Cyber Security: Healthcare Industry Vulnerabilities Give Rise to Cyber Crime


In November, at least 35 healthcare facilities in the U.S., U.K. and Canada were targeted by cybercriminals executing Business Email Compromise (BEC) campaigns. The organizations, which included hospitals, specialty care providers, walk-in clinics and pharmaceutical companies, were defrauded by attackers who impersonated executives within the organizations.

Cybercriminals are drawn to and attack the healthcare industry for many reasons, but primarily because healthcare organizations allocate the bulk of their resources to patient care and innovation, which often leaves information security underfunded. However, by becoming educated about BEC scams and the tools available to mitigate this threat, healthcare organizations can drastically reduce email fraud and associated financial losses.

Understanding BEC

BEC is defined by the FBI as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments. As such, BEC scams typically involve an attacker hacking into or spoofing an official business email account to request a fraudulent wire transfer of funds from that business to a bank account the attacker controls.

To pull off their scams without arousing suspicion, fraudsters often conduct research via the targeted company’s website and social media to secure organizational charts that indicate employees’ titles and roles, as well as the chain of command within a company. Some attackers even call their target’s human resources department to obtain personal information about employees that may help them better position their requests for fraudulent payment. With this research in hand, attackers are able to piece together enough intricacies of an organization to understand under what auspices to request the transfer and who the initiating and receiving parties should be.

The main forms of BEC include:

The Bogus Invoice Scheme: Often referred to as “The Supplier Swindle” or “Invoice Modification Scheme,” attackers identify vendor partners of their target and pose as these vendors via email to request payment on an invoice.

CEO Fraud: Known alternately as “Business Executive Scam,” “Masquerading” or “Financial Industry Wire Frauds,” this form of BEC involves a cybercriminal impersonating a member of the executive team within the target organization and using this spoofed email account to initiate a wire transfer to an account the attacker controls.

Account Compromise: This version entails a fraudster hacking into an employee’s email account and sending email requests to multiple vendors for invoice payment to be made to an attacker-controlled account.

Attorney Impersonation: To execute this form of BEC, attackers contact employees within the target company claiming to be a legal entity handling confidential, time-sensitive matters that require a transfer of funds into an account owned by the attacker.

Data Theft: Cybercriminals seek out HR representatives or administrators with access to personal employee information and use this intelligence as a jumping-off point for the aforementioned forms of BEC.

Targeting the Healthcare Industry

As organizations within the healthcare industry place much of their focus and financial resources on patient care and working toward advancements in medicine, they often neglect to allocate the necessary portion of their budgets to cybersecurity. These security vulnerabilities make healthcare organizations the perfect target for BEC scams. For these specific cyberattacks, two main BEC strategies have been identified:

In the first tactic, attackers spoof the “From” field on an email to make it appear as though the email is being sent by an executive while the “Reply To” field contains the attacker’s email address. Although the employee intends to respond to the executive who they believed sent the email, their reply containing sensitive information is actually sent to the attacker.

The second tactic entails fraudsters utilizing a domain name that is similar to that of the targeted healthcare institution — often varying only by one letter that is not readily detectable by the recipient. For example, cybercriminals used this technique on several National Health Service (NHS) institutions with the copycat domains appearing as <name of hospital> co instead of nhs.uk.

In both strategies, attackers utilize a simple subject line conveying a sense of urgency that encourages the recipient of their spoofed email to act quickly. Some examples of the subject lines used in BEC schemes include:

  • Extremely Urgent
  • Treat as Urgent
  • Due Payment
  • Urgent Payment

This push for quick action — coupled with the fact that the email appears to be sent from a high-level member of their company — discourages employees from fully considering and verifying the details of the request. In turn, many inadvertently reply to the attacker, providing them with the account information needed to fraudulently obtain the organization’s funds.
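The two spoofing tactics and the urgency subject lines described above can be turned into simple header-based triage rules. The following is an added Python example, not code from the original article: the organization domain example-hospital.org, the sample messages and the indicator names are constructed for illustration, and the look-alike check is a plain edit-distance comparison rather than any particular product's logic.

```python
"""Header-based triage for the three BEC indicators described in the article:
a Reply-To pointing somewhere other than the From domain, a From domain that
is a look-alike of the organization's own, and an urgency-laden subject line.

Added illustration, not code from the article. The organization domain, the
sample messages and the indicator names are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed defender-owned domain (constructed for this example).
ORG_DOMAIN = "example-hospital.org"

# Subject phrases listed in the article; matched case-insensitively.
URGENCY_PHRASES = ("extremely urgent", "treat as urgent", "due payment", "urgent payment")


def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain, org_domain=ORG_DOMAIN, max_distance=1):
    """True for a domain that is close to, but not equal to, org_domain.

    Covers the two cases in the article: a one-character difference anywhere
    in the name, or the same name under a different suffix. Splitting on the
    last dot is a simplification that ignores multi-label suffixes (.co.uk).
    """
    if not domain or domain == org_domain:
        return False
    if levenshtein(domain, org_domain) <= max_distance:
        return True
    return domain.rsplit(".", 1)[0] == org_domain.rsplit(".", 1)[0]


def analyze(raw_message):
    """Return the list of BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    subject = (msg.get("Subject") or "").lower()

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    if is_lookalike(from_domain):
        findings.append("lookalike-from-domain")
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        findings.append("urgency-subject")
    return findings


# Constructed sample messages; none of these addresses is real.
SAMPLES = {
    "reply_to_redirect": (
        'From: "Dr. Ada Chief" <ceo@example-hospital.org>\n'
        "Reply-To: ceo.example-hospital@mail-relay.invalid\n"
        "To: payables@example-hospital.org\n"
        "Subject: Extremely Urgent\n"
        "\n"
        "Please send the account details for the pending vendor payment.\n"
    ),
    "lookalike_domain": (
        "From: finance@example-hospital.co\n"
        "To: payables@example-hospital.org\n"
        "Subject: Due Payment\n"
        "\n"
        "Attached invoice is overdue, process today.\n"
    ),
    "benign": (
        "From: scheduler@example-hospital.org\n"
        "Reply-To: scheduler@example-hospital.org\n"
        "To: staff@example-hospital.org\n"
        "Subject: Q3 clinic rota\n"
        "\n"
        "Rota for next quarter attached.\n"
    ),
}


def triage(samples=SAMPLES):
    """Run analyze() over a mapping of name -> raw message."""
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name:18s} {findings or 'no indicators'}")
```

Each indicator on its own is weak (a legitimate mailing list also sets a divergent Reply-To), so a gateway rule would normally route messages with two or more indicators to quarantine or to a finance-team review queue rather than block on any single one.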

Combatting BEC

Unfortunately, since there are many variations of BEC scams — and fraudsters work hard to create credible, inconspicuous email messages — BEC is particularly difficult to monitor and mitigate without employee awareness of the threat and advanced cybersecurity solutions. Traditional security software typically does not detect BEC tactics because these spoofed emails don’t contain typical malicious content such as URLs or attachments.

To combat BEC scams and other emerging threats, healthcare chief information security officers (CISOs) should invest in a comprehensive layered defense that includes an advanced cybersecurity solution that detects and blocks socially engineered attacks and advanced malware. These solutions should utilize machine learning to inspect the behaviors of socially engineered emails and prevent them from reaching users’ endpoints.

Additionally, CISOs must develop an executive training program focused on advanced threats. They need to educate employees on the threat of BEC attacks and encourage them to verify all details in an email request for wire transfer, no matter the level of urgency communicated. Employees can also help mitigate the risk of fraudulent transfers by using the Forward function, rather than Reply, to type in their intended recipient’s email address to ensure their response is sent to the correct party.

Finally, healthcare organizations should review their accounting policies and operational controls to validate that proper verification procedures are in place. Employees should use phone confirmation as part of fund transfer request procedures, and vendor payment location changes should have a secondary sign-off system.

With the right tools, employee training and vigilance, most healthcare organizations can substantially diminish the risk of BEC attacks. Ultimately, by investing in the resources up front, they can avoid heavy financial losses in the end.
