Are you and your healthcare organisation scam aware?

5 August 2019: This is the question to ask during Scams Awareness Week: 12-16 August 2019.

Australians made over 378 000 scam reports in 2018, with more than $489 million reported lost.¹ Everyone is a target.

A growing trend – business email compromise scams

Take some time to be more aware and educate your staff regarding the prevalence and sophistication of scams. Healthcare organisations are not immune to targeted attacks by scammers, with business email compromise being a favoured scam.² You can contribute to your organisation’s resilience by being aware of the latest scams and taking steps to protect your information and systems.

Scams come in many forms and are commonly delivered via phone, email or text. In 2018, Scamwatch reported that the largest increase in financial loss for email scams in Australia was through business email compromise, also known as CEO fraud. Of the $489 million lost through scams in 2018, scammers netted an astounding $60 million through business email compromise scams.

Business email compromise is a type of scam where criminals impersonate an organisation to trick the recipient into making a payment or providing sensitive information. A number of different methods can be used to achieve this, for example:

• Spoofing – when the scammer makes it appear as though the email has come from a legitimate sender, such as a CEO or supplier. In this situation, the email is sent from the scammer’s email address, but the ‘display name’ of the sender has been changed to impersonate a trusted sender.
• Use of a similar email address – where the scammer creates a new email address with a similar name to the organisation they are impersonating. For example, using ‘[email protected]’ to imitate ‘[email protected]’.
• Actual compromise of an organisation’s email account – this could happen as a result of hacking; however it can also occur when a scammer convinces a user to provide remote access to the person’s computer (often by pretending to be an IT support person who is calling to ‘fix’ your computer).

Scammers can use any of these situations to fraudulently obtain money or sensitive information. In 2018, losses due to business email compromise (BEC) scams increased by 170%.³

A related scam, which is not as targeted, is known as false billing. This where scammers use large mailing lists to send out hundreds or even thousands of fake invoices that appear to come from a well-known business. Many victims respond and pay the invoices, thinking they owe a legitimate payment.A common variant is executive or CEO fraud, where the scammer impersonates an executive and instructs staff to urgently transfer funds or send sensitive information to the scammer. Another common scam is invoice fraud, where the scammer sends an invoice that appears legitimate, but includes false account details, often with explanatory advice stating, ‘our bank account details have changed’.

Reduce your susceptibility to business email compromise scams

What can healthcare organisations do to reduce their susceptibility to business email compromise scams?

1. Protect your systems – maintain good security controls, block spoofed emails, and be aware of the Essential 8 to help prioritise how you protect your business.
2. Educate your staff – adopt mottos such as ‘if you didn’t expect it, suspect it’ and ‘think before you click’. Business email compromise relies heavily on social engineering, so your staff are your first line of defence. Educate your staff to be on the lookout for suspicious emails, such as emails that include a change in payment details, require urgent action, or request sensitive information.
3. Verify requests – if you receive a request to change bank account details, or an unexpected request to provide information, telephone the sender to seek verification of the email’s authenticity. Do not use the contact details provided in the suspicious email, independently source the contact details.
4. Have strong consistent business processes – ensure different staff are responsible for verifying, approving and paying invoices (separation of duties); and, for high value payments, implement secondary sign-off processes and use of multi-factor authentication.
5. Know where to report scams – contact Scamwatch to report scams and cyber.gov.au if you have been a victim of cybercrime, such as fraud. You can also seek assistance from IDCare. Additional information about how to recover from business email compromise is available on the ACSC website.
6. Sign up for alerts – keep abreast of the latest online threats by signing up to Scamwatch Radar and the Stay Smart Online alert service.

Learn more about Scams Awareness Week

Visit scamwatch.gov.au to learn more about Scams Awareness Week and access information including:

• how to protect your business from the latest scams
• a range of resources, including the latest Targeting Scams Report on scam activity in Australia
• how to get help
• real life stories, such as Operation WireWire (p39, Targeting Scams Report) and John’s false billing story.

---

1. ACCC: https://www.accc.gov.au/publications/targeting-scams-report-on-scam-activity ↩

2. Trend Micro Security Intelligence: https://blog.trendmicro.com/trendlabs-security-intelligence/ceo-fraud-email-scams-target-healthcare-institutions/ ↩

3. ACCC: https://www.accc.gov.au/publications/targeting-scams-report-on-scam-activity  ↩