September 5, 2024
Cyber Risk Alert: Scammers Posing as Regulatory Officials
Summary
Scams may be hard to spot, especially if employees are not trained to recognize them.
In recent months there has been a resurgence of a scam targeting physicians, nurses, and other healthcare providers (HCPs) in which criminals pose as regulatory officials. Scammers contact healthcare providers by telephone, email or mail, claiming to be from a state or federal regulatory agency such as the Board of Medicine, Board of Nursing, US Department of Justice or the Drug Enforcement Administration. The caller will advise the HCP that their medical license has been suspended, or that they are under investigation for drug trafficking or illegal prescribing, and will demand payment either to resolve the investigation or as bond to ensure cooperation with the investigation.
Scammers use many different techniques to gain the confidence of their victims. Spoofed phone numbers, emails or badge numbers may be used to give the appearance of legitimacy. Scammers are often well-prepared with details about the targeted victim, such as their full name, license number and National Provider Identification number, and will use that information to gain the trust of the victim. Once the victim is engaged in the conversation, scammers will convey a sense of urgency, dissuade the victim from independently verifying the caller’s identity with the agency, and suggest that the victim refrain from discussing the investigation with others.
Risk Recommendations:
These scams, and others like them, may be hard to spot, especially if employees are not trained to recognize them. The best way to protect your organization from these cybercrimes is by promoting employee vigilance, heightened security awareness, and well-crafted policies and procedures. Consider the following when reviewing your organization’s response to this scam and others like it:
- Provide security awareness training. Train employees to recognize the signs of fraudulent phone calls, emails or letters, such as misspellings, typos, urgent requests, requests for money or attempts to dissuade verification of credentials. Remind HCPs that legitimate regulatory agencies will never ask for money, require an urgent response, advise against speaking to a lawyer or ask you to confirm personal details such as a Social Security number, date of birth or financial information.
- Verify communications. If you are contacted by a state or federal regulatory agency, independently contact those agencies to verify the authenticity of the communication you receive and the identity of the purported official.
- Tag external emails. Work with software vendors to clearly identify or “tag” all emails originating from outside the organization. Carefully review all tagged emails before responding, and never click on suspicious links or download suspicious attachments. Train employees to report and handle suspicious emails.
- Optimize security software. Work with your IT department to optimize antivirus software and firewalls to protect against cyberattacks. Regularly update software to block new and emerging cyber threats before they cause harm.
- Report. If you are unsure whether an alleged Board complaint is legitimate, report it immediately to your insurance carrier. If you have been the victim of an attack, report it immediately to your organization’s risk management department and file a complaint with your state attorney general, the FBI Internet Crime Complaint Center, and your cyber liability insurance carrier.