A BEC scam leads to a healthcare data breach

Feb 17, 2020
BEC (Business Email Compromise) scams are an ever-present problem in the business world. The scam consists of impersonating someone senior within an organisation in order to trick an employee into making a fraudulent bank transfer. According to the Financial Crimes Enforcement Network (FinCEN), these scams net the attackers around £232 million every month, or roughly £2.7 billion a year.

While this kind of scam generally aims to steal money, we have also seen cases where cyber criminals have other ends in mind. The latest such case was in New York.

A medical center in New York: victim of a BEC scam

On December 30, 2019, a medical center in New York City reported that it had suffered a BEC attack. The targeted employee, who works at the VillageCare Rehabilitation and Nursing Center (VCRN), received an email that appeared to come from a senior staff member at the institution requesting information about VCRN patients.

According to the Notice of Data Privacy Incident statement published on the center’s website, “The unauthorised actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”

Through this ruse, the attacker obtained information on 674 patients, including first names and surnames, dates of birth, and medical insurance details (the name of the provider and the member ID number). No system was broken into: the employee sent the data in reply to what looked like a legitimate internal request.

VCRN explains that, “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”

The medical center has stated that it is unaware of any of the patient information having been misused since the incident. VCRN has said that it intends to carry out a review of its cyber security.

The center has taken measures to inform the patients that have potentially been affected, and has advised them “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”

Healthcare: a sector vulnerable to data breaches

Healthcare is one of the sectors that suffers most from the consequences of a data breach. According to the Ponemon Cost of a Data Breach Report, healthcare is the sector with the highest data breach costs: an average of £4.95 million per breach. What’s more, the cost per record in a healthcare breach is also the highest: £330 per record, 60% higher than the cross-sector average.

In the sector, the consequences of a data breach also go beyond the financial aspect: abnormal customer turnover in healthcare after an incident of this kind is also the highest of any sector: 7% of customers are lost.

It is possible to protect yourself against BEC scams

As we’ve seen, BEC scams can have serious repercussions for a company that falls victim to one, even when no money is stolen. Beyond the financial loss or information theft itself, a cyber attack of this type can have a lasting negative impact on an organisation’s reputation.

The most important defence against BEC scams is to treat every unexpected request as unverified until proven otherwise, however senior the apparent sender. Any email that asks for patient data, payment details, or a change to banking information should be confirmed through a channel the attacker does not control: a phone call to a number you already have, or a walk to the person’s desk, never a reply to the email itself. If you have even the slightest doubt about the legitimacy of a message, don’t reply and don’t open any attachments.

Even though the final phase of a BEC scam is an act of social engineering, malware is often employed earlier in the attack. The messages must appear to come from trusted email addresses; for this reason, cyber attackers use spyware to steal mailbox credentials. With access to a genuine account they can send from the real address and copy the tone, signature and context of earlier correspondence, producing emails that are believable in both form and content. Where no account has been compromised, attackers fall back on a lookalike domain or a forged display name, which is why the sender address, and not just the name shown on it, deserves a careful look.
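The sender checks described above can be automated at the mail gateway or in a triage script. The following Python example is added here and is not the medical center’s, the vendor’s, or any product’s code; the executive directory, the trusted domains, and the three sample messages are all constructed for the illustration. It flags the classic BEC indicators: a senior staff member’s display name on an outside address, a Reply-To that diverts the conversation elsewhere, a sender domain one or two edits away from the real one, a message claiming to be internal that did not pass DMARC, and a request for patient data or payments.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (hypothetical, not from the original post): a directory of senior
# staff worth impersonating, and the organisation's own mail domains.
EXECUTIVES = {"jane doe": "example-health.org"}
TRUSTED_DOMAINS = {"example-health.org"}

# Requests that typically appear in BEC messages, whether for money or for data.
SENSITIVE_KEYWORDS = ("patient", "insurance", "date of birth", "wire", "transfer",
                      "urgent", "payroll", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (an added or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw: bytes) -> list:
    """Return (tag, detail) pairs for every BEC indicator found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    found = []

    # 1. A senior staff member's display name on an address outside our domain.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_domain != expected:
        found.append(("display-name-impersonation",
                      f"'{from_name}' should be @{expected}, not @{from_domain}"))

    # 2. Replies silently diverted to a mailbox the attacker controls.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        found.append(("reply-to-mismatch", f"Reply-To goes to @{domain_of(reply_addr)}"))

    # 3. Sender domain is one or two edits away from a trusted domain.
    if from_domain not in TRUSTED_DOMAINS and any(
            levenshtein(from_domain, t) <= 2 for t in TRUSTED_DOMAINS):
        found.append(("lookalike-domain", from_domain))

    # 4. Claims to be our own domain but our gateway did not record a DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        found.append(("dmarc-not-pass", auth or "no Authentication-Results header"))

    # 5. The request itself: patient data, payments, urgency.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in SENSITIVE_KEYWORDS if k in text]
    if hits:
        found.append(("sensitive-request", ", ".join(hits)))
    return found


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = b"""From: "Jane Doe" <jane.doe@example-health.org>
To: records@example-health.org
Subject: Staff meeting
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass; dmarc=pass header.from=example-health.org
Content-Type: text/plain; charset=utf-8

Reminder that the staff meeting is at 10am tomorrow.
"""

SAMPLE_BEC = b"""From: "Jane Doe" <jane.doe@example-heallth.org>
To: records@example-health.org
Reply-To: jane.doe.ceo@mail-example.net
Subject: Urgent: patient insurance details needed
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-heallth.org; dmarc=none
Content-Type: text/plain; charset=utf-8

Hi, I need the names, dates of birth and insurance ID numbers for the patients admitted last week. Please send them as soon as possible.
"""

SAMPLE_SPOOFED = b"""From: "Jane Doe" <jane.doe@example-health.org>
To: records@example-health.org
Subject: Quick favour
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health.org; dmarc=fail header.from=example-health.org
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need you to handle a transfer for me today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("bec", SAMPLE_BEC), ("spoofed", SAMPLE_SPOOFED)):
        print(label, bec_indicators(raw))
```

The lookalike domain in the second sample differs from the real one by a single letter, which is exactly the kind of difference a busy employee reading the display name will not notice; the third sample uses the real domain but fails DMARC, so the gateway’s Authentication-Results header is the only thing that gives it away. Any message with one or more indicators should be held for the out-of-band verification described above rather than answered.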

This use of spyware or other kinds of malware means that an advanced endpoint security solution is essential. Adaptive Defense continuously monitors all activity on the network, which greatly reduces the chance that spyware or another advanced threat can take hold and harvest the credentials a BEC attack depends on.

BEC scams are a trend that is showing no signs of slowing down. What’s more, cyber criminals are finding ever more innovative ways to keep compromising the systems of organisations all over the world. Make sure your company isn’t the next victim.

It is important to test your systems

Even with the most advanced cyber security solutions in place, a determined attacker may still find a way in. Regular testing keeps you ahead of this by ensuring that vulnerabilities are discovered and patched before they are exploited. We can also run simulated BEC attacks against your business to see whether your staff can spot and report fraudulent emails.

Book a Free Cyber Clinic today to see how we can test your systems and Defend Your Business.