A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) about an ongoing social engineering campaign targeting the healthcare and public health (HPH) sector. The campaign has been running since August 2023 and seeks access to email account credentials to divert automated clearinghouse (ACH) payments to U.S. bank accounts under the threat actor’s control.

The threat actor targets email accounts and once access has been gained, pivots to targeting login credentials that allow them to make changes to accounts involved in reimbursement payments to insurance companies, Medicare, and other entities. Two methods have been identified for initial access to email accounts. Phishing emails are sent that direct the recipient to a spoofed webpage where credentials are harvested. The domains used for this campaign closely resemble the domains used by the targeted organization, differing by one character.

An alternative method involves vishing calls to the targeted organization’s IT helpdesk. Social engineering tactics are used to trick IT helpdesk workers into performing a password reset and, in some instances, registering a new device to receive multifactor authentication codes. Personal information obtained in past data breaches may be provided to the helpdesk employees to pass identity verification checks...