By Kevin Beatty
Whether you run a multi-campus medical center or a small private practice, you must be aware of this fact: Every day, cybercriminals are exploiting the widespread fear and uncertainty generated by the COVID-19 pandemic to target healthcare organizations of all kinds. The losses can be staggering, affecting millions of patients and costing millions of dollars. In fact, in 2020 the health sector leads all industries in data breach costs, with a global average of $7.13 million per breach!
Ironically, most of these catastrophic events begin in the business world’s most innocuous, everyday process: reading email. Here’s a list of the latest fraud trends and a few of the most basic steps you should take to mitigate these risks.
The Underestimated Risk
Since the onset of the pandemic, you likely have more employees accessing protected networks from home – but are you fully aware of the additional risks generated by insecure remote access? If a remote worker’s credentials or device are compromised, the attacker gains control of a legitimate mailbox from which to launch further attacks. The fraudster can then lie in wait, reading messages for details of financial transactions or patient data, and stage a full-blown attack once enough information or access has been gathered. Next thing you know, your healthcare organization is in the news as the victim of a system breach, a ransomware demand or a malicious exploit.
The Known Risk
The most well-known form of email fraud is phishing: sending mass emails that try to trick recipients into taking an action that gives the scammers access to your systems. Since the beginning of 2020, healthcare-related phishing targets have included hospitals, research laboratories, healthcare providers and pharmaceutical companies. The World Health Organization (WHO) says it has experienced a fivefold increase in phishing and ransomware attacks in 2020. The U.S. Department of Health and Human Services reports that it is under attack on a daily basis. Threat actors have been impersonating reputable institutions, like the WHO and the Centers for Disease Control and Prevention (CDC), enticing recipients with plausible, pandemic-related claims about treatments or informational webinars in order to get them to share personal information.
The phishing industry is so lucrative for scammers because the barriers to entry are low relative to potentially huge payouts. With botnets-for-hire and Malware as a Service (MaaS), cyber criminals have an impressive arsenal of tools at their disposal to propagate their campaigns. As email security has evolved and improved, so have scammers and the messages they send, to the extent that phishing is now commonplace. Malicious emails, attachments and links now appear legitimate, sometimes tricking even the most meticulous user. Here are a couple of popular formats.
Unrecognized Risk #1: Spear-phishing
Think of this one as Phishing 2.0: the goal is still to trick your employees into taking an action that gives the criminal access to your network, but the message is aimed at a specific person or group rather than sent in bulk. For example, in August 2019, Threatpost reported a spear-phishing campaign using emails that claim to come from the CEO of the recipient’s own organization and to share important information. (Note that the sender address doesn’t match your facility’s standard naming convention for email addresses – a detail your users should be trained to check.) Because the email is sent through a legitimate email service (in this case Google), it is able to bypass Microsoft Exchange Online Protection on its way to users’ inboxes.
Unrecognized Risk #2: BEC
Business Email Compromise (BEC) goes beyond standard phishing techniques by exploiting human nature rather than software flaws. In addition to the CEO impersonation mentioned above, BEC scammers use social engineering and other techniques to trick users in accounting, finance or other positions into transferring money into the scammer’s accounts. These attacks are well-executed and targeted at specific individuals, and often take more time to plan and launch because of the amount of research that goes into them. Cybercriminals harvest publicly available information from sites such as LinkedIn, Facebook and even the healthcare organization’s own website to gain insight into its business practices. They will even study the writing styles of the executive team, which allows them to craft convincing emails that appear authentic. Because BEC attacks are so well-crafted and contain no malware or malicious attachments, they slip past security measures that rely on detecting malicious content.
BEC is called the Billion Dollar Scam by the Federal Bureau of Investigation: according to a 2019 report by the Financial Crimes Enforcement Network (FinCEN), these attacks generate around $301 million every month, or about $3.6 billion a year. Healthcare organizations must be aware of BEC, which has many variations and can result in substantial losses of money, patient data, or goods such as prescription drugs.
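As an added example (not MDaemon or Security Gateway code), here is the kind of header check a mail administrator could script to catch the two patterns described above: an executive’s display name on mail that arrives from an outside provider, and a sender address that violates the organization’s naming convention. The protected domain, the first.last naming convention, the executive roster and the sample messages are all constructed assumptions for illustration.

```python
"""Flag executive display-name impersonation in inbound mail headers.

Added example, not code from MDaemon or Security Gateway. Everything
below is constructed for illustration: the protected domain
example-health.org, the first.last mailbox convention, the executive
roster and the sample messages are all hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"                      # assumed protected domain
ADDRESS_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")    # assumed local-part convention
EXECUTIVES = {                                          # hypothetical roster
    "jane doe": "jane.doe",     # display name -> expected local part
    "raj patel": "raj.patel",
}


def normalize_name(display_name):
    """Lower-case and collapse whitespace so 'JANE  Doe' matches 'jane doe'."""
    return " ".join(display_name.lower().split())


def check_sender(raw_message):
    """Return the reasons a message's From header looks like impersonation.

    An empty list means these header checks passed; it is not proof the
    message is safe, since a fully compromised internal mailbox passes them.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.lower().rpartition("@")
    reasons = []

    expected_local = EXECUTIVES.get(normalize_name(display_name))
    if expected_local is not None:
        # An executive's name on mail from outside the organization is the
        # CEO-impersonation pattern sent through a public email service.
        if domain != ORG_DOMAIN:
            reasons.append(
                f"executive name '{display_name}' sent from external domain '{domain}'")
        # Same name, internal domain, but not that executive's mailbox.
        elif local != expected_local:
            reasons.append(
                f"executive name '{display_name}' used with mailbox '{address}', "
                f"expected '{expected_local}@{ORG_DOMAIN}'")

    # Any internal address that breaks the naming convention deserves a look,
    # whether or not a known name is attached to it.
    if domain == ORG_DOMAIN and not ADDRESS_CONVENTION.match(local):
        reasons.append(f"internal address '{address}' violates naming convention")
    return reasons


# Constructed sample messages (not captured from real traffic).
SAMPLES = {
    "legit_ceo": (
        "From: Jane Doe <jane.doe@example-health.org>\n"
        "To: staff@example-health.org\n"
        "Subject: Town hall on Friday\n\n"
        "See you there.\n"
    ),
    "ceo_from_webmail": (
        "From: JANE  Doe <jane.doe.ceo2020@gmail.com>\n"
        "To: payroll@example-health.org\n"
        "Subject: Urgent wire needed today\n\n"
        "I am in a meeting, please process the attached invoice.\n"
    ),
    "lookalike_internal": (
        "From: Jane Doe <jdoe-exec@example-health.org>\n"
        "To: pharmacy@example-health.org\n"
        "Subject: Shipment change\n\n"
        "Redirect tomorrow's delivery to the address below.\n"
    ),
}


def scan_samples():
    """Run every sample through check_sender; returns {sample name: reasons}."""
    return {name: check_sender(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "->", reasons or "no findings")
```

The check only looks at who a message claims to be from. It catches the webmail impersonation and the lookalike internal address, but a message sent from a genuinely compromised executive mailbox (the Underestimated Risk above) passes it cleanly, which is why user training and out-of-band confirmation remain essential.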
Six Quick Tips for Building a Defense
Because cybercriminals are always looking for new ways to bypass email security measures, ongoing user training must be a top priority for all healthcare organizations that use email. At the very least, your training should remind your users of the following points:
Things a legitimate company knows better than to do in an email:
- Ask for any sort of personal information – yours or anyone else’s.
- Ask for access to any sensitive business information or process like banking information or drug shipment details.
- Ask you to enable macros on a Word file.
- Send it with poor grammar or spelling errors, or with overly generic or incomplete greetings and signatures.
Things you should always think twice about and check three times before doing through an email:
- Download any files.
- Click any links – even in expected messages like shipping or payment confirmations.
Remember: When in doubt, pick up the phone and call the sender to confirm – using a number you already have on file, not one taken from the email itself, since the fraudster controls everything in the message. And if anything about an email looks even slightly suspicious, don’t hesitate to report it to your IT administrator for further scrutiny.
Get the Email Security You Need from a Trusted Industry Expert
No healthcare facility is too big or too small to fall victim to email-borne scams and malicious attacks. In fact, cybercriminals often target smaller organizations based on the assumption that they’re less likely to have the latest security systems in place or adequate IT support. MDaemon Email Server and Security Gateway for Email Servers have been protecting healthcare organizations around the world using the latest technologies to prevent spam, malware and leaks of protected data. Learn more about our easy-to-use, cost-saving solutions at SecurityGatewayForEmail.com.
Kevin Beatty is an IT industry veteran and a partner with MDaemon Technologies, where he serves as VP of Marketing and Business Development. Kevin believes marketing should be used for good; to educate and inform customers. He enjoys craft beer and the artistry of tattoos; his MINI is named Heisenberg.