BlogLine

Combating FraudGPT: new guidance to healthcare providers

2/8/24


By: Alexia R. Roney

To combat phishing attacks supercharged by AI, the Health Sector Cybersecurity Coordination Center (HC3) has provided guidance to the healthcare industry through its white paper, “AI-Augmented Phishing and the Threat to the Health Sector.” Phishing is the most common avenue of attack, representing fifty percent of attacks on the healthcare industry.  

A phishing attack is a fraudulent communication, usually by email, which appears to come from a reputable source and induces the recipient to provide sensitive data like passwords or inadvertently install malware onto the computer system. Thus, the phishing attack is the tip of the spear to gain access to secure systems. Until now, one of the easiest tells for a phishing attack has been the use of misspelled, awkward, and ungrammatical English in the email. Unfortunately, with free access to AI language models, threat actors have been able to craft more literate and convincing phishing emails. They’ve gone as far as developing their own AI model, named with admirable self-awareness – FraudGPT.

In its white paper, HC3 recommends that organizations take a multi-layered approach to cybersecurity, including employee training, technical controls, and incident response planning. Two aspects that HC3 strongly emphasizes are multifactor authentication (MFA) and employee training to identify phishing emails even when generated by AI.  

MFA is a two-step verification process for entering secure online services where a user first provides a password and username and then must provide a second confirmation, such as through a code sent via text message, a telephone call, or a separate application on a cellphone, to confirm the user’s identity. Thus, if a hostile actor successfully gains password credentials, the next verification process will impede their access to the secure system. This has been a recommended practice since long before the AI threat. The Cybersecurity & Infrastructure Security Agency has provided free instruction to implement phishing-resistant MFA, available at https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf.

In regard to employee education, HC3 recommends that employees check the email address and domain name of the sender to confirm the email comes from a legitimate organization; watch for red flags such as requests for money or information; hover over links to see if they match the sender site; and avoid downloading attachments until the recipient is confident the email is legitimate. Employee training must be ongoing – AI-refined phishing attacks are just the most recent development in cybersecurity threats – because new threats will continue to arise.
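The sender, link, and attachment checks described above can also be applied automatically by a mail filter before a message reaches an employee. The following is an added example, not code from the HC3 white paper or from this post; the sample message, its domains, and the helper names `site` and `review` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: every name, address and domain is made up.
SAMPLE = '''From: "Clinic Billing" <billing@clinic-payments.test>
To: staff@clinic.test
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Pay at <a href="https://login.pay-portal.test/verify">https://portal.clinic.test/invoice</a>
or read the <a href="https://clinic-payments.test/help">help page</a>.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

placeholder
--b1--
'''
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def site(host):
    # Assumption: last two labels approximate the registrable domain;
    # real code should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def review(raw, known_sites):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    flags = []
    if sender not in known_sites:
        flags.append(f"sender domain {sender} is not a known organization")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            flags.append(f"attachment {part.get_filename()}: verify before opening")
        elif part.get_content_type() == "text/html":
            for href, text in ANCHOR.findall(part.get_payload()):
                target = site(urlparse(href).hostname or "")
                if target != sender:
                    flags.append(f"link goes to {target}, not the sender's site")
                shown = re.search(r"https?://[^\s<]+", text)
                if shown and site(urlparse(shown.group()).hostname or "") != target:
                    flags.append(f"link text shows {shown.group()} but goes to {target}")
    return flags
```

Calling `review(SAMPLE, {"clinic.test"})` returns four flags: the unknown sender domain, the link that leaves the sender's site, the mismatch between that link's visible text and its real destination, and the attachment.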

HC3 remains an excellent source of reliable and free information to healthcare organizations regarding threats, sector alerts, and advice such as that found in “AI-Augmented Phishing and the Threat to the Health Sector.” The white paper is available here: https://www.hhs.gov/sites/default/files/ai-and-phishing-as-a-threat-to-the-hph-white-paper-tlpclear.pdf

For more information, please contact Alexia Roney at aroney@fmglaw.com or your local FMG attorney.