According to the FBI, email fraud attacks on businesses have resulted in worldwide losses of at least $26bn (£21bn) since 2016 and are fast becoming the costliest form of cyberattacks to contend with. Email fraud occurs when cyber criminals send extremely well crafted and targeted emails to specific people within an organisation, often asking for money to be transferred or important information to be provided. Most concerningly, these emails can be almost indistinguishable from a legitimate request as cybercriminals spoof the identity of a trusted individual to trick unsuspecting victims going about their daily working life.
Every business is a target, and the healthcare sector is no exception. Recent research has shown that healthcare organisations were targeted with 43 imposter emails on average in just the first quarter of 2019, a 300 percent increase from the beginning of 2018. Criminals are developing sophisticated, complex attacks to better target important people across healthcare organisations and to bypass the checks that staff are used to relying on.
Healthcare organisations are often complex and decentralised and hold highly sensitive information, making them an attractive target for cybercriminals. As such, they face the increasing challenge of protecting staff, patients and stakeholders against an ever-evolving threat landscape. Whilst malware and other cybersecurity threats affect all sectors, email fraud is particularly damaging for the healthcare sector as cybercriminals prey on the most vulnerable segment of the population and the people dedicated to helping them. But how serious is the problem?
Assessing the problem
Increasingly, cybercriminals are using social engineering tactics to trick their victims. They simply take on the identity of a trusted organisation or employee and craft highly-researched, sophisticated phishing emails, making a request for funds or an attempt at harvesting login credentials.
Identity deception is key to email fraud, and our recent analysis of threat data targeting global healthcare organisations shows that in the first quarter of 2019 the average impostor attack posed as 15 different healthcare staff members across multiple messages.
Unsurprisingly, payment transfer fraud is the leading form of email attack in healthcare; recent research shows cybercriminals mostly used email subject lines including “payment”, “request” and “urgent” to target healthcare companies.
Cybercriminals are also careful to pick their moment. Most email fraud attacks against the healthcare sector are sent on weekdays between 7:00am and 1:00pm in the UK, and are designed to be seen by as many targets as possible during this period in order to increase the chances of success. This makes sense: an external business supplier, for instance, is unlikely to request that payment information be updated after office hours or during a weekend.
This couldn’t happen to me…
So, what could a healthcare email fraud attack look like in reality, and why does this tactic work so well?
An attack targeting a member of staff could look exactly like any other email from a well-known stakeholder inside or outside the organisation. This could be an email from an accounts payable contact at a medical supply vendor informing you that their payment information has changed and that one of their invoices is overdue. Receiving an email from this contact wouldn’t raise any suspicion: you have communicated with each other by email in the past, and the request is indeed within your job responsibilities. So you update your internal systems and get the invoice payment processed.
Eventually, the senior accounts payable contact at the supplier reaches out complaining that payment has not been received and that supply deliveries will be suspended until the outstanding balance is paid; only then do you realise you have fallen victim to email fraud. So what approaches can healthcare organisations take to protect their staff, patients and stakeholders from this risk?
People-centric approaches to preventing email fraud in healthcare
Email fraud tactics are constantly shifting, however there is one constant: cybercriminals continue to focus on the human factor, targeting employees at all levels across organisations. This means that healthcare companies need to re-think their approach to cybersecurity.
By taking a people-centric view to cybersecurity defences, healthcare organisations can minimise the human risk of email fraud and better protect their employees, as well as their entire business ecosystem. This means understanding who is at risk within your organisation, and tailoring your strategy to each individual.
Today’s threat landscape requires a multi-layered defence strategy that encompasses people, processes and technology in equal measure.
Building employee resilience through training and awareness programmes is critical – without it, someone somewhere will always click! Training and awareness programmes are traditionally put in place to educate the employees of an organisation to be vigilant and act as the last line of defence against attacks targeting the company itself. Simulated phishing attacks and engaging ‘gamified’ programmes help employees to think twice and actively take part in protecting their company against cybercriminals, as opposed to becoming the latest victim.
In parallel, there has to be a level of prioritisation of which business processes need to be hardened. Some business processes (e.g. the transfer of funds) are of huge value/risk to all companies; others (e.g. engineering/production) are company-specific. Most importantly, processes that are people-dependent are more vulnerable, since people are prone to social engineering; compromises of technical processes may be more pernicious but usually demand a greater level of technical sophistication. If actions are taken and decisions made on the instruction of an entity whose identity has been spoofed, a business process is easily compromised. Businesses should therefore ensure that the entities, people and devices that provide input into a business process are authenticated before that input is trusted. For the highest-risk step, a change to a supplier’s bank details or a request to pay an overdue invoice, that means confirming the request through an independent channel, such as a phone number already held on file rather than one supplied in the email, before anything is updated or paid.
Finally, healthcare organisations need to implement a multi-layered security strategy to shut down most avenues for cybercriminals. Domain-based Message Authentication, Reporting and Conformance (DMARC) can be a significant barrier to criminals attempting to impersonate trusted figures within organisations: it stops them spoofing a business’s own domains and sending emails on its behalf to unsuspecting recipients, provided the domain owner publishes an enforcing policy (quarantine or reject, not the monitor-only “none”) and the receiving mail system honours it. DMARC does not, however, cover a display name that reads as a colleague over an unrelated address, or a lookalike domain registered by the attacker. Organisations should therefore also consider dynamic email analysis to block display name spoofing at the gateway, and lookalike domain discovery to search for recently registered domains that resemble their own or their suppliers’, as well as Data Loss Prevention (DLP) and encryption to protect their business-critical assets.
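The following Python is an added example written for this page; it is not Proofpoint’s code or a description of its products. It shows, on constructed sample headers, the three gateway-side checks just mentioned: display name spoofing (a known staff name over an outside address, or an address embedded in the display name), lookalike domains (ASCII homoglyphs, dropped hyphens, typo-squats and TLD swaps of the organisation’s or a supplier’s domain) and a Reply-To that diverts replies elsewhere, plus a parser for a DMARC TXT record that reports whether the policy actually enforces. The domains, staff names, addresses and DMARC records are hypothetical.

```python
"""Added example (not Proofpoint's code): gateway-side impersonation checks run
over constructed sample mail. Every domain, name and address here is hypothetical."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Hypothetical inventory: our own domain, staff commonly impersonated, one supplier.
ORG_DOMAINS = {"example-nhs-trust.org"}
KNOWN_STAFF = {
    "jane smith": "jane.smith@example-nhs-trust.org",
    "finance team": "finance@example-nhs-trust.org",
}
VENDOR_DOMAINS = {"medsupply.example"}
TRUSTED = ORG_DOMAINS | VENDOR_DOMAINS

# ASCII tricks seen in lookalike registrations (rn->m, vv->w, 0->o ...).
# Non-ASCII (IDN) confusables need a full confusables table; not covered here.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise_domain(domain):
    """Lower-case, NFKC-fold, drop hyphens and map common ASCII homoglyphs."""
    d = unicodedata.normalize("NFKC", domain.lower()).rstrip(".").replace("-", "")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED):
    """Return the trusted domain this sender domain imitates, or None.
    Only the registrable label is compared, so a TLD swap is caught too."""
    if not domain or domain.lower() in {t.lower() for t in trusted}:
        return None
    label = normalise_domain(domain).rsplit(".", 1)[0]
    for t in trusted:
        if levenshtein(label, normalise_domain(t).rsplit(".", 1)[0]) <= 2:
            return t
    return None


def check_message(raw):
    """Return a list of findings for one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # Display-name spoofing: a known person's name on an address from elsewhere.
    real = KNOWN_STAFF.get(name.strip().lower())
    if real and real.rsplit("@", 1)[1] != domain:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")

    # An address embedded in the display name that differs from the real sender.
    m = re.search(r"[\w.+-]+@[\w.-]+", name)
    if m and m.group(0).lower() != addr.lower():
        findings.append(f"address in display name ({m.group(0)}) != sender ({addr})")

    # Lookalike domain: a near-miss of our own or a supplier's domain.
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike domain: {domain} imitates {target}")

    # Replies silently diverted to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {addr} -> {reply_to}")
    return findings


def parse_dmarc(txt):
    """Parse a DMARC TXT record; 'enforcing' is True only for full quarantine/reject."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a DMARC record, or missing the mandatory policy tag
    pct = int(tags.get("pct", "100"))
    tags["enforcing"] = tags["p"] in ("quarantine", "reject") and pct == 100
    return tags


# Constructed sample headers (not real traffic) and constructed DMARC records.
SPOOFED = """From: "Jane Smith" <jane.smith.nhs@example-webmail.test>
Subject: Urgent payment request
"""
LOOKALIKE = """From: "Accounts Payable" <ap@rnedsupply.example>
Reply-To: <ap.rnedsupply@example-webmail.test>
Subject: Updated bank details - overdue invoice
"""
LEGIT = """From: "Jane Smith" <jane.smith@example-nhs-trust.org>
Subject: Agenda
"""
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-nhs-trust.org"
ENFORCED = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-nhs-trust.org"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no findings"])
    for rec in (MONITOR_ONLY, ENFORCED):
        print(rec, "->", "enforcing" if parse_dmarc(rec)["enforcing"] else "monitor only")
```

Two design points: the display name check deliberately keys on the organisation’s own list of frequently impersonated people, because a generic “name looks internal” heuristic produces far too many alerts in a large trust; and the DMARC parser exists to make the point that a published record with p=none gives reporting only and blocks nothing, so “we have DMARC” needs to be checked against the actual policy tag.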
By Ryan Witt, Managing Director, Healthcare Industry Practice, Proofpoint