HPH Sector Warned About Business Email Compromise Attacks
The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health (HPH) sector about business email compromise (BEC) attacks. BEC is a form of spear phishing that uses social engineering and deception to trick individuals into disclosing sensitive information or making fraudulent wire transfers. While these attacks tend not to cause the same level of disruption as malware or ransomware attacks, they are one of the most damaging and expensive types of cybercrime and cost businesses billions of dollars each year. According to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), there were 277,918 domestic and international incidents reported between October 2013 and December 2022 resulting in more than $50 billion in losses, including 137,601 incidents in the United States and more than $17 billion in reported losses.
BEC attacks target human weaknesses, such as the tendency to trust authority figures, act impulsively, and respond emotionally to urgent requests. These attacks often start with a phishing email and the theft of credentials, although spoofing is also used to impersonate an authority figure without access to their email account. The alert details five types of BEC attacks – attorney impersonation, CEO fraud, data theft, account compromise, and false invoices, and provides examples of each and the substantial losses caused.
As with other types of spear phishing attacks, BEC attacks target individuals and attempt to get them to take action without questioning the request, which usually involves the impersonation of an authority figure such as an attorney, the CEO, or another C-Suite member. Attorney impersonation BEC attacks see the attacker pose as a lawyer or member of the legal team and pressure the victim into sending sensitive data or making a fraudulent wire transfer. The emails are marked as confidential and urgent and rely on individuals acting on the request to avoid any negative consequences.
CEO fraud is another type of BEC attack, where the CEO or another C-suite member is impersonated and a request is made to send sensitive data, purchase gift cards, or make a fraudulent transfer. These attacks take advantage of employees’ unwillingness to question requests from members of the C-suite. One example of CEO fraud in an attack on a healthcare organization involved the impersonation of a contractor constructing a new campus. The attacker spoofed the contractor’s domain and impersonated the firm’s CFO. A request was made to change the bank account details for upcoming payments, resulting in millions of dollars being sent to the attacker’s account.
Some BEC attacks target sensitive data, such as employee information. HR and finance personnel are targeted and requests are made to send employee data such as W2 forms, which contain the information needed to commit identity theft. Account compromise is commonly used in BEC attacks, where access is gained to a legitimate email account through phishing or other means. The email account is then used to request payments on behalf of vendors. False invoices are common, especially when working with foreign suppliers. The attackers present themselves as a vendor and use official invoice templates with the account details changed.
In contrast to standard phishing attacks, BEC attacks involve considerable research and planning. Targets are researched using publicly available information from a variety of sources and the information is used to craft phishing emails to gain access to the email system. Email accounts contain a wealth of information that can be used in the scam, with the attacker often using one email account to conduct phishing internally to gain access to the credentials of the CEO or another executive. The attacker can look at emails in the accounts and learn about the writing style of the account holder and internal protocols, then emails are sent to targeted individuals within the company requesting sensitive information or wire transfers. BEC attacks can span days or weeks and may involve a request in a single email or communication over a series of emails to build trust. In the case of fraudulent transfers, once the transfer is made, funds are rapidly transferred to other accounts and withdrawn, making it difficult to recover fraudulent payments.
Since these attacks often involve sending emails from compromised internal email accounts and those of trusted vendors, email security solutions may fail to detect the emails as malicious, especially as malware and malicious links are not used. Email security with AI and machine learning capabilities may be able to identify and block these messages or apply warning banners to alert employees to potential scams. To prevent spoofing, email authentication protocols should be used such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC), and multi-factor authentication should be implemented on all email accounts to prevent stolen credentials from granting access to accounts.
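As an added illustration of the email authentication point above (this code is not part of the HC3 alert or this article), the following Python checks published SPF and DMARC records for settings that still leave a domain open to spoofing; the records and the example.test domain are constructed samples, not any real organization's DNS.

```python
"""Flag SPF and DMARC settings that leave a domain spoofable.
Added example; the TXT records below are constructed, not real DNS data."""

# Constructed sample TXT records as DNS would return them for example.test.
SPF_WEAK = "v=spf1 include:_spf.mailprovider.test ~all"
SPF_STRONG = "v=spf1 include:_spf.mailprovider.test -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return weaknesses in an SPF record; an empty list means it fails spoofed mail."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell authorized senders from spoofers"]
    last = record.split()[-1].lower()  # the 'all' mechanism decides unmatched senders
    if last in ("+all", "all"):
        return ["+all: any host on the internet may send as this domain"]
    if last == "~all":
        return ["~all (softfail): spoofed mail is only tagged, not rejected"]
    if last == "?all":
        return ["?all (neutral): spoofed mail is treated as if no SPF existed"]
    return []


def assess_dmarc(record: str) -> list:
    """Return weaknesses in a DMARC record; an empty list means policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: SPF/DKIM results are never enforced against spoofing"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none":  # subdomain policy inherits p by default
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    return findings
```

Running the assessors against the weak records reports the softfail and monitor-only settings, while the strong pair returns no findings.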
These attacks target employees, so the first line of defense is a well-informed workforce. Employees should receive regular training to educate them about the risks of BEC attacks, social engineering, and phishing, and simulations of phishing and BEC attacks should be sent to workforce members to reinforce training and give them practice at identifying and reporting BEC and phishing attempts. Employees who fail to correctly identify and report a simulated attack can then be given targeted training.
Speed is of the essence if an organization falls victim to a BEC attack. The appropriate financial institution should be contacted and told to block the payment and contact the recipient financial institution, a complaint should be filed with IC3, and the local FBI field office and Secret Service field office Cyber Fraud Task Force should be notified. The Secret Service and FBI have been able to successfully block and recover funds when notified promptly about fraudulent wire transfers.