Millions of dollars have been stolen from healthcare companies after fraudsters gained access to customer accounts and redirected payments.

In a newly-published advisory directed at the healthcare payment industry, the FBI warns that cybercriminals are using a cocktail of publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.

With compromised login credentials for healthcare payment processors exploited, the criminals divert payments to bank accounts under their own control.

As the FBI describes, in February 2022 a malicious hacker who managed to obtain access to accounts at a major healthcare company managed to change direct deposit banking information from a hospital to that of the criminal’s own checking account, resulting in a loss of $3.1 million loss. In the same month, a different cybercriminal used the same method to steal approximately $700,000 in a separate incident.

Then two months later, a healthcare company with over 175 medical providers discovered that a cybercriminal posing as an employee had changed payment instructions to direct funds, successfully stealing $840,000 in two transactions before being discovered.

And the threat is clearly not new. From June 2018 to January 2019, the FBI reports, cybercriminals broke into at least 65 healthcare payment processors across the United States and replaced legitimate customer banking and contact information with accounts controlled by the criminals. One victim reported losing approximately $1.5 million as a result.

Tell-tale signs that a healthcare organisation may be being targeted include: