Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

October 27 | Fwd:Thinking. The Intelligent Security Summit (Powered by Tessian). Save Your Seat →

52% of U.S. Healthcare Insurance Providers At Risk of Email Impersonation During Open Enrollment

  • By John Filitz
  • 05 September 2022

Over half of the top 25 U.S. healthcare insurance providers are at risk of having their domain spoofed by threat actors looking to target individuals via advanced phishing and email impersonation attacks as open enrollment begins on 1 November 2022. 

 

In our analysis, we found that 52% of the top healthcare insurance providers in the U.S. do not have DMARC – Domain-based Message Authentication, Reporting & Conformance – policies set up to the strictest settings or don’t have it set up at all to prevent abuse of the domain on email. 

 

Why is DMARC important in preventing impersonation on email? 

 

Nearly all cyberattacks in enterprises start with a successful spear phishing attack. This often involves a threat actor directly impersonating an email domain of a recognizable, trusted or well-known organization. 

There are a number of policies and protocols that prevent direct impersonation of an organization’s domain on email. In its simplest form, SPF and DKIM are email authentication records that allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how to respond to emails that fail these SPF or DKIM checks – generally reject, quarantine, or take no action.

 

In the absence of authentication records, bad actors could easily create legitimate-looking emails with the domain extension, while the recipient of the malicious emails wouldn’t be able to validate the sender’s authenticity. 

 

In the case of the insurance providers that do not have DMARC records in place – or do not have the DMARC policies set up to ‘reject’ – there is a very real opportunity for threat actors to impersonate the provider’s domain in spear phishing campaigns, convincing their targets they are opening a legitimate email from their healthcare insurance provider. 

 

What risk does this pose to individuals? 

 

Open enrollment – the yearly period in which people in the U.S. can enroll in a health insurance plan for the next calendar year – begins on 1 November 2022. 

 

As open enrollment becomes available for employees and people seeking healthcare options, threat actors will likely take advantage of this time to target unsuspecting people – using the timely hook as a lure in their scams. We’ve noted in previous blogs how cybercriminals take advantage of timely or trending moments to make their phishing attacks more convincing. 

 

By impersonating a trusted insurance provider, cybercriminals could trick people into sharing personally identifiable information including social security numbers, financial information, or even confidential medical details which – if gotten into the wrong hands – could be used to perpetrate identity fraud. 

Advisory to healthcare insurance companies and the public

 

As open enrollment begins,  healthcare insurance providers must ensure they are taking every measure to protect their domain from misuse over email. 

 

Conversely, it’s important that employees signing up to new benefits – as well as HR personnel – are made aware of the potential scams that could land in their inbox during this period. Advise people that if they do receive an email from their provider, asking for urgent action or financial information, they must take the time to check it and question the legitimacy of any requests. If they’re ever unsure, they should always contact the insurance company directly to verify or only read correspondence in the insurance provider’s portal. 

 

An more intelligent approach to email impersonation attacks

 

While DMARC is certainly a necessary first step to prevent domain impersonation over email, it’s not without its shortcomings and cybercriminals can find ways around it. 

 

For example, DMARC won’t stop lookalike domains, and there’s nothing stopping threat actors from registering look-a-like domains, betting on the fact that victims may not notice the slight change. Furthermore, DMARC records are inherently public, and an attacker can use this information to select which domains they can directly impersonate, their targets and their attack methods, simply by identifying providers that do not have DMARC policies configured to the strictest settings. 

 

In addition to ensuring DMARC records are set to the strictest standards, security teams at healthcare insurance providers should also question whether they are equipped to safeguard against email scams. They should consider whether a more intelligent approach to email security is needed to stop staff and customers falling victim to advanced email impersonation attacks. 

 

To see how the Tessian Cloud Email Security platform intelligently prevents advanced email threats and impersonation attacks, watch a product overview video or book a demo with us today.

John Filitz Research Lead & Sr. Technical Writer