Following hard on the heels of the recent attack on the US Red Cross comes a report that text-based email attacks on the healthcare sector have risen almost threefold this year. Cybersecurity firm Abnormal Security reports that the healthcare industry has also seen an overall 167% increase in advanced email attacks in 2023, which includes credential phishing, malware, business email compromise (BEC), and extortion.
But it is the dramatic rise in text-based BEC attacks that should cause those working in the US healthcare sector the most concern. The cybersecurity industry defines a BEC attack as one that works by initiating an e-mail exchange with a company employee or taking over an existing one to gain an employee’s trust. Text-based BEC attacks do not have the volume of credential phishing or malware and represent less than one attack per 1,000 mailboxes. But their number is rising fast, says Abnormal Security. From January to August of this year, the number of attacks increased by 279%.
According to abnormal security: “While the volume of BEC is minimal relative to other email attacks, it remains the most dangerous attack type because it often leads to direct financial losses at an average of $125,000 per attack, according to the latest research from the FBI.”
While identifying and stopping BEC attacks is increasingly important, it is made all but impossible by the fact that they are frequently text-based, sent from legitimate domains, and do not show the usual red flags of a suspicious link or malicious attachment. So the advice generally given to staff to watch out for emails from previously unknown or suspicious-looking domains and to beware of opening links in unrequested emails is no defense against the new generation of BEC attacks.
A typical 2023 BEC attack on the healthcare sector could, for example, be intended to garner information for future attacks rather than to execute an immediate breach. Abnormal Security reports an example of such an attack that was blocked. In this instance, the attacker attempted to impersonate the president and CEO of a healthcare network with over 200 US locations and sent an email to a trusted member of staff asking that the recipient send an updated copy of all unpaid customer invoices from accounts receivable, something known in accounting circles as an ‘aging report’.
An attack could mean the immediate loss of millions of dollars
If the CEO in question responded to what appeared to be a purely routine request, the consequences could have proved to be highly damaging for the healthcare network concerned. The aging statements include patients’ email addresses from the accounts payables department. Added to any financial losses would also be the reputational damage suffered by the healthcare network.
Abnormal Security says that this: “would enable them to create realistic emails requesting that the outstanding payments be diverted into the account owned by the attacker. Given how large this health network is and how many patients they see each day, a successful attack like this could result in millions of dollars lost before the network realizes that there is an error in the payments their customers are sending.”
In order to defend against cunning and manipulative BEC attacks, Abnormal Security recommends using artificial intelligence and machine learning to create a baseline of good behaviors. By understanding what is normal, organizations can detect abnormal activity and block business email compromise, invoice and payment fraud, malware, and other email-based threats before they reach any staff members. However, it looks as if things will get worse in the coming months before they get any better.
“If 2022 is any indication, the healthcare industry should be prepared for an additional influx of attacks in the latter half of this year,” warns Abnormal Security.
