Feds warn about social engineering in cyberattacks on physicians’ practices

HHS agency warns “vishing,” combining scam emails and phone calls, is on the rise.

Phony phone calls paired with bogus emails are part of “vishing” scams that are a rising threat to cybersecurity of physicians’ practices.

Voice phishing, or vishing, is the method “of eliciting information or attempting to influence action via the telephone,” according to the latest analyst note by the Health Sector Cybersecurity Coordination Center (HC3) within the U.S. Department of Health and Human Services (HHS). This month, HC3 also published “The Impact of Social Engineering on Healthcare,” a threat brief that describes how scammers manipulate human psychology for their own gain.

“A social engineer can manipulate staff members into giving access to their computers, routers or Wi-Fi,” to steal protected health information or personally identifiable information, or to install malware, the threat brief said.

A growing problem

When used as part of a cyberattack, social engineering is especially problematic in health care because people are naturally trusting, want to help, and want to appear knowledgeable. Workers do not want to get in trouble, but some do take shortcuts, the threat brief said.

In large health care organizations, staff members do not always know all their coworkers.

Analysts have said patient data is valuable to bad actors, and health care systems pay hefty prices to recover data and restore computer systems after attacks. In 2021 and 2022, health care had the largest average cost of a data breach, $10.1 million in 2022, among the public, energy, technology, pharmaceutical and financial sectors, according to HC3.

Phishing and vishing

With phishing, an attacker sends a fraudulent message designed to trick people into revealing sensitive information or into deploying malicious software, such as ransomware, on the victim’s computer infrastructure. Phishing was the most common threat to health care organizations, accounting for 45% of security incidents, followed by ransomware at 17%, said the threat brief, citing a health information cybersecurity survey.

In the last year, vishing attacks have increased across all sectors, and as a social engineering technique vishing has been successful in gaining initial access to target organizations, the HC3 note said.

The agency cited cybersecurity firm Agari, which reported that “hybrid vishing” attacks spiked 625% in the second quarter of 2022. The hybrid attacks are also referred to as “callback phishing” and unfold in multiple stages: they first contact victims by email and aim to obtain sensitive information or distribute malware. “This type of social engineering attack usually involves sending the target a fake email and calling, before sending a fake subscription/invoice notice,” the threat brief said.

Avoid vishing attacks

Health care workers should be aware of the threat and emphasize user awareness training to detect possible scams, according to HC3.

The agency offered examples of how to identify phishing and vishing emails:

  • Suspicious emails claiming a free trial has ended for a service the recipient never signed up for.
  • Unexpected emails containing only the name, address, and phone number of an unrecognized organization.
  • Individuals on the phone asking the recipient to navigate to a website to cancel a subscription they did not sign up for.
  • Emails from a Gmail account using the name of a high-level individual in medical research.
  • Phone calls or emails pretending to be from a government entity, such as a department of health, or from a major technology company.
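The indicators above can be turned into a first-pass triage filter for inbound mail. The following is an added example written for this page, not code from HC3 or the article: it parses raw RFC 5322 messages and scores the lure wording (trial ended, invoice, subscription), a phone number with no link to click, a body that is little more than a contact card, a "call to cancel" instruction, and a webmail sender using a senior person's name. The keyword lists, weights, threshold, the `SENIOR_STAFF` directory and the four sample messages are all assumptions constructed for illustration (the 555-01xx numbers are reserved for fiction), and the heuristics are meant to flag mail for human review, not to block it.

```python
"""Heuristic triage for callback-phishing ("hybrid vishing") emails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed directory of senior names a scammer might impersonate (constructed).
SENIOR_STAFF = {"dr. jane doe", "jane doe", "robert chen"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
# Wording typical of the "your trial ended / you were charged" lure (assumed list).
LURE_TERMS = ("free trial", "trial has ended", "trial period", "subscription",
              "invoice", "renewal", "has been charged")
CANCEL_TERMS = ("cancel", "refund", "dispute")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Indicator weights and the alert threshold are assumptions; tune them on real mail flow.
WEIGHTS = {
    "lure_subscription_or_invoice": 2,      # trial ended / invoice for a service never ordered
    "phone_number_in_body": 1,              # the scam needs the victim to call
    "cancel_instruction": 2,                # "call or visit to cancel" the bogus subscription
    "phone_but_no_link": 2,                 # assumed heuristic: a callback lure needs no URL
    "thin_contact_card_body": 2,            # little more than an org name, address and number
    "freemail_sender_with_senior_name": 3,  # webmail account using a senior person's name
}
THRESHOLD = 4


def _plain_text(msg):
    """Collect text/plain parts; HTML and attachments are ignored in this example."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Score one raw message; returns the sender, the indicators hit and a verdict."""
    msg = message_from_string(raw_message)
    body = _plain_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    phones = PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    words = body.split()

    hits = {
        "lure_subscription_or_invoice": any(t in text for t in LURE_TERMS),
        "phone_number_in_body": bool(phones),
        "cancel_instruction": any(t in text for t in CANCEL_TERMS) and bool(phones or urls),
        "phone_but_no_link": bool(phones) and not urls,
        "thin_contact_card_body": bool(phones) and len(words) <= 25,
        "freemail_sender_with_senior_name": (domain in FREE_MAIL_DOMAINS
                                             and display.strip().lower() in SENIOR_STAFF),
    }
    score = sum(WEIGHTS[name] for name, hit in hits.items() if hit)
    return {
        "from": addr,
        "score": score,
        "indicators": sorted(name for name, hit in hits.items() if hit),
        "suspicious": score >= THRESHOLD,
    }


# Constructed sample messages; domains and phone numbers are fictional.
SAMPLES = {
    "invoice_lure": """\
From: Billing Desk <billing@example-renewals.net>
To: frontdesk@clinic.example
Subject: Your free trial has ended - invoice #48213

Your free trial of SecureFax Pro has ended and your card has been charged $389.00.
If you did not authorize this subscription, call our support line at (800) 555-0147
within 24 hours to cancel and request a refund.
""",
    "thin_contact_card": """\
From: noreply@vendor-contact.example
To: records@clinic.example
Subject: Contact details

Northbridge Medical Billing Services
410 Harbor Street, Suite 200
(312) 555-0188
""",
    "freemail_senior": """\
From: "Dr. Jane Doe" <jane.doe.md.research@gmail.com>
To: grants@clinic.example
Subject: Urgent - need you to call me

I am in a meeting and cannot take calls on my office line.
Please call me on 773-555-0123 as soon as you see this, it concerns the grant paperwork.
""",
    "benign_notice": """\
From: IT Service Desk <helpdesk@clinic.example>
To: all-staff@clinic.example
Subject: Scheduled maintenance Saturday

The EHR portal will be unavailable Saturday 02:00-04:00 for patching.
Details and the change ticket are at https://intranet.clinic.example/changes/1187
No action is required.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Each rule maps to one bullet in the HC3 list, so an analyst reading an alert sees which indicator fired rather than just a number. The "phone but no link" rule is the one worth watching in production: it is the feature that lets callback lures slip past URL-reputation filters, but it also fires on legitimate vendor contact cards, which is why it only contributes to a score rather than deciding on its own.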

More cyberfraud

Phishing and vishing are not the only ways attackers gain access to sensitive data held by health care organizations.

Business email compromise happens when an attacker, intending to defraud a company, poses as a trusted source and emails targets. “This type of attack can be difficult to detect and relies on impersonation, along with other social engineering tactics, to trick people into interacting on the threat actor’s behalf,” the threat brief said.

Deepfake software combines voice cloning and video, allowing anyone to take on the identity of a trusted persona.

Whaling is a phishing attack that targets senior executives with a fake email disguised as a legitimate one.

Reducing exposure

Whether phishing, vishing or another type of attack, HC3 suggested steps to protect health care organizations:

  • Train staff to be alert and cautious, and to verify all requests for information.
  • Implement backups following best practices.
  • Have a structured program for regular software updates.
  • Impose proper credential tracking.
  • Hold every department accountable for security.
  • Increase physical security.

HC3 advises health care workers to stay up-to-date with the latest health-themed scams and fraud schemes, such as those built around COVID-19 and monkeypox.

HC3, along with HHS Health Industry Cybersecurity Practices and the federal Cybersecurity & Infrastructure Security Agency, offers a number of free resources for getting started with computer security in health care and other businesses.