The healthcare industry remains a prime target for hackers, with more breaches occurring in healthcare than in any other industry. In 2025, according to the Ponemon Sullivan Privacy Report, 53% of those they surveyed were vulnerable to business email compromise (BEC) attacks. Business email compromise is a tried and tested method for cybercriminals to slip into an inbox, mimicking someone trusted using email fraud.

Related: HIPAA compliant email: The definitive guide (2026 update)

 

Healthcare: the most targeted sector

According to the FBI in its 2025 IC3 Annual Report, the healthcare industry ranked as the top targeted sector for cyber threats in 2025, with 460 known ransomware attacks and 182 data breaches. Cybercriminals target healthcare because patients’ protected health information (PHI) is central to proper patient care. A single compromise can cause a long list of issues for a healthcare organization, and unfortunately, the healthcare industry has numerous threat vectors.

Hackers know that disabling a health network can make it difficult for healthcare organizations to properly treat patients. That’s why it's not unheard of for a covered entity to pay a ransom to have its systems restored, even though there are signs that organizations making payments is changing.

Financial gain remains the primary motivation behind healthcare data theft because of the opportunities for multiple forms of fraud. Criminal marketplace pricing clearly demonstrates the demand: a driver’s license reportedly sells for about $20, while a complete identity package can sell for $1,000. Stolen PHI can be used for identity theft and to impersonate patients needing medical services.

 

What is business email compromise?

Business email compromise attacks are targeted schemes in which attackers impersonate someone trusted to trick their victims into transferring money, sharing sensitive data, or granting access to internal systems. Such attacks are a type of targeted social engineering that uses credential theft, phishing, or direct emailing schemes to compromise a person or a system. These criminals can make a request look ordinary enough to pass as part of everyday business.

The FBI’s 2025 IC3 Annual Report (above) stated that BEC generated about $3 billion in reported losses across all industries and that healthcare's complex systems provide multiple access points for BEC attacks. Healthcare organizations process high volumes of payments, transactions, and billing communications, making them even more attractive targets to cybercriminals.

Business email compromise ranks among the most expensive forms of cybercrime because hackers play directly on trust and routine to exploit the growing reliance on email. Especially for healthcare providers, as exposed or stolen PHI presents a huge problem to staff and patients.

See also: Examples of business email compromises

 

How attackers use BEC tactics

Unlike phishing attacks, BEC emails typically contain no malicious links or attachments. Instead, attackers rely on impersonation, deception, timing, and knowledge to make fraudulent requests or nudges appear legitimate. Attackers can compromise email accounts through credential theft or spoof email addresses that closely resemble real company domains. They can register lookalike domains that differ from legitimate domains by only a single character, further increasing the credibility of fraudulent messages.

Researchers from arXiv note that BEC attacks “blend into normal business communication,” making them harder for employees and automated filters to identify. Many organizations rely on email to approve invoices, process payments, and coordinate vendor transactions, which allows attackers impersonating higher-ups or vendors to redirect funds before the fraud is detected.

Business email compromise attackers research their targets using publicly available information, including company websites, LinkedIn profiles, press releases, and vendor details. Victims easily connect with BEC attackers, who understand how to manipulate tired and stressed employees, such as healthcare workers. A recent study by JAMA Network notes that healthcare employees are very susceptible to such scams.

 

What is new about BEC attacks?

Modern BEC attacks are similar to modern phishing tactics in that cybercriminals are able to use advanced technologies to better create contextualized, grammatically perfect emails that copy legitimate business communications. Moreover, attackers can use these advanced technologies, such as AI and machine learning (ML), to research their victim (and multiple victims at the same time) for more accurate targeting. In other words, today’s attacks have evolved past basic spoofing and can create truly realistic emails.

Attackers still rely on social engineering, but have been able to employ a variety of tactics such as:

  • Credential theft
  • Domain impersonation
  • Vendor email impersonation
  • Inbox infiltration through MFA fatigue
  • Session hijacking

Better written messages exploit human trust and can avoid simple detectors. Advanced tools help attackers create highly personalized messages that are realistic, simulate writing styles, and automate reconnaissance. Scammers can hit multiple targets simultaneously, hijacking multiple conversations, and coordinate over multiple channels, such as voicemail or telephone, not just email.

 

The impact of BEC attacks

BEC remains one of the most costly forms of cybercrime. A recent study on malicious traffic reported that “in 2022 alone, BEC attacks resulted in losses of nearly USD 2.7 billion globally, which is an escalation of approximately USD 350 million from the preceding year (2021), and a notable surge of around USD 860 million from the year 2020.” FBI data from 2024 recorded 21,442 BEC incidents and about $2.77 billion in losses from that year. As stated above, the FBI’s 2025 report said that BEC cost organizations about $3 billion that year.

Statistics suggest that the numbers will climb in 2026. When it comes to healthcare, 70% of those surveyed by the Ponemon Sullivan Report say that BEC attacks against them disrupted patient care. Other health-related consequences include shutdown services, unusable electronic record systems, high financial burdens, and patients withdrawing due to mistrust.

A single stolen login can open access to electronic health records, billing systems, insurance claims, and internal communications with colleagues who trust that sender.

More about: Why BEC is today’s biggest email threat

 

Cybersecurity strategies for HIPAA compliance

Preventing BEC attacks requires a comprehensive cybersecurity approach. There are several tactics that could be used effectively by healthcare organizations when creating a layered, consolidated security system.

  1. Establish up-to-date policies and procedures
  2. Keep systems, software, and security features aligned with advanced technologies
  3. When creating a business associate agreement (BAA) with third parties, address their email security as much as your own
  4. Use continuous employee awareness training on email scams
  5. Ensure proper technological safeguards, such as data encryption
  6. Utilize strong access controls like mandatory passwords and multifactor authentication
  7. Configure email servers to block invalid domains
  8. Keep communication channels secure
  9. Perform risk assessments and penetration tests regularly
  10. Create data backup and disaster recovery plans in case of an incident, especially possible double or triple extortion
  11. Regularly audit and monitor systems
  12. Have an incident response plan ready in case it is needed

HIPAA compliance regulations aim to protect health information. Adhering to HIPAA standards with a defensive approach helps providers protect privacy, leading to stronger systems and better patient outcomes.

 

Leveraging advanced cybersecurity strategies

Advanced technologies, such as AI, can play a significant role in enhancing cybersecurity defenses while also contributing to their vulnerabilities. While criminals can exploit weaknesses with advanced technology, healthcare organizations can invest in solutions that provide real-time threat detection and response capabilities. Generative AI is a ML model that can create new outputs based on patterns learned from existing data.

Artificial intelligence has access to many data points like sender behavior, email metadata, and historical communication patterns to proactively identify and prevent BEC attempts at a larger scale than human employees. Generative AI examines the content, tone, sender history, timing, and context of messages. In healthcare, generative AI allows advanced data analysis, predictive modeling, and automation.

Implementing such strategies can help healthcare organizations use the benefits of advanced technologies without compromising patient privacy.

 

Paubox Email Suite and AI

Paubox Email Suite is a HIPAA compliant email solution designed for healthcare organizations to securely communicate PHI without disrupting workflow. Paubox seamlessly encrypts all outbound emails, delivering them directly to recipients’ inboxes. It integrates with existing email platforms like Google Workspace and Microsoft 365, ensuring seamless security while maintaining ease of use.

Business email compromise can be prevented and mitigated through several Paubox tools:

  • AI-powered detection
  • Zero trust filtering
  • Zero-step encryption
  • HITRUST Certification

Its generative AI offers a secure email solution for organizations seeking a cybersecurity option tailored to one of their most vulnerable outputs. Traditional filters often miss messages that appear normal, so attackers slip through. Finally, Paubox’s Inbound Email Security is designed to plug those gaps by combining AI, pattern recognition, and domain protections.

 

FAQs

What is the difference between phishing and BEC?

Phishing usually involves sending generic messages to large numbers of recipients. Business email compromise targets specific organizations or individuals and impersonates trusted contacts to manipulate financial or operational decisions.

 

Why are BEC attacks so financially damaging?

BEC attacks exploit legitimate payment processes. Once an employee authorizes a wire transfer or payment change, funds may move through multiple accounts quickly, making recovery difficult.

 

Do BEC attacks always involve hacked email accounts?

No. Some attacks rely on spoofed email addresses that resemble legitimate domains, while others involve fully compromised accounts where attackers monitor real conversations.

 

Which employees are most commonly targeted in BEC attacks?

Finance teams, executives, HR departments, and procurement staff are frequent targets because they often handle payments, payroll, and sensitive documents.

 

Can security tools alone stop BEC attacks?

Technology helps detect suspicious activity; however, verification procedures and employee awareness are equally important, given BEC's reliance on social engineering.

 

What should I do if my business falls victim to a BEC attack?

  • Report the incident immediately to your IT/security team and the FBI’s IC3 unit.
  • If payments have been made, contact your bank to try to recall the transaction.
  • Conduct an internal investigation to understand how the attack succeeded and take steps to strengthen defenses to prevent recurrence.