Credential Phishing Targets Hospital IT Desks

Socially engineered attacks have nothing social about them. In fact, some say a better name would be "anti-social attacks." Names aside, tricking people into divulging their PII in ways that benefit an attacker is what these scams aim to do. The American Hospital Association (AHA) has shared what it knows about how these social engineering attacks are making the rounds at hospital IT help desks.

The AHA says IT help desks are contacted by phone, and the social engineering attacks target employees in financial roles. Attackers use the following steps to set up the financial fraud, starting with compromising the staffer's email account.

How The Scheme Plays Out

The attacker, likely calling from overseas, phones the hospital IT help desk and uses stolen employee PII to answer the help desk's security questions.

The attacker then requests an email password reset and enrolls a new device to receive MFA (multi-factor authentication) codes. The new device, often a smartphone, has a phone number with a local area code.

With MFA bypassed, the attacker has full access to the employee's now compromised email account and other useful apps.

Once inside, the attacker gets to work abusing the financial staffer's stolen email account. They alter payment instructions held by PSPs (payment service providers), redirecting payments to fraudulent U.S. bank accounts. From there, the hijacked funds likely end up in overseas accounts.

How Hospital IT Desks Fight Back

One thing to remember is these fraudsters are slick without missing a beat — they're cons without a conscience. So, what can a hospital IT desk do to help stop these attacks? First, anyone who requests a password change and enrolls a new device over the phone should be called back at the employee phone number on file.

Then, IT should ask questions based on employee information it already holds and has independently verified. Contacting the employee's supervisor adds another layer of verification. One hospital that has already been hit by these attacks now requires any employee making these changes to appear in person, which may not work for everyone but is worth considering.
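The attack chain above (help-desk password reset, new MFA device, then changed payment instructions) and the callback check described here can be turned into a simple correlation rule for a help-desk or identity log. The example below is added here and is not from the AHA or the article; the event names, ticket ids, phone numbers and the callback-verification record are all constructed assumptions.

```python
"""Added example: flag MFA enrollments that closely follow a help-desk password reset,
escalating when no callback verification was recorded or a payment change follows."""
from datetime import datetime, timedelta

# Constructed sample events (not real hospital logs): (timestamp, user, event, detail)
EVENTS = [
    ("2024-03-05T09:02:00", "j.doe", "helpdesk_password_reset", "ticket=HD-1001"),
    ("2024-03-05T09:07:00", "j.doe", "mfa_device_enrolled", "phone=+1-312-555-0100"),
    ("2024-03-05T09:40:00", "j.doe", "payment_instruction_changed", "psp=vendor-portal"),
    ("2024-03-06T14:00:00", "a.smith", "helpdesk_password_reset", "ticket=HD-1010"),
    ("2024-03-06T14:20:00", "a.smith", "mfa_device_enrolled", "phone=+1-617-555-0199"),
]
# Tickets where the help desk recorded a callback to the number on file (constructed).
CALLBACK_VERIFIED = {"HD-1010"}

RESET_TO_MFA = timedelta(hours=1)      # reset followed by a new MFA device
MFA_TO_PAYMENT = timedelta(hours=24)   # new device followed by a payment change


def flag_account_takeovers(events, verified_tickets):
    """Return {user: [reasons]} for accounts whose MFA enrollment closely follows a
    help-desk reset; a missing callback record and a later payment change add reasons."""
    findings = {}
    last_reset = {}   # user -> (time, ticket) of the most recent help-desk reset
    last_enroll = {}  # user -> time of an enrollment that was already flagged
    for ts, user, kind, detail in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "helpdesk_password_reset":
            last_reset[user] = (t, detail.split("=", 1)[1])
        elif kind == "mfa_device_enrolled" and user in last_reset:
            reset_time, ticket = last_reset[user]
            if t - reset_time <= RESET_TO_MFA:
                reasons = ["mfa_enrolled_shortly_after_helpdesk_reset"]
                if ticket not in verified_tickets:
                    reasons.append("no_callback_verification_on_" + ticket)
                findings[user] = reasons
                last_enroll[user] = t
        elif kind == "payment_instruction_changed" and user in last_enroll:
            if t - last_enroll[user] <= MFA_TO_PAYMENT:
                findings[user].append("payment_instructions_changed_after_new_device")
    return findings


if __name__ == "__main__":
    for user, reasons in flag_account_takeovers(EVENTS, CALLBACK_VERIFIED).items():
        print(user, reasons)
```

In the sample data, j.doe is flagged with all three reasons while a.smith is flagged only for the timing, because the help desk recorded a callback on that ticket.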

There is no doubt that cybercriminals are ratcheting up their social engineering sophistication, and the idea that AI is helping them is troubling but true. Mitigating these social engineering attacks depends on verifying what can be verified and accepting nothing less. Thank you for sharing, AHA.
