Social engineering attacks remain some of the most efficient and effective ways for threat actors to exploit victims and gain network access, and the healthcare sector is no exception. Baiting, tailgating, and pretexting are all popular social engineering attacks. But in healthcare, phishing and its sub-categories are dominant.
The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) found that phishing was the most frequently reported cybercrime of 2021. IC3 received 323,972 phishing complaints in 2021, compared to 241,342 in 2020.
Additionally, a survey by H-ISAC and Booz Allen Hamilton found that behind ransomware, surveyed cybersecurity, IT, and non-IT executives identified phishing and spear-phishing as their top concerns.
In the following sections, HealthITSecurity will define social engineering, dive into the many different types of social engineering attacks, and identify tips for mitigating risk in the healthcare sector.
WHAT IS SOCIAL ENGINEERING?
“Social engineering is the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes,” the FBI explained in its Protected Voices series.
“In the context of information security, social engineering might also mean psychologically manipulating people to take action to inadvertently give adversaries access to protected information or assets.”
Social engineering attacks are designed to make victims feel comfortable and safe giving up information. These attacks require no technical knowledge to execute and have a high success rate, making them extremely popular tactics among threat actors.
“An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network,” the Cybersecurity and Infrastructure Security Agency (CISA) explained.
“If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.”
Phishing is the most common type of social engineering attack and one of the biggest healthcare cybersecurity threats, which is why this article will dive deeper into phishing and its sub-categories. However, it is important to be aware of other social engineering attack types that threat actors use to exploit victims.
PRETEXTING
Pretexting involves attackers fabricating a scenario to steal information. The threat actor typically impersonates a trusted individual and asks the victim to confirm their identity by giving compromising information, Tripwire explained in a blog post.
“More advanced pretexting involves tricking victims into doing something that circumvents an organization’s security policies,” the post explained.
“For example, an attacker might say they’re an external IT services auditor so that the organization’s physical security team will let them into the building.”
Phishing often relies on fear and urgency, while pretexting leverages trusted relationships with victims.
BAITING
Scammers who use baiting dangle the promise of a reward such as free movie downloads in front of the victim to convince them to give up credentials.
Carnegie Mellon University defined baiting as “a type of social engineering attack where a scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or inflict the system with malware. The trap could be in the form of a malicious attachment with an enticing name.”
QUID PRO QUO
Quid pro quo attacks are similar to baiting, but scammers typically request the exchange of sensitive information in exchange for services rather than goods. For example, someone might impersonate the US Social Security Administration and ask victims to confirm their Social Security numbers, the Tripwire blog post continued.
Alternatively, a threat actor may pose as an IT expert offering free technical assistance in exchange for credentials.
TAILGATING
Tailgating is another common social engineering attack in which someone without proper authentication follows someone with authentication into a restricted area.
The scammer might impersonate a delivery driver or custodian and get an employee to open a door for them in order to gain access to the building.
PHISHING
“Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization,” CISA explained.
“For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.”
Often, threat actors will take advantage of natural disasters, holidays, elections, or public health scares to execute their attacks.
The Health Sector Cybersecurity Coordination Center (HC3) observed an uptick in COVID-19 vaccine-related email phishing scams in late 2020. The emails typically promised early access to the vaccine if the recipient was willing to pay or provide compromising information.
“Most threat actors today continue to rely on phishing to compromise their targets. Using the various types of phishing, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to increase chances of successful exploitation,” HC3 noted in a September 2021 brief.
“HC3 has observed numerous high-profile attacks in the [healthcare and public health] sector in the past year and HC3 assesses that these trends will continue due to previous successful exploitation. Organizations need to be aware of new trends and lures to ensure staff are properly vigilant against this threat.”
EMAIL PHISHING
Email phishing is the most common phishing technique and has been used consistently since the 1990s, HC3 stated. Hackers often send emails to any address they can find in order to increase their chances of success.
Telltale signs of traditional email phishing attacks include suspicious sender email addresses, generic greetings (e.g., “Dear Valued Customer” or “Sir/Ma’am”), poor grammar and sentence structure, and suspicious attachments, CISA explained. The sender may try to imitate a legitimate business by using an email address that closely resembles a real business but omits a few characters.
Sometimes the sender includes malicious attachments, spoofed hyperlinks, or suspicious URLs in the email.
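As an added illustration (not part of the original article), the following Python script checks one raw email for the telltale signs listed above: a sender domain a character or two off from a trusted one, a generic greeting, a risky attachment type, and a failed SPF/DMARC verdict recorded by the receiving mail gateway, which is what anti-spoofing technology produces for a defender to act on. The trusted-domain allowlist, the similarity threshold, and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string

TRUSTED_DOMAINS = {"examplehealth.org", "bankofexample.com"}  # constructed allowlist (assumption)
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/ma'am", "dear user")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm")

def lookalike_domain(domain):  # trusted domain the sender closely imitates, else None
    if domain in TRUSTED_DOMAINS:
        return None
    # 0.9 similarity catches a domain with a character or two omitted or swapped (heuristic threshold).
    return next((t for t in TRUSTED_DOMAINS if SequenceMatcher(None, domain, t).ratio() >= 0.9), None)

def phishing_indicators(raw_email):
    """List the telltale signs found in one raw RFC 822 message (empty list if none)."""
    msg, findings = message_from_string(raw_email), []
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    imitated = lookalike_domain(match.group(1).lower() if match else "")
    if imitated:
        findings.append(f"sender domain resembles {imitated}")
    # SPF/DMARC verdicts that the receiving gateway recorded in the headers.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("sender authentication failed")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(errors="replace").lower()
            if text.lstrip().startswith(GENERIC_GREETINGS):
                findings.append("generic greeting")
    return findings

# Constructed sample: lookalike sender, failed SPF/DMARC, generic greeting, .exe attachment.
SAMPLE_EMAIL = """\
From: "Account Team" <alerts@bankofexampl.com>
Authentication-Results: mx.examplehealth.org; spf=fail; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Valued Customer, your account has been locked. Open the attached form.
--b1
Content-Disposition: attachment; filename="form.exe"

--b1--
"""
```

Running `phishing_indicators(SAMPLE_EMAIL)` returns all four findings; a routine internal message from a trusted domain returns an empty list.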
SPEAR PHISHING
“Fishing with a pole may land you a number of items below the waterline – a flounder, bottom feeder, or piece of trash. Fishing with a spear allows you to target a specific fish. Hence the name,” Trend Micro explained.
Spear phishing targets a specific group or individual, such as system administrators or members of the human resources department, HC3 continued. The scammer typically researches the department or industry the victim works in so that the scam sounds more convincing.
WHALING
Whaling casts an even smaller net, targeting CEOs, CFOs, CIOs, or other high-level employees.
Whaling emails might claim that the targeted company is facing legal action and that the recipient must click a link to get more information.
SMISHING
Smishing uses short message service (SMS) or text messaging to get the victim’s attention.
“Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number,” CISA explained.
For example, a text might appear to be from a financial institution letting the victim know that their account has been compromised.
VISHING
“Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information,” CISA stated.
“Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.”
Vishing attackers can also leverage voice-changing software to obscure the caller’s identity.
PREVENTING SOCIAL ENGINEERING ATTACKS IN HEALTHCARE
Due to the popularity of phishing and other social engineering attacks, along with the frequency of healthcare cyberattacks, organizations should take action to mitigate risk and prevent these attacks from causing damage to their systems and operations.
Organizations can prevent social engineering attacks by investing in regular employee cybersecurity training and encouraging employees to watch out for common signs of phishing.
In addition, HC3 advised securing VoIP servers and confirming that emails which appear to come from known senders were actually sent by them. HC3 also recommended creating a blacklist and blocking malicious domains to prevent access to risky websites.
HC3 further suggested that organizations remove company data from data brokers. Data brokers, such as Zoominfo, specialize in collecting data and selling it for third-party use. Bad actors can easily leverage this data to craft highly specific phishing emails that are harder to detect.
Organizations should also consider integrating anti-spoofing technologies and antivirus software into their security programs.
Implementing technical and administrative safeguards, conducting regular employee training, and following security best practices can help healthcare organizations avoid falling victim to a social engineering attack.