When Fake IT Support Comes Knocking: A Healthcare Story
Why doctors and nurses are vulnerable to this hack
It’s a quiet afternoon at home, and you're halfway through your third telemedicine appointment of the day. Somewhere in the distance, the family dog barks at the mail carrier, and your coffee has gone cold again. The patient on your screen is explaining their new back pain—sharp, radiating, worse when they breathe deeply. You're already mentally drafting the chart note, deciding how best to rule out something serious.
Then it starts. An email notification. Then another. And another. Within minutes, your inbox is a war zone: hundreds of emails piling up, shouting over one another in all caps. Subject lines scream "URGENT!" or "ACTION REQUIRED!" Others promise "unclaimed rewards" or remind you of accounts you don’t even have.
You try to focus on the patient. After all, their back pain doesn’t care about your inbox. But the deluge becomes impossible to ignore. You glance at your email client, flag a few suspicious messages, and click the option to report phishing attempts. It's protocol: report it, notify IT, and move on.
Then, just as you finish the appointment and hit "save" on your notes, a new notification pops up—not an email this time, but Microsoft Teams.
"Hi, this is Jason from IT Support," the message says. "We noticed some unusual activity on your account. Can I help you resolve this?"
Jason sounds friendly. Efficient. Like the kind of person who has fixed countless computer problems and is ready to add yours to the list. You’ve already flagged the phishing emails. You’ve done what you’re supposed to do. Why wouldn’t IT be reaching out now? Jason offers remote assistance. It makes sense—they’re the experts, after all.
But Jason isn’t IT. Jason is an imposter.
The Hack in Action
Here’s what’s really happening: The deluge of emails was phase one of the attack. It’s called a "spam flood," designed to overwhelm your inbox and create a sense of urgency. When overwhelmed, people act impulsively, focusing on solving the immediate problem rather than stopping to verify what’s real.
Phase two is the Teams message. Hackers use external accounts to pose as tech support, exploiting the default settings in Microsoft Teams that allow outsiders to message employees. It’s a subtle move, one that relies on trust and the assumption that tech support would naturally follow up on flagged activity.
Once the victim grants remote access, the real damage begins:
Hackers deploy malware through remote screen control.
They use your credentials to disable multifactor authentication and antivirus protections.
They create command shells and access sensitive files, potentially including protected health information (PHI).
From there, they move laterally across the network, searching for more systems to compromise.
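The two phases described above leave a correlatable trail: an abnormal burst of inbound mail to one mailbox, followed shortly by a chat opened by an account outside the organisation's own tenant. The PowerShell below is an added example (not code from the original post) that runs that correlation over constructed sample records; in practice the mail rows would come from your mail gateway's message-trace export and the chat rows from the Microsoft 365 unified audit log (for example the ChatCreated records returned by Search-UnifiedAuditLog). The domain names, thresholds and time windows are assumptions to be tuned to your environment.

```powershell
# Added example: flag users who received a mail burst and were then contacted
# from an external Teams tenant. All records below are constructed sample data.

$InternalDomain = 'hospital.example'           # assumption: our own tenant domain
$BurstThreshold = 50                           # mails to one mailbox within the window
$BurstWindow    = [TimeSpan]::FromMinutes(15)
$FollowUpWindow = [TimeSpan]::FromHours(2)     # how soon after a burst an external chat is suspicious

$T0 = Get-Date '2024-05-01T14:00:00Z'          # constructed reference time

# Constructed mail-gateway records: one row per inbound message.
# dr.lee gets 80 messages in under 11 minutes; nurse.kim gets one.
$MailLog = @(
    1..80 | ForEach-Object {
        [pscustomobject]@{ Time = $T0.AddSeconds($_ * 8); Recipient = 'dr.lee@hospital.example' }
    }
    [pscustomobject]@{ Time = $T0.AddMinutes(5); Recipient = 'nurse.kim@hospital.example' }
)

# Constructed Teams audit records: who opened a chat with whom, and when.
$ChatLog = @(
    [pscustomobject]@{ Time = $T0.AddMinutes(40); Recipient = 'dr.lee@hospital.example';    Sender = 'jason.support@helpdesk-tenant.example' }
    [pscustomobject]@{ Time = $T0.AddMinutes(45); Recipient = 'nurse.kim@hospital.example'; Sender = 'servicedesk@hospital.example' }
)

function Find-MailBursts {
    # Sliding window per recipient: report the first point where >= Threshold
    # messages arrive within Window.
    param($Log, [int]$Threshold, [TimeSpan]$Window)
    $bursts = @()
    foreach ($group in ($Log | Group-Object Recipient)) {
        $times = @($group.Group.Time | Sort-Object)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $start = $times[$i]
            $end   = $start + $Window
            $count = @($times | Where-Object { $_ -ge $start -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $bursts += [pscustomobject]@{ Recipient = $group.Name; Start = $start; Count = $count }
                break   # one alert per recipient is enough
            }
        }
    }
    return $bursts
}

function Find-SuspiciousChats {
    # For each burst, look for a chat from outside our domain to the same user
    # within the follow-up window after the burst began.
    param($Bursts, $Chats, [string]$Domain, [TimeSpan]$FollowUp)
    foreach ($burst in $Bursts) {
        $Chats | Where-Object {
            $_.Recipient -eq $burst.Recipient -and
            $_.Sender -notlike "*@$($Domain)" -and
            $_.Time -ge $burst.Start -and
            $_.Time -le ($burst.Start + $FollowUp)
        } | ForEach-Object {
            [pscustomobject]@{
                User         = $_.Recipient
                MailBurst    = "$($burst.Count) messages from $($burst.Start.ToString('u'))"
                ExternalChat = "$($_.Sender) at $($_.Time.ToString('u'))"
            }
        }
    }
}

$bursts = Find-MailBursts -Log $MailLog -Threshold $BurstThreshold -Window $BurstWindow
Find-SuspiciousChats -Bursts $bursts -Chats $ChatLog -Domain $InternalDomain -FollowUp $FollowUpWindow |
    Format-Table -AutoSize
```

With the sample data only dr.lee is reported: the burst alone would be a nuisance alert, and an external chat alone is routine for anyone who works with outside vendors, but the two together, in that order, are the shape of the attack the post describes. The check deliberately keys on the sender's domain rather than the display name, because "Jason from IT Support" is whatever the attacker typed into the profile.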
Why Healthcare Is a Target
Healthcare workers, particularly those working remotely, are uniquely vulnerable to this kind of attack. Doctors and nurses are trained to triage problems quickly. The impulse to fix and move on is hardwired, which is exactly what these schemes exploit.
Additionally, the reliance on legitimate remote tech support in healthcare settings blurs the lines between real and fake help. If you’re accustomed to remote IT providers swooping in to solve issues, why would you question "Jason" showing up in your Teams chat?
The broader problem is that most training focuses on spotting fake emails or avoiding phishing links. Few organizations prepare staff to handle a scam that arrives through legitimate internal communication platforms.
A Wake-Up Call for Healthcare
The fallout from these attacks can be devastating, not just for individuals but for entire organizations. Patient data can be exposed, schedules disrupted, and networks compromised. And all because someone trusted "Jason."
To reduce vulnerability, healthcare organizations need to take action:
Configure Default Settings: Restrict external messaging on platforms like Microsoft Teams.
Update Training: Teach staff how to verify IT contacts and question unexpected messages.
Enhance Authentication: Use robust multifactor authentication and audit access regularly.
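The first of these three actions is a small amount of tenant configuration. The PowerShell below is an added example, not instructions from the original post or from Microsoft, and it assumes the MicrosoftTeams PowerShell module, a Teams administrator role, and placeholder partner domain names. It first shows the current external-access settings and then replaces the open-by-default posture with a block on consumer accounts and an allow-list of the organisations that genuinely need to reach staff.

```powershell
# Added example: review and tighten Teams external access so unknown tenants
# cannot open a chat with staff. Domain names are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Look before changing anything: these are the tenant-wide federation settings.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Block personal (consumer) Teams and Skype accounts from contacting the organisation.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 3. Keep federation, but only with named partner tenants instead of every domain.
#    The contracted IT provider is the kind of entry that belongs here.
$partners = [System.Collections.Generic.List[string]]::new()
$partners.Add('contracted-it-vendor.example')   # placeholder: your real support vendor's tenant domain
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $partners

# 4. Confirm the result.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers
```

An allow-list has a useful side effect for the second action on the list: once only known domains can reach staff, "verify the IT contact" becomes a concrete rule (the chat must come from your own tenant or a domain on that list) rather than a judgement call made between patients.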
As for the doctors and nurses working remotely, juggling patients, families, and inboxes full of chaos? Pause. Verify. If "Jason" messages you out of the blue, don’t hand over the keys to your kingdom. Remember, not all helpers are here to help.
Recent Cyber Incidents Highlight the Risks
The healthcare sector has witnessed significant cyberattacks recently, underscoring the importance of vigilance:
Change Healthcare Breach: In February 2024, the BlackCat ransomware group attacked Change Healthcare, disrupting U.S. healthcare services and costing UnitedHealth Group an estimated $872 million in the first quarter alone.
National Public Data Breach: This breach exposed 2.9 billion records across the U.S., UK, and Canada, making it one of the largest data breaches in history.
These incidents serve as reminders of the vulnerabilities within the healthcare system and the critical need for robust cybersecurity measures and education. I think real-life stories like this are key for learning.
Salim Afshar