4 cyberscams for hospitals to watch out for

One thing the pandemic did not slow down in 2020 was the rash of cyberattacks on healthcare organizations. The year ended with a record number of data breaches—641—being reported to HHS, and that number will surely grow.

But ransomware and other breaches into systems aren't the only dangers healthcare organizations need to defend against. Cybersecurity experts warn about four common scams they’ve seen permeating the industry.

1) Fake vaccine appointments
People are “desperate and eagerly awaiting vaccine information,” said David Nides, a principal at consulting firm KPMG’s cybersecurity services practice who works with healthcare and life sciences organizations—and scammers haven’t hesitated to take advantage of that.

In Florida, scammers early this month set up an online registration site posing as local health departments, charging seniors for vaccination appointments that didn't actually exist.

These scams are not only taking place online—in the case above, the fake appointment scheme was posted on website Eventbrite—but also through email, telephone calls and text messages, according to Nides. Scammers might employ caller-ID spoofing, so that it appears as if a phone call is coming from a local hospital and pose as a worker scheduling patients for vaccine appointments while requesting demographic and payment information.

Many of the vaccine scams Nides has seen are targeting healthcare workers, specifically, since the attackers know they’re first in line for the vaccines.

He suggested hospitals raise awareness about their process for administering vaccines so workers know what to anticipate and what to be skeptical of.

2) Fake invoices
Business email compromise—in which a scammer infiltrates or spoofs legitimate email accounts to redirect money—is “one of the most financially damaging online crimes,” according to the Federal Bureau of Investigation.

In some cases, a scammer will break into a finance worker’s email account and spend weeks learning the patterns of when and how certain companies tend to send invoices. Then, they’ll set up a filter to automatically direct future invoices into a “trash” or “spam” folder—and either change the routing and bank account numbers before placing it back in the inbox, or generate their own message and invoice that looks the same, but with their own financial information.

If a scammer has infiltrated email addresses of top executives or supervisors, they can even create fake email exchanges pretending to approve the change in payment, to make it look more believable.

“It looks perfectly legitimate. The email is normal—the invoice looks great, no problems,” said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and a former health system chief information officer. So the employee processes the invoice and pays it.

To prevent against that type of scam, he suggested hospitals establish processes that flag changes to payment methods and confirm adjustments with vendors directly before processing.

“Have good processes built,” DeFord said. “If you follow (the) processes, it becomes way harder to fall for one of these scams.”

3) Fake email requests
Email phishing, where a cybercriminal sends a message while posing as a trusted source, such as a CEO, isn’t new. But scammers are getting more sophisticated in how they make their messages appear legitimate, reviewing previous messages from the person they’re imitating and gleaning information from social media to personalize the email.

They might imitate an employee’s direct supervisor or even an executive, while asking them to wire money for a supposedly pending transaction or to buy gift cards for an upcoming event.

Scammers sending phishing emails have also tried to prey on the urgency around the COVID-19 crisis, posing as if they’re selling gloves and masks amid a shortage of such supplies.

“A lot of the time, phishing emails are going to rely on a certain emotion,” said James McQuiggan, a security awareness advocate at IT security training company KnowBe4.

If something seems unusual, employees should be encouraged to trust their gut and double-check with executives to get a clear sign-off on the transaction they’ve been asked to make—particularly if it’s for a large sum of money. “Trust, but verify,” McQuiggan said. “Sometimes it takes a couple extra seconds to save what potentially could be millions lost.”

4) Fake job listings
Scammers will advertise job listings that organizations aren’t actually hiring for and work their way through a fraudulent hiring process—all the way through interviewing applicants and sending a fake job offer. The scammers then collect the victim’s personal and banking information when they accept the fake job.

Even though the scammers aren’t targeting hospitals directly in these scams, it can hurt an organization’s reputation.

Hospitals’ HR departments should regularly monitor mentions of the organizations’ job listings online in an effort to catch these scams, DeFord suggested. “If you’re mentioned, and it’s something like this, get on it right away,” he said, recommending hospitals report incidents to the FBI and local law enforcement. “Try to get these things nipped in the bud.”