Healthcare Cybersecurity

Security Analytics Solutions Can Improve Security Posture, but there are Challenges

A recent Ponemon Institute study has delved into the use and effectiveness of security analytics solutions. The study shows that while security analytics solutions can help organizations improve their security posture, there are many challenges with both deployment and day-to-day use.

The purpose of the study was to find out how – and how much – these solutions are helping organizations and where they are failing.

The study, which was sponsored by analytics firm SAS, surveyed 621 IT and IT security professionals in the United States who are involved with security analytics in their respective organizations. 87% of respondents said they personally used security analytics solutions in their organization, while 80% of respondents said those solutions were fully deployed.

Most commonly, security analytics solutions are deployed after a cyberattack has been suffered. 68% of organizations said an attack was the main driver for implementing an analytics solution. 53% said it was fear of a cyberattack or a successful intrusion that spurred them to start using an analytics solution, while 44% said they deployed an analytics solution to meet compliance requirements.

The most common analytics solutions are tools that have been developed in house, which are used by half of organizations, while a Security Information and Event Management (SIEM) solution was used by 47% of respondents. Those solutions were deployed on premise and in the cloud by 40% of respondents. 33% said they only used the solution on premise, while 23% only used the solution in the cloud.

There are clear benefits to using a security analytics solution, although deployment is challenging. The solutions require extensive configuration and tuning before they are effective. 56% of respondents said they found deployment difficult or very difficult.

Other major problems were the sheer volume of data that needs to be analyzed – a problem for 51% of respondents – and getting access to the necessary data – rated as a problem by 45% of respondents.

Once access to the required data has been achieved, the challenges do not stop. 66% of respondents said they experienced problems with data quality, while integrating data was an issue for 65% of respondents.

The main purpose of security analytics solutions is to gain insight into security events as they happen. 72% of respondents wanted to see what was happening now, while 69% said they used the solutions to find out about past security events. 65% of respondents used the solutions to provide advance warnings about potential internal and external threats.

That said, many respondents were failing to detect the threats they most wanted to find. Half of respondents wanted their analytics solutions to detect data exfiltration, yet only 33% of respondents said their solution had that capability. 40% said they wanted their solution to detect adversary reconnaissance, but only 35% said their solution was capable of providing that information. 36% wanted their solution to detect lateral network movement, yet only 31% of respondents said their solution provided that information. Detecting malicious insiders and internal threats was important for 36% of respondents, yet only 23% said their solution had the necessary capability.

Information is needed quickly for it to be most beneficial, yet only 28% said their solution could provide information in real time or every few minutes. 40% of respondents said their solution only provided data hourly or daily.

The overwhelming feeling was that the use of security analytics solutions had helped to improve security posture. One of the most important benefits was the reduction in false positives when analyzing anomalous traffic. Before the solutions were deployed, 80% of respondents said it was difficult to reduce false positives, although that figure fell to one third after a security analytics solution had been deployed.

There may be many challenges with deploying and using security analytics solutions, but 61% of organizations said their solution was critical to their cyber defenses. 71% of respondents said their organization is planning on increasing the use of security analytics in the next 12 months.

“Security analytics clearly isn’t as effective as security practitioners need it to be,” said Stu Bradley, Vice President of Cybersecurity Solutions at SAS. That said, “building analytic sophistication ultimately pays off in improving organizations’ ability to discover, detect, investigate and respond to security events in a reliable, repeatable way.”

As for the challenges in deploying security analytics solutions, Bradley offered some helpful advice:

“Nearly all solutions require initial configuration and tuning for optimal performance,” however, “organizations can avoid many pitfalls by clearly defining workflows and project goals before starting an implementation.”

The post Security Analytics Solutions Can Improve Security Posture, but there are Challenges appeared first on HIPAA Journal.

OCR Urges Covered Entities to Monitor and Report Cyber Threats

The healthcare system in the United States has suffered a barrage of cyberattacks in recent years and there is no sign that those attacks will ease. In all likelihood, attacks will increase in both number and severity.

To counter the increased threat, healthcare organizations, government agencies, the private sector, and international network defense communities must collaborate, says the Department of Health and Human Services’ Office for Civil Rights in its February newsletter.

It is the responsibility of healthcare organizations to keep abreast of the latest cyber threats to enable them to take timely action to mitigate risk. Threat intelligence is available from many organizations, although as a minimum, healthcare organizations should be regularly checking the cyber threats published by the United States Computer Emergency Readiness Team (US-CERT).

OCR explains that US-CERT – one of the four branches of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) – provides actionable threat intelligence to the public and private sector, government agencies and critical infrastructure owners. US-CERT collects and analyses its own data, but also intelligence submitted by its partners.

Information on the latest threats is published on its website, along with recently discovered vulnerabilities, mitigations for known vulnerabilities, and details of the latest patches. Organizations can also sign up for e-mail alerts from US-CERT via its website.

The value of the information provided by US-CERT was highlighted by a report on Grizzly Steppe activity, published on February 10, 2017. Grizzly Steppe is the name given to a campaign run by Russian civilian and military intelligence services targeting the U.S. government and private sector organizations, including healthcare organizations. The activity report details the methods used by the threat actors to gain access to systems, along with techniques that can be adopted to mitigate the threat and defend against spear phishing and webshell attacks.

Armed with this information and intelligence on other network and data security threats, healthcare organizations can ensure action is taken to counter threats to the confidentiality, integrity, and availability of ePHI. OCR recommends US-CERT reports and alerts should be obtained by all covered entities and their business associates as part of the HIPAA Security Management Process.

Healthcare organizations should also play a part in improving awareness of the latest cybersecurity threats by sharing reports of suspicious activity with US-CERT. OCR suggests “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”

While threat intelligence and details of security incidents should be submitted, covered entities are not permitted to share any ePHI with US-CERT unless the disclosure is otherwise permitted under HIPAA Rules (Details of allowable disclosures of ePHI are available on this link).


81% of U.S. Healthcare Organizations Have Increased Security Spending in 2017

The 2017 Thales data threat report published earlier this week shows the healthcare industry is responding to the increased threat of data breaches and cyberattacks by committing more funds to improving cybersecurity defenses.

After two record breaking years of healthcare data breaches – 2015 in terms of the number of records exposed or stolen, and 2016 in terms of the number of breaches reported – it is clear that the healthcare industry is under attack.

2016 also saw a record number of settlements reached with the Department of Health and Human Services’ Office for Civil Rights. Last year there were 12 HIPAA settlements and one Civil Monetary Penalty issued to resolve HIPAA violations discovered during healthcare data breach investigations.

Healthcare organizations are certainly feeling the heat. In the US, 90% of healthcare organizations feel vulnerable to data threats. There was also a 2% increase in the number of healthcare organizations that experienced a data breach in the past 12 months. 20% said they had a data breach in the past 12 months and 55% of healthcare organizations say they have had a historic data breach.

In the past, the healthcare industry has lagged behind other industry sectors when it comes to cybersecurity. That is now starting to change. Healthcare organizations have responded to the increased threat level by committing more funds to their cybersecurity programs; considerably more this year than other industry sectors.

Last year, only 60% of healthcare organizations increased cybersecurity spending. According to the Thales threat report, 81% of healthcare organizations will be increasing their cybersecurity budgets this year, compared to the overall industry average of 73% and the global healthcare industry average of 76%.

94% of healthcare organizations are now using advanced technologies to protect sensitive data. 61% use SaaS, 50% IaaS, 39% PaaS, 59% use Big Data, 19% use containers, and 5% are now using blockchain.

The biggest spending priority for healthcare organizations is to comply with industry regulations. 57% of healthcare organizations say their main spending priority is compliance, 40% say it is to prevent data breaches, 34% say it is to adopt best practices, and 27% say spending has increased in response to increased cloud use.

How is the money going to be spent? 69% of healthcare organizations are increasing spending on network security, 61% are investing in endpoint and mobile protection measures, 62% are increasing spending on analysis and corrections, 51% on technologies to protect data in motion, and 47% on technologies to protect data at rest.

92% of healthcare organizations believe network security is very or extremely effective at preventing data breaches – an increase of 14% year on year – while 67% believe endpoint protection is very or extremely effective – an increase of 3% year on year.

Garrett Bekker, senior analyst at 451 Research, points out that healthcare organizations need to think carefully about the technologies they use to keep data secure: “Organizations keep spending on the same solutions that worked for them in the past but aren’t necessarily the most effective at stopping modern breaches.” Bekker also said, “Spending on securing internal networks from external threats is less and less effective – and relevant – as both the data and the people accessing it are increasingly external.”

When it comes to barriers preventing the adoption of better cybersecurity defenses, 53% said complexity is a major issue. 39% said they lack the staff to manage those defenses, 36% cited performance concerns, 33% lack the budget, while 26% said they lacked organizational buy-in.

48% of healthcare organizations believe cybercriminals are the main external threats, but internal threats are also a major concern. Privileged users are rated as the biggest internal threat according to 61% of organizations, followed by executive management (46%), contractors (33%) and service providers (26%).

Peter Galvin, VP of strategy, Thales e-Security, says, “For healthcare data to remain safe from cyber exploitation, security strategies need to move beyond laptops and desktops to encompass an ‘encrypt everything’ approach that best suits a world of internet-connected heart-rate monitors, implantable defibrillators and insulin pumps. Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”


Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture.

The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach.

Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud.

It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who said their data have been stolen said they have experienced medical identity theft as a result. The survey revealed that when medical identity theft occurs, out of pocket expenses of $2,500 are incurred on average.

The report shows half of the individuals who said their data have been stolen did not find out from a breach notification letter. They discovered they were a victim of a healthcare data breach after seeing charges on bank/credit card statements and suspicious entries on their Explanation of Benefits statements. Only a third of respondents said they were notified of the breach by the breached entity.

Even with record numbers of healthcare data breaches occurring, Americans still have faith in providers’ abilities to keep electronic protected health information secure. 88% of respondents said they trusted their providers to secure their ePHI. 85% said they trusted pharmacies, 84% trusted hospitals and 82% trusted health insurance companies. Healthcare technologies fared much worse (57%), as did government organizations (56%).

Businesses that experience data breaches know all too well that there is considerable fallout after a breach announcement is made. Many customers simply take their business elsewhere. That was clearly evident after the Target breach.

However, changing healthcare provider is less straightforward. That said, many breach victims said they did change healthcare provider or insurer after they were notified that their health information had been stolen. A quarter of breach victims said they had already changed healthcare provider following a data breach, while 21% said they had changed health insurance provider.

If a data breach or an attack is experienced, healthcare organizations should carefully assess what went wrong and how their cybersecurity defenses can be improved. Considering the impact healthcare data breaches have on patients and the considerable fallout following a data breach, healthcare organizations should ensure that their cybersecurity defenses are up to scratch to prevent data breaches from occurring in the first place.


Healthcare Industry Threat Landscape Explored by Trend Micro

Trend Micro has issued a new report that explores the healthcare industry threat landscape, the new risks that have been introduced by the inclusion of a swathe of IoT devices, and how cybercriminals are stealing and monetizing health data.

Cybercriminals are attacking healthcare organizations with increased vigor. More attacks occurred last year than in any other year, while 2015 saw a massive increase in stolen healthcare records.

While the health data of patients is an attractive target, health records are not always being sold for big bucks on underground marketplaces. Health insurance cards can cost as little as $1, while EHR records start at around $5 per record set.

However, cybercriminals are now increasing their profits by processing and packaging the stolen data. Data are used to obtain government-issued IDs such as driver’s licenses, passports and birth certificates. Farmed identities of individuals who have died are being sold, which can see prices of more than $1,000 charged per identity, or even more if IDs are also supplied. A large haul of health data from an EHR system can see cybercriminals make considerable sums, so it is no surprise that healthcare organizations and their EHR systems are being targeted.

The report provides insights into the healthcare industry threat landscape and shows how healthcare organizations are allowing chinks to develop in their cybersecurity armor.

For the report, Trend Micro performed a scan of connected healthcare devices via the search engine Shodan, which revealed how visible healthcare networks are via the Internet and how easy it is for cybercriminals to identify targets.

Shodan can be used by anyone with an Internet connection. The search engine returns details of Internet connected systems such as EHRs, along with medical equipment, appliances, printers and copiers together with the names of the organizations that own the devices.

Hackers can use Shodan to find devices and try to log in using default passwords. Default passwords for those devices are freely accessible online. Even when passwords are changed, they are often replaced with weak passwords that can easily be guessed. Once access has been gained, the device can be used as a launch pad for an attack on other parts of the network. Alternatively, the devices can be reconfigured to record information that can be used in further attacks.

The Shodan scan revealed 36,116 healthcare-related records. Trend Micro reports that out of those records, “6,502 originated from the top 10 U.S. cities with exposed healthcare facilities.” The main cities with exposed healthcare facilities were Bethesda, Collegeville, Houston, Portland, and Phoenix; each of those cities accounted for between 10% and 18% of exposed healthcare facilities.

Many of the exposed healthcare organizations were also using out of date and unsupported operating systems such as Windows Server 2008 R2 and Windows XP. The search also revealed that 1,067 healthcare organizations had out of date security certificates.

Trend Micro discovered patch management failures were allowing vulnerabilities to remain unaddressed. 10 devices were discovered that had not been patched to protect against the Heartbleed vulnerability, even though the vulnerability was discovered and patched over two years ago.

Healthcare organizations can spend money on advanced cybersecurity protections, but it is essential that basic cybersecurity controls are not missed.

Given the value of healthcare data and the ease with which potentially vulnerable devices can be found, healthcare organizations must ensure that their networks are made more secure. At the very least, default passwords should be changed on all devices, with strong passwords set. Patch management policies must cover all devices, and plans should be put in place to upgrade all devices that are still running on unsupported software.

Trend Micro’s report, Cybercrime and other Threats Faced by the Healthcare Industry, can be found on this link.


Beware of Medical Device Hijack Attacks! Medjack.3 Discovered

In 2015, security researchers discovered MEDJACK malware: a form of malware developed specifically to attack medical devices such as heart monitors, MRI machines, and insulin pumps. While medical devices have long been a potential target for cybercriminals, until the discovery of MEDJACK, the threat of cyberattacks on medical devices was largely theoretical.

While MEDJACK could have been a one off, evidence emerged suggesting it was being actively developed. A second version of the malware – discovered last summer – was being used for advanced persistent attacks on hospitals via medical devices running on legacy systems.

Vulnerable medical devices were being used as a springboard to gain access to networks used to store the electronic protected health information of patients. TrapX Security discovered that at least three attacks on healthcare providers had occurred using MEDJACK.2 by the summer of 2016.

MEDJACK.2 was capable of bypassing security controls as the malware used was old and was no longer deemed to be a threat by security solutions. More recent versions of Windows were protected against attacks using the malware so in many cases no alarms were triggered.

However, the attackers simply used an old malware wrapper to hide a range of cybersecurity tools that enabled them to install backdoors and move laterally within healthcare networks virtually undetected.

Now, security researchers at TrapX have discovered a third version of the malware. MEDJACK.3 is even more advanced and poses an even bigger threat to hospitals. The new version of the malware was discovered during an investigation of the medical infrastructure at ten UK hospitals.

As part of the investigation, TrapX created a number of fake medical devices such as MRI scanners. They noticed that those devices were being probed and that attackers were using a new method to discover and infect devices. While the method was new to MEDJACK, it had been seen before – many years previously. The attackers were using an old malware spreader to find and attack devices on older operating systems.

According to Anthony James, VP of marketing at TrapX, “Attackers are leveraging legacy malware-spreading tools that bypass a lot of today’s operating systems and target older systems.” The latest attacks are more targeted, with the attackers searching for specific devices that can be attacked rather than the more random approach seen last year.

Any device connected to an older, unpatched operating system was discovered to be vulnerable to attack and would accept the hacker’s tools. That included older operating systems such as Windows XP and Windows Server 2003, but also Windows 2008 and 2012. As was the case with MEDJACK.2, because the malware used was not perceived to pose a threat, the hackers were able to infect devices undetected.

TrapX has warned that many healthcare providers may already have been attacked with MEDJACK.3 and access may have been gained to their medical devices; possibly also the networks to which those devices are connected.

TrapX will be releasing a new white paper on MEDJACK.3 shortly.


2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released that analyzes incidents reported to the Department of Health and Human Services’ Office for Civil Rights last year. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA – shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.


Cybercriminals Switch File Types to Infect More Organizations with Malware

During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case.

During 2016, cybercriminals favored malicious Office macros and JavaScript for downloading their malicious payloads. However, the Microsoft Malware Protection Center has identified a new trend. Rather than JavaScript, which is becoming easier to identify and block, cybercriminals have turned to less suspicious looking file types to infect end users.

Large-scale spamming campaigns are now being conducted that distribute malicious LNK and SVG files. These files are less likely to arouse suspicions than JavaScript and may make it past anti-spam defenses. LNK files – Windows shortcut files – are combined with PowerShell scripts which download malicious payloads when opened. Over the past year, PowerShell scripts have been used to download ransomware variants such as Locky.

Microsoft’s Malware Protection Center has identified one campaign that uses LNK files which attempts to download Locky from five different domains. “The use of multiple domains and the technique of storing the rest of the URL as a parameter is a way to circumvent URL filtering solutions. All the script needs is one URL that is not blocked in order to successfully download malware,” warns Microsoft.

Not all campaigns are used to download malicious files. Fileless malware is becoming more popular. Since PowerShell scripts are run directly in memory, no file download is necessary. Malicious code remains in memory. Even if endpoint security has been implemented, those solutions are unlikely to detect these fileless malware attacks.

Organizations can improve defenses against these fileless malware attacks by setting PowerShell policies to restricted, but it is relatively easy to bypass these security policies and still run the scripts.

SVG – Scalable Vector Graphics – files are image files; however, it is relatively easy to incorporate obfuscated JavaScript into the files. Opening the file attachment will launch the JavaScript, which in turn will download the malware or ransomware. SVG files are opened using browsers and the image will be displayed even if JavaScript has been incorporated into the file. End users who open these files are therefore unlikely to realize that malware is being silently downloaded.

Many organizations have responded to the threat of JavaScript downloaders by blocking their delivery through their spam filtering solutions. The change to PowerShell scripts could potentially see spam controls bypassed. To deal with the threat, organizations should also configure their spam filtering solutions to block LNK files. Since these file types are rarely sent in legitimate emails, blocking LNK files is unlikely to cause any problems.

SVG files are more commonly used, although organizations should consider also blocking these image types from delivery via email. If images do need to be sent, policies can be developed to require these file types to be communicated via other means, via Google Drive or Dropbox for example.
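The attachment checks described above can be expressed as a small mail-gateway filter. The following is an added example, not code from the original post or from Microsoft: it flags LNK attachments by extension and by the Shell Link header bytes (so a renamed shortcut is still caught) and flags SVG attachments that carry script. The message, file names and finding labels are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046. Matching on content catches
# shortcuts that were renamed to a harmless-looking extension.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def is_lnk(filename: str, data: bytes) -> bool:
    return filename.lower().endswith(".lnk") or data.startswith(LNK_MAGIC)


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should be blocked (empty list = static image)."""
    text = data.decode("utf-8", errors="replace")  # assumes ASCII-compatible encoding
    if re.search(r"<!ENTITY", text, re.I):
        # Do not expand attacker-defined entities; treat the file as hostile.
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Browsers are more lenient than an XML parser, so malformed files
        # are never passed as clean.
        if re.search(r"<\s*script|\bon\w+\s*=|javascript:", text, re.I):
            return ["unparseable-with-script-markers"]
        return ["unparseable"]
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            findings.append("script-element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()  # strip XML namespace
            if local.startswith("on"):
                findings.append(f"event-handler:{local}")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("script-uri")
    return findings


def triage(raw: bytes) -> dict[str, list[str]]:
    """Map attachment name -> block reasons. Archives and nested messages
    are not unpacked here; a real gateway would recurse into them."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = ["lnk"] if is_lnk(name, data) else []
        if name.lower().endswith(".svg") or part.get_content_type() == "image/svg+xml":
            reasons += svg_findings(data)
        if reasons:
            verdicts[name] = reasons
    return verdicts


def build_sample() -> bytes:
    """Constructed message: a disguised LNK header, a scripted SVG, a clean SVG."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    # Header bytes only, padded to the 76-byte header size: not a working shortcut.
    msg.add_attachment(LNK_MAGIC + bytes(56), maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)">'
        b"<script>/* constructed placeholder */</script>"
        b'<rect width="10" height="10"/></svg>',
        maintype="image", subtype="svg+xml", filename="receipt.svg")
    msg.add_attachment(
        b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
        maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(build_sample()).items():
        print(f"BLOCK {name}: {', '.join(reasons)}")
```
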


IRS Issues Warning About W-2 Phishing Scams

W-2 phishing scams increased considerably in 2015 prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year.

This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The attacker sends an email request to a payroll or HR staff member and requests W-2 Form data for the entire workforce by return. Typically, the request is for the W-2 Forms of all individuals who worked in the previous tax year. The information is often asked for in PDF format.

The request appears to come from the company’s CEO, CFO, or another high-ranking executive with authority. Payroll and HR employees respond to the email and send data as requested as the email seems genuine. The individual who appears to have sent the request is likely to have a need for the information.

Research is conducted on the company by the attackers. They find out the email addresses of staff members to target and select an executive that is likely to have a need for W-2 Form data. The email address of the chosen executive is then spoofed using a variety of techniques to make the request appear to have been sent from within the company.

The consequences of responding to such a scam can be serious, certainly for an organization’s employees. The data on W-2 Forms can be used for a wide range of nefarious purposes, although the main purpose of the attack is to obtain the data necessary to file fraudulent tax returns.

Last year, there were at least 145 reports of successful W-2 phishing scams sent to the IRS and more than 29,000 employees were impacted by those scams. Given the number of successful scams already reported this year, 2017 looks set to be far worse than last year.

There have been at least 23 such scams pulled off in January, and over the past week, the number of reports received by the IRS has increased substantially.

It is not only the corporate world that is being targeted. Healthcare institutions, school districts, nonprofits, tribal organizations, restaurant chains, staffing agencies, shipping, and freight companies are all being targeted. In fact, any business or organization is a potential target.

This year, a new trend has emerged. In addition to the W-2 phishing scams, victims are also subjected to a second attack. The same spoofed email account is used to send a request to payroll or the comptroller requesting a bank transfer be made.

These scams were commonplace in 2016. In some cases, transfers of millions of dollars were sent to fraudsters’ accounts. The FBI reported that cybercriminals attempted to steal $3.1 billion by the middle of last year. The transfer amounts ranged from around $10,000 to tens of millions of dollars.

The year may still be young, but several organizations have been stung twice and have sent W-2 Form data and made fraudulent bank transfers.

To avoid becoming a victim of these scams, employees must be made aware of the risk and instructed to exercise caution. Any request to send W-2 Form data should be treated as suspicious, even if that request appears to have been made by the CFO.

Policies should be introduced that require payroll/HR staff to properly authenticate any request for W-2 forms that is sent via email. Internal policies should also be developed covering wire transfers – and especially international wire transfers – to ensure such requests are authenticated before transfers are processed.
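Header checks a mail gateway could run on the requests described above, added here as an example and not taken from the IRS warning or the original post. The company domain `example.com`, the executive name, the flag and disposition labels and the three messages are constructed, and the Authentication-Results header is assumed to be stamped by the organization's own gateway.

```python
import re
from email import message_from_string, policy

# Requests the article says must be authenticated before anyone acts on them.
SENSITIVE = re.compile(r"\bW-?2\b|wire transfer|bank transfer", re.I)
# SPF/DKIM/DMARC failures recorded by the receiving gateway (RFC 8601 header).
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail)\b", re.I)


def bec_flags(raw: str, company_domain: str, executives: set[str]) -> list[str]:
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    if SENSITIVE.search(text):
        flags.append("sensitive-request")
    senders = msg["From"].addresses if msg["From"] else ()
    if not senders:
        return flags + ["no-from"]
    sender = senders[0]
    from_domain = sender.domain.lower()
    # An executive's display name on an address outside the company.
    if sender.display_name.lower() in executives and from_domain != company_domain:
        flags.append("exec-name-external-address")
    # From looks internal, but replies (and the W-2 PDFs) would go elsewhere.
    reply = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if any(a.domain.lower() != from_domain for a in reply):
        flags.append("reply-to-diverts")
    if any(AUTH_FAIL.search(str(h)) for h in msg.get_all("Authentication-Results", [])):
        flags.append("auth-fail")
    return flags


def disposition(flags: list[str]) -> str:
    """Every W-2 or transfer request is verified out of band, even when the
    headers look clean; spoofing indicators on top of that mean quarantine."""
    if "sensitive-request" in flags:
        return "quarantine" if len(flags) > 1 else "verify-out-of-band"
    return "deliver"


# Constructed messages (names, domains and wording are illustrative).
FORGED_INTERNAL = "\n".join([
    'From: "Pat Example" <pat.example@example.com>',
    "Reply-To: pat.example@example.net",
    "To: payroll@example.com",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
    " dmarc=fail header.from=example.com",
    "Subject: W-2 forms for all employees",
    "",
    "Please send the 2016 W-2 forms for all staff as PDF by return.",
])
LOOKALIKE = "\n".join([
    'From: "Pat Example" <pat.example@examp1e.test>',
    "To: comptroller@example.com",
    "Subject: Wire transfer needed today",
    "",
    "I need a payment processed before close of business.",
])
ROUTINE = "\n".join([
    'From: "HR Team" <hr@example.com>',
    "To: staff@example.com",
    "Subject: Benefits enrollment reminder",
    "",
    "Open enrollment closes Friday.",
])

if __name__ == "__main__":
    execs = {"pat example"}
    for label, raw in [("forged", FORGED_INTERNAL), ("lookalike", LOOKALIKE),
                       ("routine", ROUTINE)]:
        f = bec_flags(raw, "example.com", execs)
        print(label, f, disposition(f))
```
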
