Business Email Compromise: In the Healthcare Sector

Referred to as the “Billion Dollar Scam” by the Federal Bureau of Investigation (FBI), Business Email Compromise (BEC) is a scam in which the attacker uses a spoofed email or a compromised account to trick employees into initiating a money transfer to an alternate (fraudulent) account. The scammers almost always pretend to be a person of power within the organization, such as the CEO or CFO. The scam, which has increased 1,300% since 2015, has been so successful because the actors generally conduct some level of research on their targets first, know how to sound like the individual they are mimicking, and send the email to only a few people (generally those who handle finances), allowing it to sidestep basic security controls such as email filtering. There are multiple variations of this scam, and it affects organizations in every sector and around the world. Hospitals and medical centers need to be wary of it, since its variations could result in lost money, PII/PHI, or goods such as prescription drugs.

Example

Instead of an example of someone falling victim to this type of attack, I’ll share an uplifting case. In 2015, a local medical center reported receiving a phone call from a pharmacy asking it to confirm a large order of prescription drugs, worth over $500,000. Upon investigation, it was determined that the medical center had not placed that order and that it was in fact fraudulent. The pharmacy had called only because the shipping address for the medical center differed from the one it had on record; all the other certificates and credentials checked out, including the Drug Enforcement Agency (DEA) ID number, doctor licenses, and pharmaceutical certificates. In this incident, a malicious actor had compromised the medical center’s credentials and was attempting to take out a large line of credit with the pharmacy to purchase drugs. The pharmacy’s call to double-check the order saved it from losing $500,000 in prescription drugs and saved the medical center from having $500,000 withdrawn from its account. The employee properly followed the protocol in place (calling to confirm when there is a change on an account), and the scam was halted in its tracks.

Recommendations

If an individual in your company’s finance department received an email (seemingly) from your CEO tomorrow requesting a wire transfer or a goods purchase, would they make the transfer? Increased awareness and understanding of this type of scam is the best way to prevent employees from falling for it. Some companies also implement precautionary approval steps or hold money transfer requests for an additional period of time to verify their legitimacy. Beware of sudden changes in previously standard business practices, such as addresses, both virtual (email) and physical (shipping or billing). If you generally communicate with someone from one email address and they request something from a “personal” email, use another form of communication to verify that you are still speaking with the legitimate business partner. For a robust list of best practices to defend against Business Email Compromise and other fraud scams, visit IC3. For general recommendations against phishing emails, view MS-ISAC’s Primer on phishing.
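The warning signs listed above (an executive's name on an outside address, a lookalike domain, replies routed elsewhere, a payment or banking-change request from outside the organization) can be turned into a triage check that tells finance staff which messages need out-of-band verification. The following is an added example written for this article, not code from the page or from MS-ISAC; the domain, executive names, keyword list, and sample messages are all constructed.

```python
"""Triage heuristics for the BEC warning signs discussed above, run over
constructed sample messages (hypothetical names and domains)."""
from email.utils import parseaddr

OUR_DOMAIN = "example-medical.org"                      # constructed: the hospital's own domain
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}     # constructed executive directory
PAYMENT_TERMS = ("wire transfer", "new bank", "update the account", "urgent payment")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains (e.g. 1 for l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(msg):
    """Return the reasons a message should be verified out of band (empty if none)."""
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sdom, reasons = domain_of(sender), []
    if name.lower() in EXECUTIVES and sdom != OUR_DOMAIN:
        reasons.append("executive display name on an external sender address")
    if sdom != OUR_DOMAIN and 0 < edit_distance(sdom, OUR_DOMAIN) <= 2:
        reasons.append("sender domain is a lookalike of our own")
    if reply_to and domain_of(reply_to) != sdom:
        reasons.append("Reply-To redirects responses to a different domain")
    if any(t in msg.get("Body", "").lower() for t in PAYMENT_TERMS) and sdom != OUR_DOMAIN:
        reasons.append("payment or banking-change request from outside the organization")
    return reasons

# Constructed samples: a routine internal note, a "personal" address impersonation,
# and a lookalike-domain request to change supplier account details.
SAMPLES = {
    "routine": {"From": "Jane Doe <jane.doe@example-medical.org>",
                "Body": "Please send the Q3 budget summary."},
    "bec": {"From": "Jane Doe <jane.doe@webmail.example>",
            "Reply-To": "jane.doe.ceo@othermail.example",
            "Body": "I need a wire transfer to a new bank account today. Keep this confidential."},
    "lookalike": {"From": "John Roe <john.roe@example-medica1.org>",
                  "Body": "Update the account details for our pharmacy supplier."},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, triage(msg) or "no flags")
```

A hit from `triage` is a prompt to call the requester on a known number, as the pharmacy did in the case above, not a verdict on its own.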