
HHS Warns Health Sector of Business Email Compromise Scams

Agency Spells Out Measures to Avoid Falling Victim to Costly Schemes

Healthcare organizations should take steps to avoid falling victim to evolving threats involving costly business email compromise scams and related phishing schemes fueled by social engineering, warned the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center.

Business email compromise attacks - a type of spear-phishing scam designed to trick someone into sending money or divulging confidential information - are among the most damaging and expensive types of phishing attacks, costing U.S. businesses billions of dollars each year, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center said in a threat brief issued Thursday.


These attacks are a persistent threat across many sectors, not just healthcare. Between October 2013 and December 2022, nearly 138,000 U.S. victims reported business email compromises to the FBI's Internet Crime Complaint Center, with reported losses exceeding $17.3 billion. Direct losses from business email compromises average about $125,000 per attack, the FBI reports.

Over the past year, from May 2023 to May 2024 to date, the healthcare industry experienced an increase in advanced email attacks, which include BEC, credential phishing, malware and extortion, said Mike Britton, CISO at security firm Abnormal Security.

According to the company's data, BEC attacks in healthcare specifically are also continuing to rise, up by about 81% over that same period, he said.

"The most dangerous types of BEC attacks are text-based, sent from legitimate domains, and lacking traditional indicators of compromise like a suspicious link or malicious attachment," Britton said. "In many cases, threat actors use these emails simply to look for information that can be used for another attack."

Abnormal Security has also noticed an increase in the number of requests for aging reports, such as when an attacker impersonates the president and CEO of a healthcare network with more than 200 locations throughout the U.S., Britton said.

"The email requests that the recipient send a copy of all updated customer account aging statements, including the email addresses for the corresponding account payables department," he said.

"This information is then leveraged to attack the healthcare network's customers using this valid information as a social engineering pretext to collect fraudulent payments," he said.

The five most common types of business email scams in the healthcare sector involve attorney impersonation, CEO fraud, data theft, account compromise and false invoices, HHS HC3 said.

The overall types of phishing attacks in 2024 are also evolving, HHS HC3 said.

So far this year, they include the more traditional email phishing schemes; voice phishing, or vishing, in which fraudsters make a phone call to steal information; clone phishing, in which a hacker sends an identical copy of a message the recipient has already received but adds "resending this" along with a malicious link; smishing, which uses text messages or SMS; and quishing, which uses QR codes to redirect victims to malicious websites.

Over the last three years, there has also been a massive increase in phishing threats that use techniques such as adversary-in-the-middle that can bypass multifactor authentication, said Justin Safa, enterprise incident management consultant at security firm Optiv.

"MFA bypass techniques have become well-documented and very simple for unsophisticated cybercriminals to conduct," he said. "With the rise of single sign-on, credential harvesting attacks like AiTM are enabling access to very sensitive applications that were generally not readily available for cybercriminals to access in a handful of mouse clicks," he said.

The healthcare industry is particularly susceptible to traditional phishing attacks simply due to the massive volume of attacks targeting this industry, relative to others, Britton said. "Healthcare is a very attractive target for attackers for a number of reasons. Health systems are a gold mine for valuable data, including private patient information that can be worth a lot if cybercriminals can sell it.

"Phishing is often the first step to launching a ransomware attack, and criminals know that healthcare companies are likely to pay ransoms due to how important it is that they keep their operations up and running for patient health and safety," he said.

Taking Action

While the level of sophistication in social engineering attacks is on the rise, not all healthcare organizations are keeping up with training and awareness needs, said Keith Forrester, practice manager at Optiv. "Role-based training and awareness is key, and organizations need to tailor their training content to address current threats and trends," he said.

For example, organizations should have access to sophisticated threat intelligence services that are collecting and analyzing real-time data on cyberthreats and actors, and then provide more details and specific information to the user population that may be affected, he said. "Give details and examples about attack patterns, and then update phishing campaigns to determine if their awareness efforts are working."

Healthcare entities can take other steps to help avoid falling victim to business email compromises and other related phishing scams, some experts said.

The steps include tuning email security gateways to adapt to an organization by configuring its mail delivery and threat detection policies in order to prevent the delivery of advanced phishing threats at a mail flow level, Safa said.

Britton said entities should consider leveraging email security tools that can identify and block new types of attacks, including solutions that leverage AI and machine learning. Those will be able to detect malicious intent by looking for deviations from typical user behavior, he said.

HHS HC3 recommended that healthcare organizations take a number of measures to help prevent business email compromises. They include setting network access rules to limit personal device use and prevent information sharing outside the network's perimeter; updating their infrastructure to ensure all applications, operating systems, network tools and internal software are up to date and secure; deploying an anti-phishing solution capable of identifying the red flags of BEC emails - such as reply-to addresses that don't match sender addresses; and using machine learning to analyze email language for indications of an attack.
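As an added example, not HC3's, Abnormal Security's or Optiv's code, the Python below runs the header-level BEC red-flag checks named above over raw RFC 5322 messages: a Reply-To or Return-Path domain that does not match the From domain, an executive's display name on a non-corporate address, a lookalike of the organization's own domain, and a high-risk request in the subject or body such as the aging-report pretext described earlier. The internal domain, the protected executive mapping, the keyword list and both sample messages are constructed assumptions for illustration and should be replaced with an organization's own data before the logic is used in a gateway policy.

```python
"""Header-level BEC red-flag checks over raw RFC 5322 messages.

Added example; not HC3's or any vendor's code. Domains, names, keyword
list and sample messages are constructed for illustration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisation data: its own sending domain and the executives whose
# display names are commonly impersonated (constructed example values).
INTERNAL_DOMAINS = {"example-health.org"}
PROTECTED_NAMES = {"jane doe": "jane.doe@example-health.org"}

# Requests that HC3's separation-of-duties advice says should never be
# fulfilled from an email alone. Constructed keyword list, not exhaustive.
HIGH_RISK_PATTERNS = re.compile(
    r"\b(wire transfer|aging (report|statement)s?|gift cards?|w-?2s?|"
    r"change (of |the )?bank(ing)? (details|account)|routing number)\b",
    re.IGNORECASE,
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(dom: str, target: str) -> bool:
    """True when dom is one edit away from target (e.g. 'examplehealth.org')."""
    return dom != target and 0 < _edit_distance(dom, target) <= 1


def bec_red_flags(raw: str) -> list[str]:
    """Return the red-flag labels found in one raw message, in check order."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = _domain(from_addr)

    # 1. Reply-To on a different domain: replies are silently redirected to
    #    an attacker-controlled mailbox while From still looks legitimate.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")
    # 2. Envelope sender (Return-Path) domain differs from the header From.
    if return_path and _domain(return_path) != from_dom:
        flags.append("return-path-mismatch")
    # 3. A protected executive's display name on an address that is not theirs.
    canonical = PROTECTED_NAMES.get(from_name.strip().lower())
    if canonical and from_addr.lower() != canonical:
        flags.append("display-name-impersonation")
    # 4. Sender domain is a near-miss of one of our own domains.
    if from_dom not in INTERNAL_DOMAINS and any(
        _lookalike(from_dom, d) for d in INTERNAL_DOMAINS
    ):
        flags.append("lookalike-domain")
    # 5. High-risk request: route to out-of-band verification by a second person.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if HIGH_RISK_PATTERNS.search(str(msg.get("Subject", "")) + "\n" + text):
        flags.append("high-risk-request")
    return flags


# Constructed sample: CEO impersonation requesting aging statements.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examplehealth.org>
Reply-To: jane.doe.ceo@webmail-example.net
Return-Path: <bounce@webmail-example.net>
To: ap@example-health.org
Subject: Updated customer aging statements
Content-Type: text/plain; charset="utf-8"

Please send me a copy of all updated customer account aging statements,
including the AP contact email for each account. I'm in meetings, reply here.
"""

# Constructed sample: routine internal mail from the real executive address.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-health.org>
To: ap@example-health.org
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Attaching the slides for Thursday. Thanks.
"""

if __name__ == "__main__":
    print("BEC sample:", bec_red_flags(SAMPLE_BEC))
    print("Benign sample:", bec_red_flags(SAMPLE_BENIGN))
```

The checks are deliberately independent so a gateway policy can weight them: a lone Reply-To mismatch is common in legitimate mail (ticketing systems, marketing platforms), whereas a mismatch combined with display-name impersonation or a high-risk request is the pattern HC3 describes and is worth quarantining or routing to the second-employee verification step.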

HHS HC3 also advised organizations to implement a separation of duties to avoid falling victim to BEC attacks that try to trick employees into taking a high-risk action - such as sending money or sensitive information.

"Implementing policies for these actions that require independent verification from a second employee can help to decrease the probability of a successful attack," HHS HC3 said.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
