Email-based cyberattacks against the healthcare industry have surged in the first half of 2023, and experts believe this is only the beginning. Business email compromise (BEC) scams are becoming increasingly sophisticated and can cause massive damage to medical providers.
In this blog, we’ll examine the recent surge in BEC scams, how these sophisticated cyberattacks are evolving, and what medical practices can do to protect themselves.
BEC Scams and Fraud Surge
Advanced email attacks against healthcare have experienced a 167% increase so far in 2023, according to Abnormal Security. BEC scams have seen the biggest jump, up 279% from last year.
While BEC scams are far less prevalent than other email attacks like malware, they have the potential to cause massive financial damage; the FBI estimates that losses are about $125,000 on average. Identifying these attacks has become increasingly difficult, given that they come from legitimate domains, can appear to be sent by familiar colleagues, and lack traditional indicators like suspicious links.
The most commonly known BEC scams, which have mostly targeted the corporate sector, tend to involve fraudsters impersonating high-level executives and requesting that employees transfer large sums of money. The emails usually emphasize confidentiality and urgency, claiming that the money is needed for some huge acquisition or other purchase that could fall through unless it’s received promptly.
But in healthcare, BEC scams are a bit more nuanced. Abnormal Security noted cybercriminals recently have been disguising themselves as healthcare leadership and requesting aging reports from their accounts receivable (A/R) departments. For example, in August, the CEO of a healthcare network with over 200 locations across the United States appeared to request that an A/R employee send contact and invoice information for patients whose payments were 30-90 days past due. Had the employee responded with this information, they would have compromised thousands across the network. That attacker would have then been able to send fake emails to each patient about outstanding payments, requesting that they send money immediately to a fraudulent account.
The bottom line is, that healthcare professionals always need to be on alert when using email, because it only takes one mistake to give cybercriminals what they need. “BEC scammers rely on staff not paying close enough attention when sending sensitive information,” noted Adam Grantz, director of enterprise customer support for Rectangle Health.
And it’s not just the large health networks that are being targeted. The FBI’s Internet Crime Complaint Center (IC3) issued a statement in June that businesses of all sizes are being targeted, even small ones. IC3 also noted that, between October 2013 and December 2022, BEC scams have been responsible for more than $50 billion in losses worldwide.
Evolving with Cybersecurity Technology
Deepfake audio and video is another growing cybersecurity concern and may be the next evolution of the BEC scam. Criminals are using this technology to impersonate executives and request money transfers from unknowing employees. Deepfake audio has been used in some high-profile crimes; in 2020, it was used to steal $35 million from a bank in Hong Kong.
While this type of scam has yet to be reported in the healthcare industry, experts believe it is only a matter of time.
In 2022, IC3 warned of an uptick in cybercriminals exploiting virtual meeting platforms like Zoom for BEC scams. The fraudsters used these platforms in several different ways:
- After compromising the email of an executive-level employee, they would set up a virtual meeting with employees. The criminal would then use a still photo of the executive in place of a video, as well as no audio or deepfake audio, and claim their video/audio isn’t properly working. They would then instruct employees to transfer funds via the platform or in a follow-up email.
- After compromising an employees’ email, fraudsters could attend virtual meetings to gather information on day-to-day operations.
- After compromising an executive’s email, criminals would send emails to emails to employees, requesting money transfers because the CEO is supposedly stuck in a virtual meeting.
Lee Kim, senior principal for cybersecurity and privacy at HIMSS, told healthcare news publication Chief Healthcare Executive that deepfakes “will make a significant entry point into healthcare” eventually.
Generative artificial intelligence (AI) is also a concern. Fraudsters can use AI to impersonate employees in emails more convincingly, noted Mike Britton, chief information security officer of Abnormal Security, told Chief Healthcare Executive. AI can send automated emails, and AI-generated responses can pull more data from their targets. These AI responses can be very convincing and can dupe employees into providing private information. While AI-powered emails are not yet widespread, Britton is seeing it happening.
Identifying BEC Scams and Data Breaches
When BEC scams first emerged as credible threat, employees were told by cybersecurity firms and law enforcement to always be vigilant and call any person requesting ePHI, an unexpected payment, or money transfer to ensure that they are legitimate. That advice still holds true; like the aging report example, if you receive a suspicious email request that could potentially compromise your patients’ data, the best thing you can do is call the person making the request directly and verify.
But in a rising threat environment where criminals are going beyond email and calling employees over the phone or a virtual meeting platform with software that allows them to impersonate someone, what good does a phone call do? Would you even think to verify the transaction over the phone?
Yes! Pick up the phone, call a trusted number that you already have on file—not a number that the person making the request has just given you—and verify that the request is real. Or, if you’re in the same building, walk down the hall and ask them directly. It might seem silly, especially if you work for a smaller medical provider and the individual making the request is someone that you know well, but it’s preferable to compromising patient data or losing thousands of dollars.
Here are some additional tips on identifying BEC scams:
- Check to see if the email domain (the part that comes after the @ symbol) is associated with the organization that the sender claims to be from.
- Look out for hyperlinks that contain misspellings of the actual domain name.
- Verify the sender’s email address by ensuring that it appears to match who it was supposedly sent from.
- Keep an eye out for extremely “urgent” requests to send money or sensitive information.
- Verify the legitimacy of any virtual meeting request that utilizes a platform that your team doesn’t typically use. For example, if your office always uses Microsoft Teams for virtual meetings but you suddenly get a request to meet over Zoom, call the employee making the request.
IC3 also provided some proactive steps that organizations can take to ensure that staff members can recognize the latest threats:
- Never send login information or personal identifiable information (PII) in an email.
- Make sure the settings on employees’ computers enable full email extensions to be viewed.
- Monitor financial accounts on a regular basis for any irregularities.
- Implement a policy of using two-factor authentication for verifying any requests.
For more tips on cybersecurity, be sure download Rectangle Health’s new eBook on cybersecurity for medical practices. We review the latest threats and provide tips on how to protect your patients and data. Also be sure to explore our security and compliance solutions and learn how they can help your practice.
- Britton, Mike. (2023, Sept. 26). “Healthcare Organizations Experience 279% Increase in Business Email Compromise in 2023.” Abnormal Security. https://abnormalsecurity.com/blog/healthcare-organizations-email-attacks-2023
- (2023, June 9). Business Email Compromise: The $50 Billion Scam. Federal Bureau of Investigation, Internet Crimes Complaint Center. https://www.ic3.gov/Media/Y2023/PSA230609
- Brewster, Thomas. (2021, Oct. 14). “Fraudsters Cloned Company Director’s Voice In $35 Million Heist, Police Find.” Forbes. https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/?sh=187b51287559
- (2022, February, 16). Business Email Compromise: Virtual Meeting Platforms. Federal Bureau of Investigation, Internet Crimes Complaint Center. https://www.ic3.gov/Media/Y2022/PSA220216
- Southwick, Ron. (2023, Sept. 26). “Emerging cybersecurity threats in healthcare.” Chief Healthcare Executive. https://www.chiefhealthcareexecutive.com/view/emerging-cybersecurity-threats-in-healthcare-special-report