Is Your Practice Aware of Business Email Compromise (BEC) Attacks?
By: Nextech | May 11th, 2021
The healthcare industry is predicted to experience an unprecedented level of cyberattacks in 2021. That’s a pretty bold thing to claim, considering healthcare has already been one of the most heavily targeted industries for decades. However, while healthcare providers and staff have become savvier about how to avoid such tricks over the years, cybercriminals have changed tactics time and time again, finding new ways to compromise data. In response to these ongoing threats, research also predicts the healthcare sector will spend upwards of $125 billion on cybersecurity from 2020-2025.
One tactic we are seeing a lot more of in recent times is known as Business Email Compromise (BEC). In this blog, we’ll take a look at the recent surge in BEC attacks, discuss how they work and tell you how to avoid falling victim to them.
BEC Attacks on the Rise
According to current research, 2020 saw the start of an unprecedented surge in BEC attacks that has only continued through the first half of 2021:
- 65 percent of all organizations faced at least one BEC attack in 2020
- BEC attacks that used invoice or billing scams increased by a staggering 155 percent in 2020
- The average amount requested or taken during a single wire-transfer-based BEC attack increased in 2020, from $48,000 in Q3 to $75,000 in Q4
What are BEC Attacks?
BEC attacks are extremely dangerous because they are somewhat like spear-phishing attacks, but with an added layer of specificity that makes them far harder to identify. Criminals who use BEC attacks do an extensive amount of research on a target before executing the scheme. They work hard to identify who knows whom, and they take time to study the use of company logos and email signature styles so that the message looks authentic and is very difficult to recognize as a threat. Cybercriminals also use this knowledge to exploit a target’s well-established relationships, both B2B and person-to-person, creating an email that looks legitimate and encourages the recipient to send an invoice payment or other funds to a false account. If you click on a link or download an attachment from a BEC email, there is also the risk of being hit with ransomware.
According to the FBI’s definition, a BEC attack involves a criminal sending an “email message that appears to come from a known source making a legitimate request,” such as in the following examples:
- A vendor that your company regularly deals with seems to have emailed an invoice with an updated mailing address and/or new bank account number.
- You receive an email from the company CEO asking you to purchase dozens of gift cards to send out as employee rewards as well as a request for you to reply with the serial numbers from the cards so they can be emailed out to recipients right away.
How to Avoid BEC Attacks
The FBI also offers the following tips on how to deal with a BEC attack, which are somewhat similar to how you should protect yourself from any other email-based cyberattack scheme:
- Be careful with what you share online, especially on social media. By openly sharing things like pet names, schools you attended, links to family members, your birthday, etc., you give scammers all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message, especially if it is asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one provided in the email) and call the company to confirm the request is legitimate.
- Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don't know.
- Be wary of any email attachments forwarded to you, even from someone you know.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify all email payment and purchase requests in person, if possible, or by calling the person directly (again, don’t use the number provided in the email) to make sure it is legitimate.
- Verify any changes in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly or is writing with an extreme tone of urgency.
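The two FBI examples above (a vendor invoice with new bank details, an executive asking for gift cards) and the tips about examining the sender address and watching for urgency can be turned into a simple triage check that a practice's mail administrator could run over inbound messages. The following script is an added example written for this post, not Nextech code and not an FBI tool; the trusted domains, the executive name and the three sample messages are all constructed for illustration, and the keyword lists are assumptions a real deployment would tune.

```python
"""Heuristic BEC triage over raw email text (added example; all names and
messages are constructed for illustration, not real accounts)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the practice legitimately exchanges mail with.
TRUSTED_DOMAINS = {"examplevendor.com", "ourpractice.com"}
# Assumed display names of executives who are commonly impersonated.
EXECUTIVES = {"jane doe"}

URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
PAYMENT = re.compile(r"\b(invoices?|wire|bank account|gift cards?|routing number|payment)\b", re.I)
CHANGE_WORD = re.compile(r"\b(new|updated|changed|change of)\b", re.I)
ACCOUNT_WORD = re.compile(r"\b(bank|account|routing|mailing address)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list:
    """Return the list of BEC warning flags raised by one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(addr)
    flags = []
    # Tip: examine the address, not just the display name the mail client shows.
    if name.strip().lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        flags.append("executive-impersonation")
    # Tip: scammers rely on slight spelling differences in the domain.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        if any(edit_distance(from_dom, d) <= 2 for d in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
    # A Reply-To pointing somewhere other than the From domain redirects the thread.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and sender_domain(reply) != from_dom:
        flags.append("reply-to-mismatch")
    body = msg.get_payload()
    # Tip: payment requests paired with pressure to act quickly.
    if PAYMENT.search(body) and URGENCY.search(body):
        flags.append("payment-urgency")
    # Tip: verify any change in account number or payment procedure out of band.
    if CHANGE_WORD.search(body) and ACCOUNT_WORD.search(body):
        flags.append("account-change")
    return flags


# Constructed sample messages mirroring the two FBI examples plus a benign invoice.
SAMPLES = {
    "ceo_gift_cards": (
        "From: Jane Doe <jane.doe@gmail-example.com>\n"
        "Reply-To: jane.ceo@another-example.net\n"
        "Subject: Quick favor\n\n"
        "I need you to buy gift cards right away and reply with the serial numbers.\n"
    ),
    "vendor_new_bank": (
        "From: Accounts Payable <billing@examp1evendor.com>\n"
        "Subject: Invoice 4471\n\n"
        "Please find attached this month's invoice. Our bank account number has "
        "changed; use the new details below.\n"
    ),
    "vendor_benign": (
        "From: Accounts Payable <billing@examplevendor.com>\n"
        "Subject: Invoice 4471\n\n"
        "Please find attached this month's invoice. Thank you.\n"
    ),
}


def triage_samples() -> dict:
    """Run triage over every constructed sample and return name -> flags."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_samples().items():
        print(f"{name}: {flags or 'no flags'}")
```

The flags are meant to route a message to a human for the out-of-band phone call the tips recommend, not to block mail automatically; a benign invoice from the real vendor domain raises nothing, while the lookalike domain and the gift-card request each trip two or more checks.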
On this blog, we do our best to keep our readers up to speed on new cybersecurity threats as well as tactics for keeping data safe and secure. If you’d like to learn more, we have a wealth of articles available at this link. Be sure to stay vigilant, because the healthcare sector is likely to remain a primary target for bad actors for the foreseeable future.
To discover how Nextech can help your practice implement a secure cloud solution that has successfully completed a SOC 2 TYPE 2 audit, simply fill out this form and a member of our team will be in touch soon!