When people think of cyberattacks, they often have an impression of malevolent hackers using highly sophisticated technology to break into a computer network and steal sensitive information. However, the truth is, most hackers use rudimentary methods to achieve their malicious goals.
Today, business email is the most common target of attacks because it is often the easiest way in. In the last year, nearly half of all reported cyberattacks involved a type of phishing attack known as business email compromise. Over the last three years, US company losses due to business email compromise totaled more than $5.3 billion. Fortunately, there are simple steps you can take to protect your practice from this type of attack.
WHAT IS BUSINESS EMAIL COMPROMISE?
Business email compromise is a type of scam that exploits the fact that so many people rely on email to run their company or medical practice. The hacker’s goal is to gain access to the email inbox of an individual or executive, which opens the way to their organization’s data and wider network of contacts. Once access is gained, the hacker will search the inbox for “high-value” threads, which include information that can be used to launch additional attacks against other employees or third-party suppliers. In most cases, the attacker looks for ways to transfer company funds to their accounts. By the time a business realizes something is wrong, it is often unable to recover what was lost or stolen.
Financial gain is almost always the goal in business email compromise, with over 65% of all targets being in a financial role (such as chief financial officer, director of finance, or accountant). Once a criminal gains control of an email account, there are numerous ways to leverage that access to transfer funds. The hacker might send a company email to patients instructing them to make future payments to a new bank account, which is controlled by the criminal. The hacker could send an email pretending to be the business owner or CEO, asking an employee to transfer company funds. In one version of the scam, the faux CEO asks a secretary to purchase dozens of gift cards and email back the serial numbers, so the cards can be distributed to employees as rewards. If an HR employee’s email is compromised, the account could be used to request personal information from other employees, such as their social security numbers. In all these instances, a criminal’s access to an email account can result in serious financial damage.
I recently worked with a medical practice that had experienced such an attack. The primary business owner, a physician, had his email account compromised. The attacker diligently scanned through his emails to gain an understanding of how the company’s finances worked, then sent several requests, via email, to the operations manager, asking her to purchase equipment for the practice from a particular vendor. From the operations manager’s perspective, these emails looked legitimate. They came from her boss’s email account, included his signature, and were for equipment that was similar to other devices the practice had previously purchased. Six months went by before the office staff discovered that $200,000 in payments had been sent to a bogus account, without the equipment in fact being received. A quick analysis determined the cause was a business email compromise.
PROTECT YOUR PRACTICE
Independent medical practices are at risk of business email compromise if they have not invested in protective measures or trained employees to recognize this sort of attack. Two measures that are simple to implement and extremely effective can help your practice prevent business email compromise.
First, all users of the practice’s email system and network should activate multifactor authentication. An “authentication factor” is a credential used to verify identity. The use of multiple authentication factors makes a hacker’s job much harder. Multifactor authentication requires users to log in to their email with at least two of the following:
- Something they know, like a password, a PIN (personal identification number), or a security question;
- something they are—an inherent characteristic, as measured through a biometric scan (fingerprint or retina), facial recognition software, or a voice recognition program; and
- something they have, such as a smartphone. The subscriber identity module (SIM) card serves as the security token.
In a multifactor system, each time a user wants to access her email account she will have to enter her login credentials (username and password), and then open an authentication app on her smartphone, which provides a one-time password (OTP) code to enter. Such a system will prevent over 99% of business email compromises. Even if the attacker has the username and password, that alone will not be enough to get into the system if multifactor authentication is implemented.
A second strategy that practices should use is security awareness training. If staff are not taught how to detect suspicious emails, they may unintentionally click on links that allow hackers to gain access to the email system. Annual online training is cost-effective and simple to implement, and these programs educate employees about the different types of attacks and what to look for.
After the initial training, it’s useful to have a network security person occasionally send test phishing emails to employees, without alerting them that they’re coming. Test phishing campaigns allow security providers to see who clicks on malicious links or provides sensitive information. With this knowledge, targeted training for the employees who were most susceptible to phishing can be conducted. This sort of follow-up testing has been proven to reduce the likelihood that a real phishing attack will succeed.
In addition, consider supplementing annual training with quarterly newsletters that describe recent or common threats to your industry. The threats change rapidly, so regularly raising awareness of security issues can give your staff the tools they need to serve as the first line of defense against hackers.
Preventing business email compromise requires investment and a willingness to build a security culture within your practice, but it’s worthwhile, as these scams can have huge financial ramifications for a medical practice, as well as reputational damage should the attacker gain access to sensitive patient information. Any reputable managed service provider (MSP) should be able to implement multifactor authentication for your email network.