Hospital IT Help Desks Targeted in Sophisticated Payment Fraud Scam
U.S. hospitals are being targeted by cybercriminals in a sophisticated payment fraud scam, according to the American Hospital Association (AHA). The AHA has received multiple reports of scammers contacting hospital IT departments to perform password resets and enroll new devices to obtain multifactor authentication (MFA) codes. Once access has been gained to employee email accounts, they send instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds are then transferred to overseas accounts.
According to the AHA, scammers contact IT departments and pose as revenue cycle employees or other employees in sensitive financial roles. They provide stolen personal information to verify their identity to pass the security checks that are necessary to perform a password reset to enroll a new device to receive MFA codes. The devices used to receive the codes often have a local area code. With a new device enrolled, the scammer will receive MFA codes, allowing them to access employee email accounts. This technique also allows the scammers to defeat phishing-resistant MFA.
The AHA has received dozens of reports from U.S. hospitals that have been targeted and had payments diverted to attacker-controlled accounts. Anyone who falls victim to such a scam should immediately report it to the Federal Bureau of Investigation (FBI) and their financial institution to try to get the transfer blocked and recover the fraudulently transferred funds. The FBI has been able to successfully block fraudulent transfers of funds if notified within 72 hours of the transfer being made.
Hospitals should consider implementing stricter IT help desk security protocols to ensure they do not fall victim to these scams. John Riggi, AHA’s national advisor for cybersecurity and risk, suggests that as a minimum, any requests for password resets should require a call back to the number on record for the employee requesting a password reset and enrollment of a new device. Some hospitals have implemented procedures that require any such request to be made in person at the IT help desk. Riggi also suggests implementing policies that require the supervisor of the employee to be contacted to verify any such request. “This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes,” said Riggi.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
