HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3).

In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016.

The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk.

What are Business Email Compromise Scams and How Do They Work?

A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization, the request is much less likely to arouse suspicion. Further, since a CEO, CTO or CFO email account is often involved, the email recipient is less likely to question the request.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Business email compromise scams often start with a phishing email. The aim of the phish is to obtain login credentials to email accounts, which can be provided by employees directly via a phishing website or obtained using malware.

Once access to an email account is gained, the attackers send an email request to another individual in the company requesting a bank transfer or asking for sensitive data to be emailed. This year has seen an increase in the latter during tax season. Email requests have been sent to HR and payroll departments requesting W-2 tax statements for all employees. Numerous healthcare organizations have been fooled into sending the data.

The majority of fraudulent transfer requests ask for payments to be sent to foreign bank accounts in China and Hong Kong. Just because a healthcare organization does not make wire transfers to Asia, does not mean they are not at risk. IC3 reports that fraudulent transfers have been sent to bank accounts in 103 countries. Even if wire transfers are not made and checks are issued, organizations are still at risk. The attackers choose the payment method most commonly used by the targeted organization.

Typical Business Email Compromise Scams

There are many different variants of business email compromise scams, although the most common scams reported to IC3 are:

Bogus Invoice Scams

A compromised email account is used to gather information on frequently used suppliers. An email is then sent to a member of the billings/finance department requesting a transfer be made to that supplier, including a change to the usual bank account. The typical transfer amounts can be checked from past invoices and set accordingly so as not to arouse suspicion.

Business Executive Scams

Business executive scams involve an email being sent from a compromised executive email account to a member of the payroll/billings department requesting a bank transfer be made. This could involve a new supplier or an existing supplier.

Vendor Invoice Scams

In this scam, the victim is a vendor or client. The compromised email account is scanned and details gathered on clients and vendors. An email containing an invoice is then sent to the vendor/client requesting urgent payment.  Vendors/clients may lack awareness of BEC scams and make payment.

Friday Afternoon Scams

Typically performed on a Friday afternoon after financial institutions have closed, or at the end of the business day, these scams often involve the impersonation of an attorney or law firm used by the organization. Time-sensitive payments are requested with the targets often pressured into keeping the payments secret.

Data Theft Scams

Compromised email accounts are used to send requests to payroll/HR departments requesting tax summaries for all employees who worked during the past fiscal year. Other PII of employees may also be requested. In the case of healthcare organizations, similar scams may be performed requesting patients’ PHI and can be sent to any individual who has access to EHRs.

How Can Organizations Mitigate Risk?

Raising awareness of business email compromise scams is essential, especially with the employees most likely to be targeted – payroll, billings and HR department employees. Internal prevention techniques should also be implemented to block the initial phishing attempts to prevent access to email accounts being gained.

Internal policies and procedures should be implemented that require a two-step verification process before any new transfer request or request for sensitive information is processed. IC3 recommends setting up non-email based out-of-band communication channels to verify significant transactions. Digital signatures should also be used by parties on each side of a transaction to verify identities. A secondary sign off policy should be implemented for all requests to send sensitive data via email.

Two-factor authentication should be considered for all email accounts to protect the account in the event that a password is compromised. To reduce the risk of passwords being guessed, password policies should be implemented ensuring only strong passwords can be set.

All requests to send data or make transfers should be very carefully scrutinized. Any out-of-the-ordinary request or change to business practices should prompt the recipient to independently verify the request or suggested change to business practices.

Spam filters and intrusion detection systems should be configured to flag or quarantine all emails using extensions similar to the company’s email to prevent spoofing.

Organizations should encourage all employees never to use the reply option when responding to email requests, instead using the forward option and manually typing in the email addresses or selecting the email address from a contact list.

A culture of security should be developed, with training provided to all staff warning of the risks of opening emails, attachments and clicking hyperlinks sent from unknown senders. The risks of business email compromise scams should also be clearly explained to all staff.

A system of reporting suspect emails should also be implemented to allow action to be taken to prevent other employees from falling for the same scam.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.