Email Security Roundup 2020 (Biggest Email Scams, Phishing Attacks, BECs and Data Breaches of the Year)

Q&A: What to do if you respond to a phishing email?

The first thing you need to do if you respond to a phishing email is to log in to your email account from a different computer and change your password immediately. Once you do that, make sure to log out of all other web sessions and check your email settings for any changes you didn’t make.

Q&A: What to do if you click on a phishing link in an email?

If you clicked on a link in a phishing email, immediately close the webpage or document and do not enter any data. Next, disconnect the device from the Internet and scan it for malware and viruses using an antivirus and anti-malware tool.

2020 is almost at an end (thankfully). And while we certainly can’t say it was a particularly good year, considering the global pandemic, for some it was even worse, as they fell victim to email scams, BEC, phishing attacks and data breaches.

So let’s take a look back at some of the biggest business email compromises that happened in 2020 and hopefully start learning from these mistakes as we count down to 2021.

These include different types of data breaches, including phishing and ransomware, which just shows the different approaches cybercriminals can take when attacking.

  1. Puerto Rico – January ($4,000,000)

This is actually not one, but three separate BEC attacks suffered by the Puerto Rican government agencies in the first month of 2020 that resulted in overall losses of more than $4 million.

The scam was the result of the compromise, in December, of an email account belonging to a finance worker at Puerto Rico’s Employment Retirement System. Using his account, the hackers were able to send emails that appeared legitimate to his colleagues in other government agencies and instruct them to change their bank account numbers.

The biggest loss was suffered by the government-owned Industrial Development Company, $2.6 million, while the Tourism Company lost $1.5 million and the Commerce and Export Company lost $63,000.

  2. Barbara Corcoran (Shark Tank) – February ($400,000)

The Shark Tank judge nearly lost $400,000 this February, a perfect example of why classic email scams are still dangerous and can happen to anyone.

What happened was that Corcoran’s assistant wired the money to a scammer pretending to be her assistant, in order to “pay for real estate renovation”. This shows that the scammer did his homework as Corcoran is herself a real estate broker and has made millions from it.

Luckily, the scam was discovered in time (the scammer’s address was one letter off from the assistant’s real email address) and Corcoran was able to inform the bank in Germany of the fraud and get her money back before it was transferred to the scammer’s account in China.
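The one-letter difference that exposed this scam can be checked automatically. The following is an added example, not part of the original article: it compares a sender address against a list of known contacts and flags near misses. The addresses, function names and the two-edit threshold are assumptions made for illustration.

```python
# Added example: flag sender addresses that nearly match a trusted contact.
# All addresses are constructed; function names and threshold are assumptions.

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each counted as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1,               # deletion
                         cur[j - 1] + 1,            # insertion
                         prev[j - 1] + (ca != cb))  # substitution
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(sender, trusted, max_distance=2):
    """Return (verdict, closest_trusted_address_or_None).

    'trusted'   : exact match with a known contact
    'lookalike' : within max_distance edits of a known contact, not equal
    'unknown'   : not close to any known contact
    """
    s = sender.strip().lower()
    known = sorted({t.strip().lower() for t in trusted})
    if s in known:
        return ("trusted", s)
    if not known:
        return ("unknown", None)
    closest = min(known, key=lambda t: edit_distance(s, t))
    if edit_distance(s, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


TRUSTED = ["assistant@example-realty.test", "accounts@example-realty.test"]

if __name__ == "__main__":
    for addr in ["assistant@example-realty.test",   # exact match
                 "assistant@exampe-realty.test",    # one letter dropped
                 "asisstant@example-realty.test",   # two letters swapped
                 "billing@vendor.test"]:            # unrelated sender
        print(addr, "->", classify_sender(addr, TRUSTED))
```

A "lookalike" verdict on a payment request is a reason to confirm the request through a separate channel before any money moves.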

  3. ExecuPharm – March (Unknown Impact)

The US pharmaceutical company ExecuPharm fell victim to a ransomware attack in March this year; its impact is unknown.

The attack was the result of a phishing campaign targeting ExecuPharm’s employees, which gave the attackers access to the company’s servers. Once they had access, the hackers managed to encrypt the data on them and demanded a ransom from ExecuPharm, which the company refused to pay. As a result, the attackers published the data on the dark web.

The stolen data included emails of employees, user documents, financial records, database backups and possibly other PII, including SSNs, bank account numbers and credit card numbers.

  4. Magellan Health – April (Undisclosed Number of Employees)

On 11th April, Magellan Health discovered a ransomware attack and a data breach that occurred a few days prior. 

In a letter sent out on 12th May and signed by Magellan’s Senior Vice President & Chief Compliance Officer John J. DiBernardi Jr., the company said:

“On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client. Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information.”

The company, which employs 10,500, did not disclose the exact number of affected employees.

  5. Imperium Health – April (Almost 140,000 Patients)

In a memo sent out in September, Imperium Health Management, Louisville, notified 139,114 of its users that their protected health information might have been compromised in a phishing attack.

The company learned of the attack at the end of April, and an investigation by a third-party cybersecurity forensics firm revealed that the breach was the result of two employees responding to a phishing email on 21st and 24th April.

The compromised accounts contained patient names, dates of birth, addresses, Medicare numbers, Medicare Health Insurance Claim Numbers (which often include Social Security Numbers), health insurance info, medical record numbers, account numbers and other protected health information (PHI).

  6. Polk County Tax Collector – July (450,000 People)

The office of Joe Tedder, the Polk County (Lakeland, Florida) tax collector, reported in July that it was the victim of a data breach on 23rd June that affected 450,000 people in that county.

According to the tax collector’s office, the breach happened when one of his employees opened an email attachment that contained malware.

Tedder said:

“We believe exposure was very limited. We have no evidence that it was misused in any way. We want to let people know out of an abundance of caution to encourage people to monitor their own records and documents as they would under any situation.”

  7. EyeMed Tufts Health Plan – December (60,545 Members)

On 1st July, 2020, EyeMed discovered that certain PHI of 60,545 members of Tufts Health Plan was compromised in an email phishing attack in June.

The compromised account contained names, dates of birth, phone numbers, addresses, email addresses, health insurance accounts and ID numbers, Medicaid and Medicare numbers, birth and marriage certificates, government-issued ID numbers, social security numbers, medical diagnoses, treatment info, passport numbers and other protected health information.

Tufts Health Plan was notified of the breach in September, and the affected members were offered a complimentary 2-year membership to identity protection and credit monitoring services.

Conclusion

Could these data breaches have been prevented?

Yes, with better email security awareness and employee education and training on how to identify common email scams and what to do if someone clicks on a phishing email.

Had that been the case, these organizations wouldn’t have lost millions of dollars, and their customer records wouldn’t have ended up in the hackers’ hands.

Finally, use a secure email service like CTemplar, which will protect your email data with end-to-end 4096-bit OpenPGP encryption and salted and hashed passwords for sign-up and authentication.