
How Social Engineering Attacks Present Unique Risks for Health Care

Social engineering scams have become more common and more costly—especially for health care organizations. These scams can result in significant financial and reputational loss, especially when an attack leads to a data breach. Digital transformation initiatives, mergers and acquisitions (M&A), and the increasing prevalence of these scams all make organizations vulnerable. However, the greatest threat organizations face comes from their lack of awareness and understanding about how these scams work. It is becoming increasingly crucial to be vigilant and aware of the threats posed by social engineering scams.

Emerging Social Engineering Attacks

Bad actors use various social engineering techniques to attack vulnerable parties. The following are the most common:

  • Phishing – Phishing, the most common form of social engineering attack, occurs when fraudsters create false communications that appear to be coming from an official source. They may then link the victim to a false website disguised to look like the site of an official organization. Ultimately, their goal is to convince the victim to provide sensitive data such as banking details, log-in credentials, or personally identifiable information (PII).
  • Vishing/Smishing – Vishing is phone-based phishing, where fraudsters call victims and impersonate an official or trusted source. Smishing is an attack launched through an SMS text message. Like phishing scams, these techniques have the aim of convincing the victim to provide sensitive data.
  • Baiting – These attacks occur when a scammer sends the victim an offer to get the victim to provide personal information in return. The “bait” offered may come in the form of money, gift cards, or digital media, and may be presented with the intent of enticing a specific victim based on their needs or interests.
  • Quid Pro Quo – A Quid Pro Quo often involves a scammer impersonating an IT professional who encourages the victim to disable their antivirus software so they can perform a “software upgrade” that is actually malicious software or a remote access tool (RAT). This allows them to assume control of the victim’s computer.
  • Pretexting – In these attacks, scammers work to create a false sense of trust with their victim. They may go to extreme lengths to craft a story the victim will find credible, claiming to be a distant family member, coworker, or friend who needs personal information. The scammer then uses that information to steal the victim’s identity, which in turn can be used to scam others.

Exposed: Health Care Laid Bare

The health care industry is targeted largely because it combines several distinct points of vulnerability. The following are areas that open health care organizations to social engineering attacks:

  • Digital Transformation – Health care organizations are relying more on digitally driven and automated processes and operations. This has made life more convenient, but it has also made both individuals and organizations more susceptible to digital-based scams. With an increase in digital communications comes more opportunities for scammers to insert themselves. These attacks can occur even at organizations with robust cyber-security systems, so it is imperative that organizations are prepared to respond with back-ups and clear continuity plans to limit exposure should such an attack occur.
  • Sensitive Information – The health care industry possesses large amounts of sensitive information. When data is breached as a result of a social engineering scam, it leaves the organization vulnerable to legal action. Lawsuits and settlements resulting from data breaches can compound losses and lead to detrimental consequences.
  • M&A – When organizations are acquired and workforces expand, as often happens in the health care industry, it can take time to assimilate teams and organize communications. During these stages, staff may be especially vulnerable to scams, as they may not yet know when communications are coming from a trustworthy source.

Willful Ignorance Breeds Risk

Social engineering scams can always be attributed to human error. Unlike ransomware or DDoS attacks, which can happen without the consent or knowledge of the victim, social engineering scams rely on the victim’s compliance with the scammer’s request. Because these scams hinge on human error, insurers are hesitant to underwrite social engineering coverage with a high level of confidence.

Historically, coverage for social engineering attacks has been included in both cyber and crime insurance policies. As these scams rely more on human vulnerabilities than IT system weaknesses, they might more adequately fit in crime policies.

To make sure your organization is protected, it is important to begin the renewal process early and stay up to date on changes in cyber security coverage. Equally, addressing social engineering risk at its root by providing all staff with mandatory social engineering awareness training provides a crucial safety net.

Want to learn more?

Find Rob Rosenzweig and Allen Blount on LinkedIn.