The modus operandi involves threat actors, likely based abroad, contacting IT help desks armed with stolen personally identifiable information. They adeptly answer security questions posed by help desk personnel and proceed to request password resets and the enrollment of new devices, typically cell phones with local area codes. This maneuver effectively circumvents multi-factor authentication (MFA), granting full access to compromised email accounts and other applications.
Once access is gained, threat actors exploit compromised email accounts to manipulate payment instructions with processors, rerouting legitimate payments to fraudulent U.S. bank accounts or introducing malware into hospital networks. It’s suspected that the diverted funds are swiftly transferred overseas, highlighting the international scope of these cyber schemes.
John Riggi, AHA’s national advisor for cybersecurity and risk, reiterated the severity of the threat, emphasizing the need for stringent IT help desk security protocols. Recommendations include mandatory call-back verification to employee numbers on record, contacting supervisors for validation, and implementing additional verification measures like video calls and presentation of government-issued IDs.
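As an added example (not code from the AHA advisory or this article), the following Python checks identity audit records for the sequence described above: a help-desk password reset with no recorded call-back verification, followed shortly by enrollment of a new MFA device. The event schema, field names and sample records are constructed for this example.

```python
"""Flag MFA device enrollments that closely follow a help-desk password reset
for which no call-back verification was recorded (assumed audit schema)."""
from datetime import datetime, timedelta

# Constructed identity-provider / ticketing audit records (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2024-04-02T09:02:00", "user": "jdoe", "event": "password_reset",
     "actor": "helpdesk", "callback_verified": False},
    {"ts": "2024-04-02T09:11:00", "user": "jdoe", "event": "mfa_device_enrolled",
     "actor": "self", "phone": "+1-555-0100"},
    {"ts": "2024-04-02T10:30:00", "user": "asmith", "event": "password_reset",
     "actor": "helpdesk", "callback_verified": True},   # call-back done: benign
    {"ts": "2024-04-02T10:35:00", "user": "asmith", "event": "mfa_device_enrolled",
     "actor": "self", "phone": "+1-555-0101"},
    {"ts": "2024-04-02T13:00:00", "user": "bkim", "event": "password_reset",
     "actor": "self", "callback_verified": None},       # self-service reset
    {"ts": "2024-04-02T13:05:00", "user": "bkim", "event": "mfa_device_enrolled",
     "actor": "self", "phone": "+1-555-0102"},
    {"ts": "2024-04-01T08:00:00", "user": "clee", "event": "password_reset",
     "actor": "helpdesk", "callback_verified": False},
    {"ts": "2024-04-02T08:00:00", "user": "clee", "event": "mfa_device_enrolled",
     "actor": "self", "phone": "+1-555-0103"},          # a day later: outside window
]


def find_suspicious_enrollments(events, window_minutes=60):
    """Return (user, reset_ts, enroll_ts, phone) for each MFA enrollment that
    follows an unverified help-desk reset of the same account within the window."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: (e["user"], datetime.fromisoformat(e["ts"])))
    pending = {}  # user -> timestamp of latest unverified help-desk reset
    hits = []
    for e in ordered:
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["event"] == "password_reset":
            if e["actor"] == "helpdesk" and not e.get("callback_verified"):
                pending[user] = ts
            else:
                pending.pop(user, None)  # verified or self-service reset clears state
        elif e["event"] == "mfa_device_enrolled" and user in pending:
            reset_ts = pending.pop(user)
            if ts - reset_ts <= window:
                hits.append((user, reset_ts.isoformat(), ts.isoformat(), e.get("phone")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_enrollments(SAMPLE_EVENTS):
        print("REVIEW help-desk reset followed by new MFA device:", hit)
```

Each hit is a ticket to re-verify by calling the employee's number on record, not an automatic block.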
The evolution of such schemes underscores the agility of cyber adversaries in bypassing technological defenses through social engineering tactics. Riggi urges organizations to promptly report any incidents to financial institutions and the FBI, emphasizing the critical window of 72 hours for potential recovery of diverted funds.