
Credential Phishing Targets Hospital IT Desks

Published: May 04, 2024 on our newsletter Security Fraud News & Alerts Newsletter.



Social engineering attacks end with nothing social about them; some say a better name would be "anti-social attacks." Names aside, these scams trick people into handing over information or access that benefits the attacker. The American Hospital Association (AHA) has shared what it knows about a social engineering campaign making the rounds at hospital IT help desks.


According to the AHA, the attackers phone the IT help desk and impersonate employees in financial roles. The scheme begins with taking over the staffer's email account and proceeds through the following steps to commit payment fraud.


How The Scheme Plays Out


The attacker, likely based overseas, calls the hospital IT help desk and uses stolen employee PII to answer the help desk's identity verification questions.


The attacker then requests a password reset for the employee's email account and asks to enroll a new device to receive MFA (multi-factor authentication) codes. The new device, often a smartphone, typically has a local area code so the number does not look out of place.


Because the attacker now controls the enrolled MFA device, the MFA check no longer stands in the way: the attacker has full access to the employee's compromised email account and any other applications that trust the same login.


Once inside, the attacker puts the financial staffer's email account to work. They change the payment instructions held by PSPs (payment service providers) so that payments are routed to fraudulent U.S. bank accounts, from which the hijacked funds are likely moved on to overseas accounts.
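The reset-then-enroll sequence described above leaves a trace in identity-provider audit logs that defenders can look for: a help-desk-assisted password reset followed within minutes by enrollment of a new MFA device for the same account. The Python script below is an added example, not code from the AHA or from this newsletter. It uses a constructed, generic event schema (the event names, field names, sample records and the FINANCE_USERS set are all assumptions rather than any real product's log format) and flags each enrollment that closely follows a help-desk reset, raising severity when the account belongs to a user in a financial role.

```python
"""Detect help-desk password resets that are quickly followed by MFA device
enrollment for the same account.

Added illustration for the AHA-described scheme; the event schema, sample
records and role lookup below are constructed assumptions, not any identity
provider's real log format.
"""
from datetime import datetime

# Constructed sample audit events (not real logs) in an assumed generic schema.
SAMPLE_EVENTS = [
    {"ts": "2024-04-02T14:01:10", "user": "a.jones", "event": "helpdesk_password_reset",
     "actor": "helpdesk.operator3", "detail": "ticket=HD-2281 channel=phone"},
    {"ts": "2024-04-02T14:06:42", "user": "a.jones", "event": "mfa_device_enrolled",
     "actor": "a.jones", "detail": "method=sms number=+1-312-555-0147"},
    {"ts": "2024-04-02T14:09:05", "user": "a.jones", "event": "login_success",
     "actor": "a.jones", "detail": "ip=203.0.113.8"},
    # Reset and enrollment more than a day apart: looks like a routine device change.
    {"ts": "2024-04-02T09:15:00", "user": "b.smith", "event": "helpdesk_password_reset",
     "actor": "helpdesk.operator1", "detail": "ticket=HD-2270 channel=phone"},
    {"ts": "2024-04-03T16:40:00", "user": "b.smith", "event": "mfa_device_enrolled",
     "actor": "b.smith", "detail": "method=app"},
    # Enrollment with no preceding help-desk reset at all.
    {"ts": "2024-04-02T11:00:00", "user": "c.lee", "event": "mfa_device_enrolled",
     "actor": "c.lee", "detail": "method=app"},
]

# Assumed result of a directory lookup for accounts in financial roles.
FINANCE_USERS = frozenset({"a.jones", "b.smith"})


def parse_events(events):
    """Return a copy of the events with 'ts' parsed to datetime, sorted by time."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def find_reset_then_enroll(events, window_minutes=60, finance_users=frozenset()):
    """Pair each MFA enrollment with the most recent help-desk reset of the same
    account, and emit an alert when the two are no more than window_minutes apart.

    Severity is 'high' for accounts in finance_users (the roles the scheme
    targets) and 'medium' otherwise.
    """
    alerts = []
    last_reset = {}  # user -> timestamp of the most recent help-desk reset
    for e in parse_events(events):
        if e["event"] == "helpdesk_password_reset":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "mfa_device_enrolled":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is None:
                continue  # no help-desk reset on record for this account
            gap_minutes = (e["ts"] - reset_ts).total_seconds() / 60
            if gap_minutes > window_minutes:
                continue  # too far apart to treat as one sequence
            alerts.append({
                "user": e["user"],
                "reset_ts": reset_ts.isoformat(),
                "enroll_ts": e["ts"].isoformat(),
                "minutes_between": round(gap_minutes, 1),
                "enroll_detail": e["detail"],
                "severity": "high" if e["user"] in finance_users else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_enroll(SAMPLE_EVENTS, finance_users=FINANCE_USERS):
        print(alert)
```

Run against the constructed events, only a.jones is flagged: a phone-channel reset followed five and a half minutes later by enrollment of an SMS device, on an account in a financial role. The window is deliberately a parameter; an hour catches the sequence as the AHA describes it while leaving a genuine device replacement a day later alone. In a real deployment the same logic would also be worth pairing with a check for new mailbox rules or payment-detail changes shortly after the enrollment, which is the next step the scheme takes.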



How Hospital IT Desks Fight Back


One thing to remember is that these fraudsters are slick and do not miss a beat; they are cons without a conscience. So, what can a hospital IT help desk do to stop these attacks? First, anyone who requests a password change or new device enrollment over the phone should be called back at the employee's phone number on file, not at a number the caller provides.


Then, IT should verify the caller against information the organization already holds about the employee and has independently confirmed, rather than details the caller supplies. Contacting the employee's supervisor adds another layer of verification. One hospital that has already fallen victim to these attacks now requires any employee making such changes to appear in person; that may not work for every organization, but it is worth considering.


There is no doubt that cybercriminals are ratcheting up the sophistication of their social engineering, and the prospect of AI helping them is troubling but real. Mitigating these attacks depends on verifying what can be verified and accepting nothing less. Thank you for sharing, AHA.


Want to schedule a conversation? Please email us at advisor@nadicent.com
