10.23.23
Email-based cyberattacks against the healthcare industry have surged in the first half of 2023, and experts believe this is only the beginning. Business email compromise (BEC) scams are becoming increasingly sophisticated and can cause massive damage to medical providers.
In this blog, we’ll examine the recent surge in BEC scams, how these sophisticated cyberattacks are evolving, and what medical practices can do to protect themselves.
Advanced email attacks against healthcare have experienced a 167% increase so far in 2023, according to Abnormal Security. BEC scams have seen the biggest jump, up 279% from last year.
While BEC scams are far less prevalent than other email attacks like malware, they have the potential to cause massive financial damage; the FBI estimates that losses are about $125,000 on average. Identifying these attacks has become increasingly difficult, given that they come from legitimate domains, can appear to be sent by familiar colleagues, and lack traditional indicators like suspicious links.
The most commonly known BEC scams, which have mostly targeted the corporate sector, tend to involve fraudsters impersonating high-level executives and requesting that employees transfer large sums of money. The emails usually emphasize confidentiality and urgency, claiming that the money is needed for some huge acquisition or other purchase that could fall through unless it’s received promptly.
But in healthcare, BEC scams are a bit more nuanced. Abnormal Security noted that cybercriminals have recently been disguising themselves as healthcare leadership and requesting aging reports from accounts receivable (A/R) departments. For example, in August, the CEO of a healthcare network with over 200 locations across the United States appeared to request that an A/R employee send contact and invoice information for patients whose payments were 30-90 days past due. Had the employee responded, they would have exposed the data of thousands of patients across the network. The attacker could then have emailed each of those patients about their outstanding balance, demanding immediate payment to a fraudulent account.
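The signals in that aging-report lure (a known executive's display name on an outside address, a request for A/R data, pressure to act quietly) can be checked automatically before a message ever reaches an A/R inbox. The script below is an added example written for this post, not code from Rectangle Health or Abnormal Security. It assumes a hypothetical practice domain `example-health.org`, a one-entry executive roster, and four constructed sample messages: the aging-report lure from a free-mail account, the same lure sent from the CEO's real but compromised mailbox with replies redirected elsewhere, a wire-fraud lure from a lookalike domain, and a benign message. It goes slightly beyond the article's single case by also catching the lookalike-domain and Reply-To variants, and it deliberately routes hits to a human for out-of-band verification rather than blocking them outright.

```python
"""Added example: score raw email for the BEC signals described in the post.
The org domain, executive roster and sample messages are all constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"                         # assumed practice domain
EXECUTIVES = {"dana reyes": "dreyes@example-health.org"}  # assumed roster (lowercase names)

# Requests BEC messages commonly make; "aging report"/"past due" is the A/R lure above.
LURE_PATTERNS = [r"\baging report\b", r"\bpast due\b", r"\bwire\b", r"\bgift cards?\b",
                 r"\bchange (of|in) bank(ing)? details\b", r"\bw-?2s?\b"]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\basap\b", r"\bconfidential\b",
                    r"\bimmediately\b", r"\bbefore (end of day|eod)\b"]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain, target):
    """Lookalike of our domain: a confusable substitution or a 1-2 character edit."""
    if not domain or domain == target:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    return folded == target or _levenshtein(domain, target) <= 2


def score_message(raw):
    """Return the BEC signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(addr), _domain(reply)
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    signals = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:            # familiar name, foreign mailbox
        signals.append("executive display name on a foreign address")
    if _lookalike(from_dom, ORG_DOMAIN):                 # registered lookalike domain
        signals.append("lookalike sender domain: " + from_dom)
    if reply_dom and reply_dom != from_dom:              # replies siphoned elsewhere
        signals.append("reply-to domain differs from sender: " + reply_dom)
    if any(re.search(p, text) for p in LURE_PATTERNS):   # what the scam is asking for
        signals.append("payment/data lure in text")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        signals.append("urgency or secrecy language")
    # Two independent signals is the escalation bar: hand the message to a person for
    # verification over a number already on file, rather than auto-blocking.
    return {"from": addr, "signals": signals, "verify_out_of_band": len(signals) >= 2}


def build_message(from_, subject, body, reply_to=None):
    """Constructed sample (not a real capture), rendered as raw message text."""
    m = EmailMessage(policy=policy.default)
    m["From"], m["To"], m["Subject"] = from_, "ar-team@example-health.org", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    return m.as_string()


# The aging-report lure from a free-mail account carrying the CEO's display name
AGING_REPORT_LURE = build_message(
    '"Dana Reyes" <dana.reyes.ceo@gmail.com>', "Quick request",
    "Please send the A/R aging report for accounts 30-90 days past due, with "
    "patient contact details and invoice numbers. Keep this confidential.")
# Same lure from the CEO's real, compromised mailbox (legitimate domain), replies redirected
COMPROMISED_ACCOUNT = build_message(
    '"Dana Reyes" <dreyes@example-health.org>', "Aging report",
    "Send me the aging report for everything 30+ days past due today.",
    reply_to="dreyes.private@protonmail.com")
# Classic wire-fraud lure from a lookalike domain (digit 1 in place of l)
LOOKALIKE_WIRE = build_message(
    '"Dana Reyes" <dreyes@examp1e-health.org>', "Acquisition funds",
    "We need an urgent wire to close the deal before EOD. Do not discuss with anyone.")
BENIGN = build_message(
    '"Sam Ortiz" <sortiz@example-health.org>', "Team lunch",
    "Does Thursday still work for the team lunch?")

if __name__ == "__main__":
    for label, raw in [("aging-report lure", AGING_REPORT_LURE), ("compromised account", COMPROMISED_ACCOUNT),
                       ("lookalike wire", LOOKALIKE_WIRE), ("benign", BENIGN)]:
        print(label, score_message(raw))
```

The compromised-account sample is the case the post warns about: the message really does come from the practice's own domain, so the sender checks stay silent and only the Reply-To mismatch and the content of the request trip the score. That is why the content patterns belong in the rule and why a hit is a prompt to verify, not proof of fraud.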
The bottom line is that healthcare professionals always need to be on alert when using email, because it only takes one mistake to give cybercriminals what they need. “BEC scammers rely on staff not paying close enough attention when sending sensitive information,” noted Adam Grantz, director of enterprise customer support for Rectangle Health.
And it’s not just the large health networks that are being targeted. The FBI’s Internet Crime Complaint Center (IC3) issued a statement in June that businesses of all sizes are being targeted, even small ones. IC3 also noted that, between October 2013 and December 2022, BEC scams have been responsible for more than $50 billion in losses worldwide.
Deepfake audio and video is another growing cybersecurity concern and may be the next evolution of the BEC scam. Criminals are using this technology to impersonate executives and request money transfers from unknowing employees. Deepfake audio has been used in some high-profile crimes; in 2020, it was used to steal $35 million from a bank in Hong Kong.
While this type of scam has yet to be reported in the healthcare industry, experts believe it is only a matter of time.
In 2022, IC3 warned of an uptick in cybercriminals exploiting virtual meeting platforms like Zoom for BEC scams. The fraudsters used these platforms in several different ways:
Lee Kim, senior principal for cybersecurity and privacy at HIMSS, told healthcare news publication Chief Healthcare Executive that deepfakes “will make a significant entry point into healthcare” eventually.
Generative artificial intelligence (AI) is also a concern. Fraudsters can use AI to impersonate employees in emails more convincingly, Mike Britton, chief information security officer of Abnormal Security, told Chief Healthcare Executive. AI can send automated emails, and AI-generated responses can pull more data from their targets. These responses can be very convincing and can dupe employees into providing private information. While AI-powered emails are not yet widespread, Britton said he is already seeing them.
When BEC scams first emerged as a credible threat, cybersecurity firms and law enforcement told employees to always be vigilant and to call any person requesting ePHI, an unexpected payment, or a money transfer to confirm that the request is legitimate. That advice still holds true; as in the aging report example, if you receive a suspicious email request that could potentially compromise your patients’ data, the best thing you can do is call the person making the request directly and verify.
But in a rising threat environment where criminals are going beyond email and calling employees over the phone or a virtual meeting platform with software that allows them to impersonate someone, what good does a phone call do? Would you even think to verify the transaction over the phone?
Yes! Pick up the phone, call a trusted number that you already have on file—not a number that the person making the request has just given you—and verify that the request is real. Or, if you’re in the same building, walk down the hall and ask them directly. It might seem silly, especially if you work for a smaller medical provider and the individual making the request is someone that you know well, but it’s preferable to compromising patient data or losing thousands of dollars.
Here are some additional tips on identifying BEC scams:
IC3 also provided some proactive steps that organizations can take to ensure that staff members can recognize the latest threats:
For more tips on cybersecurity, be sure to download Rectangle Health’s new eBook on cybersecurity for medical practices. We review the latest threats and provide tips on how to protect your patients and data. Also be sure to explore our security and compliance solutions and learn how they can help your practice.