In the News

HC3 alerts to social engineering risk, rise in vishing attacks on healthcare

Aug 19, 2022 SC Media

Healthcare delivery organizations should work to address potential risks posed by a rise in vishing attacks against the healthcare sector, as well as the ongoing threat of social engineering attempts, warns the Department of Health and Human Services Cybersecurity Coordination Center.

Two new white paper alerts detail the ongoing threats and recommended remediation to prevent falling victim.

HC3 has observed a “marked increase” in vishing, or voice phishing, attacks in the last year across all sectors. The method is used by advanced persistent threat groups or state-sponsored actors, leveraging voice-changing software to trick victims into installing malware. 

The objectives of these attacks are usually to obtain sensitive information or distribute malware. One of the more recent victims was a large organization that fell victim to a sophisticated vishing attack, which gave an actor access to its network.

Introduced by BazarCall/BazaCall, the callback phishing attacks were first observed in March 2021 and targeted corporate networks with ransomware attacks. Reports show the use of “hybrid vishing,” which first connects with the victim via email before calling them, saw a 625% growth during Q2 2022.

Past healthcare vishing targeting led to the exploitation of a Michigan health system in September 2020, where the threat actor posed as an employee in an effort to steal member numbers and protected health numbers. In this specific incident, the “fake phone calls even ‘spoofed’ caller ID and appeared to be originating from a legitimate phone number belonging to the… entity…”