Online scams are nothing new -- but as email has evolved and improved, so have scammers and the messages they send. Nefarious emails, attachments and links now appear sophisticated and look legitimate, sometimes tricking even the most meticulous user.
Billions Lost to Business Email Compromise
Referred to as the “Billion Dollar Scam” by the Federal Bureau of Investigation, a very specific type of scam known as the Business Email Compromise (BEC) generates around $301 million every month, or $3.6 billion every year, according to a 2019 report by the Financial Crimes Enforcement Network. In 2020, threat actors have been leveraging widespread fears about the coronavirus pandemic to gain access to healthcare organizations around the world; they do this by impersonating reputable institutions like the World Health Organization and the Centers for Disease Control or by enticing recipients with plausible claims about healthcare treatments, informational webinars, bonuses for working through the pandemic, etc.
Hospitals and other healthcare facilities must be aware of the BEC scam, which has many variations and could result in substantial loss of money, data security, or goods such as prescription drugs.
Four Reasons BEC Scams Work So Well
Top 10 Business Email Compromise Protection Tips
BEC emails are advanced phishing scams, and they’re on the rise. But what makes a BEC attack so dangerous, and so effective?
BEC Scams Are Highly Targeted
These scammers aren’t blasting thousands of the same email. They’ve done the research, monitoring the company’s website and social pages. They sidestep basic security strategies such as email filtering by finding only the most appropriate targets and grooming them by sending multiple conversational emails.
They Contain No Malware
Unlike the old style of phishing where users are told to click on a link, BEC emails have no spammy links. This means they can sometimes evade spam filters, and the end user doesn’t see any red flags.
They Exploit Human Nature
BEC emails carefully impersonate an actual person, complete with authentic-looking email addresses, formatting, company names, and titles. The victim has unknowingly been emailing back and forth with the scammer and comes to trust they are who they claim to be. So when asked to send bank information, for example, the victim assumes the request is authentic and complies.
They Are Often Under-reported
Victims often don’t realize they made a mistake until much later. Even upon realization, many companies don’t report the incident for fear of damaging their reputation with their customers. Not reporting such incidents allows perpetrators to simply move on to their next victim.
Learn How to Protect Against BEC Scams
Preventing losses due to Business Email Compromise is the responsibility of all of your healthcare employees as well as your IT administrator. To stay protected, follow these tips:
- Double-check the sender email address and know how to recognize spoofing and other impersonation tactics. MDaemon Webmail displays the full email header to help users identify spoofed emails.
MDaemon Webmail: Full Email Header Display
- Don’t overshare on social media
- Don’t open email from unknown sources
- Verify all wire transfer requests via phone or face-to-face
- Know customers’ and vendors’ business practices
- Run antivirus software often
- Use two-factor authentication
- Forward, don’t reply; this ensures you manually enter the appropriate email address
- Enable reverse lookups to verify the legitimacy of the sender
- Use the antivirus features in MDaemon and SecurityGateway to scan all inbound and outbound email traffic
- Require users to use SMTP authentication
- Use SPF, DKIM & DMARC to secure your domain against spoofing
- Require two-factor authentication
- Require strong passwords
- Provide regular end-user training on all scam formats including BEC
- Run antivirus software often and make sure virus signatures are up-to-date
While traditional security measures such as network defenses and email gateways can be effective at blocking most varieties of spam, the bottom line is that the most critical part of stopping BEC attacks is user awareness and education. Take steps to protect your healthcare facility and its data today. Visit SecurityGatewayForEmail.com to sign up for hosted or on-premise email protection.