Portal-based communication systems have become the latest targets of cybercriminals, despite their popularity for convenience and security. In a recent report, Cofense Inc. shows how attackers bypass these systems using trust in leading email security providers like Proofpoint, Mimecast, and Virtru.
What the evidence shows
The Cofense report details a wave of phishing attacks that impersonate the branding and workflows of trusted email security providers. Building on the credibility of well-known companies, attackers have managed to dupe users into leaking sensitive information via fake email attachments, phishing links, and credential-harvesting tactics.
How attackers exploited portal-based systems
Proofpoint impersonation
Attackers sent emails that spoofed Proofpoint's secure email branding, including malicious links and HTML attachments. These links directed victims to counterfeit login pages that resembled Proofpoint portals. Victims who entered their credentials inadvertently granted attackers access to sensitive accounts.
Mimecast spoofing
Emails claiming to originate from Mimecast included fake attachments and sophisticated language to appear legitimate. Subtle red flags, like mismatched sender domains or the use of free email services (e.g., Gmail), were overlooked by recipients.
Virtru imitation
Phishing emails used Google Docs links styled with Virtru branding. The links directed users to fake secure email portals designed to harvest credentials.
Why portal-based communication is vulnerable
Dependence on credentials
Portals require usernames and passwords to access content. This dependence makes them prime targets for phishing, where attackers replicate portal login pages to harvest credentials. Moreover, many users reuse passwords across platforms, increasing the fallout of a single breach.
Exploitation of brand trust
The attackers use trusted brand logos, colors, and layouts to exploit users' inherent trust. In this case study, victims would likely click through malicious emails, as these looked like familiar providers.
Unencrypted email
Portal notifications still often show up by email which attackers use for phishing. These emails can contain embedded malicious links or attachments camouflaged as routine notifications like accessing a secure document.
Secure email gateway (SEG) limitations
Even though SEGs work to filter out malicious emails, they are not error-free. According to Cofense, in 2023, malicious emails that bypassed SEGs increased by 104.5%. More specifically, the report notes that Mimecast impersonation attacks succeeded partly because SEGs did not flag cleverly disguised phishing emails.
User complacency
Most users tend to act before they think when branding recognition or familiar workflows are involved. For example, when the victims in the case study entered credentials into fake portals only because their design and branding were so convincing.
What we can learn from the Cofense report
Attackers' sophistication is increasing
The report showed a 49% increase in credential phishing attacks from 2022 to 2023, showing how attackers' success rates increase when portal systems rely on user authentication.
Techniques like embedding phishing links in Google Docs, as seen with Virtru, and using HTML attachments, as seen with Proofpoint, show how attackers adaptable attackers are. These strategies bypass traditional defenses, as evidenced by:
- A 104.5% increase in malicious emails bypassing SEGs.
- A 331% rise in phishing campaigns using QR codes to direct victims to counterfeit portals.
The healthcare industry is at risk
While other sectors also use portals, those related to healthcare and finance are the most targeted because of the high value of protected health information (PHI). More specifically, the report mentions an 85% increase in SEG bypasses in healthcare.
How to mitigate portal vulnerabilities
The report warns, "It only takes one breach to damage a company's financial status, brand reputation, and customer trust."
So, instead of using risky patient portals, providers should use HIPAA compliant emails for user-friendly, convenient, and secure patient-provider communication.
HIPAA compliant email solutions, like Paubox, offer encryption that eliminates unnecessary logins while reducing the risk of credential phishing. It also offers advanced threat detection to identify anomalies in email content.
Furthermore, it uses multifactor authentication (MFA) to reduce the likelihood of attackers using stolen credentials.
Ultimately, it allows providers to share information with patients and among care team members, leading to better coordination of care and improved health outcomes.
Go deeper: Why patient portals are inconvenient: An evidence-based perspective
FAQs
What are HIPAA compliant emails?
HIPAA compliant emails are secure email platforms that adhere to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA) to protect patients’ protected health information (PHI).
Can HIPAA compliant emails include attachments, like medical images or documents?
Yes, HIPAA compliant emails can include attachments containing medical images, documents, or other sensitive information, protecting patient privacy and preventing unauthorized access during transmission and at rest.
Can patients request additional support via email?
Yes, patients can directly email their providers for clarification, their provider can then respond with a HIPAA compliant email, offering support while maintaining patient privacy.
