Wednesday, March 18, 2015

Why some emails are so easy for scammers to fake

By Gary Stoller
Published March 16, 2015

Emails purportedly sent by health insurance companies and large banks are more likely to be fraudulent than those claiming to be from social media companies, a new research study reveals.

An email that appears to come from a health insurance company is four times more likely to be fraudulent--or two times more likely from a large US bank--than an email ostensibly from a social media company like Facebook, according to Agari's 2015 study.

Agari, which provides solutions to detect and prevent cyberattacks, analyzed 6.5 billion emails daily last year in nine industries for the study.

The study should make consumers and organizations more aware of the security of their email and data and "how they can protect themselves from fraud," says Patrick Peterson, Agari's CEO.

The health care industry, which has been hit with massive cybersecurity attacks, has the worst average TrustScore of all industries surveyed, the study says. A TrustScore, based on a zero to 100 scale, indicates how well organizations protect their consumers from email cyberthreats.

The poor TrustScores of health care companies are in line with an FBI warning last year. According to Reuters, the agency warned health care providers that their cybersecurity systems are lax compared to other sectors, making them vulnerable to hackers targeting American citizens' medical records and health insurance data.

In February, Anthem, the nation's No. 2 health insurance carrier, was struck by a cyberattack that exposed the sensitive data of up to 80 million customers in all 50 states.

Last July, Community Health Systems, the nation's second-largest for-profit health system, confirmed that information about 4.5 million patients was stolen in a cyberattack believed to have originated in China.

Agari's study reports that six of 14 major health insurance companies surveyed had a TrustScore of zero. Aetna, though, is an exception. It had a 100 TrustScore in last year's third and fourth quarters--"remarkable for a company in any sector," the study says.

Banks Ranked Low

Email attackers targeted banks and other financial institutions more than any other types of company in 2014, but every category of bank surveyed had a low average TrustScore, the study says. The study looked at large and mega banks in the USA and mega banks in Europe.

"European megabanks, whose customers are some of malicious emailers' most common targets, fared especially poorly," the study says. They had a TrustScore of 33, the second-lowest of nine industries surveyed.

Large American banks had the third-lowest TrustScore, 36, and American megabanks scored 46. Two US banks--Chase and Capital One--had perfect 100 scores.

Most companies haven't implemented technology to prevent "cyber criminals from sending messages that appear to come from their domains--a failure that leaves customers vulnerable to phishing attacks," the study concludes.

The emails from cyber criminals trick people into sharing sensitive information, "leading to identity theft and other crimes," the study says. "Because victims of phishing attacks often blame the companies they thought sent the forged emails, the attacks also erode the trust companies spend years building with customers."

http://www.foxbusiness.com/technology/2015/03/16/why-some-emails-are-so-easy-for-scammers-to-fake/

Wednesday, March 4, 2015

Why health hacks are worse than credit card hacks

By Erin Griffith
February 5, 2015

Companies in the health care industry have richer data and fewer defenses than those in other industries, making them especially susceptible to attacks.

In the largest-ever security breach of a health insurance company, Anthem revealed on Thursday that the personal data of 80 million customers may have been exposed to hackers.

It's likely that hackers will continue to target health care companies. For one thing, health data is a richer source of personal information than credit card data. Among the bounty: social security numbers, email addresses, birthdays, street addresses, policy numbers, diagnosis codes, billing information, and the names of family members--the sort of information used in security questions for online accounts.

Malicious hackers can use that information for what's sometimes called a "soft hack," or unauthorized entry without the use of sophisticated software. Identity thieves can gain access to a person's account by guessing the right answers to security questions and resetting a password. With the right combination of family and personal information, a thief can also use fake identities to score drugs from pharmacies. This is the major reason why stolen health credentials are worth 10 times more than credit cards on the black market, according to Reuters.

Secondly, health care companies haven't focused on security as much as other industries have, and have been known to rely on outdated software. "Healthcare organizations have invested less in IT, including security technologies and services, than other industries," says Lynne Dunbrack, a vice president at market research firm IDC.

That's true for insurers in part because they aren't incentivized to make security a priority. Their end customers often have little choice as to which provider they use, since that choice is typically made by employers. Insurers are not likely to lose as much business over a data breach as, say, a retailer. For example, it is much easier for a shopper to choose Walmart over Target after the latter suffered a massive security breach last year.

In general, companies that administer their data in servers located on-premise are often less secure than companies that rely on major cloud computing vendors, according to Kevin Spain, a general partner at Emergence Capital. "The most vulnerable systems tend not to be cloud-based because security is what they do," he says. A hack like this may not ruin a health insurance company like Anthem, but it could destroy a cloud software company like Salesforce, Spain says: "That's why there is a different level of priority."

http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/