Having a Wonderful Time, Wish Your Data Were Here

Stu Sjouwerman | Aug 13, 2020

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an alert warning that someone is impersonating the OCR and sending fraudulent postcards to healthcare organizations around the country, the National Law Review reports. The postcards are addressed to organizations’ HIPAA Privacy and Security Officers and purport to come from the non-existent “Secretary of Compliance, HIPAA Compliance Division.”

The cards inform the recipient that their organization is due for a mandatory risk assessment, and they contain a URL, a phone number, and an email address for the recipients to set up such an assessment. Notably, the contact information doesn’t belong to the HHS or OCR, and neither does the return address. According to the OCR’s alert, the URL in the postcards leads users to “a non-governmental website marketing consulting services.”

The cards contain other social engineering tactics as well, such as a note outlining the financial penalties faced by organizations that violate HIPAA. The OCR says healthcare organizations should warn their employees to be on the lookout for these cards.

“HIPAA covered entities and business associates should alert their workforce members to this misleading communication,” the OCR stated. “This communication is from a private entity – it is NOT an HHS/OCR communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR. The addresses for OCR’s HQ and Regional Offices are available on the OCR website, and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov. Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.”
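The OCR's verification rule above (genuine OCR email addresses end in @hhs.gov) is simple to state but easy to apply sloppily: a plain "ends with hhs.gov" check accepts lookalikes such as nothhs.gov, and a careless URL check is fooled by a hostname hidden in the userinfo part of a link. The following Python is an added example, not code from KnowBe4, HHS or the original post. It extracts the email addresses and URLs from the text of a notice and reports any that do not belong to hhs.gov or one of its subdomains; treating hhs.gov as the trusted domain for URL hostnames as well as email addresses is an assumption that goes beyond the OCR statement, and both sample notices are constructed for the example.

```python
"""Triage the contact details in a notice that claims to come from HHS/OCR.

Added, illustrative example (not KnowBe4 or HHS code). The trusted domain,
the helper names and the sample notices below are assumptions for the demo.
"""
import re
from urllib.parse import urlparse

# Assumption: the OCR rule that its email addresses end in @hhs.gov is extended
# here to URL hostnames as well; hhs.gov and its subdomains are the only trusted hosts.
TRUSTED_DOMAIN = "hhs.gov"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def _host_is_trusted(host: str) -> bool:
    """True only if host is exactly the trusted domain or a subdomain of it.

    A bare endswith("hhs.gov") would also accept lookalikes such as 'nothhs.gov',
    so the comparison requires either an exact match or a leading dot."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def email_is_trusted(address: str) -> bool:
    """Check the domain part of an email address (everything after the single '@').

    Addresses with no '@' or more than one are rejected outright; an address such as
    'hhs.gov@attacker.example' is rejected because its domain is attacker.example."""
    address = address.strip()
    if address.count("@") != 1:
        return False
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return False
    return _host_is_trusted(domain)


def url_is_trusted(url: str) -> bool:
    """Check the hostname of a URL; a scheme-less 'www.hhs.gov/ocr' is tolerated.

    urlparse(...).hostname drops any userinfo and port, so a link written as
    'https://hhs.gov@evil.example/' is judged by its real host, evil.example."""
    url = url.strip().rstrip(".,;:)")
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlparse(url).hostname
    except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
        return False
    return bool(host) and _host_is_trusted(host)


def triage_notice(text: str) -> dict:
    """Extract every email address and URL from a notice and list the untrusted ones.

    An empty 'untrusted' list means every contact point found is on hhs.gov; it does
    not by itself prove the notice is genuine (the return address still needs checking)."""
    emails = EMAIL_RE.findall(text)
    urls = URL_RE.findall(text)
    untrusted = [e for e in emails if not email_is_trusted(e)]
    untrusted += [u for u in urls if not url_is_trusted(u)]
    return {"emails": emails, "urls": urls, "untrusted": untrusted}


# Constructed sample text in the style of the postcard described in the post.
SAMPLE_POSTCARD = """
MANDATORY HIPAA RISK ASSESSMENT NOTICE
Secretary of Compliance, HIPAA Compliance Division
Schedule your assessment at https://hipaa-assessment-portal.example/schedule
or email scheduling@hhs.gov.assessment-portal.example. Call 555-0100.
"""

# Constructed sample of a notice whose contact details are all on hhs.gov.
SAMPLE_GENUINE = "Questions may be sent to OCRMail@hhs.gov or see https://www.hhs.gov/ocr."

if __name__ == "__main__":
    for label, notice in (("postcard", SAMPLE_POSTCARD), ("genuine", SAMPLE_GENUINE)):
        result = triage_notice(notice)
        print(f"{label}: {len(result['untrusted'])} untrusted contact point(s)")
        for item in result["untrusted"]:
            print("  ", item)
```

The postcard sample is flagged on both counts even though "hhs.gov" appears in its email address, because the real domain is assessment-portal.example; the genuine sample passes. Run it against the text of any notice to get the list of contact points that need a second look before anyone calls, clicks or replies.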

So who needs email when the phish hook can be in an old-school postcard? New-school security awareness training works against old-school threats, too. It can teach your employees to be skeptical of any urgent notice that induces them to visit an unknown URL, however legitimate it might appear on the surface.
