
CEO Fraud Email Scams Target Healthcare Institutions

  • Posted on: November 23, 2016 at 8:00 am
  • Posted in: Malware, Targeted Attacks
  • Author: Ryan Flores (Threat Research Manager)

A series of Business Email Compromise (BEC) campaigns that used CEO fraud schemes was seen targeting 17 healthcare institutions in the US, ten in the UK, and eight in Canada over the past two weeks. These institutions range from general hospitals and teaching hospitals to specialty care and walk-in clinics. Even pharmaceutical companies were not safe from the BEC scams, as one UK-based company and two Canadian pharma companies were also targeted.

CEO fraud, a type of BEC scam, works by spoofing or impersonating the email account of the CEO or another business executive in order to send a fraudulent wire transfer request to those who manage company wire transfers (CFOs, financial controllers, or accountants). Believing that the request is legitimate, the unwitting employee then transfers funds (a potentially hefty amount that can average $140,000 per incident) to a bank account controlled by the cybercriminal.

We found two main techniques being used in the campaigns against healthcare institutions. The first spoofs the From field to make it seem that the email came from the CEO or executive, while the Reply To field is filled with the scammer’s email address. The second technique uses copycat domain names, where the scammer uses a domain name that’s very similar to that of the target healthcare institution. This can be done by using an email domain that is off by just one character. The scammer then crafts a simple and innocuous subject line, which commonly includes the following phrases:

  • Extremely Urgent
  • Treat As Urgent
  • Treat Very Urgent
  • Due Payment
  • Urgent Payment

Several National Health Service (NHS) institutions were also observed being targeted by these techniques, with the copycat domains appearing as <name of hospital>-nhs.co instead of nhs.uk. Reconnaissance revealed that the threat actors behind these CEO fraud scams easily targeted the institutions by using open-source intelligence (OSINT)—collecting the company positions from publicly available organizational charts.

Defending against CEO fraud and other BEC scams

Unlike other cybercriminal schemes, Business Email Compromise can be particularly challenging to defend against. Based on the emails targeting healthcare institutions, the attacker normally would just spoof the From and Reply To fields and keep subject lines limited to a few words, both to avoid raising suspicion and to heighten urgency. In other words, the email itself won’t include the typical malware payload (malicious attachments or URLs) in its body. This means traditional security solutions that only look into suspicious content simply won’t cut it.
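Because the signal sits in the headers rather than the body, the two techniques and the subject phrases described above can be checked directly on the From, Reply-To and Subject fields. The following Python is an added example, not code from the original post or from Trend Micro; the organisation domain examplehospital.nhs.uk, the addresses, both sample messages and the signal names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Subject phrases listed in the post.
URGENT_PHRASES = ("extremely urgent", "treat as urgent", "treat very urgent",
                  "due payment", "urgent payment")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_signals(raw_message, org_domain):
    """Return the CEO-fraud indicators present in one message's headers."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    signals = set()
    if reply_dom and reply_dom != from_dom:
        signals.add("reply-to-mismatch")       # replies leave the From domain
    if from_dom != org_domain and not from_dom.endswith("." + org_domain):
        if edit_distance(from_dom, org_domain) == 1:
            signals.add("lookalike-one-char")   # off by a single character
        elif org_domain.split(".")[0] in from_dom:
            signals.add("lookalike-brand-reuse")  # e.g. <name>-nhs.co
    if any(p in (msg["Subject"] or "").lower() for p in URGENT_PHRASES):
        signals.add("urgent-subject")
    return signals

# Constructed sample messages (hypothetical organisation and addresses).
ORG = "examplehospital.nhs.uk"
SPOOFED = ('From: "Jane Doe, CEO" <jane.doe@examplehospital.nhs.uk>\n'
           "Reply-To: jane.doe.ceo@mailbox.example\n"
           "Subject: Treat As Urgent\n\nPlease process a wire transfer today.\n")
COPYCAT = ("From: jane.doe@examplehospital-nhs.co\n"
           "Subject: Due Payment\n\nPlease process a wire transfer today.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("copycat", COPYCAT)):
        print(name, sorted(bec_signals(raw, ORG)))
```

A Reply-To that differs from From also occurs in legitimate mail such as mailing lists and ticketing systems, so these signals are better scored together than acted on individually.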

Trend Micro can protect small- to medium-sized businesses, enterprises, and healthcare institutions against BEC-related emails through our social engineering attack protection. This technology, integrated with the Trend Micro™ InterScan Messaging Security Virtual Appliance and Trend Micro™ Hosted Email Security, utilizes machine learning to inspect email headers and social engineering techniques, and also detects BEC-related malware. These endpoint and email security capabilities are provided by the Trend Micro Smart Protection Suites and Network Defense solutions.

Employees can also effectively deflect company intrusions by BEC scams. While wire transfer requests usually require immediate action from the targeted employee, it is still important to double-check and verify transfer details. Instead of using Reply, employees can use the Forward option to type in the email address from the company contact list to ensure legitimate correspondence.

For more information on Business Email Compromise and the security measures organizations can implement:

  • Billion-Dollar Scams: The Numbers Behind Business Email Compromise
  • Enterprise Network Protection against Cyberattacks: Business Email Compromise


Updated on November 24, 2016, 01:40 AM (UTC-7)

We have made a minor correction to the average payout per victim of BEC scams.

Tags: BEC, business email compromise, CEO fraud
