date 2024-11-05

People are the key to a successful phishing attack, and they are also the key to preventing one, David Fine, supervisory special agent at the FBI, reasoned during a Nov. 1, 2024 session at the HIMSS Healthcare Cybersecurity Forum, held in Washington.

Fine's presentation focused on the psychology of social engineering and how cyberthreat actors take advantage of human nature to successfully execute their attacks.

Phishing and other types of social engineering schemes remain a top cyberthreat in healthcare and other sectors. The FBI's Internet Crime Complaint Center received nearly 300,000 phishing complaints in 2023, more than any other category of internet crime complaints.

An October 2024 alert by the HHS Health Sector Cybersecurity Coordination Center underscored the risk of sophisticated social engineering attacks by exploring the threat of Scattered Spider cyberthreat actors, who have targeted healthcare and other sectors repeatedly. Specifically, Scattered Spider has been observed using AI to spoof the voices of victims and obtain initial access to victim organizations.

A 2024 report by Mandiant found phishing to be one of the most common initial infection vectors. The report noted that contemporary phishing tactics have been able to challenge traditional security paradigms and reach a wider range of people via targeted schemes through multiple mediums.

Despite the known rise in social engineering attacks across the internet, when it comes to phishing emails, Fine said, it is human nature to assume that an email sender is not being deceitful.

"Assuming that an email is a genuine email -- we are wired to think that way," Fine said. "Why would someone send me an email that's lying to me? It goes against a social default position that we are all wired with in every aspect of our lives."

In fact, the best phishing emails do not provoke the recipient to scrutinize them at all.

"When you get a phishing email, it has been carefully crafted to prevent critical thinking. That's the goal," Fine stated.

"They will do that by leaning into the unconscious biases and the heuristics, but also preexisting trust relationships."

Essentially, cyberthreat actors find success in phishing by blending in. In the past, a cautious recipient might have received an email with blatant errors or a strange link and steered clear. Now, hackers are using technology like AI to craft phishing emails that look indistinguishable from a legitimate email, coercing even a skeptical user to click on a malicious link or scan a QR code.

"So the real challenge here is that a phishing email no longer looks any different than any other email that people receive in any other context."