Tricking five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers, the scammers posed as hospitals to alter payment details.
Apparently, all it takes is some rather simple impersonation of a legitimate business and some savvy social engineering to take in millions. According to the U.S. Department of Justice, a group of ten scammers based in Georgia and Virginia were indicted on charges of business email compromise and money laundering.
The group pretended to be legitimate hospitals, communicated with Medicare, Medicaid, health insurance companies, and other victims, using well-crafted email communication to trick unsuspecting victims into modifying payment details to send reimbursement payments to scammer-controlled bank accounts.
In total, $4.7 million in losses were experienced by Medicare, Medicaid, and private health insurers, with $6.4 million in losses to other federal government agencies, private companies, and individuals.
Phishing, as part of a BEC attack, is an effective tool – especially when the recipient isn’t observant, particularly when it comes to requests to change banking information (which should be a red flag). Organizations who make their employees undergo continual Security Awareness Training are less prone to such attacks, as malicious emails can easily be spotted by the recipient and discarded before they can do financial damage.