FBI Warns of Increase in Payment Scams in the Healthcare Sector

Cybercriminals use phishing and social engineering to divert payments.

The FBI alerts the healthcare sector that cybercriminals are stealing multimillion-dollar payouts from healthcare payment processors by stealing users’ login passwords.

In a Wednesday alert, federal investigators said they have received numerous complaints of cybercriminals diverting provider payments into their own pockets.

According to the FBI, in recent incidents hackers impersonated healthcare providers to gain access to websites, payment information, and healthcare portals, using employees’ publicly available personally identifying information together with social engineering tactics.

In a February incident, a perpetrator altered the direct deposit information for an undisclosed hospital in order to reroute $3.1 million in payments into a consumer checking account.

In April, a threat actor who pretended to be an employee of a healthcare organization that employs more than 175 medical providers modified the automated clearinghouse instructions at one of the organization’s payment processing vendors, directing payments to the cybercriminal instead of the employee.

According to the FBI, the cybercriminal diverted around $840,000 over the course of two transactions before the scam was discovered.

Cybercriminals targeted and gained access to at least 65 healthcare payment processors in the United States over a seven-month period between June 2018 and January 2019, replacing legitimate client banking and contact information with accounts under the control of the attackers. One of the victims claimed to have lost almost $1.5 million.

The FBI warns that cybercriminals will continue to target healthcare payment processors using a range of tactics, including phishing campaigns and social engineering, in order to impersonate service centres and obtain user access.

Attractive Target

According to retired supervisory FBI agent Jason Weiss, who is currently a lawyer with the law firm Faegre Drinker Biddle & Reath LLP, the healthcare industry has an alluring pool of potential victims.

“Most of the time, the group’s members focus on helping people, especially getting people well.” In the meantime, patients have more reasons than ever to call clinics to discuss their bills due to the sticker shock of healthcare expenditures.

According to Weiss, certain users at victim organizations are likely to fall for the scams when targeted by phishing and social engineering attempts asking them to “help” solve a payment issue. It’s in our nature to do that.

According to attorney Erik Weinick of the legal firm Otterbourg P.C. and a member of the Secret Service’s Cyber Fraud Task Force Steering Committee, cybercriminals are driven by financial gain and will tailor their operations to wherever the money is.

The criminals may think that the types of fraud mentioned in the FBI advisory are more likely to let them keep their illicit earnings, he says, because law enforcement has become more effective at retrieving ransoms paid via cryptocurrencies.

According to him, “cybercriminals are incredibly patient and have been known to spend months or longer learning about individuals and organizations in order to gain access, and then further stalling their time once they have access to gain more knowledge that allows them to increase the severity and magnitude of their crime.”

Although business email compromise and other similar schemes have long been used by cybercriminals to target the healthcare industry and other industries, Weinick hypothesizes that the FBI’s recent alert is related to an increase in intrusions “attributable to quick build-outs of remote access without a sufficient emphasis on security during the peak of COVID-19.”

Indicators of Compromise

The FBI encourages organizations to keep an eye out for any of a number of potential signs that hackers are trying to access user accounts.

The signs include:

  • fraudulent emails targeting healthcare payment processors’ financial divisions;
  • suspected social engineering attempts to gain access to corporate files and payment interfaces;
  • unauthorized modifications to the email exchange server configuration and custom rules for particular user accounts;
  • requests for employees to quickly change their passwords and multifactor authentication phone numbers;
  • employees reporting that password recovery attempts have locked them out of their payment processor accounts.

Taking Action

In its advisory, the FBI advises the healthcare industry to take precautions to lessen the chance of becoming a victim, including, where practical, implementing multifactor authentication for all accounts and logins. It names hard tokens as “viable choices”: unlike authentication codes or passwords, a hard token grants access to software by using a physical object to validate identity.

Entities should review and adjust contract renewals as needed to prevent multifactor authentication phone numbers and credentials from being changed at the same time.

Create procedures so that employees can alert IT and security departments about suspicious emails, changes to email exchange server configurations, password resets and two-factor authentication phone number changes made within a short time frame, and denied password recovery attempts.
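Several of the warning signs above (a password reset closely followed by a change of the multifactor authentication phone number, new mailbox rules on particular accounts, and repeated failed password recovery attempts) can be picked up automatically from identity and mailbox audit logs rather than waiting for an employee to report them. The following is an added example of that correlation logic; it is not code from the FBI advisory or the article, and the pipe-delimited log format, the event names and the sample accounts are all constructed for the example.

```python
"""Correlate identity and mailbox audit events for the warning signs the FBI
advisory lists: a password reset and an MFA phone-number change on the same
account within a short window, new mailbox rules that forward or delete mail,
and repeated failed password-recovery attempts.  The log format, event names
and accounts below are constructed for this example, not taken from any
product or real incident."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Each line: ISO timestamp | account | event name | detail
SAMPLE_LOG = """\
2022-09-14T08:02:11Z|ap-clerk1|password_reset|self-service
2022-09-14T08:19:45Z|ap-clerk1|mfa_phone_change|+1-555-0100
2022-09-14T08:21:03Z|ap-clerk1|inbox_rule_created|forward:external;delete
2022-09-14T09:00:00Z|billing2|password_reset|helpdesk
2022-09-15T16:30:00Z|billing2|mfa_phone_change|+1-555-0199
2022-09-14T10:05:00Z|payroll3|password_recovery_failed|wrong_answer
2022-09-14T10:05:40Z|payroll3|password_recovery_failed|wrong_answer
2022-09-14T10:06:12Z|payroll3|password_recovery_failed|wrong_answer
2022-09-14T11:00:00Z|cfo|inbox_rule_created|move:Archive
"""


def parse_log(text):
    """Parse the pipe-delimited constructed log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, detail = line.split("|", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "event": event,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window=timedelta(hours=1), recovery_threshold=3):
    """Return (rule_name, account) alerts for the advisory's warning signs."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    for account, evs in by_account.items():
        # Rule 1: MFA phone number changed within `window` after a password reset.
        resets = [e["time"] for e in evs if e["event"] == "password_reset"]
        for e in evs:
            if e["event"] == "mfa_phone_change" and any(
                timedelta(0) <= e["time"] - r <= window for r in resets
            ):
                alerts.append(("reset_then_mfa_change", account))
                break

        # Rule 2: new mailbox rule that forwards or deletes mail (a common way
        # to hide payment-change correspondence from the real account owner).
        for e in evs:
            if e["event"] == "inbox_rule_created" and (
                "forward" in e["detail"] or "delete" in e["detail"]
            ):
                alerts.append(("suspicious_inbox_rule", account))
                break

        # Rule 3: `recovery_threshold` failed recovery attempts inside `window`.
        fails = [e["time"] for e in evs if e["event"] == "password_recovery_failed"]
        for i in range(len(fails) - recovery_threshold + 1):
            if fails[i + recovery_threshold - 1] - fails[i] <= window:
                alerts.append(("repeated_recovery_failures", account))
                break
    return alerts


def run_sample():
    """Run the three rules over the constructed log."""
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, account in run_sample():
        print(f"ALERT {rule}: {account}")
```

On the constructed log this flags ap-clerk1 twice (reset followed by an MFA phone change 17 minutes later, then a forward-and-delete rule) and payroll3 once (three failed recovery attempts in 72 seconds); billing2’s MFA change a day after its reset and the cfo’s ordinary archive rule produce nothing. The one-hour window and threshold of three are starting points to tune against an organization’s own helpdesk volume.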

Healthcare organizations should think about deploying “phishing-resistant” multifactor authentication, according to threat analyst Brett Callow of the security company Emsisoft.

According to the FBI notice, devices with local administrative accounts need a password policy that mandates strong, individual passwords for every administrative account. The FBI recommends “strong, unique passphrases” for all accounts that require password logins, including service accounts, admin accounts, and domain admin accounts.

The FBI advises employers to regularly conduct network security assessments, including penetration tests and vulnerability scans, and to train staff members to recognize and report phishing, social engineering, and spoofing attempts.