AHA Warns of New Social Engineering Scheme Used to Steal Identities

April 4, 2024
The threat, presumed to be the work of a foreign actor, involves gaining access to employees’ email accounts

AHA is sounding the alarm about a “validated IT help desk social engineering scheme that uses the stolen identity of revenue cycle employees or employees in other sensitive financial roles.”

The scheme is presumably being carried out by a foreign-based threat actor “calling IT help desks and leveraging stolen personally identifiable information of employees to answer security questions posed by the IT help desk. The threat actor then requests a password reset and requests to enroll a new device, such as a cell phone, to receive multi-factor authentication codes. This new device will often have a local area code. This effectively defeats multi-factor authentication, including SMS text and higher level “phishing-resistant” MFA, to provide full access to the compromised employee’s email account and other applications.”

Continuing on, AHA warns that “the threat actor has reportedly used the compromised employee’s email account to change payment instructions with payment processors and divert legitimate payments to fraudulent U.S. bank accounts or deliver malware into the network. As with other payment diversion schemes, it is believed the funds are ultimately transferred overseas.”
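The sequence AHA describes (a help-desk password reset, enrollment of a new MFA device, then a change to payment instructions from the compromised account) is a chain that a security team can look for in its own audit logs. The following is an added detection example written for this article; it is not code from AHA or from the news release. The event names and the sample log records are constructed assumptions standing in for whatever an organization's identity provider, help-desk ticketing and accounts-payable systems actually emit.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    detail: str = ""


# Constructed sample events (assumption: this is roughly the shape of merged
# identity-provider, help-desk and AP audit logs; action names are invented
# for the example, not any vendor's real schema).
SAMPLE_EVENTS = [
    # the chain described in the advisory, all within a few hours
    Event(datetime(2024, 4, 1, 9, 5), "j.doe", "helpdesk_password_reset", "ticket HD-1001"),
    Event(datetime(2024, 4, 1, 9, 12), "j.doe", "mfa_device_enrolled", "sms, new number"),
    Event(datetime(2024, 4, 1, 14, 30), "j.doe", "payment_instruction_changed", "vendor V-220"),
    # benign: reset only, no device change
    Event(datetime(2024, 4, 1, 10, 0), "a.smith", "helpdesk_password_reset", "ticket HD-1002"),
    # benign ordering: device enrolled weeks before a routine reset
    Event(datetime(2024, 3, 20, 8, 0), "k.lee", "mfa_device_enrolled", "authenticator app"),
    Event(datetime(2024, 4, 2, 11, 0), "k.lee", "helpdesk_password_reset", "ticket HD-1003"),
    # reset followed by new device, but payment change is far outside the window
    Event(datetime(2024, 3, 25, 9, 0), "m.ruiz", "helpdesk_password_reset", "ticket HD-0990"),
    Event(datetime(2024, 3, 25, 9, 30), "m.ruiz", "mfa_device_enrolled", "sms, new number"),
    Event(datetime(2024, 4, 3, 9, 0), "m.ruiz", "payment_instruction_changed", "vendor V-100"),
]

# Full chain from the advisory, in the order it has to happen.
TAKEOVER_CHAIN = ("helpdesk_password_reset", "mfa_device_enrolled", "payment_instruction_changed")


def find_chains(events, chain=TAKEOVER_CHAIN, window=timedelta(hours=48)):
    """Return {user: [matched events]} for every user whose log shows the actions
    in `chain`, in that order, all within `window` of the initiating action.

    Passing a shorter prefix, e.g. chain=TAKEOVER_CHAIN[:2], gives an earlier
    warning (reset followed by a new MFA device) before any payment is diverted.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if start.action != chain[0]:
                continue
            matched = [start]
            stage = 1
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break  # rest of the user's events are outside the window
                if ev.action == chain[stage]:
                    matched.append(ev)
                    stage += 1
                    if stage == len(chain):
                        hits[user] = matched
                        break
            if user in hits:
                break  # one hit per user is enough to raise the alert
    return hits


def flagged_users(events, chain=TAKEOVER_CHAIN, window=timedelta(hours=48)):
    """Sorted list of user names returned by find_chains, convenient for alerting."""
    return sorted(find_chains(events, chain, window))


if __name__ == "__main__":
    for user, evs in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT full chain for {user}:")
        for ev in evs:
            print(f"  {ev.ts:%Y-%m-%d %H:%M}  {ev.action:<28} {ev.detail}")
    print("early warning (reset + new MFA device):",
          flagged_users(SAMPLE_EVENTS, TAKEOVER_CHAIN[:2], timedelta(hours=24)))
```

The first stage of the chain is the one a help desk controls, so the lower-cost control is to alert on the two-step prefix and have the help desk confirm the reset with the employee over a known-good channel; the full three-step match is the confirmation that money is already at risk.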

John Riggi, AHA’s national advisor for cybersecurity and risk, stresses that the risk here can be mitigated by “ensuring strict IT help desk security protocols.” Initiating a video call with the employee requesting the reset could also reduce the risk, since it forces the person on the other end to verify their identity.

AHA’s website has the news release.