your own staff out on purpose by sending bad passwords, so pair lockout with alerting rather than relying on it alone. Second, a password spray stays below the threshold by design, one or two attempts per account, so lockout never fires; catching sprays needs monitoring across accounts.

Cloud providers such as Microsoft 365 and Google Workspace apply throttling or smart lockout by default, and on-premises directories expose the threshold as a setting. Check what your own mail system does, and if you see bursts of failed sign-ins against many accounts, contact your email provider or security team immediately.
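The following Python is an added example for this article (not code from the original page or any directory product) that models the three settings most directories expose for lockout (threshold, reset window, lockout duration; names assumed) and runs two constructed scenarios through it: a brute force against one account, which locks on the fifth failure and then refuses even the correct password, and a spray across seven accounts, which never locks anything.

```python
from collections import defaultdict


class LockoutPolicy:
    """Per-account failed sign-in counter modelled on the usual three settings:
    lockout threshold, reset-counter window, lockout duration (times in seconds)."""

    def __init__(self, threshold=5, reset_window=600, lockout_seconds=900):
        self.threshold = threshold
        self.reset_window = reset_window
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)   # account -> recent failure times
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'fail' or 'locked'. A locked account rejects even a
        correct password until the lockout expires."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        # keep only failures inside the reset window, then add this one
        recent = [t for t in self._failures[account] if now - t <= self.reset_window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account].clear()
            return "locked"
        return "fail"


def brute_force_demo():
    """Six wrong passwords against one account, ten seconds apart: the fifth
    attempt locks it, and the correct password is refused until expiry."""
    policy = LockoutPolicy(threshold=5, lockout_seconds=900)
    results = [policy.attempt("alice", False, t) for t in range(0, 60, 10)]
    refused_correct = policy.attempt("alice", True, 70)
    after_expiry = policy.attempt("alice", True, 40 + 900 + 1)
    return results, refused_correct, after_expiry


def spray_demo():
    """One wrong password against seven accounts: nobody reaches the threshold,
    so lockout never fires. Only cross-account monitoring sees this."""
    policy = LockoutPolicy(threshold=5)
    accounts = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
    results = [policy.attempt(account, False, 0) for account in accounts]
    locked = [account for account in accounts if policy.is_locked(account, 1)]
    return results, locked


if __name__ == "__main__":
    print("brute force:", brute_force_demo())
    print("spray:", spray_demo())
```

The `refused_correct` result in the brute-force scenario is the denial-of-service caveat in code: whoever can send five bad passwords can keep a clinician out of their mailbox for fifteen minutes at a time.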


Enable Email Monitoring to Detect Attacks

Email monitoring is the continuous scanning and review of incoming (and outgoing) mail. It can identify malicious attachments, links to phishing pages, messages that fail sender authentication, mailboxes that suddenly start sending in bulk (a sign they have been compromised), and spam.

Attacks can be identified and stopped at the email layer before anyone clicks, but this takes careful planning and setup: a gateway or API-based filter, sender authentication checks, sandboxing of attachments, and someone to review the alerts. If setting up an email security system on your own seems overwhelming, you may want to consider a hosted email security solution designed for healthcare.

Such services monitor and filter messages on your behalf, so they can catch and block dangerous emails before they have a chance to cause serious damage.
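One check a monitoring pipeline makes on every inbound message ties the "Routing Hijacks" section to this one: read the path and the authentication verdicts the receiving server recorded, and compare them with what the From line claims. The following Python is an added example for this article (not code from the original page or from any mail gateway). It uses only the standard library's `email` module, and the two messages, hostnames, and practice domain are constructed and assumed; `SPOOFED` claims to be from the practice but entered through an outside relay with a failed DMARC check, while `LEGIT` originated on an internal host.

```python
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-clinic.com"   # assumed: the practice's own mail domain

# Constructed messages (not real mail). Hostnames and addresses are assumed.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example-clinic.com (mx1.example-clinic.com [192.0.2.10])
 by mail.example-clinic.com with ESMTP id abc123; Thu, 14 Apr 2022 09:00:10 +0000
Received: from relay.example.net (relay.example.net [198.51.100.25])
 by mx1.example-clinic.com with ESMTP; Thu, 14 Apr 2022 09:00:05 +0000
Authentication-Results: mx1.example-clinic.com; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example-clinic.com
From: "Dr. Smith" <dr.smith@example-clinic.com>
To: billing@example-clinic.com
Subject: Updated wire instructions

Please update the account on file today.
"""

LEGIT = """\
Return-Path: <dr.smith@example-clinic.com>
Received: from ws42.example-clinic.com (ws42.example-clinic.com [10.0.0.42])
 by mail.example-clinic.com with ESMTPSA; Thu, 14 Apr 2022 09:10:00 +0000
Authentication-Results: mail.example-clinic.com; spf=pass; dkim=pass; dmarc=pass
From: "Dr. Smith" <dr.smith@example-clinic.com>
To: billing@example-clinic.com
Subject: Friday schedule

See attached.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def parse(raw_message):
    return email.message_from_string(raw_message)


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path header, lowercased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def received_chain(msg):
    """(from_host, by_host) per hop, oldest hop first. Each receiver prepends
    its own Received line, so header order is newest first and is reversed."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return list(reversed(hops))


def auth_results(msg):
    """Verdicts the receiving server recorded, e.g. {'spf': 'pass', 'dmarc': 'fail'}."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(value):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def assess(raw_message):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = parse(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs from From domain {from_dom}")
    verdicts = auth_results(msg)
    if from_dom == OUR_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append(f"claims {OUR_DOMAIN} but DMARC verdict is {verdicts.get('dmarc', 'missing')}")
    chain = received_chain(msg)
    if from_dom == OUR_DOMAIN and chain and not chain[0][0].endswith("." + OUR_DOMAIN):
        findings.append(f"claims {OUR_DOMAIN} but the first hop was {chain[0][0]}")
    return findings


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, assess(raw) or "no findings")
```

Received headers added by servers outside your control can be forged, so the chain is only trustworthy from your own perimeter server inward; the DMARC verdict is the check that does not depend on the sender's honesty, which is why the section above asks you to publish the records that make it possible.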


Minimize Posting of Phone Numbers and Addresses

As much as possible, do not post sensitive information on social media. This includes landline and mobile numbers, your home address, and the kind of personal detail that answers recovery questions: school, first car, pet's name.

Social media is a valuable tool for sharing content, but everything you post is reconnaissance material for anyone targeting you.

An attacker who wants your accounts starts by collecting what is public. A phone number supports SIM swapping and intercepting recovery codes, an address and birthday satisfy identity checks, and together they can be enough to reset the password on your email account.


Require Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) is not all-encompassing. Real-time phishing kits can relay a one-time code to the real site as the victim types it, and attackers have worn users down with repeated push notifications until one is approved. Hardware security keys and other phishing-resistant methods are not fooled by a look-alike site, which is why they are preferred for administrators and anyone who can approve payments.

Nevertheless, most of the threats described above, including credential stuffing, password sprays, and recovery abuse, are stopped outright by deploying MFA.

MFA verifies identity with more than one kind of evidence: something you know (a password), something you have (a phone, an authenticator app, or a hardware key), or something you are (a fingerprint). Security questions are not a second factor; they are just another thing you know, and often something other people know too.

In practice, after the password is accepted you are posed a challenge: a six-digit code from an authenticator app, a push prompt to approve, or a tap on a hardware key. An app code is derived from a secret shared with the server and the current time, so it changes every 30 seconds and a stolen password on its own is useless.

In other words, MFA requires the user to provide more than one type of authentication to gain access to a service, account, or system. It is a powerful defense against phishing attacks, brute force attacks, and account takeover.
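To make the time-based code concrete, the following Python is an added example for this article (not code from the original page or from any authenticator product) implementing the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 with the standard library, plus a small server-side verifier that tolerates one step of clock skew and refuses to accept the same step twice, so a code phished and replayed within its 30-second life is rejected. The secret is the ASCII test secret published in those RFCs so the codes can be checked against the documented values; a real deployment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII secret from the RFC 4226/6238 test vectors, so the codes
# below can be checked against the published values. Real secrets are random.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (offset from the low nibble of the last byte, 31-bit value)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the
    authenticator app on the phone computes."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side. Accepts the current step or one step either side for clock
    skew, and never accepts the same step twice for a user (replay protection)."""

    def __init__(self, step=30, digits=6, skew_steps=1):
        self.step, self.digits, self.skew = step, digits, skew_steps
        self._last_step = {}   # user -> highest step already consumed

    def verify(self, user, secret, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            expected = hotp(secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if step <= self._last_step.get(user, -1):
                    return False   # this step was already used: replay
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET, time.time()))
    v = TotpVerifier()
    code = totp(RFC_SECRET, 59)
    print("first use:", v.verify("alice", RFC_SECRET, code, now=59))
    print("replay:   ", v.verify("alice", RFC_SECRET, code, now=70))
```

The replay check is what distinguishes a serious verifier from a toy: RFC 6238 says explicitly that a server must not accept a code for a time step it has already accepted, because within the 30-second window an intercepted code is otherwise as good as the original.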


Deploying MFA and educating your personnel will make a significant difference in keeping your practice safe from most threats. 


This leads us to our next point.


Comprehensive Cybersecurity Training

Email is an essential part of everyday life. If you’re using it for work, you must ensure you’re following best practices, which can be easily learned through cybersecurity training.


Cybersecurity training is a huge component of keeping your practice safe. However, many healthcare organizations still don’t know where to start when it comes to cybersecurity. 


There are many courses available that can help you learn the basics, but you may need more specialized training if you’re dealing with specific issues. 


Additionally, given the value of medical information, the health sector faces particular cybersecurity threats, so it's crucial to have cybersecurity training tailored primarily to healthcare organizations.


Supplement In-House IT With Healthcare Cybersecurity Specialists

Email is the primary method of communication for healthcare professionals, and it’s often the weak point in the security of some medical practices. This is especially true for small practices, where the majority of the IT staff may be limited to a single person.


You’ve probably worked with your in-house IT for quite some time. You trust them because you’ve been working with them for years. While it’s essential to have an IT team within your organization, they may not have the skills required to effectively protect a medical practice against complex threats. 


The good news is that there are managed security service providers (MSSPs) that understand the nuances of healthcare. Plus, an MSSP is available to protect your systems 24/7!


A lot of innovation is needed to stay on top of the ever-changing threat landscape. MSSPs have the expertise, tools, and resources to keep up with evolving threats. They allow your in-house IT team to take care of the day-to-day operations, while MSSPs handle the bigger picture. 


Having Difficulty Implementing Email Security? Let ER Tech Pros Handle IT

Medical practices that fail to protect their data may face a massive financial loss, along with penalties from government agencies, lawsuits, and even criminal charges.


No one wants their sensitive patient information to end up in the wrong hands. After working with hundreds of medical professionals, our experts at ER Tech Pros deliver top-notch support to numerous healthcare organizations.


Schedule a quick no-obligation cybersecurity assessment with us and see how we can help you fight cyber threats.
