29th September 2020

Cyber claims case study: Care home hoax

By Aston Lark
Cyber claim case study

88% of hackers who took part in ‘The Black Report’ survey admitted they use social engineering as part of their attack strategy, and that it can take less than five hours to complete an entire data breach in the hospital/healthcare industry*. With few care homes providing companywide cyber awareness training, threat actors continue to reap rewards by targeting humans rather than technology. The frequent and high value online transactions made by many care homes makes this sector a highly lucrative target.  

CFC Underwriting shares a real-life example of how a sophisticated social engineering attack resulted in a care home transferring £87,315 to a fraudster. Poor password management and the absence of multi factor authentication allowed the attacker to access the CEO’s email account.  There they sat patiently monitoring the email traffic and familiarising themselves with the CEO’s calendar.  Knowing when he was on holiday, and so a scam was less likely to be uncovered, the fraudster made his move.  He sent an email impersonating the CEO to a member of the Finance team instructing urgent payment of an outstanding invoice for the sum of £47,584. Having been monitoring how the CEO communicated with members of the finance team, the fraudster was able to mimic his phraseology, making his email look as authentic as possible. The sense of urgency, coupled with not wanting to disturb the CEO whilst on holiday, led the employee to transfer the funds as requested. The following day the same thing happened, and £39,731 was transferred to another account. By the time the fraudulent transactions were discovered, all but £600 of the funds were irretrievable. Fortunately, having purchased cybercrime cover, insurers were able to recover most of the loss.

In this digital age, it is critical for care homes to implement a cyber smart culture and help employees spot phishing emails to reduce the likelihood of becoming a victim. Security is everyone’s responsibility. However, even with every security measure in place, all it takes is for one employee to make one mistake and it could have catastrophic consequences not only financially, but also through the long-term negative impact on a care home’s reputation. 

With threat actors exploiting any vulnerability – be it targeting technology weaknesses, or human error through social engineering manipulation - care homes must adopt a strategy which reduces their risk exposure with security protocols, but also mitigates the risk with cyber insurance should the worst happen.

To read the full case study, click here.

*Source: Nuix’s ‘The Black Report 2018’