
Social Engineering Attacks Targeting the Healthcare Sector

Date: Tue, Oct 22, 2024, 04:00 AM

According to the Department of Health and Human Services (HHS), threat actors make heavy use of social engineering against the healthcare sector. In its April 2024 briefing, “Social Engineering Attacks Targeting IT Help Desks in the Health Sector,” HHS observes that social engineering attacks are on the rise and that healthcare and financial services are the most targeted industries.


HHS defines social engineering as “the psychological manipulation of people into performing actions or divulging confidential information.” In healthcare, the targets are employees, patients, and vendors. The attackers' goals vary: obtaining sensitive patient information, gaining unauthorized access, disrupting operations, and committing fraud.


Common types of social engineering attacks include:


  • Phishing - uses email, phone, SMS, social media, or other personal communication channels to entice users to click a malicious link, download an infected file, or reveal personal information such as passwords and account numbers.
  • Whaling - a highly targeted phishing attack aimed at senior executives. Whaling often pushes the victim toward a secondary action, such as initiating a wire transfer of funds.
  • Baiting - scammers make false promises to lure users into revealing personal information or installing malware.
  • Quid pro quo - the threat actor requests sensitive information from the victim in exchange for a desirable service, e.g. fake tech support.
  • Pretexting - composing a plausible scenario, or pretext, that is likely to convince victims to share valuable and sensitive data.
  • Smishing / SMS phishing - conducted specifically through SMS messages; scammers lure the user into clicking a link that leads to a malicious site, which then delivers malicious software or content.
  • Vishing - short for voice phishing; uses phone calls to trick victims into providing sensitive information.


Recent Frequently Exploited Attack Vector


HHS states that social engineering of IT help desks is now frequent in healthcare organizations. Multiple sophisticated attacks have targeted IT help desk staff via phone calls placed from an area code local to the targeted organization, with the end goal of payment fraud. The threat actor (TA) persuades the help desk to enroll a new mobile device for an existing account and thereby gains access to corporate resources; because the device is legitimately enrolled, the TA can then mount a range of follow-on attacks from it. (More on IT help desk attacks in a future CHIME post.)
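The chain HHS describes (phone call to the help desk, new MFA device enrolled, payment fraud from the now-trusted account) leaves a correlatable trail in identity and ERP audit logs. The following is an added detection sketch, not code from HHS or CHIME: it flags every MFA enrollment whose identity check was done only over the phone, and escalates when the enrolled account changes payment details within a window. The pipe-delimited log format, field names, directory group names, the 48-hour window, and the sample events are all assumptions constructed for this example.

```python
# Added example (not from the HHS briefing or the CHIME post): flag MFA device
# enrollments where identity was verified only by phone, and escalate when the
# enrolled account soon changes payment details. Log format, group names and
# the sample events are constructed for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Actions that move money; a follow-on of this kind turns a suspicious
# enrollment into a probable payment-fraud chain.
PAYMENT_ACTIONS = {"payroll_account_changed", "vendor_bank_account_changed"}
# Directory groups whose members warrant an alert on any phone-verified enrollment.
HIGH_RISK_GROUPS = {"finance", "payroll", "accounts_payable"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str        # e.g. mfa_device_enrolled, vendor_bank_account_changed
    actor: str         # account that performed the action
    subject: str       # account or record the action was applied to
    verification: str  # how identity was verified: phone, in_person, video, self_service
    group: str         # directory group of the account involved


@dataclass(frozen=True)
class Finding:
    severity: str
    subject: str
    enrolled_at: datetime
    reason: str


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited line of the constructed log format."""
    ts, action, actor, subject, verification, group = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), action, actor, subject, verification, group)


# Constructed sample log: a help-desk analyst enrolls a device for an
# accounts-payable clerk after a phone call; the clerk's account then changes a
# vendor's bank details the next day.
SAMPLE_LOG = """\
2024-10-01T09:12:00|mfa_device_enrolled|helpdesk.jdoe|nurse.asmith|in_person|clinical
2024-10-01T10:05:00|mfa_device_enrolled|helpdesk.jdoe|ap.clerk1|phone|accounts_payable
2024-10-02T14:30:00|vendor_bank_account_changed|ap.clerk1|vendor.4411|self_service|accounts_payable
2024-10-03T08:00:00|mfa_device_enrolled|helpdesk.klee|it.admin2|video|it
2024-10-03T11:45:00|mfa_device_enrolled|helpdesk.klee|rad.tech9|phone|radiology
2024-10-04T09:00:00|mfa_device_enrolled|helpdesk.jdoe|payroll.spec3|phone|payroll
"""


def load_sample() -> list[Event]:
    return [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


def assess_enrollments(events: Iterable[Event],
                       window: timedelta = timedelta(hours=48)) -> list[Finding]:
    """One Finding per phone-verified MFA enrollment, at the highest applicable severity.

    HIGH:   the enrolled account performed a payment change within `window`.
    MEDIUM: the enrolled account belongs to a high-risk group.
    LOW:    any other phone-verified enrollment (review queue, not a page-out).
    """
    events = sorted(events, key=lambda e: e.ts)
    findings: list[Finding] = []
    for e in events:
        if e.action != "mfa_device_enrolled" or e.verification != "phone":
            continue
        # Payment changes made *by* the enrolled account inside the window.
        follow_on = [f for f in events
                     if f.action in PAYMENT_ACTIONS and f.actor == e.subject
                     and e.ts <= f.ts <= e.ts + window]
        if follow_on:
            f = follow_on[0]
            findings.append(Finding("HIGH", e.subject, e.ts,
                f"phone-verified enrollment by {e.actor} followed by {f.action} "
                f"on {f.subject} at {f.ts.isoformat()}"))
        elif e.group in HIGH_RISK_GROUPS:
            findings.append(Finding("MEDIUM", e.subject, e.ts,
                f"phone-verified enrollment by {e.actor} for {e.group} account"))
        else:
            findings.append(Finding("LOW", e.subject, e.ts,
                f"phone-verified enrollment by {e.actor}"))
    return findings


if __name__ == "__main__":
    for fnd in assess_enrollments(load_sample()):
        print(f"[{fnd.severity}] {fnd.subject} enrolled "
              f"{fnd.enrolled_at:%Y-%m-%d %H:%M}: {fnd.reason}")
```

The point of the tiering is operational: the LOW finding for the radiology technician is a reminder that a phone-only verification happened at all, the MEDIUM one for the payroll specialist is worth a same-day callback on a number from the HR system rather than the one the caller gave, and the HIGH one for the accounts-payable clerk is an incident until proven otherwise. The real defence is upstream (do not allow device enrollment on a phone-only identity check for accounts that can move money), but this correlation catches the cases where that policy was bypassed or does not yet exist.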


Social Engineering Threat Actors Leverage AI


HHS indicates that AI is enabling social engineering threat actors:


  • Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.
  • Research reveals that 76% of enterprises lack sufficient voice and messaging fraud protection, as AI-powered vishing and smishing have skyrocketed following the launch of ChatGPT.
  • Advancements in technology and AI are lowering the barrier to entry for cybercriminals and increasing the sophistication of attacks.
  • Generative AI tools like ChatGPT are predicted to play a role in crafting more effective cyberattacks in 2024.


State-Sponsored Use of AI and LLMs


Nation-state actors are in the social engineering game as well:


  • In February 2024, Microsoft and OpenAI partnered to publish a report about nation-state threat actors linked with China, Iran, North Korea, and Russia experimenting with artificial intelligence (AI) and large language models (LLMs) to enhance their cyberattacks.


  • Multiple state-sponsored threat actors have used OpenAI’s services to generate content likely for use in phishing and spear phishing campaigns, including Charcoal Typhoon (China), Crimson Sandstorm (Iran), and Emerald Sleet (North Korea).


  • These actors use LLMs to help draft and generate content likely destined for spear-phishing campaigns: they generate varied phishing emails and lean on LLMs for translation and communication, likely to build rapport with or manipulate targets.


HHS Resources


Social Engineering Attacks Targeting IT Help Desks in the Health Sector


AI and Phishing as a Threat to the HPH White Paper


QR Codes and Phishing as a Threat to the HPH White Paper


AI, Cybersecurity and the Health Sector


AI for Malware Development Analyst Note


Vishing Attacks on the HPH Sector Analyst Note


The Impact of Social Engineering On Healthcare

