The FBI released an alert on July 12 titled Business E-mail Compromise E-mail Account Compromise – The 12 Billion Dollar Scam that should be on your radar.  BEC-EAC stands for Business Email Compromise – Email Account Compromise.  If you haven’t learned about this particular threat it is important that you review it and assess the risk it brings to your company.  That’s why we review these increasing threats and what you need to do about them in this episode.



In this episode:

BEC-EAC the latest threat to your business

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Where to meet us

  • 4medapproved Healthcare Cybersecurity Officer Live Webinar Workshop – Sept 12, 13, 19, 20, 2018  Use GRINDLE20 to get a 20% discount.
  • Georgia Pediatric Practice Administrators, October 18

Next HIPAA Boot Camp

Live in Tucker, GA

October 25th and 26th

Want to be part of Help Me With HIPAA? Donate to the cause at

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.

Like us and leave a review on our Facebook page:


BEC-EAC the latest threat to your business

The FBI published an alert with the same title last May, except for the dollar amount: in that version, the total was 5 billion dollars.  That difference alone warrants a detailed look into the issue.  Another alert, released on June 11, 2018, and titled Business Email Compromise Contributes to Large-Scale Business Losses Nationwide, describes the same problem.

The most recent alert has to do with specific attacks on real estate firms.  But, that is just the latest surge at a specific target.  All email accounts can end up as part of the scam.

We have seen and heard about a lot of these cases in recent weeks.  Most people in healthcare probably read the first paragraph and assumed it wasn’t something they should dig into much further.  Turns out that isn’t the case.

The first paragraph of the report reads:

Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.

The problem with that statement is that so many people who see these alerts (if they see them at all) stop reading at that paragraph because they don’t do wire transfers.  There is much more information after that paragraph that explains why this matters to all businesses.

First, let’s explain what BEC and EAC are all about.  In general terms, an Email Account Compromise is where criminals hack an email account and take it over.  If that is a business email account and they then use it to lure your business contacts into doing things, like sending them money, it is a Business Email Compromise.

A little more from the alert explains how this matters to all businesses.

Perpetrators have been known to impersonate business executives, real estate industry representatives, HR staff, law firms, and trusted vendors to initiate or redirect wire transfers to overseas bank accounts. They often adjust the BEC scheme to target specific victims and maximize financial payouts. Criminals also use these techniques to obtain personally identifiable information, which they can sell in Dark Web Marketplaces or use to submit fraudulent tax returns. To perpetuate the scheme, criminals may compromise the email accounts of business employees or they misuse publicly available services to spoof victim email domains.

BEC-EAC – You may not be the target for one but you will be for the other.

You may not be a target for one part of the scam but you can definitely be a target for the other half of the scam.  This means there is no email account immune to these attacks.  Here are the steps:

  • An email shows up in one of the inboxes at your company.  It may even be one of the best phishing emails you have ever seen.
  • A single user is convinced to click on the link, which prompts them to enter their email login information, and they do.
  • At this point, the attacker has what they need to log in to that employee’s account and wander around freely.

They can review the regular contacts in the account and gather information about your communications.  They will check whether you do financial transactions and, if not, what other businesses, executives, vendors and customers you communicate with at any level.  The stolen account can also be swept for any valuable information that can be extracted and sold or used for other attacks.

Once the criminals have figured out what could be useful in the account they begin using it to send out more emails.  Those emails the criminal sends continue to perpetuate the scam.

Those emails include a wide variety of scams:

  • They may identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters when contacting people in your contact list.
  • They may request information from other members of the company or vendors that may compromise their accounts.
  • They use this account to send out emails to other contacts they have harvested through other hacked accounts.

None of that activity requires you to wire money, but it gets you involved in the scam in so many other ways.  The scary part is all of those “encrypted email” accounts that are loaded with PHI.  That is why we keep seeing breach notifications due to “compromised email accounts” and “phishing attacks”.

If you haven’t considered this as an issue in your business, you should do something about it right now.  These attacks are the new ransomware (the malware version of orange is the new black).  The decrease we have recently seen in ransomware corresponds with the dramatic increase in these attacks.  One report even mentioned that a ransomware or malware attack preceding these BEC-EAC cases appeared to be a distraction effort.

I can tell you that it is actually much more likely that you can prove there is no need to notify patients after a ransomware attack than after one of these attacks.

How to protect your business from BEC-EAC incidents

So how do you prevent this from being your next problem?  The FBI alerts include a list of recommendations:

  • Frequently monitor your Email Exchange server for changes in configuration and custom rules for specific accounts
  • Consider adding an email banner stating when an email comes from outside your organization so they are easily noticed
  • Conduct End-User education and training on the BEC threat and how to identify a spear phishing email
  • Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information
  • Contact requestors by phone before complying with e-mail requests for payments or personnel records
  • Consider requiring two parties sign off on payment transfers
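The first two items on that list can be turned into something an administrator can actually run.  The script below is an added example and is not from the episode or the FBI alert: it sweeps every mailbox for inbox rules and forwarding settings of the kind that get planted after an Email Account Compromise (forwarding or redirecting to an outside address, deleting or hiding messages), and it creates the external-sender banner as a transport rule.  It assumes an Exchange Online PowerShell session (the ExchangeOnlineManagement module); the domain list, rule name and banner wording are placeholders to replace with your own.

```powershell
# Added example, not part of the original show notes or the FBI alert.
# Assumes: Connect-ExchangeOnline has already been run with an admin account.
$InternalDomains = @('example.com')   # placeholder: list your accepted domains here

# True when any SMTP address found in the string belongs to a domain we don't own.
# Rule targets look like "Name [SMTP:user@domain]" or "smtp:user@domain", so the
# address is pulled out with a regex rather than parsed positionally.
function Test-ExternalAddress {
    param([string]$Value)
    foreach ($m in [regex]::Matches($Value, '[\w.+-]+@[\w.-]+')) {
        $domain = ($m.Value -split '@')[-1].ToLower()
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

# Walks every user mailbox and reports rules or settings worth a closer look.
function Get-SuspiciousInboxRules {
    $findings = @()
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        # Mailbox-level forwarding can be set from account settings without a rule.
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = '(mailbox forwarding)'
                Reason  = "ForwardingSmtpAddress -> $($mbx.ForwardingSmtpAddress)"
            }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
            $reasons = @()
            foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
                foreach ($target in @($rule.$prop)) {
                    if ($target -and (Test-ExternalAddress "$target")) { $reasons += "$prop -> $target" }
                }
            }
            if ($rule.DeleteMessage) { $reasons += 'deletes matching messages' }
            # Moving mail into rarely-read folders is a common way to hide replies.
            if ($rule.MoveToFolder -match 'RSS|Junk|Archive|Deleted') { $reasons += "moves mail to $($rule.MoveToFolder)" }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $rule.Name
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Creates the external-sender banner once; re-running the script is safe.
function Add-ExternalSenderBanner {
    param([string]$RuleName = 'External sender banner')   # placeholder name
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) { return }
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization -SentToScope InOrganization `
        -PrependSubject '[EXTERNAL] ' `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText '<p style="color:#a00"><b>CAUTION:</b> This message came from outside the organization. Confirm any request for payments, credentials or records by phone before acting.</p>' `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}

Get-SuspiciousInboxRules | Format-Table -AutoSize
Add-ExternalSenderBanner
```

Run the audit on a schedule and keep the output, so a rule that appears between runs stands out; a forwarding rule that turns up on a mailbox whose owner never created it is exactly the “change in custom rules for specific accounts” the alert tells you to watch for.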

To me, the most important technical change you can make is to add 2FA or MFA of some sort to all of your email accounts.  Do it ASAP, in fact.  Also, based on what we are seeing with SMS, make sure that you use an authenticator app, if not one of the hardware devices.  SMS is becoming less acceptable for providing that extra layer without creating new issues.

You can’t let your guard down anymore with these threats.  As soon as you get things locked down to stop one type, they shift to another one and, before you know it, back to an older one.  That is why security awareness matters so much.  The prairie dog effect we get from a phishing test, as everyone pops up to check with each other, can be fun, but it also builds awareness every time.  “The more you know” isn’t just a saying for TV commercials; it matters in security very much.

We do the best we can to share the info here.  Just another reason to stay in touch with us and keep listening each week!

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™