By Amanda L. Wilson, CHC, CHPC, Founder, Principal Consultant, Cultured Compliance Co, LLC
Business Email Compromise (BEC) is on the rise and vigilance is more important than ever. Threat Actors have discovered clever ways of tricking targets into taking the bait. These infractions can result in unauthorized exposure of Protected Health Information (PHI), increased risk of identity theft, and irreparable damage to the reputation of the business that fell victim to the attack. There are a variety of steps a company can take to avoid a phishing scheme:
- Set your controls. Configure your technical controls to ensure your email platform screens incoming email to identify potential fake addresses and verify sender identities. Additionally, ensure the controls are set up to detect misleading links or malicious content. Add a banner to emails received from external senders to help staff quickly recognize the email as a possible BEC attack, and make sure the process for reporting suspicious emails is clear and accessible. Allowing staff to easily report suspicious emails in the email platform increases the rate of suspicious emails being reported and enhances the opportunity to combat the evolving threat actors. As a best practice, modify the appearance of your External Sender banner periodically to keep staff’s attention on the content.
- Retain cybersecurity experts. When a potential phishing email is received and reported, the next critical step is for an expert to evaluate its content and determine if the sender had malicious intent. Emails that are determined to be legitimate may be important for the business to receive and respond to. A thorough review and response from a cybersecurity expert is crucial to ensure important information is properly handled and retained by the business. Emails that are evaluated and determined to have malicious intent provide the company the opportunity to take action. These actions may include blocking the sender’s email domain from the company’s email platform, reviewing network activity if a link or file was accessed prior to the email being reported, and reporting the email to the service provider or relevant regulatory authorities.
- Train your employees, test their knowledge, and conduct phishing simulations to evaluate adherence to training materials. Simulations can help evaluate your level of risk, identify additional training needs, and gauge staff adherence to company standards communicated in the training content. Training, one of the key elements to a successful compliance program, helps individuals understand the motivation behind BEC attacks and the risks of a successful attack. Training teaches individuals how to be vigilant by ensuring that emails containing the External Sender banner are thoroughly scanned for legitimacy. Training will also help staff learn how to identify suspicious emails, and what steps to take when a BEC attempt lands in their inbox.
- Limit publicly-available company information. Businesses often publicly share companies they’re affiliated with, or companies they support as clients. Although this practice provides valuable social proof to prospective clients and customers, it can create vulnerabilities. Publicly-disclosed business-to-business partnerships can give threat actors valuable information to craft convincing BEC campaigns. The disclosed partnerships provide threat actors both a business or person, such as the CEO, to impersonate and a specific target, where a known business relationship exists. Limiting publicly-available information on business partnerships can prevent sophisticated BEC attacks.
- Protect patient data and company assets aggressively. To effectively combat threat actors, the healthcare industry must take an aggressive approach to identifying and responding to BEC attacks. Taking proactive measures to prevent attacks can help companies stay a step ahead of the threat actors. Finally, rather than just blocking threat actors, report all confirmed BEC attempts. These reports enable email service providers to enhance their platforms and allows regulatory authorities to establish enforcement protocols that deter malicious behavior.
BEC is on the rise and vigilance and preparation is key to protecting your company and patient data. By following these steps, and continuing to enhance your proactive approach, you can prevent deception, and maintain your thriving business.
