The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) is warning the healthcare and public health (HPH) sector about business email compromise (BEC) attacks. BEC is a form of spear phishing that uses social engineering to trick individuals into disclosing sensitive information or making fraudulent wire transfers. Although these attacks cause less disruption than malware or ransomware attacks, the damage and cost to organizations each year are substantial. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) reports 277,918 domestic and international incidents from October 2013 to December 2022, resulting in over $50 billion in losses. This figure includes 137,601 cases in the United States and more than $17 billion in reported losses.
BEC attacks exploit human weaknesses, such as the tendency to trust authority, act on impulse, and respond emotionally to urgent requests. These attacks often begin with a phishing email and the theft of credentials, but spoofing is also used to impersonate an authority figure without access to that person's email account. The advisory describes five kinds of BEC attacks (listed below) and gives examples of each, along with the considerable losses they caused.
- False invoices
- CEO fraud
- Attorney impersonation
- Data theft
- Account compromise
Like other spear phishing attacks, BEC attacks aim to make people act without questioning the request. This involves impersonating an authority figure such as an attorney, the CEO, or another C-suite member. In attorney impersonation attacks, the attacker poses as an attorney or a member of the legal team and pressures the victim into sending sensitive data or making a fraudulent wire transfer. The emails are marked confidential and urgent and rely on the recipient acting on the request to avoid some adverse consequence.
In CEO fraud, the attacker impersonates the chief executive officer or another C-suite member and requests that sensitive information be sent, gift cards be purchased, or a fraudulent transfer be made. These attacks exploit employees' reluctance to question requests from C-suite members. One instance of CEO fraud targeting a healthcare provider involved impersonating a contractor that was building a new campus. The attacker spoofed the contractor's website and impersonated its CFO, requesting a change to the bank account details for future payments. As a result, millions of dollars were sent to the attacker's account.
Some BEC attacks target sensitive records, such as employee records. The attackers single out HR and finance staff and request employee data, including W-2 forms. In account compromise attacks, the attacker gains access to a legitimate email account through phishing or other means and then uses that account to request payments on behalf of vendors. Fake invoices are common, particularly when working with foreign suppliers: the attackers pose as vendors and use genuine invoice templates with the account details changed.
Unlike mass phishing campaigns, BEC attacks require research and preparation. Attackers identify targets using publicly available data from various sources and use those details to craft phishing emails and gain access to the email system. Email accounts contain a wealth of information that can be used in the scam, and the attacker typically uses one compromised account to obtain the credentials of the CEO or another executive. The attacker can read the emails in those accounts to learn the account holder's writing style and the organization's internal procedures, then email targeted individuals in the company asking for sensitive information or wire transfers. A BEC attack may consist of a single email or a string of emails sent over time to build trust. Once a fraudulent transfer is made, the funds are quickly moved to other accounts and withdrawn, making recovery difficult.
Because these attacks often involve emails sent from the compromised accounts of trusted internal officers or vendors, and because no malware or malicious URLs are used, email security tools may never identify the messages as malicious. Email security solutions with AI and machine learning features can identify and block these messages, or add warning banners to alert employees to a possible scam. To prevent spoofing, email authentication standards should be implemented, and email accounts should be protected with multi-factor authentication.
Because these attacks target employees, the first line of defense is a workforce with proper cybersecurity and HIPAA training. Employees should receive regular training on the dangers of BEC attacks, social engineering, and phishing, and should take part in simulated phishing and BEC attacks to reinforce that training and give them practice at recognizing BEC attempts. Employees who fail to identify and report a simulated attack can then be given targeted training.
Speed is critical if a business falls victim to a BEC attack. The originating financial institution should be contacted immediately and asked to stop the payment and contact the recipient financial institution. A complaint should be filed with IC3, and the local Secret Service field office Cyber Fraud Task Force and FBI field office should be notified. The Secret Service and FBI have succeeded in blocking and recovering funds when notified promptly about fraudulent wire transfers.