Safe Browsing Practices

Recognize unsafe websites, protect your login credentials online, and adopt browsing habits that keep the office network and patient data secure.

📘 Reading Lesson

Lesson Notes

Read through the key concepts before you try the challenge.

Real-World Scenario

You receive an email with a link to 'update your Outlook password.' The page that opens looks exactly like Microsoft's login page. Before you type your credentials, you notice the URL is 'microsoft-security-update.biz' — not microsoft.com. You close the tab, report the phishing attempt, and save the clinic from a potential credential theft. That split-second decision — checking the URL before entering a password — is the skill this lesson builds.

Recognizing Unsafe Websites

Not all websites are what they appear to be. Criminals create fake websites that look identical to real ones in order to steal login credentials, install malware, or collect sensitive information. Here is how to identify warning signs before it is too late:

  • Check the URL before entering any information — the domain name is the last part of the site address, just before the first single slash in the URL. 'https://cms.gov/billing-guide' has the domain 'cms.gov' — a real government site. 'https://cms-gov.billing-help.net/update' has the domain 'billing-help.net' — a completely different site with no connection to CMS, even though 'cms-gov' appears at the front of the address. Attackers use domains that look similar to real ones: microsofft.com, cms-gov.net, paypaI.com (that is a capital 'I', not a lowercase 'l'). Always verify the exact domain before entering credentials.
  • HTTPS (the padlock icon in the address bar) means the connection is encrypted — not that the site is safe. Many phishing sites now use HTTPS to appear legitimate. A padlock means no one can intercept the data between you and the site — but it says nothing about whether the site itself is honest. Do not trust a site simply because it has a padlock.
  • Watch for urgent or threatening language — websites that say 'Your account has been compromised! Click here immediately to restore access' or 'Your computer is infected — call this number now' are almost always scams. Legitimate services do not demand immediate action through alarming popup messages. Close such pages without clicking anything and report them to IT.
  • Pop-up windows claiming you have a virus are always fake — no website can scan your computer for viruses through a browser. These pop-ups are designed to frighten you into calling a fake 'support' number or downloading malware disguised as security software. Close the browser tab (use Task Manager if the tab will not close) and report the site to IT.
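
The URL check from the first bullet, written out as code. This is an added example, not part of the original lesson; the allowlist, the function names and the 0.85 similarity threshold are assumptions chosen for illustration, and the "last two labels" rule is a simplification that ignores suffixes such as .co.uk.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real office would list its own portals.
TRUSTED = {"cms.gov", "microsoft.com", "paypal.com"}

def registered_domain(url):
    """Return the last two labels of the host, lower-cased (simplified rule)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a URL."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(url)
    if domain in trusted:
        return "trusted"
    tokens = set(re.split(r"[.-]", host))
    for good in trusted:
        brand = good.split(".")[0]
        # A trusted name used as decoration inside someone else's domain.
        if brand in tokens:
            return "lookalike"
        # One or two characters away from a trusted domain (typo or swapped letter).
        if SequenceMatcher(None, domain, good).ratio() >= 0.85:
            return "lookalike"
    return "unknown"

# Constructed sample set built from the addresses quoted in this lesson.
SAMPLES = [
    "https://cms.gov/billing-guide",
    "https://cms-gov.billing-help.net/update",
    "https://microsoft-security-update.biz/",
    "https://microsofft.com/",
    "https://paypaI.com/",   # host names are case-insensitive: this is paypai.com
    "https://cms-gov.net/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):10} {registered_domain(url):28} {url}")
```

An 'unknown' result only means the domain is not on the allowlist and does not resemble it; it is not a statement that the site is safe.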

Protecting Your Login Credentials Online

Your login credentials — username and password — are the keys to every system you access. Protecting them online is one of the highest-impact security habits you can develop:

  • Never enter a password on a page you reached by clicking a link in an email — instead, open a new browser tab and type the website address directly. This ensures you are on the real site, not a fake one designed to look like it. This single habit prevents the vast majority of credential phishing attacks.
  • Use a unique password for every work system — if you use the same password for your EHR login and your email, and one of those systems is breached, attackers immediately have access to both. Many healthcare data breaches are traced to credential reuse. Use a password manager (covered in Module 8) to manage unique passwords without memorizing all of them.
  • Log out of sensitive systems when you finish — especially on a shared workstation. Leaving the EHR, insurance portal, or email logged in while you go to lunch means anyone who sits at that workstation can access patient data. Most clinical systems have short auto-logout timers, but you should always log out manually when you leave a workstation unattended.

Downloads and Attachments

Downloading files from the internet and opening email attachments are the most common vectors for malware entering an office network. Here is how to handle downloads safely:

  • Only download files from sources you trust and have verified — the vendor's official website, an email from a known contact at a known organization, or a file shared through your organization's official system. If you are unsure about a download, ask IT before opening it.
  • Be suspicious of unexpected files — if you receive an unexpected email with an attachment (even from a known sender), call or text the sender to confirm they actually sent it before opening. Attackers can spoof email addresses and compromise email accounts to send malware to your contacts.
  • The file extension matters — .pdf and .docx files from trusted sources are usually safe to open. .exe, .bat, .vbs, .zip containing .exe, and .js files are higher risk and should only be opened if IT or your supervisor has specifically authorized them. A fake invoice in a .exe file is a common malware delivery method.
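
How a mail gateway or help-desk script could apply the extension rule above, including the '.zip containing .exe' case. This is an added example, not part of the original lesson; the function names and sample file names are hypothetical, and the sample archive is constructed in memory with placeholder contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Higher-risk extensions named in the lesson.
HIGH_RISK = {".exe", ".bat", ".vbs", ".js"}

def risky_extension(name):
    """True if the final extension is on the high-risk list (case-insensitive)."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower() in HIGH_RISK

def review_attachment(name, data):
    """Return the reasons an attachment needs IT approval (empty list = none found)."""
    findings = []
    # Only the last extension decides how the file opens: invoice.pdf.exe is an .exe.
    if risky_extension(name):
        findings.append(f"{name}: high-risk extension")
    # Look inside archives so a risky file cannot hide behind a .zip name.
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if risky_extension(member):
                    findings.append(f"{name} contains {member}")
    return findings

def sample_zip(members):
    """Build a constructed in-memory zip whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member in members:
            archive.writestr(member, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(review_attachment("Invoice_0425.pdf.exe", b""))
    print(review_attachment("scan.zip", sample_zip(["readme.txt", "Invoice.EXE"])))
    print(review_attachment("report.pdf", b"%PDF-"))
```

An empty result means no listed extension was found; it does not replace confirming an unexpected attachment with the sender.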

Responsible Use

In a medical office, your online behavior affects not just your own security but the security of every patient's records in the system. A single malware infection from an unsafe download can encrypt every file on the network drive, demanding a ransom to restore access. These ransomware attacks have shut down hospitals and medical practices for days, causing delayed care and significant financial loss. Safe browsing is not a personal preference — it is a professional obligation when you have access to protected health information.

AI Assist

💡 AI Task: Ask ChatGPT — 'Create a one-page Safe Browsing Quick Reference guide for medical office staff. It should cover: how to check if a website URL is legitimate, why HTTPS does not mean a site is safe, what to do if you see a virus warning popup, how to handle unexpected email attachments, and the login habit that prevents phishing. Keep each item to 2-3 sentences.' Review the guide and compare it to the content of this lesson.

Knowledge Check

You receive an email from 'billing@insurance-claims-cms.net' asking you to log in to update your account. The login page looks exactly like CMS's real site. What should you do?

Challenge

Apply what you've learned in this lesson.

Practice URL analysis and build a Safe Browsing Quick Reference for your workstation.

  1. Analyze the following five URLs and identify which are legitimate and which are suspicious. Write one sentence explaining your reasoning for each: (1) https://www.cms.gov/Medicare/Billing (2) https://cms-medicare-update.net/login (3) https://mybenefits.bcbs.com/provider/login (4) https://bcbs-provider-portal.com/update-credentials (5) https://oig.hhs.gov/fraud/consumer-alerts/
  2. Search for 'URL phishing checker' and use a reputable free tool (such as Google Safe Browsing or URLVoid) to check two of the suspicious URLs above. Screenshot the results.
  3. In a Word document, write a 5-point Safe Browsing Checklist for Lakeside Medical Associates front desk staff. Each point should be one actionable sentence.
  4. Save the checklist as 'LMA_SafeBrowsing_2025-05.docx' and export as PDF.