Business email compromise (BEC) remains one of the most costly cyber threats facing organizations, with the FBI's 2023 Internet Crime Report revealing $2.9 billion in reported losses from 21,489 complaints. Despite a slight decrease in incident numbers from 2022, financial losses continue to climb as attackers increasingly leverage cryptocurrency exchanges and third-party payment processors to quickly disperse stolen funds.
Healthcare organizations are particularly vulnerable to BEC attacks due to their complex payment systems, numerous third-party relationships, and access to valuable patient data. According to the Health Sector Cybersecurity Coordination Center (HC3), BEC attacks resulted in over $50.8 billion in exposed losses between October 2013 and December 2022.
Attackers often exploit the urgent nature of medical services and staff's desire to provide prompt patient care, as demonstrated in the HC3 report where cybercriminals nearly defrauded a medical center of $500,000 in prescription drugs by compromising their DEA ID number and pharmaceutical certificates. The report also documents a case where attackers successfully targeted a children's hospital after monitoring public announcements about their new campus construction project, using spoofed domains and impersonating the construction company's CFO to redirect payments.
BEC attacks involve impersonating trusted individuals or organizations to manipulate staff into taking unauthorized actions. Attackers might pose as executives requesting urgent wire transfers, vendors changing payment details, or even patients seeking medical record access.
In healthcare settings, BEC attacks often target:
Implementing strong email authentication protocols (SPF, DKIM, and DMARC) helps prevent email spoofing. Healthcare organizations must verify sender legitimacy, especially for communications involving financial transactions or patient data requests.
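To make the authentication point concrete, the following is an added Python example (not code from the article or from HC3) that parses SPF and DMARC TXT records and flags settings that still leave a domain spoofable; the record values and the hospital.example domain are constructed for illustration.

```python
import re

# Constructed sample DNS TXT records (not from the article): a weak
# setting beside the corrected one for each protocol.
WEAK_SPF = "v=spf1 include:_spf.example-mail.test ?all"
STRONG_SPF = "v=spf1 include:_spf.example-mail.test -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hospital.example"

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings that would leave spoofed mail deliverable."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failures are reported but never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked, not rejected")
    if tags.get("sp", policy) == "none":  # sp defaults to p (RFC 7489)
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports never reveal spoofing attempts")
    return findings

def assess_spf(record: str) -> list:
    """Flag an SPF record whose 'all' mechanism does not fail unlisted senders."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if match is None:
        return ["no 'all' mechanism: unlisted senders are never evaluated"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    weak = {"+": "+all: every sender passes, SPF offers no protection",
            "?": "?all: neutral result, unlisted senders are not failed",
            "~": "~all: softfail only; rely on DMARC p=reject to enforce"}
    return [weak[qualifier]] if qualifier in weak else []
```

Running the assessors over a domain's published records during a vendor onboarding or periodic review turns the "verify sender legitimacy" advice into a repeatable check.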
Regular training helps staff recognize BEC attempts. Employees should understand common attack patterns, verify requests through secondary channels, and feel empowered to question unusual payment or data access requests, even from apparent authority figures.
Healthcare organizations should establish multi-step verification processes for financial transactions. This includes:
Strict access controls and authentication procedures help prevent unauthorized access to sensitive systems. Organizations should regularly review and update access privileges, especially for employees handling financial or patient data.
Look for urgent requests, pressure to bypass normal procedures, subtle changes in email addresses, and requests for unusual payment methods.
Use established secondary communication channels to confirm requests, especially those involving financial transactions or patient data access.
Work with financial institutions to attempt recovery of funds, review and strengthen security procedures, and implement additional verification steps for similar transactions.