In November, at least 35 healthcare facilities in the U.S., U.K. and Canada were targeted by cybercriminals executing Business Email Compromise (BEC) campaigns. The organizations, which included hospitals, specialty care providers, walk-in clinics and pharmaceutical companies, were defrauded by attackers who impersonated executives within the organizations.
Cybercriminals are drawn to and attack the healthcare industry for many reasons, but primarily because they allocate a bulk of their resources to patient care and innovation, which often leaves information security underfunded. However, by becoming educated about BEC scams and the tools available to mitigate this threat, healthcare organizations can drastically reduce email fraud and associated financial losses.
BEC is defined by the FBI as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments. As such, BEC scams typically involve an attacker hacking into or spoofing an official business email account to request a fraudulent wire transfer of funds from that business to a bank account the attacker controls.
To pull off their scams without arousing suspicion, fraudsters often conduct research via the targeted company’s website and social media to secure organizational charts that indicate employees’ titles and roles, as well as the chain of command within a company. Some attackers even call their target’s human resources department to obtain personal information about employees that may help them better position their requests for fraudulent payment. With this research in hand, attackers are able to piece together enough intricacies of an organization to understand under what auspices to request the transfer and who the initiating and receiving parties should be.
The main forms of BEC include:
- The Bogus Invoice Scheme: Often referred to as “The Supplier Swindle” or “Invoice Modification Scheme,” attackers identify vendor partners of their target and pose as these vendors via email to request payment on an invoice.
- CEO Fraud: Known alternately as “Business Executive Scam,” “Masquerading” or “Financial Industry Wire Frauds,” this form of BEC involves a cybercriminal impersonating a member of the executive team within the target organization and using this spoofed email account to initiate a wire transfer to an account the attacker controls.
- Account Compromise: This version entails a fraudster hacking into an employee’s email account and sending email requests to multiple vendors for invoice payment to be made to an attacker-controlled account.
- Attorney Impersonation: To execute this form of BEC, attackers contact employees within the target company claiming to be a legal entity handling confidential, time-sensitive matters that require a transfer of funds into an account owned by the attacker.
- Data Theft: Cybercriminals seek out HR representatives or administrators with access to personal employee information and use this intelligence as a jumping-off point for the aforementioned forms of BEC.
Targeting the Healthcare Industry
As organizations within the healthcare industry place much of their focus and financial resources on patient care and working toward advancements in medicine, they often neglect to allocate the necessary portion of their budgets to cybersecurity. These security vulnerabilities make healthcare organizations the perfect target for BEC scams. For these specific cyberattacks, two main BEC strategies have been identified:
- In the first tactic, attackers spoof the “From” field on an email to make it appear as though the email is being sent by an executive while the “Reply To” field contains the attacker’s email address. Although the employee intends to respond to the executive who they believed sent the email, their reply containing sensitive information is actually sent to the attacker.
- The second tactic entails fraudsters utilizing a domain name that is similar to that of the targeted healthcare institution — often varying only by one letter that is not readily detectable by the recipient. For example, cybercriminals used this technique on several National Health Service (NHS) institutions with the copycat domains appearing as <name of hospital> co instead of nhs.uk.
In both strategies, attackers utilize a simple subject line conveying a sense of urgency that encourages the recipient of their spoofed email to act quickly. Some examples of the subject lines used in BEC schemes include:
- Extremely Urgent
- Treat as Urgent
- Due Payment
- Urgent Payment
This push for quick action — coupled with the fact that the email appears to be sent from a high-level member of their company — discourages employees from fully considering and verifying the details of the request. In turn, many inadvertently reply to the attacker, providing them with the account information needed to fraudulently obtain the organization’s funds.
Unfortunately, since there are many variations of BEC scams — and fraudsters work hard to create credible, inconspicuous email messages — BEC is particularly difficult to monitor and mitigate without employee awareness of the threat and the advanced cybersecurity solutions. Traditional security software typically does not detect BEC tactics because these spoofed emails don’t contain typical malicious content such as URLS within an email and email attachments.
To combat BEC scams and other emerging threats, healthcare chief information security officers (CISOs) should invest in a comprehensive layered defense that includes an advanced cybersecurity solution that detects and blocks social engineered attacks and advanced malware. These solutions should utilize machine learning to inspect behaviors of socially engineered emails to prevent them from reaching their endpoints.
Additionally, CISOs must develop an executive training program focused on advanced threats. They need to educate employees on the threat of BEC attacks and encourage them to verify all details in an email request for wire transfer, no matter the level of urgency communicated. Employees can also help mitigate the risk of fraudulent transfers by using the Forward function, rather than Reply, to type in their intended recipient’s email address to ensure their response is sent to the correct party.
Finally, healthcare organizations should review their accounting policies and operational controls to validate that proper verification procedures are in place. Employees should use phone confirmation as part of fund transfer request procedures, and vendor payment location changes should have a secondary sign-off system.
With the right tools, employee training and vigilance, most healthcare organizations can substantially diminish the risk of BEC attacks. Ultimately, by investing in the resources up front, they can avoid heavy financial losses in the end.
The author of this piece, Ed Cabrera, is the chief cybersecurity officer for Trend Micro.