FBI: Cyber Criminals Use Social Engineering to Target Healthcare Payment Processors

September 19, 2022 - The Federal Bureau of Investigation (FBI) released its second private industry notification in a single week directed at the healthcare sector, this time warning of social engineering techniques used by cyber criminals to target healthcare payment processors.

In an earlier alert, the FBI warned of the prevalence of legacy and unpatched medical devices, which it said could result in operational disruptions and risks to patient safety.

The latest private industry notification noted an uptick in cyber criminals using social engineering techniques and publicly available personally identifiable information (PII) to redirect victim payments from healthcare payment processors.

“In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments,” the FBI stated.

In another case, in April 2022, cybercriminals disguised themselves as an employee and changed the Automated Clearing House (ACH) instructions of one of a healthcare organization’s payment processing vendors to direct payments to the cyber criminals instead of the intended providers. The criminals were able to divert $840,000 before it was detected.

“Recent reporting indicates cyber criminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access,” the FBI continued.

The FBI identified numerous indicators of compromise (IOCs) to look out for, including phishing emails and suspected social engineering attempts, especially those targeting financial departments within healthcare payment processing organizations.

In addition, the sector should be wary of unwarranted changes in email exchange server configuration, multiple requests for employees to reset passwords within a limited timeframe, and employees reporting that they are locked out of payment processing accounts.

To reduce risk, the FBI recommended that the healthcare sector enable antivirus software, conduct regular network security assessments, and implement security training for all employees.

“Advise all employees to exercise caution while revealing sensitive information such as login credentials through phone or web communications,” the notification explained.

“Employees should conduct requests for sensitive information through approved secondary channels.”

Additionally, organizations should employ multi-factor authentication, update incident response plans, mitigate vulnerabilities stemming from third-party vendors, and create protocols for employees to report suspicious activity.

“Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations,” the FBI stressed.

“Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.”

Similar to the notification from earlier in the week, the FBI underscored the importance of timely patching, which it said was “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.”