BEC (Business Email Compromise) scams are an ever-present problem in the business world. This scam consists of impersonating someone important within an organization’s structure in order to trick an employee into making a fraudulent bank transfer. According to the Financial Crimes Enforcement Network (FinCEN), these scams generate around $301 million every month, or $3.6 billion every year.

While this kind of scam generally aims to steal money, we have also seen cases where cybercriminals have other ends in mind. The latest such case was in New York.

A medical center in New York: victim of a BEC scam

On December 30, 2019, a medical center in New York City reported that it had suffered a BEC attack. The victim, who works in the VillageCare Rehabilitation and Nursing Center (VCRN), received an email that seemed to come from a senior staff member at the institution requesting information about VCRN patients.

According to the Notice of Data Privacy Incident statement published on the center’s website, “The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”

Thanks to this ruse, the attacker exfiltrated information on 674 patients, including names and surnames; dates of birth; and medical insurance information, including the name of the provider and ID number.

VCRN explains that, “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”

The medical center has stated that it is unaware of any of the patient information having been used in any malicious activity since the incident. The VCRN has said that it intends to carry out a review of its cybersecurity.

The center has taken measures to inform the patients that have potentially been affected, and has advised them “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”

Healthcare: a sector vulnerable to data breaches

Healthcare is one of the sectors that suffers most when dealing with the consequences of a data breach. According to the Ponemon Cost of a Data Breach Report, healthcare is the sector with the highest data breach costs: an average of $6.45 million per breach. What’s more, the cost per file in a healthcare sector breach is also the highest: $429 per file, 60% higher than the average cost.

In the sector, the consequences of a data breach also go beyond the financial aspect: abnormal customer turnover in healthcare after an incident of this kind is also the highest of any sector: 7% of customers are lost.

It is possible to protect yourself against BEC scams

As we’ve seen, BEC scams can have serious repercussions for a company that falls victim to one, even if no money is stolen. As well as financial loss or information theft, a cybercrime of this type can have a negative impact on an organization’s reputation.

The most important thing to protect against BEC scams is to have a zero-trust stance. This means not trusting any emails that seem out of the ordinary. If you have even the slightest doubt about the legitimacy of anything, don’t open it, don’t reply, and don’t open any attachments.

Even though the final phase of a BEC scam is an act of social engineering, malware is often employed in the attack as well. The messages must seem to come from trusted email addresses; for this reason, cyberattackers use spyware to steal credentials. This information is then used to create emails that are believable both in form and content, which can convince the victims that the request is legitimate.
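As an added defender-side example (not part of the original post), the following Python function applies a few header checks that a mail gateway or analyst could use to flag a message that impersonates a senior staff member, as in the incident described above. The organisation domain, staff names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed settings (hypothetical, not VCRN data): the organisation's own domain and the senior staff whose names a BEC message is most likely to borrow.
INTERNAL_DOMAIN = "example.org"
SENIOR_STAFF = {"jane doe": "jane.doe@example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return header-level reasons to treat a message as a possible BEC attempt."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    findings = []
    # 1. A senior-staff display name on an address that is not that person's.
    expected = SENIOR_STAFF.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name '{from_name}' but sender is {from_addr}")
    # 2. Lookalike domain a character or two away from the real one (e.g. examp1e.org).
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} resembles {INTERNAL_DOMAIN}")
    # 3. Replies quietly redirected to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain")
    # 4. The receiving gateway recorded a failed sender-authentication check.
    auth = (msg.get("Authentication-Results") or "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("sender authentication failed: " + auth.strip())
    return findings


# Constructed sample message (headers only), not one from the incident described above.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.org>
Reply-To: jane.doe.ceo@mail-example.net
To: records@example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e.org
Subject: Urgent - patient list needed today
"""
```

Running `bec_indicators(SAMPLE)` returns four findings for the sample; a message from the genuine address with no Reply-To and no authentication failure returns an empty list.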

This use of spyware or other kinds of malware means that it is vital to use an advanced cybersecurity solution. Panda Adaptive Defense constantly monitors all activity on the network. This way, you can be sure that neither spyware nor any other kind of advanced threat will endanger your organization.

BEC scams are a trend that is showing no signs of slowing down. What’s more, cybercriminals are finding ever more innovative ways to keep compromising the systems of organizations all over the world. Make sure your company isn’t the next victim.