In November, at least 35 healthcare facilities in the U.S., U.K. and Canada were targeted by cybercriminals executing Business Email Compromise (BEC) campaigns. The organizations, which included hospitals, specialty care providers, walk-in clinics and pharmaceutical companies, were defrauded by attackers who impersonated executives within the organizations.
Cybercriminals are drawn to the healthcare industry for many reasons, but primarily because healthcare organizations allocate the bulk of their resources to patient care and innovation, which often leaves information security underfunded. However, by learning about BEC scams and the tools available to mitigate them, healthcare organizations can drastically reduce email fraud and the associated financial losses.
BEC is defined by the FBI as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments. As such, BEC scams typically involve an attacker hacking into or spoofing an official business email account to request a fraudulent wire transfer of funds from that business to a bank account the attacker controls.
To pull off their scams without arousing suspicion, fraudsters often conduct research via the targeted company’s website and social media to secure organizational charts that indicate employees’ titles and roles, as well as the chain of command within a company. Some attackers even call their target’s human resources department to obtain personal information about employees that may help them better position their requests for fraudulent payment. With this research in hand, attackers are able to piece together enough intricacies of an organization to understand under what auspices to request the transfer and who the initiating and receiving parties should be.
The main forms of BEC include:
The Bogus Invoice Scheme: Often referred to as “The Supplier Swindle” or “Invoice Modification Scheme,” attackers identify vendor partners of their target and pose as these vendors via email to request payment on an invoice.
CEO Fraud: Known alternately as “Business Executive Scam,” “Masquerading” or “Financial Industry Wire Frauds,” this form of BEC involves a cybercriminal impersonating a member of the executive team within the target organization and using this spoofed email account to initiate a wire transfer to an account the attacker controls.
Account Compromise: This version entails a fraudster hacking into an employee’s email account and sending email requests to multiple vendors for invoice payment to be made to an attacker-controlled account.
Attorney Impersonation: To execute this form of BEC, attackers contact employees within the target company claiming to be a legal entity handling confidential, time-sensitive matters that require a transfer of funds into an account owned by the attacker.
Data Theft: Cybercriminals seek out HR representatives or administrators with access to personal employee information and use this intelligence as a jumping-off point for the aforementioned forms of BEC.
Targeting the Healthcare Industry
As organizations within the healthcare industry place much of their focus and financial resources on patient care and on advancing medicine, they often fail to allocate the necessary portion of their budgets to cybersecurity. This underinvestment makes healthcare organizations a prime target for BEC scams. In attacks on healthcare, two main BEC strategies have been identified:
In the first tactic, attackers spoof the “From” field of an email so that it appears to have been sent by an executive, while the “Reply-To” field contains the attacker’s email address. Because mail clients send replies to the “Reply-To” address, an employee who intends to respond to the executive actually sends their reply, along with any sensitive information in it, to the attacker.
The second tactic entails fraudsters utilizing a domain name that is similar to that of the targeted healthcare institution — often varying only by one letter that is not readily detectable by the recipient. For example, cybercriminals used this technique on several National Health Service (NHS) institutions with the copycat domains appearing as <name of hospital> co instead of nhs.uk.
In both strategies, attackers utilize a simple subject line conveying a sense of urgency that encourages the recipient of their spoofed email to act quickly. Some examples of the subject lines used in BEC schemes include:
· Extremely Urgent
· Treat as Urgent
· Due Payment
· Urgent Payment
This push for quick action — coupled with the fact that the email appears to be sent from a high-level member of their company — discourages employees from fully considering and verifying the details of the request. In turn, many inadvertently reply to the attacker, providing them with the account information needed to fraudulently obtain the organization’s funds.
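As an added defender-side example (not code from the original article), the following Python triage flags the two tactics described above, a Reply-To domain that differs from the From domain and a sender domain one edit away from the organization’s real domain, together with the urgency subject lines listed; the organization domain and the sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
ORG_DOMAIN = "example-hospital.org"  # assumed organisation domain (placeholder)
URGENT_PHRASES = ("extremely urgent", "treat as urgent", "due payment", "urgent payment")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain differs from the real one by a single edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or "" if absent."""
    addr = parseaddr(str(header_value))[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def bec_indicators(raw_message: str) -> list[str]:
    """Sorted list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    subject = str(msg.get("Subject", "")).lower()
    found = []
    if reply_dom and reply_dom != from_dom:   # tactic 1: the reply is rerouted
        found.append("reply-to-mismatch")
    if from_dom != ORG_DOMAIN and levenshtein(from_dom, ORG_DOMAIN) <= 1:
        found.append("lookalike-domain")      # tactic 2: one-letter-off domain
    if any(p in subject for p in URGENT_PHRASES):
        found.append("urgent-subject")
    return sorted(found)

# Constructed sample messages, not real traffic.
SAMPLES = {
    "reply_to_spoof": ("From: Jane Doe <cfo@example-hospital.org>\r\n"
                       "Reply-To: jane.doe@mail.example.net\r\n"
                       "Subject: Extremely Urgent\r\n\r\nNeed the wire details today.\r\n"),
    "lookalike": ("From: CEO <ceo@example-hospita1.org>\r\n"
                  "Subject: Due Payment\r\n\r\nPlease process the attached invoice.\r\n"),
    "benign": ("From: IT Helpdesk <helpdesk@example-hospital.org>\r\n"
               "Subject: Scheduled maintenance\r\n\r\nEmail will be down at 22:00.\r\n"),
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, bec_indicators(raw))
```

A real deployment would run this at the mail gateway and route flagged messages for review rather than block on a single indicator, since a Reply-To mismatch alone is common in legitimate mail.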
Unfortunately, since there are many variations of BEC scams, and fraudsters work hard to create credible, inconspicuous email messages, BEC is particularly difficult to monitor and mitigate without employee awareness of the threat and advanced cybersecurity solutions. Traditional security software typically does not detect BEC tactics because these spoofed emails do not contain typical malicious content such as malicious URLs or attachments.
To combat BEC scams and other emerging threats, healthcare chief information security officers (CISOs) should invest in a comprehensive layered defense that includes an advanced cybersecurity solution capable of detecting and blocking socially engineered attacks and advanced malware. These solutions should use machine learning to inspect the behavioral characteristics of socially engineered emails and prevent them from reaching endpoints.
Additionally, CISOs must develop an executive training program focused on advanced threats. They need to educate employees about BEC attacks and encourage them to verify all details of any email request for a wire transfer, no matter the level of urgency communicated. Employees can also help mitigate the risk of fraudulent transfers by using the Forward function rather than Reply, typing in the intended recipient’s email address themselves so that their response is sent to the correct party.
Finally, healthcare organizations should review their accounting policies and operational controls to validate that proper verification procedures are in place. Employees should use phone confirmation as part of fund transfer request procedures, and vendor payment location changes should have a secondary sign-off system.
With the right tools, employee training and vigilance, most healthcare organizations can substantially diminish the risk of BEC attacks. Ultimately, by investing in the resources up front, they can avoid heavy financial losses in the end.
International Accountants Day was celebrated for the first time in Singapore as some 2,000 accounting and finance professionals gathered at the Lawn@Marina Bay on Thursday for activities.
Braving the rain, they danced to YMCA and broke the Singapore record for the longest chain of name cards of accountants and those who work to support the profession.
Minister of State for Finance and Transport Mrs Josephine Teo was at the event, which also had a fund-raising theme.
More than 10 charities took part to raise awareness, sign up volunteers, and sell products for their cause.
Our Senior Partner - Mr Jerry Lee is on the news as well!
Speaking Engagements
Presentation Title; Organization; Year
· Collections Law; Dayton Bar Association, 2012
· Balancing Your Professional and Personal Life; University of Dayton School of Law, 2010
· Family Wealth Preservation; Ameriprise, 2010
· Personal Liability for Corporate Debt: Piercing the Corporate Veil; Nolo Publishing, 2010
· Elder Financial Abuse: Power of Attorney Scams; Nolo Publishing, 2012
· Elder Fraud and Financial Abuse; Dayton Bar Association, 2011
Representative Cases
· Cline v. Niehaus, 2011 CV 05176 (Montgomery C.P. 2011)
· Austin v. Lamb, 2010 CV 05546 (Montgomery C.P. 2010)
· Hughes v. Goodrich Corporation, 3:08CV263 (S.D. Ohio 2008)
· Davis v. International Trade Bridge, Inc., 3:11cv00462 (S.D. Ohio 2011)
· Executor of Estate of Violet Schumann v. Knoop, 2006 CV 5601 (Montgomery C.P. 2006)
· Scott v. Hall, 61 Ohio App.3d 616, 573 N.E.2d 718, 1998-Ohio App. LEXIS 4985 (2nd Dist. 1988)
· Moran v. Everdry, 2010 CV 03696 (Montgomery C.P. 2010)
· Horanyi v. Shooter Constr. Co., 23876, 2011-Ohio 4164, 2011 Ohio App. LEXIS 3488 (2nd Dist. Montgomery 2011)
· Bremer v. Angler Construction Company, 2010 CV 09962 (Montgomery C.P. 2010)
· Harmon v. GZK, Inc., 18762, 2002-Ohio-545, 2002 Ohio App. LEXIS 480 (2nd Dist. Montgomery 2002)
Awards and Honors
· Top 100 Ohio Litigator by the American Society of Legal Advocates
· Ohio State Bar College, 1991 - 1994
· AV Preeminent Rating by Martindale-Hubbell
· Superb Rating 9.7 out of 10 by Avvo
We practice with integrity, including a reasonable retainer and attorneys' fees based on responsible billing policies. We accept credit cards for your convenience.
It is a given that social media helps public relations (PR). Social media seems to have been born in the era of Friendster and Myspace, but its meteoric rise in popularity began with the introduction of Facebook, Twitter, Instagram, LinkedIn and other newer platforms. It started out as something for personal use, but many business owners today use social media to promote their businesses.
It is no wonder that many small and online-based businesses use social media for their PR: it is perfect for direct engagement with both customers and the press. Bacall Associates, a boutique PR, marketing and sales support agency, shares a few tips to help you get started.
Create awesome content
Publish awesome, social-media-friendly content that your customers will value, share and buy. Always put thought into creating your content. Don’t forget to add easy-to-use sharing buttons to your posts, because some readers don’t have the time to copy and paste your content in order to share it.
One example of effective content is the case study, since case studies are some of the most powerful quantifiers you can use on the web. They provide perspective on results as well as clear and concise data. You must present them in the right way to elicit an emotional response, which can drive engagement and sharing. Major media outlets often share case studies provided by companies of all sizes and levels of influence. You may also want to add images or videos to spice up your content. Publishing good content can greatly improve your PR and brand image.
Catch bloggers’ attention
Seeking coverage from bloggers can also help you promote your brand. As you may have read recently, the blogosphere is the nexus between social media and PR. Bacall Associates confirms that bloggers also use social media and are active on those platforms, and many of them are closely monitored by journalists. You can get mentioned by popular bloggers in different ways, such as offering your expertise, becoming a contributor, or having your service or product reviewed.
Connect with the press on social media
The Internet has become the home of the media these days, since journalists can get a tremendous amount of information there. Major publications use Reddit to source interesting stories, while major news outlets cover Twitter through its trends and hashtags. Indeed, social media platforms have become a solid part of journalism.
Social media sites make it fast to connect with the media. If you have a good story and use hashtags and social media tagging properly, you can get solid media coverage. But remember not to overuse hashtags.
Bacall Associates has been involved in this practice for several years and uses social media to extend its influence with its customers. The impact of social media on public relations is undeniably remarkable; it has brought great change to the practice and helped many businesses worldwide.