The FBI has observed an increase in attacks targeting healthcare payment processors in an effort to divert significant amounts of money to accounts controlled by the attacker.
As part of such attacks, threat actors rely on publicly-available personally identifiable information (PII) and social engineering to impersonate victims and access payment information, healthcare portals, and more.
“Recent reporting indicates cyber criminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access,” the FBI warns.
According to the agency, cybercriminals are compromising credentials of healthcare payment processors and using them to divert payments to bank accounts they control.
In one incident in February 2022, attackers redirected $3.1 million from a victim’s payments after using compromised credentials to change direct deposit banking information to an account they controlled.
The same month, the same method was used in another attack to steal approximately $700,000.
In April 2022, a threat actor posing as an employee of a healthcare company that has over 175 medical providers changed Automated Clearing House (ACH) instructions at a payment processing vendor, which resulted in roughly $840,000 being diverted to the cybercriminal.
According to the FBI, between June 2018 and January 2019, at least 65 healthcare payment processors in the US were targeted by cybercriminals who replaced customer banking and contact information with the details of accounts controlled by the attackers. One of the victims reported a loss of $1.5 million.
“The cybercriminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method,” the FBI notes.
Organizations should be suspicious of phishing emails targeting healthcare payment processors, social engineering attempts to gain access to payment portals and internal files, sudden changes to email exchange server configurations, requests for changing passwords and 2FA phone numbers, and failed password recovery attempts locking employees out of payment processor accounts.
The FBI recommends that organizations use security software that is well maintained, conduct regular network security assessments, train employees to identify phishing, use multi-factor authentication for all accounts, implement an incident response plan, patch vulnerabilities in third-party solutions, and implement mandatory passphrase changes for potentially compromised accounts.
Related: FBI Warns of Unpatched and Outdated Medical Device Risks
Related: US Gov Issues Guidance for Developers to Secure Software Supply Chain
Related: US Agencies Warn of ‘Vice Society’ Ransomware Gang Targeting Education Sector