Business email compromise (BEC) attacks are evolving quickly, with ransomware deployment and credential harvesting becoming primary objectives of these attacks, according to Microsoft’s latest Digital Defense Report. These highly targeted attacks are increasingly effective, which makes it all the more important to follow cybersecurity best practices in order to avoid falling victim to them.
Earlier research from Barracuda Networks found that BEC attacks account for only 7% of spear-phishing attempts but are three times more successful than conventional phishing. In fact, roughly 3 out of 10 users are duped by a BEC email.
The attacker poses as a sender the victim trusts, such as a vendor, a colleague within the organization, a business partner, or another known entity. Typically, the attacker requests a wire transfer or personally identifiable information from the victim or from similar individuals who have access to sensitive data.
BEC attacks are especially hard to detect because they seldom include a URL or a risky attachment, which leaves traditional content filters little to flag. Sending a handful of targeted emails instead of spamming scores of intended victims also lets attackers track the responses of each target closely.
Attackers usually try to elicit a reply before asking for a wire transfer or personal information, since a reply confirms that the address is live and that the recipient is willing to engage. Thus, the overwhelming majority of BEC attacks open with a short, innocuous message – for example, “I need your help” or “Do you have a minute?”
Because tailoring emails to specific targets takes effort, this technique is used less often than traditional phishing. Nonetheless, the FBI estimates that BEC attacks have generated more than $26 billion in losses over the past four years, far exceeding the losses from any other category of cybercrime.
Microsoft also reported that BEC and other forms of phishing increasingly rely on more advanced kill chains (the sequence of steps an attacker follows, from initial contact to the final objective, in an external attack on an organization’s IT environment). Since healthcare is the sixth-most targeted sector for BEC attacks, it is critical for institutions to make certain they have implemented the appropriate controls to ward off these carefully tailored attacks.
Microsoft has stated that multi-factor authentication (MFA) can prevent 99.9% of automated account-compromise attacks. In its report, Microsoft emphasized that robust authentication measures, such as MFA or passwordless authentication, reduce the risk of data breaches and defeat the bulk of identity attacks. One caveat: MFA closes the credential-harvesting path of BEC, but it does not stop an employee from acting on a convincing fraudulent request that arrives from an attacker’s own mailbox, which is why process and training controls are also needed.
Indeed, practically every Department of Homeland Security threat alert lists MFA as the number-one measure for thwarting these types of attacks. The National Institute of Standards and Technology (NIST) treats MFA as an essential security control: the user must present two or more independent factors when logging on to an account.
Multi-factor authentication lets a healthcare organization verify that it is the legitimate user, and not a cybercriminal, who is logging on to an account or device. A user can substantiate their identity with several kinds of factors: something they know (a password or PIN), something they have (a phone, hardware token, or registered device), or something they are (a fingerprint or other physical identifier).
Many MFA deployments will “remember” a device after the initial login. If you return to the service from the same smartphone, computer, or tablet, it recognizes the device and treats that recognition as the second factor. Combined with risk analytics running in the background – for example, flagging a new login half an hour later that originates from halfway around the world as impossible travel – this means that, more often than not, the only parties who have to do any additional work are the bad actors attempting to hijack your account. A remembered device is only as trustworthy as the device itself, so the “remember” window should be limited in duration and revocable by administrators.
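The two background checks described above, device recognition and impossible-travel analytics, can be combined into a single login-risk decision. The following is an added example written for this article, not code from Microsoft or any vendor product; the speed threshold, the device identifiers, the coordinates and the login events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy value: a login implying faster travel than this between two
# successive sign-ins is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime          # timezone-aware UTC timestamp
    lat: float
    lon: float
    device_id: str          # identifier issued when the device was "remembered"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to reach the new location in time."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def decide(trusted_devices, prev, cur):
    """Return 'allow' or 'step_up' for the login `cur`.

    trusted_devices maps user -> set of remembered device ids; prev is the
    user's previous successful login, or None if there is none.
    """
    if cur.device_id not in trusted_devices.get(cur.user, set()):
        return "step_up"            # unrecognised device: demand a second factor
    if prev is not None and implied_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        return "step_up"            # remembered device, but impossible travel
    return "allow"                  # recognised device, plausible movement


# Constructed sample events (not real logs): New York, then Singapore 30 minutes
# later, Boston two hours later, and an unknown phone from New York.
TRUSTED = {"alice": {"laptop-7f3a"}}
NYC_0900 = Login("alice", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), 40.7128, -74.0060, "laptop-7f3a")
SGP_0930 = Login("alice", datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc), 1.3521, 103.8198, "laptop-7f3a")
BOS_1100 = Login("alice", datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc), 42.3601, -71.0589, "laptop-7f3a")
NEW_DEVICE = Login("alice", datetime(2024, 3, 1, 9, 5, tzinfo=timezone.utc), 40.7128, -74.0060, "phone-0c21")

if __name__ == "__main__":
    for label, login in (("Singapore 30 min later", SGP_0930),
                         ("Boston 2 h later", BOS_1100),
                         ("new phone", NEW_DEVICE)):
        print(f"{label}: {decide(TRUSTED, NYC_0900, login)}")
```

The remembered laptop is allowed straight through for the Boston login, because 300 km in two hours is plausible, but the same remembered laptop appearing in Singapore half an hour after New York is forced to re-authenticate, and an unknown phone is always challenged. Real systems replace the fixed threshold with a risk score and also consider IP reputation, but the shape of the decision is the same.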
Dedicated Leadership and Employee Training
The ultimate aim of a business email compromise attempt is to fool the user into believing they are communicating with a known associate. As researchers have documented, some roles – such as human resources or accounting – routinely have to open documents such as PDFs from outside parties and cannot simply refuse such requests.
Consequently, organizations need processes that let a user quickly verify the legitimacy of an email or request, ideally over a separate channel such as a phone call to a number already on file rather than one supplied in the email, while educating other users on how to spot spear-phishing emails. Organizations should appoint a designated leader who can verify the authenticity of emails and serve as the point person for routine threats. These processes should include backup channels for occasions when the regular point of contact is unavailable, which also helps employees make better-informed decisions under pressure.
Studies have shown that security training not only builds a strong and resilient workforce but also measurably reduces the organization’s overall risk. Employee education should include phishing simulations, in-person workshops, and e-learning activities.
Users must understand the importance of checking that the sender’s actual email address, not just the display name, matches who the sender claims to be. This matters especially on mobile devices, where many mail clients show only the display name. Administrators should also encourage employees to discuss the phishing emails they receive with their coworkers.
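The sender checks a trained user performs by hand (display name versus actual address, a Reply-To that points elsewhere, a look-alike domain, an urgent one-line request with no link or attachment) can also be scored automatically at the mail gateway. The following is an added example written for this article, not code from any product or from the researchers cited; the organization domain, the executive names, the scoring weights and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"      # assumed organisation domain
VIP_NAMES = {"dana reyes", "morgan lee"}     # assumed executives whose names get borrowed
URGENCY = re.compile(
    r"\b(i need your help|do you have a minute|are you available|urgent|wire transfer|gift cards?)\b",
    re.IGNORECASE,
)
REVIEW_THRESHOLD = 4                         # assumed: at or above this, hold for review


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent transposition as one edit,
    so 'heatlh' is one step from 'health' (a common look-alike trick)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def score_message(raw: str):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    score, reasons = 0, []

    # 1. A known executive's display name on an address outside the organisation.
    if name.strip().lower() in VIP_NAMES and from_domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"display name '{name}' but external address {addr}")
    # 2. Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        score += 3
        reasons.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")
    # 3. Sender domain is a near miss for our own domain.
    if from_domain != INTERNAL_DOMAIN and osa_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        score += 3
        reasons.append(f"look-alike domain {from_domain}")
    # 4. The classic opener or a money request.
    if URGENCY.search(subject + " " + body):
        score += 1
        reasons.append("urgency or payment phrasing")
    # 5. Short, text-only, nothing for a URL/attachment filter to inspect.
    if not msg.is_multipart() and "http" not in body.lower() and len(body.strip()) < 300:
        score += 1
        reasons.append("short text-only message with no link or attachment")
    return score, reasons


def needs_review(raw: str) -> bool:
    return score_message(raw)[0] >= REVIEW_THRESHOLD


# Constructed sample messages (not real mail).
SAMPLES = {
    "exec_from_webmail": (
        "From: \"Dana Reyes\" <dana.reyes@gmail.com>\n"
        "To: accounts@example-health.org\n"
        "Subject: Do you have a minute?\n"
        "\n"
        "Are you available? I need your help with something today.\n"
        "Sent from my iPhone\n"
    ),
    "lookalike_vendor": (
        "From: \"Accounts Payable\" <ap@example-heatlh.org>\n"
        "Reply-To: ap.billing@protonmail.com\n"
        "To: finance@example-health.org\n"
        "Subject: Updated banking details\n"
        "\n"
        "Please send payment for the March invoice by wire transfer to our new account.\n"
    ),
    "legit_internal": (
        "From: \"Morgan Lee\" <morgan.lee@example-health.org>\n"
        "To: all-staff@example-health.org\n"
        "Subject: Team lunch Friday\n"
        "\n"
        "Menu and sign-up are on the intranet at https://intranet.example-health.org/lunch\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, reasons = score_message(raw)
        print(f"{label}: score={score} review={needs_review(raw)} {reasons}")
```

The sender-identity signals carry the weight, while the wording and the absence of links only nudge the score, so a genuine internal message that happens to ask for help is not held. This is triage, not authentication: a passing score says nothing about whether the sending domain was actually authorized to send the mail, so the out-of-band verification process described above still applies to any payment or data request.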
The better users become at identifying spear-phishing attempts, the less likely the organization is to be compromised by a cyberattack. Board and management backing is crucial to creating and rolling out prevention initiatives, so that employees see these efforts as a priority.
That said, many senior-level staff members lack a basic awareness of the dangers of spear-phishing and so unwittingly make themselves prime targets for attackers. An intuitive user experience – one that makes it simple to report suspicious emails and that warns the user about potentially malicious content – can go a long way toward helping users remain vigilant and make the right decision when confronted with a phishing campaign.
As with any business tool, email security platforms must be kept up to date with the necessary patches, and hardware and software updates must be applied in a timely fashion.
Healthcare organizations, in particular, should also consider tools built to secure the email platform itself, such as machine-learning-based filtering and spam blocking, along with having current antivirus software installed.
All systems – especially email – should require strong, unique passwords, with multi-factor authentication enabled where appropriate.
While every sector and industry is susceptible to BEC attacks, healthcare organizations are among the most vulnerable because of the sheer number of potential entry points. By following the cybersecurity best practices outlined above, institutions and their employees will be better equipped to defend against these attacks.