AHA: Rise in Scams Targeting IT Help Desks for Payment Fraud
Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific
American Hospital Association Warns of Social Engineering Schemes
Threat actors are targeting hospital IT help desks with elaborate social engineering scams to commit payment fraud by using stolen credentials from billing and payments employees, the American Hospital Association warned.
See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding
Social engineering schemes for payment fraud aren’t new, but the latest attacks against hospitals appear to be rising and take a fresh twist.
“The identification and targeting of employees with specific financial roles, combined with stolen personally identifiable information, password reset and new device authorization appears to a relatively new phenomenon,” John Riggi, national adviser for cybersecurity and risk at the AHA, told Information Security Media Group.
The AHA in an alert to members Friday said the schemes involve what is “presumably” foreign-based threat actors calling IT help desks and using stolen personal identifiable information of billing department employees to answer security questions posed by the IT help desk workers.
In the scheme, the fraudster requests a password reset and asks to enroll a new device, such as a smartphone, to receive multifactor authentication codes, the AHA said.
“This new device will often have a local area code. This effectively defeats multifactor authentication, including SMS text and higher-level ‘phishing-resistant’ MFA, to provide full access to the compromised employee’s email account and other applications.”
The compromised employee’s email account is used to change instructions with payment processors and to divert legitimate payments to fraudulent U.S. bank accounts. “As with other payment diversion schemes, it is believed the funds are ultimately transferred overseas,” the alert says.
“We know anecdotally that dozens if not more, in multiple states, from large to small hospitals, have been targeted” with recent attacks, Riggi told ISMG.
The AHA recommends that organizations immediately notify their financial institutions and report the incident to the FBI. In many cases, the FBI has helped in recovering the diverted money when notifications are made within 72 hours of the payment diversion, Riggi said.
Organizations can reduce the risk of falling victim to these schemes by implementing “strict” IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices, Riggi said.
Organizations should also consider contacting the supervisor on record when an employee makes such a request, he said.
One large unnamed healthcare organization now requires employees making password reset or new device enrollments requests to appear in person at the IT help desk, Riggi said.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said that the H-ISAC has been aware of IT help desk social engineering schemes targeting the health sector entities since mid-2022, while variations of the scams have been happening even longer in some other industries.
“Ten years ago in the banking sector, I saw cybercriminal groups use these same social engineering tactics to obtain sensitive information, get access to company accounts, and use all that to perpetrate fraud,” he said.
“The threat actors call the help desk to gain unauthorized access to corporate accounts and sensitive information. The information is typically used to further scams or fraudulent activity like business email compromise,” he said.
“It’s the same scam today, just leveraging helpful IT help desk support staff,” Weiss said.
Moving forward, AI-fueled attacks, including those involving deepfakes, potentially make matters even more difficult for entities to detect and prevent falling victim to social engineering schemes.
“The problem is: IT help desks are being fooled by threat actors to reset MFA credentials and send them authorization codes,” Weiss said.
“Organizations can implement more thorough checks like having the employee’s supervisor validate the request or use technology like voice recognition to enhance the process,” he said.