Cybercriminals Using Social Engineering, Phishing to Divert Payments
Cybercriminals are stealing multimillion-dollar payouts from healthcare payment processors by compromising user login credentials, the FBI warns the healthcare industry.
In a Wednesday alert, federal agents say they’ve received multiple reports of cybercriminals redirecting into their pockets payments from providers.
In recent incidents, cybercriminals used employees’ publicly available personally identifiable information and deployed social engineering techniques to impersonate care providers and gain access to healthcare portals, payment information and websites, the FBI says.
In one February incident, an attacker changed an unnamed hospital’s direct deposit information to divert $3.1 million in payments into a consumer checking account.
In April, an unnamed healthcare company with more than 175 medical providers discovered that a threat actor had posed as an employee and changed automated clearinghouse instructions of one of the entities’ payment processing vendors to direct payments to the cybercriminal.
In that scam, the cybercriminal successfully diverted about $840,000 dollars over two transactions prior to discovery of the fraud, the FBI says.
During a seven-month period between June 2018 and January 2019, cybercriminals targeted and accessed at least 65 healthcare payment processors in the United States, replacing legitimate customer banking and contact information with accounts controlled by the attackers. One of those victims reported a loss of approximately $1.5 million.
“Cybercriminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access,” the FBI warns.
From a strategic standpoint, the healthcare sector contains an attractive pool of potential victims, says retired supervisory FBI agent Jason Weiss, now an attorney at law firm Faegre Drinker Biddle & Reath LLP.
Its members are “usually focused on helping people, first and foremost, getting people healthy.” Meanwhile, the sticker shock of healthcare costs means patients have more reasons than ever to call into clinics to discuss their bill.
When users at victim organizations are targeted through phishing and social engineering scams to “help” work out a payment problem, some are inclined to fall for the schemes, says Weiss. “It is basic human nature.”
Cybercriminals are motivated by profit and will adjust their activities to wherever the money is, says attorney Erik Weinick of the law firm Otterbourg P.C. and a member of the Secret Service’s Cyber Fraud Task Force Steering Committee.
“Law enforcement has been increasingly successful in recovering ransoms paid via cryptocurrency, so the criminals may believe that the types of scams described in the FBI bulletin are more likely to allow them to retain their ill-gotten gains,” he says.
“Cybercriminals are incredibly patient and have been known to spend months or longer learning about individuals and organizations in order to gain access, and then once they have access, further biding their time to gain more knowledge that allows them to increase the severity and magnitude of their crime,” he says.
While cybercriminals have long targeted healthcare and other sectors in business email compromise and similar schemes, Weinick speculates that the FBI’s recent alert is linked to an increase in intrusions “attributable to quick build-outs of remote access without a sufficient emphasis on security during the height of COVID-19.”
Indicators of Compromise
The FBI advises entities to watch for any of a number of potential indicators that cybercriminals are attempting to gain access to user accounts.
The indicators include:
- Phishing emails targeting the financial departments of healthcare payment processors;
- Suspected social engineering attempts to obtain access to internal files and payment portals;
- Unwarranted changes in email exchange server configuration and custom rules for specific user accounts;
- Requests within a short time frame for employees to reset passwords and multifactor authentication phone numbers;
- Employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
The FBI in its alert recommends the healthcare sector take steps to reduce the risk of falling victim, including by deploying multifactor authentication for all accounts and login credentials to the extent possible. “Viable choices such as hard tokens allow access to software and verify identity with a physical device instead of authentication codes or passwords.”
Entities should verify and modify contract renewals as needed to include the inability to change both credentials and multifactor authentication phone numbers within the same time frame.
“Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including two-factor authentication phone numbers within a short time frame to IT and security departments for investigation,” the FBI advises.
Brett Callow, a threat analyst at security firm Emsisoft says that healthcare providers should consider implementing “phishing-resistant” multifactor authentication to better protect themselves.
The FBI alert says that devices with local administrative accounts should have a password policy that requires strong, unique passwords for each administrative account. Similarly, all accounts with password logins – such as service account, admin accounts and domain admin accounts – should require “strong, unique passphrases,” the FBI says.
Workforce members should also be trained to identify and report phishing, social engineering and spoofing attempts, the FBI says, and organizations should conduct regular network security assessments, including penetration tests and vulnerability scans.