FBI warns healthcare industry of surge in payment scams

Cybercriminals use social engineering and phishing to steal payments

Marianne Kolbasuk McGee (HealthInfoSec) • September 19, 2022

Cybercriminals are stealing multimillion-dollar payments from healthcare payment processors by compromising user login credentials, the FBI warns the healthcare industry.


In an alert on Wednesday, federal agents said they had received several reports of cybercriminals redirecting vendor payments into their pockets.

In recent incidents, cybercriminals have used publicly available employee personally identifiable information and deployed social engineering techniques to impersonate healthcare providers and gain access to healthcare portals, payment information and websites, according to the FBI.

In one incident in February, an attacker altered an unnamed hospital’s direct deposit information to divert $3.1 million in payments to a consumer checking account.

In April, an unnamed healthcare company with more than 175 medical providers discovered that a threat actor had impersonated an employee and changed the automated clearing house instructions of one of the entity's treatment providers to direct the payments to the cybercriminal.

In this scam, the cybercriminal managed to embezzle approximately $840,000 over two transactions before the fraud was discovered, according to the FBI.

During a seven-month period between June 2018 and January 2019, cybercriminals targeted and accessed at least 65 healthcare payment processors in the United States, replacing legitimate customer banking and contact information with accounts controlled by attackers. One of these victims reported a loss of approximately $1.5 million.

“Cybercriminals will continue to target healthcare payment processors through various techniques, such as phishing campaigns and social engineering, to spoof help desks and gain user access,” warns the FBI.

Attractive Target

From a strategic perspective, the healthcare industry contains an attractive pool of potential victims, says retired FBI supervising agent Jason Weiss, now an attorney at the law firm Faegre Drinker Biddle & Reath LLP.

Its members “generally focus on helping people, first and foremost, on people’s health.” Meanwhile, the health care price shock means patients have more reason than ever to visit clinics to discuss their bills.

When users from victim organizations are targeted by phishing and social engineering scams to “help” solve a payment problem, some are prone to fall for the trap, Weiss says. “It’s basic human nature.”

Cybercriminals are profit-driven and will tailor their activities to where the money is, says attorney Erik Weinick of law firm Otterbourg PC and steering committee member of the Secret Service’s Cyber Fraud Task Force.

“Law enforcement is increasingly successful in recovering ransoms paid via cryptocurrency, so criminals may believe that the types of scams described in the FBI bulletin are more likely to allow them to retain their ill-gotten gains,” he said.

“Cybercriminals are incredibly patient and have been known to spend months or more learning about individuals and organizations in order to gain access, and then once they gain access, they wait even longer to gain more knowledge that allows them to increase the gravity and scale of their crime,” he says.

While cybercriminals have long targeted healthcare and other sectors in business email compromise and similar schemes, Weinick speculates that the recent FBI alert is linked to an increase in intrusions “attributed to the rapid creation of remote access without putting enough emphasis on security at the height of the COVID-19 crisis.”

Indicators of Compromise

The FBI advises entities to watch for one of many potential indicators that cybercriminals are trying to gain access to user accounts.

Indicators include:

  • Phishing emails targeting the financial services of healthcare payment processors;
  • Alleged attempts at social engineering to gain access to internal files and payment portals;
  • Unwarranted changes to the configuration of the e-mail exchange server and custom rules for specific user accounts;
  • Requests within a short time frame for employees to reset both passwords and multi-factor authentication phone numbers;
  • Employees reporting that they are locked out of payment processor accounts due to failed password recovery attempts.

Taking Action

In its alert, the FBI recommends that the healthcare industry take steps to reduce the risk of being victimized, including deploying multi-factor authentication where possible for all accounts and login credentials. “Viable choices such as hardware tokens enable software access and identity verification with a physical device instead of authentication codes or passwords.”

Entities should review and amend contract renewals as necessary to include the inability to change both credentials and multi-factor authentication phone numbers within the same time frame.
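
One way to check account audit logs for two of the indicators above: a password reset and a multi-factor authentication phone number change for the same user within a short time frame, and lockouts that follow repeated failed recovery attempts. This is an added example, not code from the FBI alert or the article; the log format, event names, 24-hour window and failure threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: "timestamp user action". The action names
# are assumptions; map them to what your identity provider or portal logs.
SAMPLE_EVENTS = """
2022-09-12T08:01:10 jdoe password_reset
2022-09-12T08:14:42 jdoe mfa_phone_change
2022-09-12T09:30:00 asmith password_reset
2022-09-15T11:00:00 asmith mfa_phone_change
2022-09-13T10:00:00 bnguyen recovery_failed
2022-09-13T10:02:00 bnguyen recovery_failed
2022-09-13T10:03:30 bnguyen recovery_failed
2022-09-13T10:04:00 bnguyen account_locked
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return sorted(events)  # chronological order

def paired_changes(events, window=timedelta(hours=24)):
    """Map user -> (first, second) timestamps when a password reset and an
    MFA phone change both happen within `window` (assumed: 24 hours)."""
    pair = {"password_reset": "mfa_phone_change",
            "mfa_phone_change": "password_reset"}
    last, flagged = defaultdict(dict), {}
    for ts, user, action in events:
        if action not in pair:
            continue
        prev = last[user].get(pair[action])
        if prev is not None and ts - prev <= window:
            flagged.setdefault(user, (prev, ts))
        last[user][action] = ts
    return flagged

def lockouts_after_failed_recovery(events, min_failures=3,
                                   window=timedelta(minutes=30)):
    """Users locked out after >= min_failures failed recoveries in `window`."""
    failures, flagged = defaultdict(list), []
    for ts, user, action in events:
        if action == "recovery_failed":
            failures[user].append(ts)
        elif action == "account_locked":
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= min_failures:
                flagged.append(user)
    return flagged
```

A hit from either function is a prompt for the IT or security team to verify the change with the employee through a separate channel before any payment instructions are updated.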

“Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets, including two-factor authentication phone numbers within a short period of time to IT and security departments for investigation,” the FBI advises.

Brett Callow, a threat analyst at security firm Emsisoft, says healthcare providers should consider implementing “phishing-resistant” multi-factor authentication to better protect themselves.

The FBI alert says devices with local administrative accounts should have a password policy that requires strong, unique passwords for each administrative account. Likewise, all accounts with password logins — such as service accounts, administrator accounts, and domain administrator accounts — should require “strong and unique passphrases,” according to the FBI.

According to the FBI, personnel should also be trained to identify and report phishing, social engineering and impersonation attempts, and organizations should perform regular network security assessments, including penetration tests and vulnerability scans.
