Businesses around the globe, including those in the dental industry, felt the impact of the COVID-19 pandemic. Some companies were forced to shut down, while others switched to a work from home setup to keep their operations afloat. Dental clinics, however, didn't have a choice but to temporarily halt their operations to prevent staff and patients from being infected.
With new stay-at-home orders issued in various parts of the country, dental clinics are looking for safe ways to provide dental care and service to their patients. Meanwhile, cybercriminals are taking advantage of this by launching COVID-19-themed business email compromise (BEC) attacks on unsuspecting businesses.
What is a business email compromise attack?
A business email compromise attack, also known as CEO fraud or man-in-the-middle scam, is a scam cybercriminals use to deceive businesses like dental offices into transferring money to a fraudulent account. According to the Federal Bureau of Investigation's (FBI) 2019 Internet Crime Report, BEC scams resulted in $1.7 billion in financial losses in the United States alone.
How does a BEC scam work?
BEC scams in the dental industry typically use emails to target the personnel who handle your dental clinic's finances. The scam often begins with a phishing attack that lets the attacker take over the email account of a senior executive such as the CEO or CFO, or of someone in accounts payable or the finance department.
Cybercriminals can then use the compromised account to request payments by wire transfer. Because the message appears to come from a trusted source, the recipients are unlikely to suspect anything and will probably proceed with the transaction.
Types of BEC scams
Here's a list of the most common types of BEC scams cybercriminals use:
1. CEO fraud
In CEO fraud, a hacker impersonates a high-level executive and tricks employees into transferring money to a fraudulent bank account.
2. Domain spoofing
Domain spoofing is the use of an email address that closely resembles that of a legitimate institution, so that recipients believe the message came from a reputable organization. For example, if your clinic's email address is email@example.com, a cybercriminal will register and use a similar-looking address, such as firstname.lastname@example.org. By altering a few characters in the domain name, hackers hope to deceive unsuspecting users into believing the message is legitimate.
3. Fake invoices
Cybercriminals are also notorious for using fake invoices that look exactly like those issued by your vendors to make payment requests.
What makes BEC scams dangerous?
Most email security solutions are designed to filter emails containing attachments that automatically download malware or links that take a user to a fraudulent website. These security tools detect potential threats based on patterns and signatures and prevent suspicious emails from reaching your inbox.
However, many BEC scams contain no attachments, links, or malware at all, and some are even sent from legitimate accounts that hackers have taken over. Because these emails appear to come from a trusted source, signature-based security software does not flag them.
How can you protect your dental practice from a BEC attack?
To prevent your dental clinic from being a victim of a BEC attack, Pact-One recommends these security best practices:
1. Use a secure email gateway (SEG)
An SEG is a device or software designed to identify emails coming from a spoofed domain and prevent them from being delivered. Your IT team or managed IT services provider (MSP) can also configure an SEG to check for keywords frequently used in BEC scams, such as "urgent," "payment," and "private," to name a few. Suspicious emails containing these keywords are quarantined until your IT team verifies that they are authentic.
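The two checks described above, lookalike-domain detection (the domain spoofing section) and keyword quarantine, can be sketched as a small mail-classification rule. The code below is an added illustration written for this article; it is not Pact-One's software or any vendor's SEG. The trusted-domain set, the keyword list, the homoglyph table, and the sample messages are all constructed for the example.

```python
from email.utils import parseaddr

# Constructed for this example: the clinic's own domain(s) and the
# keywords the article lists as common in BEC requests.
TRUSTED_DOMAINS = {"example.com"}
BEC_KEYWORDS = ("urgent", "payment", "private", "wire transfer")

# Character substitutions attackers use to make a domain look like another
# (digits for letters, "rn" for "m"). Constructed list, not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Fold common lookalike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition, e.g. "exmaple"
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header such as '"Dr. Smith" <drsmith@example.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_trusted(domain, trusted):
    """True for the clinic's own domain or a genuine subdomain of it (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None if it resembles none of them."""
    base = domain.rpartition(".")[0]  # registrable label(s) without the TLD
    for t in trusted:
        t_base = t.rpartition(".")[0]
        if domain.startswith(t + "."):  # trusted name buried in an attacker domain: example.com.attacker.net
            return t
        if normalize(base) == normalize(t_base):  # examp1e.com, exarnple.com, or example.org
            return t
        if edit_distance(normalize(base), normalize(t_base)) <= 1:  # one typo or swap: exmaple.com
            return t
    return None


def classify(from_header, subject, body, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason): 'deliver', 'block' (spoofed domain) or 'quarantine' (BEC keyword)."""
    domain = sender_domain(from_header)
    if is_trusted(domain, trusted):
        # A compromised but genuine internal account still passes here; that gap is
        # what the article's out-of-band verification policy for wire transfers covers.
        return "deliver", "trusted sender domain"
    target = lookalike_of(domain, trusted)
    if target:
        return "block", f"lookalike of {target}"
    text = (subject + " " + body).lower()
    for keyword in BEC_KEYWORDS:
        if keyword in text:
            return "quarantine", f"BEC keyword: {keyword}"
    return "deliver", "no rule matched"


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ('"Dr. Smith" <drsmith@example.com>', "Staff meeting", "See you at 9"),
        ("ceo@examp1e.com", "Urgent wire", "Please send the transfer today"),
        ("firstname.lastname@example.org", "Hello", "Quick question"),
        ("support@dentalsupply-vendor.net", "Invoice payment due", "Please remit by Friday"),
        ("newsletter@dentaljournal.net", "Monthly update", "Read the latest issue"),
    ]
    for sender, subject, body in samples:
        verdict, reason = classify(sender, subject, body)
        print(f"{verdict:10} {reason:28} {sender}")
```

The lookalike check compares the registrable label after folding homoglyphs, so a different top-level domain (example.org), a substituted digit (examp1e.com), a transposition (exmaple.com), and the trusted name used as a subdomain of an attacker's domain are all blocked rather than merely quarantined. Keyword matching is deliberately applied only to external senders; mail from the clinic's own domain is delivered, which is exactly why a compromised internal account has to be caught by the payment verification policy rather than by the gateway.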
2. Implement a strict policy for wire transfers
If any of your staff receives a request for payment or to change payment details, they should first verify the authenticity of the invoice and the identity of the requester. They can do this by confirming in person or by phone, using the contact information already stored in your own records. Phone numbers and email addresses printed on the invoice itself may be controlled by the attacker, so never take them at face value.
3. Train your staff
Another way to protect your dental practice from BEC attacks is to train your staff regularly in security awareness. This helps your team recognize BEC scams and suspicious emails from unknown sources. You should also run simulated attacks to see whether your employees can identify the signs of a potential BEC attack and how they would react to it.
To ensure your dental clinic is safe from BEC scams and other cyberattacks, partner with a trusted MSP like Pact-One. Our proactive support services will monitor your network 24/7/365 to ensure it’s running optimally and protected from all forms of cyberthreats. Download this free eBook to discover the essential types of cybersecurity that your dental practice must have.