Understanding Business Email Compromise and Common Social Engineering Tactics

Each day, threat actors send nearly 3.5 billion phishing emails. It takes just one click by one of your employees or connected vendors to unleash disastrous consequences—from ransomware to data exfiltration or misuse. As an attack vector, a single business email compromise (BEC) can cost your healthcare organization millions in breach penalties and recovery costs and put your patient’s lives at risk.

No healthcare covered entity or business associate is immune. Bad actors target nearly 88% of organizations each year with spear phishing. With so much potential exposure to electronic personal health information (ePHI), every healthcare organization and partner along the supply chain is a likely target and must remain on high alert.

What is spear phishing?

Spear phishing is a form of social engineering attackers use to target potential victims, often through email. Threat actors collect information about a user or their organization and then use that to send what appears to be a valid communication from a trusted source. This is called a business email compromise (BEC). The more legitimate the email seems, the more likely a potential victim will open it, click links, download files, or engage with the sender.

Unfortunately, even with repeated guidance about the threat of social engineering and phishing training and education, at least 30% of those malicious emails are opened. At least 10% of those will result in threat actors successfully unleashing ransomware or stealing sensitive data.

Common words attackers use to lure your team members into clicking:

• Urgent (8%)
• Important updates (8%)
• Important (5%)
• Attention (2%)

Threat actors also zero in on topics they know will pique interest, like potential payroll changes or something that indicates a needed action.

In the past, security teams could thwart some of these interactions by installing software that prevents activation of malicious links by halting connections without secure sockets layer (SSL) certificates, but today, more than half of phishing sites use valid SSLs. This emphasizes the need for more robust security measures across the board, even though attackers are getting increasingly good at bypassing other security measures, too.

For example, many organizations use multifactor authentication (MFA), such as sending a one-time password or secure code to an approved device, application, phone number, or email, to grant access to systems with sensitive data or that could be an entry point into other sensitive systems. However, at least 1 million attacks every year successfully bypass MFA.

How? They may send so many MFA requests that the user gets tired of rejecting them or thinks there is a system issue and ultimately breaks down and approves one. Others use a proxy or reverse proxy to get users to provide a code, or they’ll steal cookie sessions to gain access that way.

That’s not to say MFA isn’t a good measure; in fact, it should be a standard control every healthcare organization has in place. Still, healthcare organizations and business associates must remain vigilant about the complex ways attackers try to work around these controls.

And, while business email compromise is increasing, threat actors still employ other methods to steal credentials or sensitive data. There are more than 10 million multi-layer phishing attacks each month that combine text messaging with phone calls and other social engineering tactics. This is referred to as TOAD — telephone-oriented attack delivery.

Attackers Like BEC

While threat actors can use many attack vectors, they like BEC because it works. Even with the right—and continuous—training and exercises, end users like your employees and vendors still take risks they know they shouldn’t, like responding to an email or text from someone they don’t know or clicking a link or attachment from an unknown source. Why? According to Proof Point’s 2024 State of the Phish Report,

• 39% say they’ll make a risky decision to save time.
• 10% will to meet performance requirements.
• 44% will because it’s convenient.
• 24% will to meet urgent deadlines.

In addition, some employees, regardless of training, still don’t understand who is responsible for security in their organization. In Proof Points’ research, 59% of users said they weren’t sure if security is their responsibility or that they aren’t responsible. This is alarming compared to the 85% of security professionals in the research who said most employees know they are responsible for security. This disconnect helps explain the risk behavior described above and why employees decide to take those risks. 

Tips to Reduce the Risk of Business Email Compromise

• Increase staff awareness
  • Remind them that research is an attacker’s first phase for a BEC attack
    • Any employee with a social media presence can be a significant source of information
• Educate employees about what BEC and social engineering are
  • Discuss examples, attacker goals, and tactics
  • Conduct routine tests and exercises
    • Ensure employees know how they did and how their actions could harm your business
• Make sure your employees know what to do if they receive payment, payroll, or wire requests
  • Encourage transparency. Ensure your employees understand these things are not done in total secrecy. If an email or phone call approaches it this way, it should instantly be a red flag. Ensure they know how, when, and where to report suspicious communications.
  • If your employee is unsure, make it standard practice to seek secondary validation internally before clicking, downloading, or responding.
  • Don’t underestimate the influence of an apparent request from an executive.
• Make cybersecurity awareness and readiness part of your organization’s culture.
  • Ensure all staff know everyone is responsible for cybersecurity
  • Highlight examples of their impact (roles/responsibilities), how they can help, and why it’s important
  • Connect with new employees right away and ensure they understand policies and procedures
• Implement industry-recognized technical security controls
  • Implement, confirm, and test email protocol protections. Examples:
    • Domain keys identified mail (DKIM)
    • Sender Policy Framework (SPF)
    • Domain-based message authentication, reporting, and conformance (DMARC)
    • Enable proper audit logging within email systems
    • Don’t assume cloud defaults are adequate; they’re not
• Implement industry-recognized operational controls
  • Continuously monitor and log activities 24/7
  • Develop incident response plans and regularly test them
  • Conduct regular security audits, including penetration testing, to identify gaps and remediate them
  • Conduct business email compromise assessments
• Enable email access controls
  • At a minimum, MFA for all email access
  • Implement geofencing to reduce profile and exposure risk
  • Don’t ignore mobile devices
• Implement strong anti-phishing protections
  • Use at least two layers of protection, for example, what’s included with email programs like Gmail and Microsoft, but add an additional layer such as URL and attachment scanning
  • Clearly label all external emails, for example, with a red banner or text, so employees know the message comes from outside your organization.

6 Ways Clearwater Can Help Protect Your Healthcare Data from Compromise

Clearwater security solutions and consulting services can help protect your organization from potential email compromise and more effectively safeguard sensitive patient data:

1. Security awareness training: Clearwater can help you educate staff on identifying phishing attempts and social engineering, often used in BEC attacks.

• HIPAA-compliant risk analysis and vulnerability management: Identify security weaknesses in your email systems and configurations that BEC attackers might exploit.

• Managed security services: To relieve security burdens on your internal teams, partner with Clearwater for managed security services, including access to tools that automatically filter suspicious emails and block malicious attachments.

• HIPAA compliance consulting: HIPAA compliance requires strong email security practices. Clearwater’s consultants can help ensure your email systems meet HIPAA regulations, making it more difficult for BEC attackers to succeed.

• Threat intelligence: As an industry leader in healthcare cybersecurity, Clearwater can keep your teams up-to-date on the latest threat intelligence about BEC tactics and email threats.

• Incident response: Few security systems are fail-proof. If you experience a BEC attack, Clearwater can help with incident response to stop the attack, contain damage, recover data, and prevent future email compromise.

While BEC can affect organizations of all sizes across all industries, healthcare’s complex cyber risk landscape requires a multi-layered approach to security. By combining Clearwater’s security awareness training, threat intelligence, and managed security services, you can empower your staff with the tools they need to stay one step ahead of attackers.