BEC Scams: Healthcare Providers Reeling from Coronavirus-Themed Email Attacks

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Patrick R. Peterson

Even as a handful of leading cybercriminal organizations declare a moratorium on targeting the healthcare sector in the face of the coronavirus pandemic, countless other crime rings appear to be ramping up — including business email compromise (BEC) scammers.

Forget honor among thieves, or even basic self-preservation. Email threat actors the world over are launching an unprecedented number of attacks against hospitals and healthcare systems scrambling to avert “Code Black” scenarios in which they’re overwhelmed by a deluge of COVID-19 patients.

In recent weeks, fraudsters have been impersonating the World Health Organization (WHO) and the Centers for Disease Control (CDC) in phishing emails aimed at disseminating ransomware and other malicious code through attachments purporting to contain important information about the virus. One COVID-19 testing center at a university hospital in the Czech Republic may be a victim of such attacks, which shut down computer systems at the worst possible time.

Other groups have impersonated Vanderbilt University Medical Center in emails containing a remote access trojan (RAT) in order to target insurance, healthcare, and pharmaceutical companies worldwide. That includes organizations in Italy, even after the outbreak there spiraled into a human catastrophe.

‘Fearware’ is Spreading Fast

The fact is, email attacks exploiting concerns over COVID-19 have grown so common in the past four weeks that the tactic now has its own moniker: “Fearware.” And malware isn’t its only con.

A credentials harvesting campaign using the subject line “All Staff: Coronavirus Awareness” has been targeting healthcare system workers throughout the UK, for example. The malicious email prompts staff members to sign up for a special seminar, complete with a link pointing to a phishing site disguised as an Outlook login screen.

Everyone is vulnerable to such schemes, but exhausted nurses and hospital staff may be most at risk — especially as they grapple with a global contagion. Yet even before the coronavirus erupted, a study from Brigham and Women’s Hospital in Boston found that healthcare organizations see phishing clickthrough rates as high as 14.2%.

Using stolen login credentials, cyberthieves are able to infiltrate employee accounts and make their way laterally through an organization, one account at a time. Along the way, they may seed critical systems with ransomware. Or they could gain access to valuable patient records that can be sold for as much as $1,000 each on the dark web.

BEC: Expanding the Hot Zone

I suspect the next wave of email schemes will be even harder for traditional email security controls and overworked employees to detect. Before the pandemic, we were already seeing a growing number of scams that use legitimate links to OneDrive or SharePoint accounts with malware-infected documents awaiting download by unsuspecting victims.

We’ve also been seeing email messages that evade detection by employing “time-bombed” links that redirect to phishing sites only after they’ve successfully made it to a recipient’s inbox. And that’s not even the worst of it.

As I shared in a recent post, the Agari Cyber-intelligence Division (ACID) has uncovered an email crime ring it calls Ancient Tortoise that is using the pandemic as a lure in far more intricate scams that could cost companies millions.

In these attacks, fraudsters use email to pose as senior executives to swindle financial aging reports from employees in accounts receivable. They then take the information in those reports to target that company’s customers with BEC attacks asking for payment on legitimately late invoices.

In the scams identified by our researchers, the coronavirus outbreak is used as pretext for changes in bank details used to receive payments. Amid the turmoil caused by the COVID-19, unwitting employees in accounts payable — many working from home — could make easy prey for this kind of approach.

This is especially true for healthcare organizations racing to acquire ventilators, antiviral medications, and other critical equipment from a rapidly expanding supply chain at a time when normal accounting processes are adapting to a rapidly changing environment.

A Sector Under Continuous Attack

There is a catch to all of this, however. Truth be told, the pandemic is really just amplifying the kind of email security risks organizations in the healthcare sector face all the time.

Ransomware attacks against healthcare providers rose 350% during the fourth quarter of 2019, according to HealthITSecurity.com. More than 759 healthcare providers fell victim to these attacks last year, with payments averaging more than $41,000. At the same time, email scams that successfully bypassed security by foregoing malware or malicious links increased by 25%.

Meanwhile, direct financial losses from supply chain-based BEC offensives like those from Ancient Tortoise average $125,000 per incident — as much as double those from other forms of BEC. But attacks that result in data breaches can be even worse.

According to Ponemon Institute, costs associated with a data breach in the US healthcare sector average more than $13 million per incident — roughly 60% more than the global average across all industries. And that’s before any regulatory fines or possible civil or criminal penalties. In 2019, nearly 40 million patient health records were pilfered through breaches. With the coronavirus used as phishing bait, the figure could skyrocket.

Inoculating the Inbox

Findings from the Brigham study point to reasons why hospitals in particular face a difficult challenge protecting themselves from advanced email threats even under “normal” circumstances — let alone during the treacherous weeks ahead.

According to the researchers, one of the biggest factors in the success of email attacks is that turnover at hospitals is very high, with a constant influx of new employees who may be more susceptible to social engineering ploys.

As COVID-19 threatens to push hospitals toward Code Black, overwhelmed physicians, nurses and other staff members will be joined by a continuous rotation of colleagues, support personnel, and unexpected enlistees — including just about anyone who can intubate a patient. Under unfathomable pressure, even longstanding hospital employees may not have the time or capacity to scrutinize every last email message they receive.

Recalibrating email security controls to better detect ransomware and malicious links can help reduce the threat from email attacks for organizations throughout the sector — both now and post-crisis. But that’s only a first step.

More advanced phishing defenses are required to block sophisticated, social engineering-based email attacks — especially those leveraging stolen, proprietary information or are launched from compromised email accounts. And continuous detection and response technologies are needed to sniff out and remove any “time-bombed” email threats that do manage to reach employee inboxes.

In the vernacular of the times, the faster healthcare organizations can “flatten the curve” or even eradicate successful BEC scams and other advanced email threats, the sooner we can all breathe a sigh of relief.

To see how one Global 500 healthcare company completely eliminated the threat of phishing-driven data breaches, download a special case study from TechValidate.