Archive for December, 2016


Cyber criminals are like any other businessman: they want the maximum profit for the least investment. One scheme that delivers exactly that is Business Email Compromise (BEC), also known as CEO Fraud. It is highly profitable and needs very little up-front investment to be lucrative and cost-effective for the criminals.

“The FBI Boston Division issued a warning of a dramatic rise in business e-mail compromise scams or BECs, which target businesses of all sizes and types and have resulted in massive financial losses in Boston and other cities. Globally, since October 2013, more than $3.1 billion in actual and attempted losses have been reported.” Press Release December 20, 2016

  • Reported losses totaled approximately 33 million dollars
  • Individual losses ranged from 500 dollars to 5.9 million dollars
  • Average loss per scam: about 90,000 dollars
  • About 13 million dollars has been successfully recovered and returned

“The BEC scam is one of the fastest growing schemes we’ve seen over the past few years. The perpetrators leave a long wake of financial and emotional damage, stealing money from small businesses—leaving them unable to pay bills; and from families in the process of buying a home, all but erasing their dreams of home ownership,” Harold H. Shaw, special agent in charge of the FBI Boston Division

Here’s how scammers pull off the scheme:

  • Research the employees who manage money for the target company
  • Spoof a company e-mail address, or take over a real account through a phishing e-mail
  • Use social engineering to assume the identity of the CEO, a trusted vendor, or another person with authority
  • Use language specific to the company they are targeting
  • Request a wire transfer to an account controlled by the scammers

Common recipients are real estate agents, title companies, and attorneys in the midst of real estate transactions; bookkeepers; accountants; controllers; and chief financial officers.

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). The organization has been around since 2000 and handles cyber crime including online fraud, computer intrusions, economic espionage, online extortion, international money laundering, identity theft, and a growing list of internet-facilitated crimes. IC3’s mission is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI for investigation and public awareness.

Statistical data from the IC3 BEC alert (3.1 billion dollars in exposed losses)

  1. Since January 2015, there has been a 1,300% increase in identified exposed losses
  2. The scam has been reported by victims in all 50 states and in 100 countries
  3. Fraudulent transfers have been sent to 79 countries, with the majority going to Asian banks located in China and Hong Kong

Victims of BEC scams are both small and large businesses offering a variety of goods and services. The scam is also linked to lottery, employment, romance, and rental frauds.

Here are the characteristics the IC3 sees across BEC complaints:

  • Businesses and associated personnel using open source e-mail accounts (free, web-based mail) are predominantly targeted.
  • Individuals responsible for handling wire transfers within a specific business are targeted.
  • Spoofed e-mails very closely mimic a legitimate e-mail request.
  • Where an account is hacked rather than spoofed, it is often a personal e-mail account.
  • Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions about the legitimacy of the request.
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
  • The amount of the fraudulent wire transfer request is business-specific; dollar amounts requested are similar to normal business transaction amounts so as not to raise doubt.
  • Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
  • Victims report that the IP addresses involved frequently trace back to free domain registrars.

TIPS

  1. Do not give out information, especially sensitive information, without double-checking who is asking.
  2. Train your employees to recognize the scam (increase awareness).
  3. Avoid free web-based e-mail accounts; use accounts on a company domain name.
  4. Don’t over-share on social media and the company website regarding job roles or office details.
  5. Be suspicious of requests for secrecy or pressure to take action quickly.
  6. Implement a verification process backed by authentication methods and protocols: strong passwords, public-key cryptography and digital signatures, and TLS (the successor to Secure Sockets Layer, SSL) for connections; many remote-access authentication protocols are available.
  7. Delete spam and report it immediately.
  8. Delete unsolicited e-mail.
  9. Do not hit reply; forward the message instead and type in the e-mail address you know to be correct, so a forged Reply-To address cannot divert your answer.
  10. Implement intrusion detection system rules that flag e-mails from domains similar to your company domain (for example, if your domain is abc-company.com, flag abc_company.com and abccompany.com).
  11. Register domains that are slight variations of your actual company domain so criminals cannot use them.
  12. Verify any changes to vendor details, such as a new payment address, through a contact you already know.
  13. Confirm requests for transfers of funds out of band, for example by telephone to a previously known number, before sending.
  14. File a complaint online at www.ic3.gov for internet crimes.
  15. Go to the Cybersecurity Unit’s Best Practices to help protect your organization.
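The IC3 characteristics above and tips 9 through 11 describe checks that mail-filtering rules can apply mechanically. The following is an added example, not code from the original post or from the FBI/IC3: a small Python script that parses a few constructed messages and flags a look-alike sender domain, a Reply-To header that diverts replies away from the From domain, and the wording reported to the IC3, then lists the domain variants worth registering. The company domain example-corp.com, the sample messages and the phrase “keep this confidential” are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for illustration: the company's real mail domain.
COMPANY_DOMAIN = "example-corp.com"
# Wording reported to the IC3 in fraudulent requests, plus an assumed secrecy cue (tip 5).
SUSPICIOUS_PHRASES = ("urgent wire transfer", "code to admin expenses", "keep this confidential")

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    # 1: look-alike sender domain (hyphen dropped) plus urgency wording
    """From: "CEO" <ceo@examplecorp.com>
To: controller@example-corp.com
Subject: urgent wire transfer

Please process this today and code to admin expenses. I am travelling.
""",
    # 2: genuine From domain, but Reply-To diverts the answer to free webmail
    """From: "CEO" <ceo@example-corp.com>
Reply-To: ceo.example@gmail.com
To: controller@example-corp.com
Subject: invoice

Can you send me the vendor's new bank details?
""",
    # 3: ordinary internal mail, nothing to flag
    """From: hr@example-corp.com
To: controller@example-corp.com
Subject: lunch

Team lunch is on Friday.
""",
]


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typos of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(domain):
    """Registrable name with common homoglyphs and separators removed, so that
    examplecorp.com, example_corp.com and exarnple-corp.net all collapse to the
    same string as example-corp.com."""
    name = domain.lower().rpartition(".")[0] or domain.lower()
    name = name.replace("rn", "m").translate(str.maketrans("0135", "oles"))
    return name.replace("-", "").replace("_", "").replace(".", "")


def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True if domain is not the company domain but is easily confused with it."""
    domain = domain.lower()
    if domain == company:
        return False
    if normalize_name(domain) == normalize_name(company):
        return True
    return levenshtein(domain, company) <= 2


def lookalike_candidates(company=COMPANY_DOMAIN):
    """Variants of the company domain worth registering or watching (tip 11)."""
    name, _, tld = company.rpartition(".")
    out = {name.replace("-", "") + "." + tld, name.replace("-", "_") + "." + tld}
    for src, dst in (("m", "rn"), ("l", "1"), ("o", "0")):
        if src in name:
            out.add(name.replace(src, dst) + "." + tld)
    for alt in ("co", "cm", "net"):
        out.add(name + "." + alt)
    out.discard(company)
    return sorted(out)


def domain_of(header_value):
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if is_lookalike(from_dom):
        findings.append(f"look-alike sender domain: {from_dom}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    text = ((msg["Subject"] or "") + "\n" + msg.get_payload()).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            findings.append(f"suspicious wording: {phrase!r}")
    return findings


def triage(messages=SAMPLE_MESSAGES):
    """Findings per message; anything non-empty goes to a human for out-of-band verification."""
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for n, findings in enumerate(triage(), 1):
        print(f"message {n}: {findings or 'no findings'}")
    print("domains to register or watch:", lookalike_candidates())
```

A hit from any of these rules is a reason to pick up the phone and confirm through a number you already have, not proof of fraud; the Reply-To check in particular is exactly the case tip 9 guards against, since a genuine-looking From line is no protection when the answer is routed elsewhere.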

For the complete alert data, see the IC3 Public Service Announcement, Alert Number I-061416-PSA.

Did You Know?

Posted: December 14, 2016 by RISC in Education, HIPAA / HITECH Enforcement, Tip of the Week

The Office for Civil Rights (OCR) has teamed up with the Office of the National Coordinator for Health Information Technology and created information to help you understand your rights under HIPAA.

Through the federal civil rights laws and Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, OCR protects your fundamental nondiscrimination and health information privacy rights by:

  • Teaching health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws
  • Educating communities about civil rights and health information privacy rights
  • Investigating civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems.

The Office of the National Coordinator for Health Information Technology (ONC) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).

ONC is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.

For more information visit: www.HHS.gov  and www.healthit.gov/


Fast Facts for Covered Entities (CEs)

The Privacy Rule provides federal protections for personal health information held by covered entities, and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Privacy Rule does not require you to obtain a signed consent form before sharing information for treatment purposes.  Health care providers can freely share information for treatment purposes without a signed patient authorization.

The Privacy Rule does not require you to eliminate all incidental disclosures.  The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures.  In August 2002, specific modifications to the Rule were adopted to clarify that incidental disclosures do not violate the Privacy Rule when you have policies which reasonably safeguard and appropriately limit how protected health information is used and disclosed.

The Privacy Rule does not cut off all communications between you and the families and friends of patients. As long as the patient does not object, The Privacy Rule permits you to:

  • share needed information with family, friends, or anyone else a patient identifies as involved in his or her care;
  • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition;
  • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.


The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else.  Unless the patient objects, basic information such as phone number, room number and general condition can:

  • be listed in the hospital directory;
  • be given to people who call or visit and ask for the patient;
  • be given to clergy along with religious affiliation–when provided by the patient–even if the patient is not asked for by name.

The Privacy Rule does not prevent child abuse reporting.  You may continue to report child abuse or neglect to appropriate government authorities.

The Privacy Rule is not anti-electronic.  You can communicate with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of appropriate safeguards to protect patient privacy.


Source: Fast Facts for Covered Entities
