2) Fake invoices
Business email compromise—in which a scammer infiltrates or spoofs legitimate email accounts to redirect money—is “one of the most financially damaging online crimes,” according to the Federal Bureau of Investigation.
In some cases, a scammer will break into a finance worker’s email account and spend weeks learning the patterns of when and how certain companies tend to send invoices. Then, they’ll set up a filter to automatically direct future invoices into a “trash” or “spam” folder—and either change the routing and bank account numbers before placing it back in the inbox, or generate their own message and invoice that looks the same, but with their own financial information.
If a scammer has infiltrated email addresses of top executives or supervisors, they can even create fake email exchanges pretending to approve the change in payment, to make it look more believable.
“It looks perfectly legitimate. The email is normal—the invoice looks great, no problems,” said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and a former health system chief information officer. So the employee processes the invoice and pays it.
To prevent against that type of scam, he suggested hospitals establish processes that flag changes to payment methods and confirm adjustments with vendors directly before processing.
“Have good processes built,” DeFord said. “If you follow (the) processes, it becomes way harder to fall for one of these scams.”
3) Fake email requests
Email phishing, where a cybercriminal sends a message while posing as a trusted source, such as a CEO, isn’t new. But scammers are getting more sophisticated in how they make their messages appear legitimate, reviewing previous messages from the person they’re imitating and gleaning information from social media to personalize the email.
They might imitate an employee’s direct supervisor or even an executive, while asking them to wire money for a supposedly pending transaction or to buy gift cards for an upcoming event.
Scammers sending phishing emails have also tried to prey on the urgency around the COVID-19 crisis, posing as if they’re selling gloves and masks amid a shortage of such supplies.
“A lot of the time, phishing emails are going to rely on a certain emotion,” said James McQuiggan, a security awareness advocate at IT security training company KnowBe4.
If something seems unusual, employees should be encouraged to trust their gut and double-check with executives to get a clear sign-off on the transaction they’ve been asked to make—particularly if it’s for a large sum of money. “Trust, but verify,” McQuiggan said. “Sometimes it takes a couple extra seconds to save what potentially could be millions lost.”
4) Fake job listings
Scammers will advertise job listings that organizations aren’t actually hiring for and work their way through a fraudulent hiring process—all the way through interviewing applicants and sending a fake job offer. The scammers then collect the victim’s personal and banking information when they accept the fake job.
Even though the scammers aren’t targeting hospitals directly in these scams, it can hurt an organization’s reputation.
Hospitals’ HR departments should regularly monitor mentions of the organizations’ job listings online in an effort to catch these scams, DeFord suggested. “If you’re mentioned, and it’s something like this, get on it right away,” he said, recommending hospitals report incidents to the FBI and local law enforcement. “Try to get these things nipped in the bud.”
