Clinical Laboratory Pays $25,000 to Settle HIPAA Security Rule Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has reached a settlement with Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories, over a number of HIPAA Security Rule violations.

Peachstate is a CLIA-accredited laboratory that provides a range of services, including clinical and genetic testing, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR began a compliance review on August 31, 2016, following a report filed by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 about a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had contracted AHC to manage the VA’s Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach was the result of a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR learned that on January 27, 2016, AHC had entered into a reverse merger with Peachstate and acquired the company. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance, and in the course of that review identified several potential violations of the HIPAA Security Rule.

OCR determined that Peachstate had not conducted an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had not reduced risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay a $25,000 penalty, and implement a comprehensive corrective action plan to address all areas of non-compliance identified by OCR during the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered health care entities, must comply with the HIPAA Security Rule. Failing to implement the basic Security Rule standards makes HIPAA-regulated entities attractive targets for malicious activity and unnecessarily puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that covered entities comply with the rules that protect the privacy and security of PHI.

Shutdown of DarkSide RaaS and Suspension of Ransomware Attacks on Healthcare Companies

The DarkSide ransomware gang has told its affiliates that it is shutting down its ransomware-as-a-service (RaaS) operation. The announcement came after the gang’s public infrastructure was taken offline in what appears to be a law enforcement action.

On May 13, the DarkSide data leak site went offline, along with much of the gang’s public infrastructure, including the payment server used to collect victims’ ransom payments and to deliver stolen data. The gang also said its cryptocurrency wallets had been emptied and the funds moved to an unknown account.

Intel 471 obtained a copy of a message from the gang to its affiliates explaining that its public infrastructure was gone, its servers could no longer be reached over SSH, and its hosting panels had been blocked. The gang said its hosting provider gave no further details beyond stating that the servers were taken down at the request of law enforcement.

The gang said it would release decryptors for all companies that were attacked but did not pay the ransom; however, the decryptors are being released to the affiliates who carried out the attacks, not to the victims. It is up to each affiliate whether to hand the decryptors over to their victims or continue to seek payment.

Citing pressure from the U.S. and the loss of its servers, the gang said the affiliate program is closed.

On the day the group’s infrastructure was taken offline, President Biden held a press conference on the Colonial Pipeline ransomware attack, describing the government’s efforts to limit the disruption and promising to take action against the DarkSide ransomware gang.

“We do not think the Russian government had anything to do with this attack,” stated President Biden. There is no strong evidence that criminals from Russia carried out the attack. Biden said the United States had communicated directly with Moscow about the obligation of responsible nations to take action against ransomware networks. President Biden also confirmed that the U.S. Department of Justice has a new task force dedicated to prosecuting ransomware hackers.

Even before the shutdown, the cybercriminal community had begun to distance itself from DarkSide. According to Gemini Advisory, a top-tier dark web forum used by the DarkSide gang to advertise its RaaS operation removed the DarkSide account and two threads about its ransomware operation. Gemini Advisory also says it has heard from several reputable sources that the group no longer has a presence on the dark web. Another top-tier dark web forum commonly used by ransomware gangs has likewise banned ransomware activity entirely, saying ransomware has become too toxic.

Intel 471 reports that, in addition to DarkSide, several other ransomware operations have also shut down, although it is unclear whether the shutdowns will last. The gangs may simply be keeping a low profile and may resume operations under a different name. The Babuk ransomware operators said they have handed their source code to another gang and will no longer conduct ransomware attacks; they stated their ransomware will be run by another group under a different name.

The REvil ransomware gang also said it will no longer advertise its ransomware operation on dark web forums and wants to keep its activities private. REvil and Avaddon have both decided to stop their affiliates from attacking organizations in certain sectors. The two gangs issued statements setting out new rules for affiliates that prohibit attacks on the federal government, charities, healthcare, and educational organizations in any country, and require affiliates to obtain approval from the group before conducting any attack. If an affiliate attacks a prohibited target, the victim will be given the decryptor for free and the affiliate will be permanently removed from the RaaS program.

Intel 471 also reports that BitMix, a cryptocurrency mixing service used by REvil and Avaddon to launder cryptocurrency obtained from ransomware attacks, has shut down as well.

Ransomware Attack on Orthopedic Associates of Dutchess County and Entrust Medical Billing

Orthopedic Associates of Dutchess County, a New York medical group practice, has announced the potential theft of the protected health information (PHI) of a number of patients in a recent cyberattack.

The security incident was detected on March 5, 2021, when suspicious activity was identified within its systems. An investigation confirmed that unauthorized individuals had accessed its network on or about March 1, 2021. The attackers gained access to several systems, encrypted files, and issued a ransom demand for the keys to unlock the encrypted files.

The attackers claimed to have stolen sensitive data before encrypting the files, although it was not possible to determine which files had been compromised. A review of the systems the attackers accessed showed they contained files with PHI including names, addresses, email addresses, telephone numbers, dates of birth, payment data, emergency contact details, diagnoses, treatment information, medical record numbers, health insurance details, and Social Security numbers.

Individuals potentially affected by the breach have been notified by mail and offered a complimentary one-year membership to credit monitoring and identity theft protection services. To date, there have been no reports of actual or attempted misuse of patient data.

The attack potentially compromised the PHI of 331,376 individuals.

PHI of 5,426 Persons Exposed in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a medical billing company based in Canton, OH, has suffered a ransomware attack that may have exposed the PHI of 5,426 individuals.

Third-party cybersecurity experts were engaged to investigate and determine the scope of the breach. The investigation established that on or about March 1, 2021, the attackers had exfiltrated a number of files containing PHI such as names, dates of birth, addresses, diagnosis/clinical data, treatment type or location, healthcare procedure details, medical insurance information, and patient account numbers.

Although the investigation confirmed the data theft, no evidence has been found of attempted or actual misuse of the stolen data. Affected individuals have been notified, and those whose Social Security numbers were exposed have been offered free credit monitoring services. The company has also implemented additional technical safeguards and enhanced monitoring across its network environment.

Lawmakers Demand Investigation of the Breach of Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians, including sensitive data that was shared through unauthorized channels without the required security protections.

Insight Global, an Atlanta-based company, has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing throughout the pandemic. Several Insight Global employees were found to have created and shared unauthorized copies of files with one another while carrying out their contact tracing duties. Files and spreadsheets were shared through insecure channels such as personal Google accounts, which means sensitive data was transmitted to servers outside the control of the state or Insight Global.

Insight Global announced the breach on April 29, 2021, stating in its substitute breach notice that the information related to contact tracing of individuals between September 2020 and April 21, 2021. An investigation was launched, with third-party security specialists assisting to determine the extent of the security issues and their impact. To date, no evidence has been found of misuse of any personal data or PHI. The investigation is ongoing.

Insight Global reports that the exposed information included the names of people potentially exposed to COVID-19, positive/negative test status, whether they had symptoms, the names of household members, telephone numbers, email addresses, and other information needed for certain social support services.

Insight Global said it learned of the security issue on April 21, 2021 and took immediate steps to address it, which were completed by April 23. Insight Global has been working with the Pennsylvania Department of Health on identifying the security issues and will notify affected individuals by mail once their address details have been confirmed. Insight Global stated that no Social Security numbers or financial data were exposed; as a precaution, affected individuals are being offered complimentary credit monitoring and identity protection services.

Target 11’s investigators found that employees were using free versions of Google Sheets to record contact tracing information and were sending those spreadsheets and other files to colleagues from their personal email accounts. The free versions of Google services are not HIPAA compliant and therefore must not be used for this purpose.

Insight Global had security practices in place to ensure that contact tracing data could be recorded and shared securely. It is currently unclear whether this was simply a case of individual employees circumventing security standards and creating unauthorized records and spreadsheets to make their work easier. Regardless of the cause, sensitive data has been compromised.

The Commonwealth of Pennsylvania has decided not to renew its contract with Insight Global because of the breach. The contract will expire on July 31, 2021. A Pennsylvania Department of Health spokesperson expressed dismay that Insight Global employees acted in a way that compromised this type of data and sincerely apologized to all affected individuals.

State Representative Jason Ortitay (R-Allegheny, Washington) said that after learning of the breach, he raised it with the Governor’s office on April 1, 2021. Republican lawmakers are now calling for an investigation into the breach by federal law enforcement agencies, the state Attorney General’s office, and the House Government Oversight Committee.

DOJ Rolls Out Ransomware and Digital Extortion Task Force

In response to the growing threat of ransomware attacks, the U.S. Department of Justice has launched a new Ransomware and Digital Extortion Task Force that will focus on the entire ransomware ecosystem. The aim is to bring to justice not only the individuals carrying out the attacks but also anyone who assists them, such as those who launder ransom payments.

The Task Force will include representatives from the DOJ’s criminal, national security, and civil divisions, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys, and will work closely with the Departments of Homeland Security and the Treasury. The task force will also work to strengthen collaboration with the private sector and international partners.

More resources will be devoted to tackling ransomware attacks, training and intelligence gathering will be improved, and the task force will work with the Department of Justice to investigate leads and links to known cybercriminal organizations and nation-state threat groups. In addition to aggressively pursuing those behind the attacks, the task force will make recommendations to Congress on how best to support victims of cyberattacks while discouraging ransom payments.

The task force will help curb the growth of ransomware attacks by making them less profitable. According to an internal DOJ memo written by Acting Deputy Attorney General John Carlin, this will involve using all available civil, criminal, and administrative actions for enforcement, from takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains.

The goal of the task force is to better protect individuals and businesses from ransomware attacks and to ensure that those responsible are brought to justice. Currently, ransomware gangs, whose members are typically based overseas, know there is little chance of being caught, and attacks are highly lucrative.

Ransomware attacks increased sharply in 2020, the worst year on record for ransomware. According to a recent Chainalysis report, ransomware groups collected more than $370 million in ransom payments in 2020, a 336% increase over the previous year. Ransoms are often paid because victims know that the ransom, even if it is several million dollars, is only a fraction of the cost of recovering from the attack without paying. The cost of an attack can easily be 10 or 20 times higher if no ransom is paid.

In 2019, the City of Baltimore refused to pay a $75,000 ransom, and the attack ended up costing the city more than $18 million. According to the GetApp 2020 Data Security Survey, 28% of businesses experienced a ransomware attack in the previous 12 months, and 75% of victims paid the ransom to reduce the cost of remediation.

The cost of ransomware attacks to the U.S. economy runs into the billions. Cybersecurity Ventures has forecast that ransomware attacks will continue to increase, with an attack likely to occur every 11 seconds in 2021, and that the total cost of attacks will rise to $20 billion in 2021 in the U.S. alone, with the global cost predicted to reach $6 trillion in 2021.

HSCC Releases Guidance Paper to Secure the Telehealth and Telemedicine Ecosystem

Healthcare organizations are increasingly using health information technology to provide patients with virtual care. Telehealth services give patients in rural areas and the elderly access to essential medical services. The pandemic has driven substantial growth in telehealth, as providers deliver care virtually to limit the spread of COVID-19.

According to FAIR Health, private insurers saw telehealth claims grow by 4,347% last year. Virtual care is now the fastest-growing area of healthcare. The Centers for Medicare and Medicaid Services has committed to continued support for virtual care services, and Frost & Sullivan projects a seven-fold increase in telehealth services by 2025.

This rapid expansion of healthcare services has occurred at a time when cybercriminals are increasingly targeting the healthcare industry. Attackers can readily exploit vulnerabilities to gain access to sensitive medical data and disrupt services for profit. A 2020 study by SecurityScorecard and DarkOwl showed a near-exponential increase in targeted attacks on telehealth companies as telehealth’s popularity surged.

To realize the full potential of virtual healthcare services, healthcare sector stakeholders must identify and manage the privacy and security risks to medical data, which can be difficult in a complex, interconnected ecosystem such as healthcare.

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a white paper to guide the healthcare sector in identifying cybersecurity vulnerabilities and risks associated with the use and provision of telehealth and telemedicine.

The Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT) guidance is intended to support healthcare programs, physicians, vendors, providers, and patients, all of whom share responsibility for ensuring that telehealth delivers the best service while protecting privacy and security to an appropriate level.

The paper describes the cyber threats associated with telehealth and telemedicine, explains the regulatory challenges of telehealth services, provides audit resources, assists with policies and procedures, and recommends guidelines to follow.

The guidance covers the policy framework for healthcare cybersecurity, discusses regulations, business policies, and cybersecurity priorities, and includes strategies for using and protecting telemedicine services.

At present, no federal agency has the authority to create and enforce privacy and security requirements for the entire telehealth environment. At a minimum, telehealth systems must implement security and privacy protections appropriate to all types of care.

Healthcare organizations are encouraged to follow the guidelines in the white paper and adopt the recommendations suited to their risk profile to improve privacy and security protections and get the most out of telehealth and telemedicine services.

The HIC-STAT white paper may be downloaded on this page.

Malware Attacks on Squirrel Hill Health Center and La Clinica de la Raza and Laptop Theft at Woolfson Eye Institute

La Clinica de la Raza, based in Oakland, CA, is notifying a number of patients about a potential compromise of their protected health information (PHI). The health center detected malware on systems containing patient information on January 28, 2021.

The health center engaged a third-party forensics firm to investigate the malware attack and confirmed on February 26, 2021 that the malware could have allowed the attacker to access files containing patient data. The window of exposure was short, however, because the malware was installed and became active only on January 12, 2021.

During the short period the malware was active, it is possible that unauthorized individuals viewed documents, although the center believes only a small number were accessed. Those files contained full names, dates of birth, telephone numbers, home addresses, medical insurance information, and certain health data such as dates of service, diagnoses, test results, and treatment details related to care provided at the clinic.

Steps have been taken to strengthen data protection, including improving attack detection and prevention, protecting login credentials, providing additional employee training, and implementing other threat prevention measures. The breach report submitted to the HHS’ Office for Civil Rights indicates that 31,132 individuals were affected.

Malware Possibly Allowed Cybercriminals to Access the PHI of Squirrel Hill Health Center Patients

Squirrel Hill Health Center, located in Pittsburgh, PA, has discovered malware on its computer systems that may have given cybercriminals access to documents containing patients’ PHI. The provider identified the breach on February 4, 2021 after detecting suspicious activity on its systems that interfered with file access.

Third-party computer forensics experts investigated the breach and confirmed that unauthorized individuals had access to its network from January 28, 2021 until possibly February 4, 2021. Although data exfiltration is common in attacks of this kind, Squirrel Hill Health Center has found no evidence of actual or attempted misuse of personal information.

Analysis of the files that may have been accessed showed they contained names, addresses, dates of birth, diagnostic codes, some appointment scheduling information, and, for some individuals, Social Security numbers. The malware attack affected 23,869 people.

Policies, procedures, and operations related to the storage of and access to patient data are being reviewed and will be updated as needed to improve security.

Laptop Containing Patient Data Stolen from Woolfson Eye Institute

Woolfson Eye Institute, located in Atlanta, GA, has reported the theft of a laptop computer connected to medical testing equipment on September 21, 2020. A review of the laptop’s contents confirmed it held patient data, namely names and dates of birth; no other information was compromised. The institute reported the theft to law enforcement, but the laptop has not been recovered.

Because of the limited data on the laptop, patients are not believed to be at risk of identity theft or fraud, although vigilance is still advised.

FBI/CISA Alert on Continuing Attacks On Vulnerable Fortinet FortiOS Servers

Advanced persistent threat (APT) actors are exploiting vulnerabilities in the Fortinet FortiOS operating system to gain access to servers and networks as a foothold for follow-on data exfiltration and data encryption attacks.

In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet FortiOS users to promptly apply patches for three vulnerabilities, tracked as CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.

Patches for the vulnerabilities were released in May 2019, July 2019, and July 2020. Fortinet contacted affected customers and published several blog posts urging customers to upgrade FortiOS to a secure version; even so, many users have not applied the patches and remain vulnerable to attack.

CVE-2018-13379 is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) in Fortinet FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7, and 6.0.0 to 6.0.4. Through the SSL VPN web portal, an unauthenticated attacker could download system files by sending specially crafted HTTP requests to a vulnerable server. Chinese, Russian, and Iranian APT groups have previously exploited the vulnerability to compromise U.S. election support systems.

CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9, which could allow a user to log in successfully without being prompted for the second authentication factor (FortiToken) if they changed the case of their username.

CVE-2019-5591 is a default configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

The FBI and CISA note that APT groups are enumerating servers that have not been patched against CVE-2020-12812 and CVE-2019-5591 and are scanning for devices vulnerable to CVE-2018-13379 on ports 10443, 4443, and 8443. The vulnerabilities have been exploited to gain access to several commercial, government, and technology services networks. Other CVEs and exploitation techniques, including spear phishing, may also be used in attacks to gain access to critical infrastructure systems.

In addition to applying the patches, the FBI and CISA recommend the following measures to prevent exploitation of the vulnerabilities:

  • Add key artifact files used by FortiOS to execution deny lists to prevent attempts to install and run the vulnerable program and its associated files.
  • Configure systems to require administrator credentials before installing software.
  • Implement multi-factor authentication where possible, maintain good password hygiene, and review accounts with administrative privileges.
  • Disable all unused remote access/RDP ports and monitor remote access/RDP logs.
  • Since phishing attacks are likely, flag emails from external sources and disable hyperlinks in received emails.
  • Train staff on information security and how to recognize phishing emails.
  • Install antivirus software on all systems and keep it up to date.
  • Use network segmentation to limit the damage that can be done in the event of a network breach.
  • Since extortion and data deletion attacks can occur, back up data regularly, store a copy offline on an air-gapped system, and password-protect the backup files.
  • Develop a recovery plan to restore sensitive data from a physically separate, segmented, secure location.
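The bug class behind CVE-2018-13379, as described above, is a web handler that fails to confine a client-supplied pathname to its restricted directory. The following is an added example, not Fortinet code and not part of the advisory, showing the check that such a handler needs: the request is percent-decoded (twice, to defeat double encoding), forced to be relative, resolved to an absolute path with `..` and symlinks collapsed, and then compared against the resolved web root. The temporary directory, the file names and the sample requests are constructed for the demonstration.

```python
"""Defensive path resolution for a web file handler (added example)."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request would escape the permitted directory."""


def resolve_within_root(root, requested):
    """Map a client-supplied path onto a file below `root`, or raise.

    Decoding happens before any path logic so that encoded separators
    (%2f) and double-encoded dots (%252e) cannot bypass the check.
    """
    root = Path(root).resolve()
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators and force the path to be relative,
    # so an absolute request cannot jump out of the root.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if outside root
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root}") from None
    return candidate


def is_safe_request(root, requested):
    """Boolean wrapper: True when the request stays inside the root."""
    try:
        resolve_within_root(root, requested)
        return True
    except PathTraversalError:
        return False


def demo():
    """Build a throwaway web root (constructed data) and classify sample requests."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "webroot"
    webroot.mkdir()
    (webroot / "index.html").write_text("<h1>portal</h1>")
    (base / "secret.conf").write_text("not for clients")  # sits outside the root
    sample_requests = [
        "index.html",                 # plain, inside root
        "/index.html",                # absolute form of the same file
        "../secret.conf",             # classic traversal
        "..%2fsecret.conf",           # encoded separator
        "%252e%252e/secret.conf",     # double-encoded dots
        "/../../etc/passwd",          # absolute traversal
        "index.html/../../secret.conf",  # traversal after a valid segment
    ]
    return {req: is_safe_request(webroot, req) for req in sample_requests}


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {request}")
```

The comparison is done on resolved paths rather than on the string, which is what makes the check robust: a symlink inside the root that points outside it is caught too, because `resolve()` follows it before the containment test.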

Data Breaches at Mobile Anesthesiologists, Heart of Texas Community Health Center, and Haven Behavioral Healthcare

Mobile Anesthesiologists recently discovered that some patients’ protected health information (PHI) was exposed as a result of a technical misconfiguration. The issue occurred before December 14, 2020, and allowed public access to PHI including names, medical insurance information, dates of service, medical treatment information, and dates of birth.

The investigation concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals was exposed. Although the PHI could have been accessed by unauthorized individuals, no evidence has been found of unauthorized access to or theft of PHI. Mobile Anesthesiologists began notifying affected individuals by mail on March 10, 2021.

Email Error Leads to Unauthorized Disclosure of Heart of Texas Community Health Center Patients’ PHI

Heart of Texas Community Health Center has learned that the PHI of a number of patients was exposed.

An email containing patient information was sent to individuals authorized to view the data; however, the email was sent to an account outside the protection of the firewall and, because the email was not encrypted, it could have been intercepted.

The email contained only an email address and a note that the account holder was overdue for a pap smear; it did not include any name or other information. The email related only to female patients aged 21 to 65 who had visited a Heart of Texas Community Health Center facility between September and December 2020.

No reports have been received to suggest that the email was intercepted or accessed by unauthorized individuals.

Haven Behavioral Healthcare Reports Breach of Systems Containing Patient Information

Haven Behavioral Healthcare, located in Nashville, TN, has announced that unauthorized individuals gained access to parts of its systems that stored patients’ PHI. The provider detected the breach on or around September 27, 2020 and launched an investigation immediately, with third-party cybersecurity professionals assisting to determine the nature and extent of the breach.

The investigation showed that the attacker had access to its systems between September 24 and September 27, 2020. On January 27, 2021, it was confirmed that the files accessible to the attacker contained patient information. An analysis of the files was completed on March 11, 2021, and Haven Behavioral Healthcare began mailing notification letters on March 23, 2021.

Although the files were unsecured, the investigation could not verify whether the attacker actually accessed them. It is currently unknown which hospitals and patients were affected.

FBI Issues Alert of Rise in Business Email Compromise Attacks on State and Local Governments

In its March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) warned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities increased from 2018 to 2020, with losses ranging from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages impersonating the account owner in an attempt to persuade the recipient to carry out a fraudulent transaction. The compromised account is often used to send messages to the payroll department to change employee direct deposit information, or to individuals authorized to make wire transfers, requesting changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received reports of 19,369 BEC attacks, with losses of approximately $1.9 billion. Examples of BEC scams include the following:

In July 2019, a small city government lost $3 million after being deceived by a spoofed email that appeared to come from a service provider requesting a change to its payment account.

In December 2019, the email account of a financial manager at a government agency of a U.S. territory was compromised and used to send 146 messages to government agencies containing information about financial transactions. Some of those requests were made over email, and the scammer intercepted and replied to those messages. In total, $4 million was transferred to the attacker’s account.

Beyond the financial losses, these attacks damage the operational capabilities of SLTT government organizations, cause reputational harm, and can also lead to the loss of sensitive data such as PII, banking information, and employment records.

BEC scammers can easily research their targets and learn SLTT operating details and information about vendors, suppliers, and service providers from open sources. Gaining access to email accounts is straightforward, as the target’s email address can easily be found and phishing kits for harvesting credentials are available at low cost on the darknet.

Once an email account is compromised, the scammer mimics the writing style of the account holder and often hijacks existing message threads. The scam may involve several messages in which the target believes they are corresponding with the genuine account owner when they are in fact communicating with the attacker.

The FBI explains that BEC scammers usually target SLTT government entities with poor cybersecurity practices and exploit those that do not provide adequate training to employees. The shift to remote work during the pandemic has also made things considerably easier for the fraudsters.

In 2020, CISA ran phishing simulations with SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on simulated malicious links. A click rate of 13.6% suggests that security awareness training alone is not teaching employees about the threat of email-based attacks and shows the importance of “defense in depth mitigations.”

The FBI recommends ensuring that all employees receive security awareness training, understand BEC attacks, and know how to recognize phishing and spoofed emails. Employees should be taught to carefully scrutinize email requests for advance payments, changes to bank account details, or sensitive information. Policies and procedures should require that any bank account change or transaction request be verified by telephone using a known, verified number, not contact details provided in the email.

Additional measures to consider include implementing multi-factor authentication on email accounts, running phishing simulations, blocking automatic email forwarding, monitoring email Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering solutions.
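Several of the mitigations above (external-sender banners, scrutiny of bank-account and payment-change requests, and a rule that such requests are verified by phone rather than by replying to the email) can be expressed as a mail-triage step. The following is an added example, not code from the FBI notification: it parses a message with Python’s standard `email` library, flags an external sender, a lookalike domain, a display name that borrows an internal domain, a `Reply-To` that differs from `From`, and payment-change wording in the body, then prepends a banner and marks the message as requiring out-of-band verification. The organisation domain `example-county.gov`, the vendor domains, and the three sample messages are constructed for the demonstration.

```python
"""Triage incoming mail for Business Email Compromise indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organisation domains; any other sender domain is "external".
INTERNAL_DOMAINS = {"example-county.gov"}

# Wording typical of the requests BEC actors send to payroll and finance staff.
PAYMENT_CHANGE_PATTERNS = [
    r"\bdirect deposit\b",
    r"\bwire transfer\b",
    r"\b(?:update|change|new)\b.{0,40}\b(?:bank|account|routing)\b",
    r"\bpayment (?:account|details|information)\b",
]

EXTERNAL_BANNER = ("[EXTERNAL] This message came from outside the organisation. "
                   "Verify any payment change by phone using a known number.\n\n")


def sender_domain(header_value):
    """Lowercase domain of an address header, or '' if there is no address."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return {'flags': [...], 'verify_by_phone': bool, 'body': str} for one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = set()

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_domain = sender_domain(from_hdr)
    external = from_domain not in internal_domains
    if external:
        flags.add("external-sender")
        for domain in internal_domains:
            label = domain.split(".")[0]  # e.g. "example-county"
            if label and label in from_domain:
                flags.add("lookalike-domain")  # example-county-gov.com vs example-county.gov
        if any(domain in display_name.lower() for domain in internal_domains):
            flags.add("display-name-impersonation")

    # Replies silently redirected to another mailbox are a classic BEC tell.
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        flags.add("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if any(re.search(p, body, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS):
        flags.add("payment-change-request")

    # Policy from the alert: every bank-account/payment change is phone-verified,
    # regardless of who appears to have sent it.
    return {
        "flags": sorted(flags),
        "verify_by_phone": "payment-change-request" in flags,
        "body": (EXTERNAL_BANNER + body) if external else body,
    }


# Constructed sample messages.
SAMPLE_LOOKALIKE = """\
From: Maria Lopez <maria.lopez@example-county-gov.com>
To: payroll@example-county.gov
Subject: Direct deposit update
Content-Type: text/plain; charset="utf-8"

Please update my direct deposit to the new account below before Friday's payroll.
"""

SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example-county.gov>
To: staff@example-county.gov
Subject: Tuesday meeting
Content-Type: text/plain; charset="utf-8"

Agenda for Tuesday's budget meeting is attached.
"""

SAMPLE_REPLY_TO = """\
From: Accounts <accounts@trusted-vendor.example>
Reply-To: Accounts <accounts@trusted-vendor-billing.example>
To: ap@example-county.gov
Subject: Re: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Our bank details have changed; please send the wire transfer to the new routing number.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE), ("internal", SAMPLE_INTERNAL),
                      ("reply-to", SAMPLE_REPLY_TO)]:
        result = triage(raw)
        print(name, result["flags"], "verify_by_phone =", result["verify_by_phone"])
```

The keyword list is deliberately narrow; in production it would sit behind a mail filter alongside SPF/DKIM/DMARC results, and the `verify_by_phone` outcome would drive a workflow step rather than a printed line.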

Further steps that can be taken to prevent and detect BEC attacks are described in the FBI alert.