Email-based attacks continue to pose significant threats to organizations, with the FBI's Internet Crime Complaint Center (IC3) reporting a record 880,418 complaints in 2023, resulting in losses exceeding $12.5 billion. Understanding these attack types can help healthcare organizations protect sensitive patient data and maintain operations.
Business Email Compromise (BEC)
The FBI reported 21,489 BEC complaints in 2023, amounting to $2.9 billion in losses. These sophisticated attacks don't require extensive technical knowledge but rely on social engineering to compromise organizations. These attacks often include urgent requests designed to pressure victims into taking immediate action without proper verification.
Types of BEC attacks
According to Microsoft Security's comprehensive guide on business email compromise, there are five main types of BEC attacks that organizations need to be aware of:
- Data theft: Attackers initially target HR departments to steal company information such as employee schedules or personal phone numbers. This information is then used to make subsequent attacks more convincing.
- False invoice scheme: Criminals pose as legitimate vendors, sending fake bills that closely resemble authentic ones. Often, they modify only small details, such as changing a single digit in an account number or claiming payments must be sent to a different bank due to an audit.
- CEO fraud: Attackers either spoof or hack into executive email accounts to request purchases or wire transfers. A common variation involves requesting employees to purchase gift cards and send photos of serial numbers.
- Lawyer impersonation: This scheme involves compromising law firm email accounts to send fraudulent invoices or payment links to clients. While the email address is legitimate, the payment details direct funds to fraudulent accounts.
- Account compromise: Criminals gain access to finance employees' accounts, particularly those handling accounts receivable, to send fake invoices to company suppliers requesting payments to fraudulent bank accounts.
Phishing and spoofing
Research published in the International Journal on Advanced Science, Engineering and Information Technology states that phishing and spoofing attacks have become increasingly sophisticated, particularly during the COVID-19 pandemic. The FBI's 2023 Internet Crime Report confirms this trend, with phishing being the most reported cybercrime with 298,878 complaints. These attacks typically involve criminals impersonating trusted entities through carefully crafted emails, using social engineering tactics to steal credentials, financial information, or sensitive company data. Attackers often combine spoofed email addresses with urgent requests, making subtle changes to legitimate domain names to deceive recipients.
Spam
According to research published by the Australian Institute of Criminology, spam remains one of the major vectors for disseminating malware. In a study of over 13 million spam emails, more than 100,000 contained malicious attachments and nearly 1.4 million contained malicious web links. The research found that spam thrives through three main methods: website scraping, dictionary attacks combining random usernames with known domains, and purchased email lists from underground markets.
Account takeover
Research from Fudan University defines Account Takeover (ATO) as a type of malicious attack where fraudsters steal email accounts and passwords from normal users, causing both financial losses and exposure of personal information. The research found that 24 million households (22%) of U.S. adults have experienced account takeovers, with average financial losses of $12,000 in 2021.
Denial of service (DoS) attacks
Email-based DoS attacks overwhelm mail servers or individual accounts with a massive volume of messages, disrupting legitimate communication. These attacks can serve as smokescreens for other malicious activities or directly impact business operations by preventing normal email functionality.
Man-in-the-middle (MiM) attacks
In these sophisticated attacks, criminals intercept email communications between two parties. Healthcare organizations are particularly vulnerable to MiM attacks when using unencrypted email systems. Attackers can read, modify, or inject malicious content into intercepted emails without either party's knowledge.
FAQs
How can organizations identify BEC attacks?
Look for common indicators such as urgent requests for financial transactions, slight variations in email addresses, and pressure to bypass normal verification procedures.
What makes phishing attacks successful?
Phishing attacks succeed through sophisticated social engineering tactics and careful impersonation of trusted entities.
What makes healthcare organizations particularly vulnerable to email attacks?
Healthcare organizations are prime targets due to their valuable patient data, complex vendor relationships, and need for rapid communication.
