January 16, 2021 01:00 AM

4 cyberscams for hospitals to watch out for

Jessica Kim Cohen

    One thing the pandemic did not slow down in 2020 was the rash of cyberattacks on healthcare organizations. The year ended with a record number of data breaches—641—being reported to HHS, and that number will surely grow.

    But ransomware and other breaches into systems aren't the only dangers healthcare organizations need to defend against. Cybersecurity experts warn about four common scams they’ve seen permeating the industry.

    1) Fake vaccine appointments
    People are “desperate and eagerly awaiting vaccine information,” said David Nides, a principal at consulting firm KPMG’s cybersecurity services practice who works with healthcare and life sciences organizations—and scammers haven’t hesitated to take advantage of that.

    In Florida, scammers early this month set up an online registration site posing as local health departments, charging seniors for vaccination appointments that didn't actually exist.

    These scams are not only taking place online—in the case above, the fake appointment scheme was posted on the website Eventbrite—but also through email, telephone calls and text messages, according to Nides. Scammers might employ caller-ID spoofing so that a phone call appears to come from a local hospital, then pose as a worker scheduling patients for vaccine appointments while requesting demographic and payment information.

    Many of the vaccine scams Nides has seen are targeting healthcare workers, specifically, since the attackers know they’re first in line for the vaccines.

    He suggested hospitals raise awareness about their process for administering vaccines so workers know what to anticipate and what to be skeptical of.

    Mapping how a business email compromise scam gets through
    1. Scammer uses phishing techniques to break into a finance worker’s email account.
    2. Scammer observes the email inbox for weeks, learning the patterns of how certain companies tend to send invoices—such as when they send them, what they look like and for what amount.
    3. Scammer sets up a filter to automatically direct future invoices to a “trash” or “spam” folder.
    4. Scammer either changes the real email or creates their own message and invoice that look the same, but with their own routing and bank account numbers.
    5. Scammer falsifies email exchanges from top executives or supervisors pretending to approve the change in payment.
    6. Scammer waits for the invoice to be paid by a staffer, who doesn’t realize the funds are actually being sent to the scammer, not the legitimate vendor.

    2) Fake invoices
    Business email compromise—in which a scammer infiltrates or spoofs legitimate email accounts to redirect money—is “one of the most financially damaging online crimes,” according to the Federal Bureau of Investigation.

    In some cases, a scammer will break into a finance worker’s email account and spend weeks learning the patterns of when and how certain companies tend to send invoices. Then, they’ll set up a filter to automatically direct future invoices into a “trash” or “spam” folder—and either change the routing and bank account numbers before placing it back in the inbox, or generate their own message and invoice that looks the same, but with their own financial information.

    If a scammer has infiltrated email addresses of top executives or supervisors, they can even create fake email exchanges pretending to approve the change in payment, to make it look more believable.

    “It looks perfectly legitimate. The email is normal—the invoice looks great, no problems,” said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and a former health system chief information officer. So the employee processes the invoice and pays it.

    To guard against that type of scam, he suggested hospitals establish processes that flag changes to payment methods and confirm adjustments with vendors directly before processing.

    “Have good processes built,” DeFord said. “If you follow (the) processes, it becomes way harder to fall for one of these scams.”
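
The two control points described in this section can be checked mechanically: the mail filter that hides vendor invoices, and the change in bank details on an incoming invoice. The sketch below is an added example, not part of the original article or any vendor's tooling; the rule and invoice field names, folder names, vendor record and all sample values are constructed assumptions.

```python
import re

# Constructed sample data; field names are assumptions, not any mail system's schema.
HIDING_FOLDERS = {"trash", "deleted items", "spam", "junk email", "rss feeds"}
FINANCE_TERMS = re.compile(r"\b(invoice|payment|remittance|wire|ach)\b", re.I)

def suspicious_rules(rules, vendor_domains):
    """Names of inbox rules that divert invoice or vendor mail out of view."""
    hits = []
    for r in rules:
        hides = r.get("delete", False) or (r.get("move_to") or "").lower() in HIDING_FOLDERS
        cond = " ".join(r.get("subject_contains", []) + r.get("from_contains", [])).lower()
        if hides and (FINANCE_TERMS.search(cond) or any(d in cond for d in vendor_domains)):
            hits.append(r["name"])
    return hits

def payment_hold_reason(invoice, vendor_master):
    """Reason to hold an invoice for call-back verification, or None to proceed."""
    on_file = vendor_master.get(invoice["vendor_id"])
    if on_file is None:
        return "vendor not on file"
    if (invoice["routing"], invoice["account"]) != (on_file["routing"], on_file["account"]):
        # Call the number already on record, never one taken from the email.
        return "bank details differ from record; confirm by phone at " + on_file["phone"]
    return None

RULES = [
    {"name": "Newsletters", "from_contains": ["news@"], "move_to": "Reading"},
    {"name": ".", "subject_contains": ["invoice", "past due"], "move_to": "RSS Feeds"},
    {"name": "cleanup", "from_contains": ["medsupply.example"], "delete": True},
]
VENDORS = {"V-100": {"routing": "000000001", "account": "1111", "phone": "555-0100"}}
GENUINE = {"vendor_id": "V-100", "routing": "000000001", "account": "1111"}
ALTERED = {"vendor_id": "V-100", "routing": "000000002", "account": "9999"}

if __name__ == "__main__":
    print(suspicious_rules(RULES, {"medsupply.example"}))
    print(payment_hold_reason(GENUINE, VENDORS))
    print(payment_hold_reason(ALTERED, VENDORS))
```

A flagged rule is a reason to review the mailbox's sign-in history as well, since the rule is created only after the account has been taken over.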

    3) Fake email requests
    Email phishing, where a cybercriminal sends a message while posing as a trusted source, such as a CEO, isn’t new. But scammers are getting more sophisticated in how they make their messages appear legitimate, reviewing previous messages from the person they’re imitating and gleaning information from social media to personalize the email.

    They might imitate an employee’s direct supervisor or even an executive, while asking them to wire money for a supposedly pending transaction or to buy gift cards for an upcoming event.

    Scammers sending phishing emails have also tried to prey on the urgency around the COVID-19 crisis, posing as if they’re selling gloves and masks amid a shortage of such supplies.

    “A lot of the time, phishing emails are going to rely on a certain emotion,” said James McQuiggan, a security awareness advocate at IT security training company KnowBe4.

    If something seems unusual, employees should be encouraged to trust their gut and double-check with executives to get a clear sign-off on the transaction they’ve been asked to make—particularly if it’s for a large sum of money. “Trust, but verify,” McQuiggan said. “Sometimes it takes a couple extra seconds to save what potentially could be millions lost.”

    4) Fake job listings
    Scammers will advertise job listings that organizations aren’t actually hiring for and work their way through a fraudulent hiring process—all the way through interviewing applicants and sending a fake job offer. The scammers then collect the victim’s personal and banking information when they accept the fake job.

    Even though the scammers aren’t targeting hospitals directly in these scams, it can hurt an organization’s reputation.

    Hospitals’ HR departments should regularly monitor mentions of the organizations’ job listings online in an effort to catch these scams, DeFord suggested. “If you’re mentioned, and it’s something like this, get on it right away,” he said, recommending hospitals report incidents to the FBI and local law enforcement. “Try to get these things nipped in the bud.”

    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.