Blog|Articles|April 16, 2026

The rise in 'vishing' attacks and ways to mitigate HIPAA violations

What practices need to know about "vishing" — the phone-based scam putting patient data and HIPAA compliance at risk.

By now, regardless of the industry that one works in, the term “phishing” is common vernacular. The National Institute of Standards and Technology (NIST) defines “phishing,” a form of social engineering, as a “technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.” Stated another way, it is a method of solicitation to gain access to certain information and use it for a nefarious purpose.

“Vishing” is a form of phishing that specifically uses voice and a telephone. As the Office of Information Security (OIS) relayed in its August 19, 2022, Report No. 202208191500, “[v]oice phishing, also known as vishing, is the practice of eliciting information or attempting to influence action via the telephone.” Fast-forward two years to April 2024, when OIS published “Social Engineering Attacks Targeting the HPH Sector.” This publication provides an overview of social engineering, as well as targeted campaigns, the role of artificial intelligence (AI) and risk mitigation suggestions.

Some notable points are as follows:

  • Advancements in technology and AI are lowering the barrier to entry for cybercriminals and increasing the sophistication of social engineering attacks.
  • A combination of technical and nontechnical mitigations is essential in defending against social engineering attacks.
  • Telephone-Oriented Attack Delivery (TOAD) lures potential victims into contacting fraudulent call centers managed by threat actors to steal credentials or install malware on their systems. TOAD moves the attack channel from the initial email to the telephone. Emails initiating TOAD attacks often do not contain URLs or attachments, which makes them difficult to detect.
  • In 2023, an average of 1.99 health care data breaches of 500 or more records were reported each day, and an average of 364,571 health care records were breached every day.
  • Health care and finance were the top sectors targeted.
  • Multi-factor authentication (MFA) techniques are being bypassed by SIM swapping, adversary-in-the-middle (AITM), MFA prompt bombing, token theft and vishing/smishing.
  • Since the launch of ChatGPT in November 2022, vishing, smishing and phishing attacks have increased by a staggering 1,265%.
  • Training was the top mitigating risk factor.

So, what is the latest trend to pop up in relation to vishing attacks?

By now, almost everyone uses MFA for a variety of purposes, from Amazon logins to workplace software access. Okta is a commonly used identity and MFA provider, and vishing attacks on these systems have increased through “attackers simply call[ing] the victim or an IT help desk and convince[ing] them to weaken or reset…MFA.” Utilizing the NIST approach of prevention, detection and correction is a good framework for both cybersecurity and HIPAA compliance requirements. Training is a form of prevention; software or a human being catching a potential vishing scam is detection; and reporting the incident for immediate action, whether through a technology alert or a user communicating with their IT department, falls under correction.
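One way the "detection" leg of that framework can be automated, as an added example that is not from the original article: a small Python check over constructed identity-provider log lines (event names are modeled on Okta's System Log naming; the log content, user names and IP addresses are invented) that flags an MFA factor reset followed shortly by a login from an address the account had never used before, the pattern a help-desk vishing reset leaves behind.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log, one JSON record per line (not real data). Field names and
# event types follow the Okta System Log style; the values are invented for this example.
SAMPLE_LOG = """
{"published":"2026-04-01T14:02:10Z","eventType":"user.session.start","actor":"alice","client_ip":"203.0.113.10"}
{"published":"2026-04-01T14:20:00Z","eventType":"user.mfa.factor.reset_all","actor":"helpdesk.bob","target":"alice"}
{"published":"2026-04-01T14:31:45Z","eventType":"user.session.start","actor":"alice","client_ip":"198.51.100.77"}
{"published":"2026-03-30T09:00:00Z","eventType":"user.session.start","actor":"carol","client_ip":"203.0.113.44"}
{"published":"2026-04-01T15:00:00Z","eventType":"user.mfa.factor.reset_all","actor":"helpdesk.bob","target":"carol"}
{"published":"2026-04-01T15:05:00Z","eventType":"user.session.start","actor":"carol","client_ip":"203.0.113.44"}
"""

# Event types that weaken or remove a user's MFA enrollment.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
WINDOW = timedelta(minutes=60)  # how soon after a reset a login counts as suspicious


def parse_events(text):
    """Parse newline-delimited JSON records and return them in chronological order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=WINDOW):
    """Return (user, reset_time, login_ip) for every MFA reset that is followed within
    `window` by a session start from an IP the user had never logged in from before."""
    known_ips = {}   # user -> IPs seen in that user's earlier logins
    pending = {}     # user -> timestamp of the latest reset not yet matched to a login
    findings = []
    for e in events:
        if e["eventType"] in RESET_EVENTS and e.get("target"):
            pending[e["target"]] = e["ts"]
        elif e["eventType"] == "user.session.start":
            user, ip = e["actor"], e["client_ip"]
            reset_at = pending.get(user)
            if reset_at and e["ts"] - reset_at <= window and ip not in known_ips.get(user, set()):
                findings.append((user, reset_at.isoformat(), ip))
                pending.pop(user)  # alert once per reset
            known_ips.setdefault(user, set()).add(ip)
    return findings


if __name__ == "__main__":
    for user, reset_at, ip in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f"ALERT: MFA reset for {user} at {reset_at} followed by login from new IP {ip}")
```

In the sample, carol's post-reset login comes from an address she had used before and is not flagged, while alice's login from a never-seen address eleven minutes after a help-desk reset is.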

The number of cybercriminals, the frequency and intensity of attacks, and the use of AI to perpetrate vishing and other forms of social engineering are only going to increase. The February 2026 announcement by the U.S. Department of Health and Human Services Office for Civil Rights regarding a HIPAA settlement stemming from a successful phishing attack due to insufficient safeguards, including the required annual risk analysis, should serve as a warning to covered entities and business associates alike.

Addressing all forms of phishing, the evolving threat landscape, and actions to take against vishing or other forms of social engineering is critical to mitigating both the risk of an attack and potential liability.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.