Business Email Compromise (BEC) is the most financially damaging of online crimes according to the Federal Bureau of Investigation. Between June 2016 and June 2019 companies reported to the FBI $26.2 BILLION in losses because of such cybercrime. It is a costly and pervasive problem.
BEC takes many forms including invoice fraud, payroll diversion and gift card scams among others. The attacks all use some level of social engineering to fool the target recipient into revealing confidential information or redirecting funds to a threat actor-controlled account. Organizations small, medium, and large are all vulnerable to BEC.
According to Microsoft, the healthcare industry is the 6th most targeted by BEC attacks (Microsoft Digital Defense Report, September 2020). This is not surprising given the explosion of changes that occurred since the onset of COVID-19 in the U.S. in 2020. Both private and public healthcare organizations scrambled to manage the deluge of infected persons and inhibit transmission of the virus. Thousands of administrative personnel turned to remote work, requiring networks to pivot to allow access to work tools while securing the networks themselves. Unfortunately, in many cases, workers relied on personal email accounts and equipment, exposing those networks to potential attacks.
Agari by HelpSystems says that the COVID-19 pandemic amplified security risks. In a March 2020 blog, Agari said ransomware attacks rose 350% during Q4 of 2019 and HealthITSecurity.com reported 759 workers fell victim to phishing attacks in 2019, each attack averaging $41,000. In addition, email scams that bypassed security protocols increased 25% at the same time.
The threat actor preys on the healthcare industry because it is such a data- and finance-rich environment. The Ponemon Institute reports that data breaches at U.S. healthcare organizations cost an average of $13 million per incident, with more than 40 million patient records compromised (3 Must-Haves in Your Cybersecurity Incident Response, 2022). When you consider regulatory fines and legal compensation for not protecting personal health information, these average costs skyrocket.
Malicious actors target employees with transactional authority (i.e., accounts payable, check signers, authorized individuals) as well as employees with access to systems managing Personal Health Information (PHI) or W-2 employment data. Compromise messages can be very convincing and usually convey a sense of great urgency to get the victim to act before thinking or double-checking the credentials or source of the request.
Using impersonation, threat actors can convince a Chief Financial Officer that the Chief Executive Officer is requesting funds be wired to a new bank account (controlled by the threat actor). Told that the CEO is busy in a meeting, and not wanting to bother the CEO, the CFO could unwittingly comply with the malicious request.
Requests for records from insurance companies are a daily occurrence. Impersonating an insurance employee requesting personal health information to process medical claims, threat actors can gain access to names, addresses, birth dates and even social security numbers. Scammers can use the information themselves or sell it on the dark web.
Cyber threats to the healthcare industry put patient health, business continuity, and IT systems at risk leading the U.S. Department of Health and Human Services to establish a task force to develop and routinely update health industry cybersecurity practices. The full booklet is available here, but some of the highlights include:
- Provide social engineering and phishing training to all employees
- Establish a policy on suspicious email and ensure suspicious email is reported
- Ensure outside email is automatically marked before being received in the network
- Apply patches and updates as soon as they are released
- Implement an Intrusion Detection System and keep signatures and rules updated
- Employ spam filters, block suspicious addresses at a firewall and keep it updated
- Implement whitelisting technology to ensure only authorized software is allowed to execute on the network
- Implement and maintain a modern antivirus solution
- Implement access control on the principle of least privilege – this means giving a user account the minimum amount of access needed to perform their job functions.
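The two mail-handling practices above (marking outside email before delivery and reporting suspicious email) and the CEO-impersonation scenario described earlier can be combined into a simple triage step at the mail gateway or in a reporting workflow. The following is an added illustration, not tooling from Ramsey Consulting Services or the HHS booklet; the organization domain, the executive roster, the urgency word list and both sample messages are constructed for this example.

```python
"""Heuristic BEC triage: tag external senders and flag impersonation signals.

Added example (not from the original article). ORG_DOMAINS, EXECUTIVES and the
sample messages are constructed; the checks are common BEC indicators, not a
complete filter.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organization domain(s) and executive roster (constructed).
ORG_DOMAINS = {"example-health.org"}
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}  # display name -> real address
# Pressure phrases typical of BEC lures (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "asap", "in a meeting", "wire", "gift card")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Parse one RFC 5322 message and return its tagged subject, flags and score."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    flags = []

    # 1. Mark anything not sent from an organization domain as external.
    external = from_dom not in ORG_DOMAINS
    if external:
        flags.append("external-sender")

    # 2. A Reply-To on a different domain than From redirects the conversation.
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append("reply-to-mismatch")

    # 3. Executive display name paired with an address not on the roster.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        flags.append("exec-impersonation")

    # 4. Urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency:" + ",".join(hits))

    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"subject": subject, "flags": flags, "score": len(flags)}


# Constructed sample: CEO impersonation from a lookalike domain with a redirected Reply-To.
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe@example-health-ceo.com>
Reply-To: payments@mailbox-relay.example
To: cfo@example-health.org
Subject: Urgent wire transfer

I am in a meeting, please wire the funds immediately to the new account.
"""

# Constructed sample: ordinary internal message from the real executive address.
SAMPLE_INTERNAL = """From: Jane Doe <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Staff meeting notes

Notes from today's staff meeting are attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_INTERNAL):
        print(triage(sample))
```

The score is only a count of independent signals; in practice the external tag is applied unconditionally at the gateway, while the impersonation and Reply-To flags are the ones worth routing to the mailbox that receives reported suspicious email.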
A key takeaway to note about BEC protection solutions and employee training is that most executives mandate training for all employees but don’t participate in training themselves. This is a problematic trend since executive accounts are high-privilege, highly vulnerable, and highly attacked. The entire organization should be aware of the threats and thoroughly and routinely trained to prevent a breach.
Ramsey Consulting Services has helped numerous organizations identify vulnerabilities and craft personalized, thorough and effective protection solutions. Contact us today to learn how we can help protect your organization from business email compromise.