IT support desk person providing customer support over the phone.

Social Engineering Scams Targeting IT Help Desks In The Health Sector

The U.S. Department of Health and Human Services (HHS) issued a warning statement indicating that attackers are attempting to target hospital IT help desks to gain access to critical medical systems.

The Health Sector Cybersecurity Coordination Centre (HC3) released a sector alert outlining strategies that allow attackers to access targeted organisations’ systems. They enrol their own multi-factor authentication (MFA) devices to execute these strategies.

A threat actor calling the IT help desk under the fake identity of an employee of the finance department initiates the attack. They utilise a local area code to make it appear as if they are near the targeted company.

The fraudster claims that their mobile device is malfunctioning and demands that a new device be registered for multi-factor authentication (MFA) to get access to their account. They make convincing calls when they have authentic details about the employee they are impersonating, such as their business ID number and Social Security number.

This provides attackers with a link to corporate resources, enabling them to execute business email compromise (BEC) attacks to redirect bank transactions. HHS states that the threat actor intentionally targeted login credentials associated with the payer websites.

Threat actors then used this data to modify the ACH information for payer accounts. Once inside staff email accounts, they dispatched instructions to payment processors, redirecting legitimate funds to the attackers’ U.S. bank accounts.

Later, they transferred the funds to foreign accounts. In addition, the threat actor registered a domain during the malicious campaign that differed slightly from the target organisation’s spelling. They also created an account acting as the target organisation’s Chief Financial Officer (CFO).

HHS alert mirrors the strategies of the infamous cybercrime group Scattered Spider

The identity of the threat actors behind the recent hits on the health sector is yet unknown. HHS has noted, nevertheless, that Scattered Spider used similar social-engineering techniques to obtain first access, which is similar to their approach prior to the ransomware attack on MGM Resorts in September 2023.

The 0ktapus campaign, targeting over 130 organisations, brought Scattered Spider hackers into the limelight. Major corporations, including Microsoft, Binance, Coinbase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy, fell victim to their attacks.

In addition, the group uses phishing, MFA bombing (also known as MFA weariness), and SIM swapping to get early access to networks.

In November, the FBI and CISA released an alert exposing Scattered Spider’s tactics, methods, and procedures (TTPs). This was a response to their ransomware attacks and data theft that targeted several well-known companies.

Attackers may use AI voice cloning technologies in these kinds of events to trick targets, making it more difficult to verify identities remotely. Recent global study found that 25% of people have either experienced or know of someone who has fallen victim to an AI voice scam, demonstrating the huge prevalence of this strategy.


Healthcare companies can bolster the security of their IT help desks by employing various techniques. These measures aim to safeguard confidential information and mitigate potential online risks. Implementing callback verification for password resets and new MFA devices is a recommended tactic.

Organisations should also consistently monitor ACH activities to detect any signs of suspicious behavior early on. Regularly revalidating user access to payer websites is crucial for maintaining a secure environment.

Furthermore, obtaining in-person requests for confidential information can add an extra layer of verification and protection. Strengthening supervisor verification methods enhances the authentication process. Lastly, comprehensive training for help desk personnel is imperative. This equips them to recognise and report social engineering attempts while validating caller IDs.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 

Recent posts