American Hospital Association Warns of Social Engineering Schemes
Marianne Kolbasuk McGee (HealthInfoSec) • January 18, 2024
Read the full article in Healthcare InfoSecurity here:
Health-ISAC pulled quotes:
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said that Health-ISAC has been aware of IT help desk social engineering schemes targeting the health sector entities since mid-2022, while variations of the scams have been happening even longer in some other industries.
“Ten years ago in the banking sector, I saw cybercriminal groups use these same social engineering tactics to obtain sensitive information, get access to company accounts, and use all that to perpetrate fraud,” he said.
“The threat actors call the help desk to gain unauthorized access to corporate accounts and sensitive information. The information is typically used to further scams or fraudulent activity like business email compromise,” he said.
“It’s the same scam today, just leveraging helpful IT help desk support staff,” Weiss said.
Moving forward, AI-fueled attacks, including those involving deepfakes, potentially make matters even more difficult for entities to detect and prevent falling victim to social engineering schemes.
“The problem is: IT help desks are being fooled by threat actors to reset MFA credentials and send them authorization codes,” Weiss said.
“Organizations can implement more thorough checks like having the employee’s supervisor validate the request or use technology like voice recognition to enhance the process,” he said.