H-ISAC TLP White Threat Bulletin: Emerging SMS/Voice OTP Toll Fraud via Account Sign-up and Patient Portal Flows
Health-ISAC is tracking an emerging fraud pattern in which threat actors exploit the SMS and voice One-Time Password (OTP) mechanisms used in account sign-up, patient portal enrollment, telehealth registration, and MFA flows. Attackers mass-create bogus accounts, then repeatedly abuse OTP resend and password reset functions to generate large volumes of SMS messages and voice calls to premium-rate or high-cost international numbers under their control.
This technique results in direct financial losses from elevated telecommunications charges, potential service disruption, and reputational damage with carriers and patients. It is highly likely that healthcare organizations with lightly protected OTP flows and global SMS/voice reach are at elevated risk.
Members are strongly encouraged to review their OTP implementations, apply rate limiting and high-risk destination controls, and establish telecom monitoring and anomaly detection for OTP traffic.
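An added example, not part of the bulletin or of Health-ISAC's report: a minimal pre-send gate that applies the rate limiting and destination controls recommended above before an OTP request reaches the telecom provider. The thresholds, the `+1` allowlist, the number-block limit, the class and function names, and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Illustrative policy values (assumptions, not from the bulletin); tune to real traffic.
ALLOWED_PREFIXES = ("+1",)   # calling codes the portal actually serves
WINDOW_SECONDS = 600         # sliding window length
MAX_PER_NUMBER = 3           # sends to one phone number per window
MAX_PER_SOURCE = 5           # sends requested by one client IP per window
MAX_PER_BLOCK = 10           # sends to numbers sharing the same leading digits
BLOCK_DIGITS = 8             # "+" plus 7 digits identifies a number block

class OtpSendGate:
    """Decides whether an OTP SMS/voice send should go to the telecom provider."""
    def __init__(self):
        self._events = defaultdict(deque)  # limiter key -> timestamps of allowed sends

    def _count(self, key, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        q = self._events[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def check(self, phone, source_ip, now):
        """Return (allowed, reason). `phone` must be E.164, e.g. +12025550101."""
        if not phone.startswith(ALLOWED_PREFIXES):
            return False, "destination_not_allowed"
        limits = [
            (("number", phone), MAX_PER_NUMBER, "number_rate_limit"),
            (("source", source_ip), MAX_PER_SOURCE, "source_rate_limit"),
            (("block", phone[:BLOCK_DIGITS]), MAX_PER_BLOCK, "block_rate_limit"),
        ]
        for key, limit, reason in limits:
            if self._count(key, now) >= limit:
                return False, reason
        for key, _, _ in limits:  # record only sends that were allowed
            self._events[key].append(now)
        return True, "ok"

def replay(events):
    """Run (timestamp, phone, source_ip) tuples through a fresh gate; tally outcomes."""
    gate, tally = OtpSendGate(), defaultdict(int)
    for ts, phone, ip in events:
        tally[gate.check(phone, ip, ts)[1]] += 1
    return dict(tally)

# Constructed sample traffic: one patient, one resend loop, one foreign destination.
SAMPLE = [(0, "+12025550101", "198.51.100.7")]
SAMPLE += [(10 + i, "+12025550199", "203.0.113.9") for i in range(6)]
SAMPLE += [(100, "+88212345678", "203.0.113.9")]
```

Logging the reason codes returned by `check` and counting them per destination prefix gives a simple feed for the OTP traffic monitoring described above.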