AI, Phishing, and Cybercrime: Unraveling the $7.5M HHS Grant Payment Heist

For even an entity as large as the federal government, a loss of $7.5 million due to cyberattacks is quite a hefty sum. There’s a buzz of speculation surrounding the method hackers used last year to swipe millions in grant payments from the U.S. Department of Health and Human Services.

One perspective suggests that the culprits possibly employed spear-phishing tactics enhanced by AI. However, some argue that this theft might have simply been the outcome of a classic financial con scheme.

There’s always a lot of public attention focused on issues of federal waste, fraud, and abuse. Interestingly, HHS also released guidelines on Wednesday, detailing “cybersecurity performance goals” for the entire healthcare industry. Consequently, it doesn’t reflect well when HHS, the very organization responsible for supervising cybersecurity and privacy within the healthcare sector, becomes a victim of hacking itself. The entire field is keeping a close eye on this.

The department kept the incident under wraps from the general public. However, they gave a vague confirmation when the media put them under pressure following Bloomberg’s initial report on the incident last week.

HHS confirmed that it has alerted its internal oversight body, the Office of Inspector General, regarding the “issue”. It’s highly likely that a call for an investigation from congressional members will soon ensue (see: Report: Hackers Duped $7.5M from HHS Grant Payment System).

The public is generally in the dark about the security breaches at HHS, which took place from the end of March to the middle of November 2023. The cybercriminals aimed their attacks at the grant payment system. They managed to siphon off millions of dollars that were supposed to go into five accounts – funds that were earmarked to aid rural areas and underprivileged patients, as reported by Bloomberg.

Is This Just Your Average Hoax?

What might make HHS blush even more is the high chance that the department and those who received its grants fell prey to one of the most longstanding and widespread forms of fiscal deceit – corporate email fraud.

Mike Hamilton, who co-established and currently serves as the CISO at Critical Insight, a security company, shared his experience with similar incidences. He cited an instance where a charity lost $800,000 through theft. This deceitful act started by compromising at least one employee’s credentials. The intruder then increased their access level, monitored internal emails, and impersonated a staff member who was liaising with the city on funding matters. Subsequently, the fraudster sent an email to the organization, instructing them to alter the bank’s routing number for the deposit.

Hamilton expressed his suspicion that the breach at HHS originated from email account intrusions at the five organizations receiving grants.

“That’s not a case of spear-phishing – it’s a legitimate email sent to the government funding agency from a recognized account – no alarm signals triggered – and requesting a password change,” he explained. “I’m fairly confident once the inquiry concludes, we’ll discover it was a standard business email breach.”

There’s no guaranteed way to completely avoid these frauds, but the danger they pose can be lessened. The issue of business email deception is far from fresh news. Hamilton emphasizes that the government bodies managing the allocation of funds must receive appropriate training in areas such as help desk operations and financial dealings. They should also employ methods like reverse contact to fully verify the identity of the person requesting changes.
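The "reverse contact" control Hamilton describes can be made mechanical rather than left to individual judgement. The following is an added example, not code from the article, Critical Insight, or HHS: a small approval gate for bank-detail change requests that only accepts a callback made to the phone number already on file (captured before the request arrived) plus dual approval, and that deliberately gives no weight to the sender address, since in the fraud pattern described the mailbox is genuine but hijacked. All grantee records, phone numbers and routing numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass(frozen=True)
class GranteeRecord:
    """Contact and banking details captured at onboarding, before any change request."""
    grantee_id: str
    verified_phone: str      # the only number staff may dial for reverse contact
    routing_number: str

@dataclass
class ChangeRequest:
    """A request, received by email, to change where grant payments are deposited."""
    grantee_id: str
    new_routing_number: str
    sender_email: str                          # may be a real but compromised mailbox
    callback_phone_in_message: Optional[str]   # number the email asks staff to call
    callback_phone_used: Optional[str] = None  # number staff actually dialled
    callback_confirmed: bool = False           # grantee confirmed the change by phone
    approvers: set = field(default_factory=set)

def evaluate(req: ChangeRequest, record: Optional[GranteeRecord],
             min_approvers: int = 2) -> Tuple[bool, str]:
    """Return (approved, reason). The sender address is intentionally not checked:
    a known sender is exactly what a business email compromise looks like."""
    if record is None:
        return False, "unknown grantee"
    if req.new_routing_number == record.routing_number:
        return False, "no change requested"
    # Core control: reverse contact goes to the number on file, never to a
    # number supplied inside the request itself.
    if req.callback_phone_used != record.verified_phone:
        return False, "callback must use phone number on file"
    if not req.callback_confirmed:
        return False, "grantee did not confirm by phone"
    if len(req.approvers) < min_approvers:
        return False, "dual approval required"
    return True, "approved"

# Constructed sample data (hypothetical grantee; routing numbers are placeholders).
GRANTEE_ON_FILE = GranteeRecord("RURAL-CLINIC-01", "+1-555-0100", "000011111")

# Staff called the number given in the email and received a convincing "confirmation".
SUSPICIOUS_REQUEST = ChangeRequest(
    "RURAL-CLINIC-01", "000022222", "finance@rural-clinic.example",
    callback_phone_in_message="+1-555-0199", callback_phone_used="+1-555-0199",
    callback_confirmed=True, approvers={"alice", "bob"})

# Same email, but staff dialled the number on file and obtained two approvals.
VERIFIED_REQUEST = ChangeRequest(
    "RURAL-CLINIC-01", "000022222", "finance@rural-clinic.example",
    callback_phone_in_message="+1-555-0199", callback_phone_used="+1-555-0100",
    callback_confirmed=True, approvers={"alice", "bob"})
```

The suspicious request is rejected even though the sender, the confirmation and the two approvals all look fine; the only difference is which phone number was used for the callback.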

Point the Finger at AI, Why Don’t We?

Chances are, someone might have become a victim of the most recent AI-assisted phishing emails. These emails are alarmingly convincing, thanks to the generative AI tools used to create them. The entire healthcare industry received a warning from HHS in October about this very issue.

Without a doubt, AI-enhanced phishing and social engineering assaults will make deceptive emails appear more convincing, stated Keith Fricke, a collaborator at the data protection and cybersecurity agency tw-Security. He further added that cybercrime organizations will likely begin providing AI as a service to a broad range of hackers soon.

“Sound files imitating demands from top-tier executives can deceive individuals into altering their passwords, modifying contact numbers associated with two-factor authentication messages, and can even manipulate them to approve hefty money transfers,” he stated.

Regardless of whether or not AI was involved, phishing emails have proven to be quite successful. As noted by Hamilton, “We are all subject to cognitive biases, our understanding of media is lacking, and we tend to accept information that aligns with our pre-existing perceptions. These aspects are all exploited by those aiming to deceive us.”

Even multifactor authentication isn’t a guaranteed safeguard.

In the current digital landscape, Hamilton pointed out, many phishing links trigger scripts that steal the victim’s session token and automate capture of the second factor. The danger lies in the link itself, not merely in entering credentials on a fraudulent login page, he stated.

Surprisingly, AI-powered email security software does a commendable job in identifying if an email is safe and devoid of malware or risky links. However, Hamilton pointed out that, unless the company scrutinizes each message, the onus falls on the employees to identify dubious emails.

This implies that the healthcare industry needs to elevate its strategies, including education, to increase understanding of the role AI plays in phishing activities, as per Fricke’s statement.

“Employee education needs to take place more often, including demonstrations of phishing emails. Companies should collaborate with the providers of email screening services to comprehend how these providers are enhancing their detection and isolation methods,” he stated.

A Call for Openness

At present, there’s no clarity for anyone outside of HHS regarding whether the HHS grant payment employees, who were victims of fraudulent activities, had received proper training, established correct procedures, or had sufficient cybersecurity measures.

Perhaps the most ironic aspect of all this is the absence of transparency we’ve seen so far.

Over the past several years, hospitals, medical organizations, and their business partners have been relentlessly targeted by ransomware attacks and data breaches, impacting the personal data of hundreds of millions of individuals. The Department of Health and Human Services (HHS) has been proactive in taking punitive measures in response to significant data breaches. This was evident in December when they imposed the first-ever fine resulting from a phishing attack.

HHS collaborates with various agencies to provide advice on risk management and implementing appropriate security measures. A significant principle of this program is the exchange of information. HHS promotes healthcare organizations to communicate cyber-related information with the Health-Information Sharing and Analysis Center, and also with CISA in the event of an incident.

Thus, this monetary breach will pose a significant challenge to HHS and the nation’s government. Will they establish a precedent of transparency and knowledge dissemination, as they advocate others to practice? Will the revelations be awkward? Quite likely. Could it potentially impact professional trajectories? It’s a possibility.
