Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years.

Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013.

These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack.

The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare.

For the report, Proofpoint analyzed more than 160 billion emails sent by organizations in 150 countries between Q1 2017 and Q4 2018. The number of healthcare email fraud attacks in Q4 2018 was 473% higher than in Q1 2017.

Healthcare organizations were targeted in an average of 96 email fraud attacks every quarter. 53% of healthcare organizations saw their attack volume rise by between 200% and 600%. Within targeted healthcare organizations, an average of 65 staff members were attacked in Q4 2018. None of the healthcare organizations studied experienced a decrease in email fraud attacks over the period of study.

On average, 15 healthcare staff members were spoofed in the attacks, and at 49% of the organizations attacked at least 5 identities were used. Over three quarters of healthcare organizations had more than 5 employees targeted in the attacks; the median number was 23. Most employees were targeted because of their role within the organization.

95% of targeted healthcare organizations experienced attacks using their own trusted domain, and 100% of attacked organizations had their domain spoofed in attacks on their business partners and patients. Proofpoint rated 45% of all emails sent from healthcare domains as suspicious in Q4 2018; of those, 65% were sent internally to employees, 42% to patients, and 15% to business partners.

Proofpoint analyzed email fraud attacks in multiple industry sectors. Healthcare was the only industry where there was a correlation between company size and the number of attacks, with larger organizations being targeted much more often than smaller healthcare organizations.

The most commonly used categories of subject line in the emails were ‘Payment’, ‘Request’, and ‘Urgent.’ Blank subject lines were also common. The emails were mostly sent during business hours, Monday to Friday. 70% of messages were sent between 7am and 1pm.

33% of emails were sent from free-to-use email accounts such as those offered by Gmail, AOL, Inbox, RR, and Comcast, with the display name changed to impersonate a trusted sender.

In addition to spoofing a healthcare domain, lookalike domains are often used: domains with misspellings, transposed letters, or additional characters added to the domain name. 67% of healthcare organizations experienced attacks using lookalike domains.

Protecting against email fraud attacks requires multi-layered defenses. Staff should receive training and be taught to recognize the signs of a possible email fraud attack. Email fraud attack simulations can also help to reinforce training and identify weak links: individuals who require further training.

DMARC should be adopted to prevent impostors from spoofing the organization's own domain, and healthcare organizations should consider buying and parking variants of their domain. Domains similar to those used by healthcare organizations should be monitored, as they may be registered by fraudsters, and email filters should be configured to reject messages sent from those risky domains.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.