A cyberthreat known as business email compromise has caused businesses, religious institutions, educational institutions, non-profits, and other organizations to lose billions of dollars since the FBI first began tracking the threat in 2013.
Business email compromise (BEC), also known as CEO impersonation or CEO fraud, is a favorite crime of Internet con artists because it relies on what every con requires for success: deception. These criminals target a highly specific group: employees with access to company finances.
What Do Business Email Compromise Scammers Do?
The business email compromise scammer begins “work” by identifying which employee or employees have access to company finances, and the name of the CEO or other executive they report to. Armed with those names, the scammer tricks the employee into making a wire transfer. The employee who falls for the scam believes the destination bank account belongs to a trusted partner; in fact, the money ends up in an account controlled by the criminals.
How Does Business Email Compromise Work?
When scammers judge the time is right, often when the CEO is travelling or otherwise away from the office, they send a fake email claiming to be from the CEO to a targeted employee in the finance office. The target can be anyone with access to company finances: a bookkeeper, accountant, controller, or even the chief financial officer (CFO).
In the fake message, the scammer requests that the employee make a wire transfer, usually immediately, to a trusted vendor with whom the company already has a business relationship.
The employee, believing the request is legitimate, sends the money to what he or she takes to be a familiar vendor account, business as usual. But the account details are slightly different from those on file, and the transfer, which can range from thousands to millions of dollars, lands in an account controlled by the criminal group.
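The control that catches the pattern described above, a payment instruction whose bank details differ slightly from the vendor's record on file, is a check of every outbound wire against the verified vendor master before release. The following Python is an added example, not code from the original article: only an exact match against the verified record is approved, any change in bank details is held for a callback to the vendor, and a near-match account number is called out as the altered-invoice pattern. The vendor names, routing and account numbers, amounts and hold/approve rules are all constructed; the ABA check-digit test is included because US routing numbers carry one.

```python
"""Gate outbound wire instructions against the vendor master file.

Added example, not code from the original article. The vendor records,
the routing and account numbers and the decision rules are constructed
for illustration; the routing numbers were chosen to pass the ABA
check-digit test.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BankAccount:
    routing: str
    account: str


# Constructed vendor master: bank details the company verified out of band
# (by phone, on a number it already had) when each vendor was onboarded.
VENDOR_MASTER = {
    "acme medical supply": BankAccount("021000021", "123456789"),
    "northside labs": BankAccount("111000025", "987654321"),
}


def aba_routing_valid(routing: str) -> bool:
    """ABA routing numbers are nine digits whose 3-7-1 weighted sum is 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def differing_digits(a: str, b: str) -> int:
    """Positions where two account numbers differ; a length change counts fully."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def check_wire(vendor: str, routing: str, account: str) -> tuple[str, str]:
    """Decide whether a wire may be released.

    Returns (decision, reason) where decision is APPROVE, HOLD or REJECT.
    Only an exact match against the verified record is approved; every
    change in bank details is held for a callback to the vendor.
    """
    if not aba_routing_valid(routing):
        return "REJECT", "routing number fails ABA check digit"
    known = VENDOR_MASTER.get(vendor.strip().lower())
    if known is None:
        return "HOLD", "vendor not in master file; onboard and verify by phone first"
    if (known.routing, known.account) == (routing, account):
        return "APPROVE", "matches verified vendor record"
    delta = differing_digits(known.account, account)
    if known.routing == routing and delta <= 2:
        # The "slightly different account number" pattern: same bank, a digit
        # or two changed. This is what an altered invoice looks like.
        return "HOLD", f"account number differs from record in {delta} digit(s); likely altered invoice, call vendor"
    return "HOLD", "bank details changed; confirm with vendor on a known number before release"


def triage(instructions):
    """Run a batch of (vendor, routing, account, amount) rows; return decisions."""
    return [(vendor, amount, *check_wire(vendor, routing, account))
            for vendor, routing, account, amount in instructions]


# Constructed batch: a routine payment, an altered invoice, a changed account
# and a new payee whose routing number does not even pass the check digit.
SAMPLE_BATCH = [
    ("Acme Medical Supply", "021000021", "123456789", 4200.00),
    ("Acme Medical Supply", "021000021", "123456798", 48000.00),
    ("Northside Labs", "111000025", "555000111", 12500.00),
    ("Global Consulting LLC", "021000022", "444333222", 98000.00),
]

if __name__ == "__main__":
    for vendor, amount, decision, reason in triage(SAMPLE_BATCH):
        print(f"{decision:8} {vendor:22} {amount:>10,.2f}  {reason}")
```

The point of the design is that a HOLD is never cleared by the same email thread that requested the payment: the callback goes to the phone number already in the vendor master, not to one supplied in the invoice.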
How Exactly Do Business Email Compromise Scammers Trick You?
The scammers use tried and true cybercriminal tools, including:
- Spear-phishing. Spear-phishing is targeted phishing aimed at a single individual or a very small group. BEC criminals use it in different ways: some try to get the target to click a link that leads to a website that downloads malware; others send a link to a fake website that asks for a password, or to a site laden with ads or trackers.
- Identity theft. The scammer assumes the identity of the CEO or of a known vendor, using names, titles and signature details gathered about the company to make the request credible.
- Email spoofing. The From address or display name is forged, or a look-alike domain is registered, so the message appears to come from the CEO.
- Malware. Malicious software on a victim's machine can capture mailbox credentials or let the attacker read correspondence and learn when and how payments are made.
Many BEC criminals use several of these methods in combination to perpetrate the fraud. The sophistication of their techniques, together with their persistence, is key to their “success.”
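The spoofing and spear-phishing indicators listed above can be checked mechanically on each inbound message. The following Python is an added example, not code from the original article: it parses a message and flags an executive's display name on an outside address, a look-alike sender domain, a Reply-To header pointing somewhere other than the sender's domain, and lure language (urgency, a payment request, secrecy) in the subject or body. The company domain, executive list, keyword lists and both sample messages are constructed.

```python
"""Score an inbound email for business email compromise (BEC) indicators.

Added example, not code from the original article. The company domain,
executive list, keyword lists and both sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the executive whose name
# the CEO-fraud lure borrows.
COMPANY_DOMAIN = "example-health.org"
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}

# Phrases that recur in BEC lures: urgency, a payment request and secrecy.
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT_WORDS = ("wire", "payment", "invoice", "bank details")
SECRECY_WORDS = ("confidential", "do not discuss", "keep this between us")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate the text/plain parts, decoding each with its own charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_indicators(raw: str) -> list[str]:
    """Return every BEC indicator found in one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        found.append("executive display name on foreign address")

    # 2. Look-alike domain: a character or two away from the company's own.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        found.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To elsewhere: replies reach the attacker even if From were genuine.
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain mismatch ({reply_domain})")

    # 4. Lure language in subject or body.
    text = (msg.get("Subject") or "").lower() + "\n" + _body_text(msg).lower()
    for label, words in (("urgency", URGENCY_WORDS), ("payment request", PAYMENT_WORDS),
                         ("secrecy", SECRECY_WORDS)):
        if any(w in text for w in words):
            found.append(f"{label} language")
    return found


# Constructed sample: a CEO-fraud lure of the kind the article describes.
LURE = """\
From: Jane Doe <jane.doe@examp1e-health.org>
Reply-To: jane.doe.ceo@mail-example.com
To: controller@example-health.org
Subject: Urgent wire transfer

I am travelling and cannot take calls. Please process the attached vendor
invoice by wire transfer immediately and keep this confidential until I am back.
"""

# Constructed sample: a routine internal message that should come back clean.
BENIGN = """\
From: Jane Doe <jane.doe@example-health.org>
To: controller@example-health.org
Subject: Board meeting agenda

Attached is the draft agenda for Thursday. Comments welcome.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, bec_indicators(raw) or ["no indicators"])
```

Keyword matching on its own is noisy; the header checks are the stronger signals, and a message that trips both a header check and lure language is the one worth routing to a reviewer before the finance team acts on it.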
What Does This Have to Do with HIPAA?
HIPAA covered entities and business associates are especially vulnerable to these attacks. The cybersecurity company Proofpoint analyzed more than 160 billion emails sent by organizations in 150 countries between Q1 2017 and Q4 2018. The result: 473% more healthcare email fraud attacks were conducted in Q4 2018 than in Q1 2017.
Protecting against business email compromise requires multi-faceted defenses. Protective measures include training staff to identify a suspicious email and to report it before taking any other action. Covered entities and business associates can also develop BEC attack testing scenarios; having staff work through simulations of increasing complexity reinforces training and identifies security gaps.
In addition, under the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), that is, protected health information (PHI) that is created, received, maintained, or transmitted in electronic form.