Report Reveals 473% Increase in Healthcare Email Fraud Attacks in 2 Years

Proofpoint revealed in its recent healthcare email security report that there has been a 473% increase in healthcare email fraud attacks in the last two years.

Email fraud, often called business email compromise (BEC), is a major cyber threat. A single successful attack can cost a business hundreds of thousands of dollars, and in some cases businesses have lost millions of dollars in one attack. Statistics from the FBI indicate that losses due to email fraud attacks since 2013 have reached $12.5 billion.

These highly targeted email attacks usually entail the spoofing of email addresses to make emails appear to have been sent from a known contact or trusted source. They frequently involve using a real email account of someone within the organization, which was earlier compromised as a result of a spear phishing attack.

The attacks are typically conducted to steal sensitive information such as employee tax data, to steal credentials, and for wire fraud. The latter is the most widespread type of email fraud in the healthcare industry.

For the report, Proofpoint reviewed over 160 billion emails sent from organizations across 150 countries between Q1 2017 and Q4 2018. There were 473% more healthcare email fraud attacks in Q4 2018 than in Q1 2017.

Healthcare organizations experienced an average of 96 email fraud attacks each quarter, although 53% of healthcare organizations experienced even higher numbers of attacks. An average of 65 employees were targeted at healthcare organizations in Q4 2018. No healthcare organization studied saw a reduction in email fraud attacks within the period of study.

An average of 15 healthcare employees were spoofed at each healthcare organization. 49% of organizations were attacked using at least 5 spoofed identities. More than 75% of healthcare organizations had over 5 employees targeted in the BEC attacks. The majority of employees were targeted because of their position in the organization.

Of all the attacks targeting healthcare organizations, 95% occurred using their own trusted domain and 100% had the attacker spoof a healthcare domain to attack business partners and patients. Proofpoint considered 45% of all emails coming from healthcare domains in Q4 of 2018 to be suspicious, 65% of which were sent to employees in the same organization, 15% to business partners and 42% to patients.

Proofpoint reviewed email fraud attacks in several industries. The healthcare industry was the only one where there was a link between the number of attacks and company size. Bigger organizations were targeted more often than smaller organizations.

The most common subject lines in the email fraud emails contained ‘Request’, ‘Payment’ or ‘Urgent.’ It was also common for blank subject lines to be used. Most of the emails were delivered during office hours. 70% were sent from 7 am to 1 pm, Monday to Friday.

33% of the emails used in the attacks were sent from free email platforms such as Gmail, Inbox, Comcast, AOL, and RR. Besides spoofing a healthcare domain name, attackers often use lookalike domains, such as those with misspellings, added characters, or transposed letters. 67% of the attacks on healthcare organizations used lookalike domains.

Blocking email fraud attacks requires layered defenses. Employees need to be taught how to identify potential email fraud attacks and must be trained to report them to their security teams. Email fraud attack simulations are useful: they identify employees who are susceptible to attacks so that those employees can be given further training. Email security solutions should also be deployed to block the emails at the gateway. DMARC should be used to stop impostors from spoofing websites. Domains that resemble those used by healthcare organizations should be monitored, since they may be registered and used by fraudsters, and email filters should be configured to reject messages coming from those unsafe domains.
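The lookalike-domain and subject-line patterns the report describes can be turned into a simple inbound triage check. The following is an added example, not code from the report or from Proofpoint; the organization domain, the free-mail list and the sample headers are constructed placeholders.

```python
# Added example: classify sender domains against the organization's own domain.
# TRUSTED_DOMAIN and FREE_MAIL are constructed placeholders, not real values.
TRUSTED_DOMAIN = "example-health.org"
FREE_MAIL = {"gmail.com", "aol.com", "comcast.net", "inbox.com", "rr.com"}
URGENCY_WORDS = ("request", "payment", "urgent")  # subject words cited in the report


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each count as one edit (covers misspellings,
    added characters and swapped letters)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    return addr.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify(addr: str, trusted: str = TRUSTED_DOMAIN, max_edits: int = 2) -> str:
    dom = sender_domain(addr)
    if dom == trusted:
        return "trusted"      # exact match: only DMARC can separate real from spoofed
    if dom in FREE_MAIL:
        return "free-mail"
    label, _, tld = dom.rpartition(".")
    t_label, _, t_tld = trusted.rpartition(".")
    if label == t_label and tld != t_tld:
        return "lookalike"    # same name, different TLD
    if osa_distance(dom, trusted) <= max_edits:
        return "lookalike"    # within a couple of edits of our own domain
    return "other"


def suspicious_subject(subject: str) -> bool:
    """Blank subjects and urgency words were common in the report's attack samples."""
    s = subject.strip().lower()
    return s == "" or any(w in s for w in URGENCY_WORDS)


def triage(messages):
    """messages: list of (from_header, subject). Returns entries needing review."""
    return [(frm, classify(frm), suspicious_subject(subj)) for frm, subj in messages
            if classify(frm) in ("lookalike", "free-mail") or suspicious_subject(subj)]
```

A sender that exactly matches the trusted domain is left to DMARC; this check only catches lookalikes, free-mail senders and the subject-line lures the report highlights.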

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: