The Health Sector Cybersecurity Coordination Center (HC3) sent an alert in August 2022 detailing an increase in vishing attacks targeting healthcare organizations. Health systems were warned to watch for attacks impersonating their organizations and targeting their providers and patients. “Social engineering techniques continue to remain successful in providing initial access to target organizations, and the Healthcare and Public Health (HPH) sector should remain alert to this evolving threat landscape with an emphasis on user awareness training,” HC3 explained. Let’s take a look at two examples.
Vishing attacks target Asante healthcare employees for patient information and passwords
Asante healthcare reports that scammers are posing as patients or authorized caregivers and calling Asante healthcare employees to fool them into giving up confidential patient information. What are their tactics when they call? The scammers tell a compelling story or create a sense of urgency. Asante also reports that bad actors are vishing IT (Information Technology) staff for passwords and system information that they can use to access Asante computers and information.
Vishing attacks target patients of Spectrum/Priority Health for member numbers and PHI
Scammers posing as employees of Spectrum Health or Priority Health carried out a vishing campaign that involved calling patients to steal their member numbers and protected health information (PHI). To add legitimacy to the vishing calls, the scammers “spoofed” the phone number belonging to the healthcare entity. As a result, the victim’s caller ID displayed a legitimate phone number for the healthcare entity. The stage was now set for the scammers to begin the swindle. As reported by the Spectrum Health newsroom, using tactics such as flattery and threats, the scammers obtained identification information, money, and even access to personal devices.
User awareness training – Test. Educate. Protect.
Human interaction played a key role in both vishing attacks we mentioned. A real person was on the phone using social engineering techniques to try to fool their target. In view of this, human interaction should play a key role in the security awareness testing and education that you choose. With Social-Engineer’s Managed Vishing Service, you will get security awareness testing and education based on human interaction. We do not use script-driven call center staff, and we never use robocallers. Instead, we deploy real people: professionally trained, certified social engineers to elicit critical information from your employees. Our Human Risk Analysts can pivot and adjust their conversations just like a real attacker would. The experts at Social-Engineer, LLC can help you test, educate, and protect your first line of defense: your employees. Please contact us today for a consultation.