AHA Warns Hospitals of IT Help Desk Social Engineering Scheme

January 19, 2024 - The American Hospital Association (AHA) warned hospitals of a validated IT help desk social engineering scheme and encouraged hospitals to remain vigilant and notify the Federal Bureau of Investigation (FBI) if they fall victim to it.

The scheme involves threat actors leveraging the stolen identities of revenue cycle employees or employees in other sensitive financial roles. After obtaining a stolen identity, the threat actor will call IT help desks and use stolen personally identifiable information to answer security questions.

Next, the threat actor requests a password reset and requests to enroll a new device to receive multi-factor authentication codes. What’s more, the new device often has local area codes. With this access, the threat actor can obtain access to email accounts and other applications without detection.

There have been reports of these threat actors using the compromised employee’s email account to change payment instructions and divert legitimate payments to fraudulent US-based bank accounts. The funds are later transferred overseas.

John Riggi, AHA’s national advisor for cybersecurity and risk, described the scheme as “innovative and sophisticated,” but noted that it can be mitigated by employing strict IT help desk security protocols. These protocols might involve requiring a call-back to the number on record for any employees who are requesting password resets and new device enrollments.

“Organizations may also want to contact the supervisor on record of the employee making such a request. As a result of becoming a victim of this scheme, one large health system now requires employees making such requests to appear in person at the IT help desk,” Riggi added.

“This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes.”

The AHA also urged victim organizations to notify their financial institutions and the FBI, both of which can assist in recovering diverted payments if they are notified within 72 hours of the payment diversion.

Sophisticated social engineering attacks remain a pervasive threat in healthcare, as they can allow threat actors to gain access to internal systems and traverse the network, launching other types of attacks in the process. Technical and administrative safeguards and regular employee training can help organizations prevent or mitigate the risk of these attacks.