A series of Business Email Compromise (BEC) campaigns that used CEO fraud schemes was seen targeting 17 healthcare institutions in the US, ten in the UK, and eight in Canada over the past two weeks. These institutions range from general hospitals and teaching hospitals to specialty care and walk-in clinics. Even pharmaceutical companies were not safe from the BEC scams, as one UK-based company and two Canadian pharma companies were also targeted.
CEO fraud, a type of BEC scam, works by spoofing or impersonating the email account of the CEO or another business executive in order to send a fraudulent wire transfer request to the people who handle company wire transfers (CFOs, financial controllers, or accountants). Believing that the request is legitimate, the unwitting employee then transfers funds (a potentially hefty amount, averaging $140,000 per incident) to a bank account controlled by the cybercriminal.
We found two main techniques being used in the campaigns against healthcare institutions. The first spoofs the From field so that the email appears to come from the CEO or executive, while the Reply To field carries the scammer’s own email address, so any reply goes to the scammer. The second technique uses copycat domain names: the scammer registers a domain that closely resembles the target healthcare institution’s, often differing from the legitimate domain by just one character. The scammer then crafts a short, innocuous subject line, which commonly includes one of the following phrases:
- Extremely Urgent
- Treat As Urgent
- Treat Very Urgent
- Due Payment
- Urgent Payment
Several National Health Service (NHS) institutions were also observed being targeted by these techniques, with the copycat domains appearing as <name of hospital>-nhs.co instead of nhs.uk. Reconnaissance revealed that the threat actors behind these CEO fraud scams easily identified their targets using open-source intelligence (OSINT), collecting the relevant company positions from publicly available organizational charts.
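The two techniques described above (a Reply To domain that differs from the From domain, and a copycat domain such as <name of hospital>-nhs.co standing in for nhs.uk) can both be checked mechanically at the mail gateway or in a triage script. The following Python script is an added example and is not code from the original post or from Trend Micro; the trusted-domain list, the lookalike heuristics and the three sample messages are constructed for illustration, and the subject phrases are the ones listed above. It goes slightly beyond the post by also catching one-character typo domains, not only the hyphenated "-nhs" pattern.

```python
import email
from email import policy
from email.utils import parseaddr

# Domains the organisation legitimately sends from (constructed sample set).
# Subdomains of these (e.g. stmarys.nhs.uk) are treated as trusted too.
TRUSTED_DOMAINS = {"nhs.uk", "example-hospital.org"}

# Subject phrases observed in the campaign, as listed in the post.
URGENT_PHRASES = ("extremely urgent", "treat as urgent", "treat very urgent",
                  "due payment", "urgent payment")


def _domain(addr):
    """Lower-cased domain part of an RFC 5322 address, or '' if none."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def _levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Heuristic: a domain whose leftmost label is within one edit of a trusted
    label (covers typo squats and the same name under another TLD such as nhs.co),
    or that embeds the trusted label as a hyphenated token ('<hospital>-nhs.co')."""
    if not domain or is_trusted(domain, trusted):
        return False
    name = domain.split(".")[0]
    for legit in trusted:
        legit_name = legit.split(".")[0]
        if _levenshtein(name, legit_name) <= 1:
            return True
        if legit_name in name.split("-"):
            return True
    return False


def assess(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the list of CEO-fraud indicators found in a raw message; empty means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    subject = str(msg["Subject"] or "").lower()
    reasons = []
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom, trusted):
        reasons.append(f"From domain {from_dom} resembles a trusted domain")
    if any(phrase in subject for phrase in URGENT_PHRASES):
        reasons.append(f"subject uses a campaign urgency phrase: {subject!r}")
    return reasons


# Constructed sample messages: spoofed From with attacker Reply-To, copycat domain, benign.
SAMPLE_SPOOFED = """From: "Jane Doe, CEO" <jane.doe@example-hospital.org>
Reply-To: jane.doe.ceo@freemail-example.net
To: cfo@example-hospital.org
Subject: Treat As Urgent

Please process the wire today, I am in meetings all afternoon.
"""

SAMPLE_COPYCAT = """From: director@stmarys-nhs.co
To: finance@stmarys.nhs.uk
Subject: Due Payment

Kindly settle the attached invoice before close of business.
"""

SAMPLE_BENIGN = """From: jane.doe@example-hospital.org
To: cfo@example-hospital.org
Subject: Q3 budget review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("copycat", SAMPLE_COPYCAT), ("benign", SAMPLE_BENIGN)):
        print(label, "->", assess(raw) or "no indicators")
```

The Reply-To check fires on the first sample and the lookalike check on the second, while the benign message produces no indicators. In production the trusted list would come from the organisation's real sending domains, and the one-edit threshold should be applied only to labels long enough that chance matches are unlikely.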
Defending against CEO fraud and other BEC scams
Unlike other cybercriminal schemes, Business Email Compromise can be particularly challenging to defend against. In the emails targeting healthcare institutions, the attacker typically just spoofs the From and Reply To fields and keeps the subject line to a few words, both to avoid raising suspicion and to heighten urgency. In other words, the email itself carries no typical malware payload (malicious attachments or URLs) in its body. This means traditional security solutions that only inspect content for known-malicious indicators simply won’t cut it.
Trend Micro can protect both small- to medium-sized businesses, enterprises, and healthcare institutions against BEC-related emails through our social engineering attack protection. This technology, integrated with the Trend Micro™ InterScan Messaging Security Virtual Appliance and Trend Micro™ Hosted Email Security, utilizes machine learning to inspect email headers and social engineering techniques, and also detects BEC-related malware. These endpoint and email security capabilities are provided by the Trend Micro Smart Protection Suites and Network Defense solutions.
Employees can also effectively deflect BEC scams. While wire transfer requests usually demand immediate action from the targeted employee, it is still important to double-check and verify transfer details through a separate channel. Instead of using Reply, which sends the response to whatever address sits in the Reply To field, employees can use the Forward option and type in the executive’s email address from the company contact list, ensuring the correspondence reaches the genuine account.
For more information on Business Email Compromise and the security measures organizations can implement:
- Billion-Dollar Scams: The Numbers Behind Business Email Compromise
- Enterprise Network Protection against Cyberattacks: Business Email Compromise
Updated on November 24, 2016, 01:40 AM (UTC-7)
We have made a minor correction to the average payout per victim of BEC scams.