Business Email Compromise Attacks Alert Issued by HC3

The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has issued an alert warning the healthcare and public health (HPH) sector about business email compromise (BEC) attacks. This form of spear phishing uses social engineering and deception to trick individuals into disclosing sensitive data or making fraudulent wire transfers. Although these attacks do not cause the same disruption as malware or ransomware attacks, they are highly damaging and cost organizations large sums every year. According to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), 277,918 domestic and international incidents were reported between October 2013 and December 2022, resulting in reported losses of over $50 billion. This figure includes 137,601 incident reports in the U.S.A. and over $17 billion in reported losses.

BEC attacks exploit human weaknesses, such as the tendency to trust authority figures, to act without thinking, and to respond emotionally to urgent requests. These attacks usually begin with a phishing email and the theft of credentials. Spoofing is also used to pose as an authority figure without having access to that person's email account. The alert provides information on five forms of BEC attack: CEO fraud, false invoices, data theft, attorney impersonation, and account compromise.

BEC attacks exploit people and try to get them to fulfill a request without question, which normally involves impersonating a lawyer, an executive, or another senior figure. In attorney impersonation BEC attacks, the attacker poses as legal counsel or a member of the legal staff and pressures the victim into disclosing sensitive information or making a fraudulent wire transfer. The emails are marked as confidential and urgent and rely on the recipient acting on the request to avoid supposed negative consequences.

In CEO fraud, the attacker impersonates the CEO or another C-suite member and requests that the recipient send sensitive information, buy gift cards, or make a fraudulent transfer. These attacks exploit the reluctance of employees to question requests from C-suite members. In one case of CEO fraud at a healthcare company, the attacker impersonated a contractor that was developing a new campus. The attacker spoofed the company's domain and, posing as the CFO, requested changes to the bank account details for new payments. As a result, a large sum of money was transferred to the impersonator's bank account.

Some BEC attacks target sensitive records, such as employee data. The attackers target HR and finance staff and request employee information, including W-2 forms, which contain the data needed for identity theft. Account compromise is commonly used in BEC attacks, where access to a legitimate email account is obtained through phishing or other means. The account is then used to request payments on behalf of vendors. Bogus invoices are common, particularly when dealing with foreign suppliers; the attacker poses as the supplier and uses official invoice templates with altered account details.

BEC attacks involve extensive research and planning. Targets are researched using publicly available information from a variety of sources, and the details are used to craft phishing emails that gain access to the email system. Email accounts contain a wealth of information that can be used in fraud, and the attacker frequently uses one compromised account to phish internally and gain access to the account of the CEO or another executive. The attacker can read the emails in the account and learn the owner's writing style and the organization's internal practices, then send emails to specific people within the organization requesting sensitive data or wire transfers. BEC attacks can unfold over days or weeks, with a sequence of emails or messages used to build trust. In fraudulent transactions, once the transfer is complete the money is quickly moved to other accounts and cashed out, making fraudulent payments hard to recover.

Because these attacks often send emails from compromised accounts belonging to trusted internal employees or vendors, email security solutions may not flag the messages as malicious, particularly since no malware or malicious hyperlinks are used. Email security solutions with AI and machine learning capabilities may be able to identify and block these messages or display warning banners to alert staff to potential fraud. To prevent spoofing, email authentication standards such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) should be implemented, and multi-factor authentication should be enabled on all email accounts so that stolen credentials alone cannot grant access.
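As an added illustration that is not part of the HC3 alert or this article, the following Python checks whether a domain's published SPF and DMARC TXT records actually enforce anti-spoofing (SPF ending in `-all`, DMARC `p=reject` at full percentage) or merely monitor. The sample records and domain names are constructed; the DNS lookup is left out so the check runs offline, and DKIM is not covered because it requires verifying signatures on individual messages.

```python
# Constructed sample DNS TXT records (not from the HC3 alert); domains are placeholders.
SAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:_spf.example.net +all",
             "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org"},
    "strong": {"spf": "v=spf1 include:_spf.example.net -all",
               "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"},
}

def spf_findings(record: str) -> list[str]:
    """Weaknesses in an SPF record; an empty list means unlisted senders are rejected."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    # The last 'all' mechanism decides the fate of senders not listed in the record.
    all_terms = [t for t in record.split()[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["'+all' authorises any host to send as this domain"]
    if qualifier in "~?":
        return [f"'{qualifier}all' is softfail/neutral: spoofed mail is still delivered"]
    return []

def dmarc_findings(record: str) -> list[str]:
    """Weaknesses in a DMARC record; an empty list means failing mail is rejected."""
    tags = {}
    for part in record.split(";"):          # 'v=DMARC1; p=reject; ...' -> tag dict
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 leaves a share of failing mail unpoliced")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return findings

def assess(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'enforcing' is True only when neither record has findings."""
    spf_issues, dmarc_issues = spf_findings(spf), dmarc_findings(dmarc)
    return {"spf": spf_issues, "dmarc": dmarc_issues,
            "enforcing": not spf_issues and not dmarc_issues}
```

Running `assess(**SAMPLE_RECORDS["weak"])` reports the `+all` and `p=none` findings, while the "strong" pair comes back with `enforcing` set to True.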

Since these attacks target employees, the primary line of defense is a well-informed workforce. Employees must receive regular training on the threats of BEC attacks, phishing, and social engineering. They should also undergo BEC and phishing attack simulations to reinforce training in recognizing and reporting these attacks. Any failure to correctly recognize and report this kind of attack indicates that further cybersecurity and HIPAA training is needed.

Speed is critical in the event of a BEC attack. The organization's financial institution must be contacted and instructed to stop the payment, and the recipient's financial institution must be contacted as well. A complaint should be filed with IC3, and the Secret Service field office Cyber Fraud Task Force and the local FBI field office should be notified. The Secret Service and FBI have succeeded in stopping and recovering funds when notified promptly about fraudulent wire transfers.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. She has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] or follow her on Twitter at https://twitter.com/ChrisCalHIPAA