March 18th, 2019
A recent report from Proofpoint has revealed that healthcare email fraud attacks have increased 473% in the past two years.
Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013.
These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack.
The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare.
Proofpoint analyzed more than 160 billion emails sent by organizations in 150 countries between January 2017 and December 2018. 473% more healthcare email fraud attacks were conducted in the last three months of 2018 than in the first quarter of 2017.
Healthcare organizations were targeted in an average of 96 email fraud attacks every quarter. 53% of healthcare organizations were attacked more often than that, experiencing between 200% and 600% more attacks. Within targeted healthcare organizations, an average of 65 staff members were attacked in the final quarter of 2018. None of the healthcare organizations studied experienced a decrease in email fraud attacks over the period of study.
On average, 15 healthcare staff members were spoofed in the attacks with 49% of organizations attacked using at least 5 identities. Over three quarters of healthcare organizations had more than 5 employees targeted in the attacks. The median number was 23. Most employees were targeted due to their role within the company.
95% of targeted healthcare organizations experienced attacks using their own trusted domain, and 100% of attacked organizations had their domain spoofed in attacks on their business partners and patients. Proofpoint rated 45% of all emails sent from healthcare domains as suspicious; of those, 65% were sent internally to employees, 42% to patients, and 15% to business partners.
Proofpoint analyzed email fraud attacks in multiple industry sectors. Healthcare was the only industry where there was a correlation between company size and the number of attacks, with larger organizations being targeted much more often than smaller healthcare organizations.
The most commonly used categories of subject line in the emails were ‘Payment’, ‘Request’, and ‘Urgent’. Blank subject lines were also common. The emails were mostly sent during business hours, Monday to Friday. 70% of messages were sent between 7am and 1pm.
33% of emails were sent from free-to-use email accounts such as those offered by Gmail, AOL, Inbox, RR, and Comcast, with the display name changed.
In addition to spoofing a healthcare domain, lookalike domains are often used: those with misspellings, transposed letters, or additional characters added to the domain name. 67% of healthcare organizations experienced attacks using lookalike domains.
Protecting against email fraud attacks requires multi-layered defenses. Staff should receive training and be taught to look for the signs of a possible email fraud attack. Email fraud attack simulations can also help to reinforce training and identify weak links: individuals who require further training.
DMARC should be adopted to prevent impostors from spoofing domains, and healthcare organizations should consider buying and parking variants of their domain. Domains similar to those used by healthcare organizations should be monitored, as they may be registered by fraudsters, and email filters should be configured to reject messages sent from those risky domains.
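As an added example (not from the article or from Proofpoint), the following Python check implements the lookalike-domain monitoring described above: it takes the sender domain from each From: header and flags domains that are a misspelling, transposition, added character or swapped TLD away from one trusted domain. The trusted domain and the sample headers are constructed for illustration.

```python
import re

TRUSTED_DOMAIN = "example-hospital.org"  # constructed placeholder, not a real organization

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, covering the misspellings, transposed
    letters and added characters the article describes."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Domain of the angle-bracket address in a From: header. The display name
    is ignored on purpose: it is the part fraudsters change on free accounts."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()

def classify(from_header: str, trusted: str = TRUSTED_DOMAIN, max_edits: int = 2) -> str:
    """'trusted' for the exact domain (still subject to SPF/DKIM/DMARC checks),
    'lookalike' for a near-miss on the name or a swapped TLD, else 'external'."""
    domain = sender_domain(from_header)
    if domain == trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    trusted_name, _, trusted_tld = trusted.rpartition(".")
    if name == trusted_name and tld != trusted_tld:
        return "lookalike"
    if osa_distance(name, trusted_name) <= max_edits:
        return "lookalike"
    return "external"

# Constructed sample From: headers, not taken from the report.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@example-hospital.org>",
    "CFO <cfo@exmaple-hospital.org>",                   # transposed letters
    "CFO <cfo@example-hospitals.org>",                  # added character
    "CFO <cfo@example-hospital.com>",                   # swapped TLD
    "Dr. Smith <drsmith.example-hospital@gmail.com>",   # free account, display name changed
]

for header in SAMPLE_FROM_HEADERS:
    print(f"{classify(header):<10} {header}")
```

Senders classified as lookalike are candidates for a filter reject rule; the free-mail case with a changed display name comes back as external, so it needs a separate display-name rule rather than this domain check.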