- Email fraud attacks on the healthcare sector increased by a whopping 473 percent between the first quarter of 2017 and the fourth quarter of 2017, according to a new report from Proofpoint.
Proofpoint analyzed over 160 billion emails sent across 150 countries in 2017 and 2019 to determine cyberattack trends on the healthcare sector. The researchers found that on average, organizations were targeted by 96 email fraud attacks per quarter during that time period.
Email fraud has sky-rocketed in all industries. But in healthcare, providers were targeted by 32 email fraud attacks each month. Not only that, 53 percent of them were attacked more often than before, with incidents up 200 percent to 600 percent over those two years.
“Not a single company saw a decrease,” the report authors wrote.
Larger healthcare companies faced a greater frequency of attacks than small organizations, which is unique to the healthcare sector. The researchers found no correlation between organization size and attack frequency in other sectors.
On average, email fraud attacks spoofed 15 healthcare staff members in multiple message attempts. In fact, 49 percent of organizations were targeted by at least five spoofed identities, and 40 percent were targeted with two to five identities.
Further, the median number of staff targeted by email fraud was 23, with 77 percent of organizations seeing 5 or more employees targeted by these attacks. Only 7 percent of organizations had just one employee targeted.
So just how do these email fraud attempts work? According to Proofpoint, the most popular spoofing subject categories for the last two years included the terms “payment,” “request,” and “urgent.” One of the greatest driving forces behind these cyberattacks is wire transfers.
According to the report, the attacks are socially engineered to target specific people based on a role in the company that may inadvertently help carry out the cybercriminals’ wishes. As a result, healthcare is primarily targeted during the weekdays, most commonly Monday through Thursday.
“Volume dips on Friday before falling sharply for the weekend,” the report authors wrote. “Nearly 70 percent of all email fraud attacks against healthcare organizations are sent between 7 AM and 1 PM in their targets’ time zones. The largest percentage arrives around 9 AM, near the start of the workday.”
The techniques vary, but the idea is to make the email appear to come from someone the recipient trusts or commonly communicates with for business purposes. The most common methods are display-name spoofing, domain spoofing, and the use of “lookalike domains.”
“Webmail services, such as Gmail, are the preferred vehicle for email fraud because they’re free and easy to use,” the report authors wrote. “In email fraud, the attacker simply changes the display name. Email display names are unrelated to the actual address being used.”
During the two-year period analyzed by researchers, 33 percent of attacks against healthcare came from Gmail, AOL, Comcast.net, Inbox.lv, or RR.com.
And 95 percent of healthcare firms were targeted by at least one email attack launched from their own domain. Further, the average organization was targeted with 57 domain spoofing attacks. In fact, every organization included in the study experienced a cyberattack associated with a fraudulent message sent to patients and business partners.
Forty-five percent of email sent from healthcare-owned domains in fourth-quarter 2018 looked suspicious: 65 percent of email sent to employees, 42 percent of email sent to patients, and 15 percent of email sent to business partners from hospital-owned domains appeared suspicious.
“Despite organizations’ large investments in security, email fraud continues to rise,” the report authors wrote. “Cybercriminals are growing more advanced. And attacks are evading traditional security tools, leaving people as the last line of defense.”
As the tactics are constantly shifting, organizations should employ a multi-layered defense including email authentication (DMARC), machine learning and policy enforcement, and domain monitoring. Some security leaders have also recommended taking some email-related decisions away from users altogether to bolster security.
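As an added example (not code from the Proofpoint report or this article), the following Python flags the three From-header patterns described above: display-name spoofing sent from free webmail, lookalike domains, and exact domain spoofing that only the gateway's DMARC verdict can settle. The organization domain, staff directory, homoglyph table and sample headers are constructed for illustration.

```python
# Added example, not from the Proofpoint report: triage a raw From header for
# the fraud indicators the article lists. OWN_DOMAIN, STAFF and CONFUSABLES are
# constructed placeholders; a real deployment would load them from the directory.
from email.utils import parseaddr

OWN_DOMAIN = "examplehealth.org"                       # constructed
STAFF = {"jane doe", "cfo jane doe"}                   # constructed directory
FREEMAIL = {"gmail.com", "aol.com", "comcast.net", "inbox.lv", "rr.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    """Fold common homoglyph substitutions so 'examp1ehealth' reads 'examplehealth'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance; a couple of edits is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_from(header, dmarc_pass=False):
    """Return the set of fraud indicators found in one From header.

    dmarc_pass is the gateway's authentication verdict; unknown counts as fail,
    because a message claiming the organization's own domain cannot be trusted
    on the header alone (the 'own domain' spoofing the article describes).
    """
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = set()
    if domain == OWN_DOMAIN and not dmarc_pass:
        findings.add("domain spoofing (DMARC fail)")
    if domain in FREEMAIL:
        findings.add("freemail sender")
    # Display names are free text: a staff name on a non-corporate address
    # is the display-name spoofing the report calls the most common method.
    if display.lower() in STAFF and domain != OWN_DOMAIN:
        findings.add("display-name impersonation")
    # Heuristic: a foreign domain within two edits of ours after homoglyph
    # folding is treated as a lookalike (tune the budget per organization).
    if domain != OWN_DOMAIN and edit_distance(normalize(domain), OWN_DOMAIN) <= 2:
        findings.add("lookalike domain")
    return findings
```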