Attacks on Email Accounts are on the Rise!

The threat of compromised business email spans across all industries. From healthcare to manufacturing – both large and small – from coast to coast –organizations are struggling to stave off increasingly sophisticated cyber threats. Criminals are using techniques like phishing, social engineering, spoofing, and malware to hack business email accounts. Not only are threats becoming more sophisticated, they’re also are becoming more frequent. The July 2018 Beazley Breach Insights Report shows that attacks that target business email accounts have been steadily increasing. In the second quarter of 2018, 23% of reported breaches were caused by compromised email accounts, a total of 184. In the first quarter of 2018 – 173. Those numbers are staggering considering that the first quarter of 2017 saw only 45 such breaches.

Why Email?

Why has email becoming an increasingly popular target? That answer is quite simple: email is an easy way to gain access to an organization’s systems. Criminals know how to play off of people’s emotions, tricking them into taking an action that will give hackers the access they want and, ultimately, the information they’re looking for. There are no software programs that can control human emotion or error!

Targeting a healthcare organization means access to a world of valuable information. Protected Health Information (PHI) can serve as a means for blackmail, accessing clients’ stored credit card information intended for billing, and acquiring user-name and password combinations. Armed with these types of fraudulently obtained personal information, cyber thieves are then able to gain access to virtually all of a target’s online accounts and records, including bank, mortgage, credit, medical, personnel, and insurance, among others. The healthcare industry provides a lot of bang for the effort.

Email Account Compromise is a Catalyst for Further Attacks

As HIPAA Journal recently points out, once thieves successfully hack one email account, “not only do they have access to the data stored in that mailbox, the account provides the hacker with a platform for conducting further attacks. The email account can be used to send messages to other employees, and since the messages are sent internally, they are unlikely to be flagged as malicious by email security solutions.¹

“Business email compromises are efficient for the hacker because the compromise of a single account gives the hacker a platform from which to spear phish within and outside the organization,” according to  the Beazely report.²

Increased Risk for MS Office 365 Users

There have been enough email attacks in 2018 on Microsoft Office 365 users to warrant a warning. Organizations that use Microsoft Office 365 are at an increased risk of being attacked because of the sheer size of the product. With the rapid expansion of Office 365, more and more threats can emerge within its infrastructure, particularly via email. Where Office 365 offers many benefits to an organization, it lacks in security.³ It’s estimated that up to 35% percent of organizations are either using or have actively solicited third-party Office 365 email security services. A 2017 Osterman Research report stated that 41% of Office 365 organizations are unsure of what to do when it comes to supplementing their Office 365 security stack.⁴

How to Keep Your Email Account Safe

While you can’t completely stop email compromise, you can take actions that will help keep your organization secure. Check out these tips for spotting scams and preventing third-party applications from accessing your network.⁵

• Establish email hygiene by addressing threats to email services like spam filtering solutions, secure email delivery, and virus control.
• Practice good password management by using multi-factor authentication. Total HIPAA has written several blogs on password best practices available on our website, www.totalhipaa.com.
• Provide security awareness training to prepare employees for attacks and train them on how to recognize email threats.
• Confirm and think before you click. Clarify via phone or in person any email containing sensitive data.

Email Account Compromises Come at a Price

If just one email account in your organization is compromised, the effects could quickly spiral out of control, meaning you could be in big trouble. That single breach could bring a cost of as little as $100,000 to as much as $2 million to resolve. In fact, successful business email attacks are among the more expensive data breaches.⁶  Of course, there are other ramifications other than financial ones. You don’t want your organization to be associated with a breach of information. That’s when it gets too personal. Business Email Compromise has increased by 1,300% since 2015, generating estimated losses of $5.3 billion worldwide.⁷ Email compromise is almost like a plague – It’s clear that you need to protect yourself… starting now!

For more information on phishing, specifically, reference our blog published in March of this year, as well as the HHS OCR February Newsletter.

1. https://www.hipaajournal.com/email-account-compromises-continue-relentless-rise/

2. https://www.businessinsurance.com/article/20180731/NEWS06/912323021/Phishing-attacks-up-in-2018-second-quarter-Beazley

3. https://blog.microfocus.com/office-365-the-need-for-third-party-archiving-and-security/

4. https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/

5. https://ontech.com/office-365-phishing/

6. https://resources.infosecinstitute.com/preventing-business-email-compromise-bec-strong-security-policies/#gref

7. https://resources.infosecinstitute.com/preventing-business-email-compromise-bec-strong-security-policies/#gref

Sharing is caring!