The Health Section

Phishing attacks are at an all-time high

You get an email that appears to be from your bank, saying there may be an unauthorized transaction on your account, and asking you to click on a link to verify your identity.

There was a 61 percent increase in phishing attacks from April through June 2016

Chances are the email was not sent by your bank. This is known as a phishing scheme, where a criminal attempts to get your personal information, according to the Federal Trade Commission (FTC).

There have been 873,488 unique phishing email campaigns and 755,436 unique phishing sites discovered from January through June 2016, according to the Anti-Phishing Working Group (APWG). There was a 61 percent increase in the amount of phishing attacks from April through June – an all-time high, according to APWG.

The number of phishing attacks also generally increases during the holiday season, according to APWG.

From January to June 2016:

873,488 unique phishing email campaigns discovered

755,436 unique phishing sites discovered

In addition to taking your personal information, successful phishing campaigns can also install malware on a victim’s computer. Malware includes viruses, spyware or any other unwanted software installed without consent, according to the FTC. The APWG found 18 million new malware samples from April through June – the equivalent of 200,000 new samples a day.

“There are millions of phishing emails sent out each day; it’s quite common,” said Jim Routh, Aetna’s chief security officer. “It takes about 1 minute 22 seconds for a phishing campaign to be successful.”

It’s a relatively quick process to determine if a phishing campaign was successful. On average, it takes about 90 seconds for a person to open a phishing email, read it, click a link and enter their log-in credentials.

How to spot a phishing attempt

The FTC has examples of common phishing emails. One of the most common techniques, Routh said, is called “domain spoofing.” This means the sender is using a forged email address to send the email. If the domain of the email does not match the context of the email, it’s likely a phishing attempt, Routh said.

For example, if you receive an email about your bank account and notice the sender’s email address includes a domain that’s different from the bank name, it’s likely a phishing campaign.

Aetna uses a “trusted email” capability, which prevents people from spoofing Aetna’s domain for phishing emails, Routh said.

“Any email from Aetna is from Aetna,” he said.

Another phishing technique involves the sender establishing credibility with an individual, Routh said.

“It takes about 1 minute 22 seconds for a phishing campaign to be successful.”

“As part of this campaign, a person may see five or seven emails and there’s nothing malicious about the emails,” he explained. “But by the sixth or seventh email, they put in a URL and that takes you to a site that downloads another session and installs malware or it takes you to a site to put in your credentials.”

A more sophisticated technique may ask a person to click on a link to watch a video. Although they may be watching a video after clicking the link, malware is being installed in the background, Routh added.

What you can do if you’re a phishing victim

If you suspect you were a victim of a phishing scheme, Routh advises changing your password. The FTC also recommends reporting the email to spam@uce.gov, as well as the company, bank or organization impersonated. People can also file a report with the FTC and visit the agency’s Identify Theft website since the stolen information could be used to commit identify theft.

18 million new malware samples discovered from April through June 2016 — or 200,000 a day

Routh emphasized changing your password and email is the “lowest bar of what should be done.” If a link was clicked on and malware was installed on the computer, it’s generally unknown to the user, Routh said.

“Malware is designed to be undetectable; that’s the problem,” he said. “Updating antivirus software and scanning your computer to determine if it’s infected or not should take care of it.”