Kusserow on Compliance: FBI reports rise in schemes involving the COVID-19 pandemic

The FBI reported that fraudsters are taking advantage of the COVID-19 pandemic to steal money, personal information, or both. Fraudsters see a vulnerable population that is scared and looking for help to protect itself and its families. They are resourceful and view the current crisis as an opportunity to advance their schemes. Today, many people are looking for medical attention, equipment, and supplies, so a new fraud threat involves fake cures or treatments for the virus, some of which are dangerous or even fatal.

People who are at home and out of work are vulnerable to work-from-home scams that request money up front; a legitimate employer never asks for such payments. One of the most prevalent schemes involves criminals who pretend to be from the government and claim that COVID-19 testing is mandatory, in order to obtain personal information or money, or to gain access to a computer. Other scams acquire personal information under the pretense of determining eligibility for government benefits. In some cases, fraudsters are even going door-to-door to convince individuals that they must pay for COVID-19 testing, financial relief, or medical equipment. The FBI has teams of agents working on these cases and has arrested and filed charges against many of those engaging in these crimes. The FBI advises everyone to be on the lookout for the following "red flags" in email contacts:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via phone or video
  • Requests for advance payment for services when not previously required
  • Requests from employees to change direct deposit information

The following tips have been offered to help protect against these schemes:

  1. Be very wary of any attachments or links.
  2. Be suspicious of anyone offering you something that is "too good to be true."
  3. Beware of contacts purporting to be a government agency that requires you to take a COVID-19 test.
  4. Beware of individuals offering to sell you a COVID-19 test kit or supplies.
  5. Beware of medical professionals requesting payment for treating a friend or relative.
  6. Be skeptical of last-minute changes in wiring instructions or recipient account information.
  7. Verify the addresses of emails from people you know; a lookalike address may differ by just one letter.
  8. Never respond to a vendor solicitation by calling the number provided in the email; use a number you already have on file.
  9. Ensure the URL in an email is exactly the one you have seen before for the business it claims to be from.
  10. Be alert to hyperlinks that contain misspellings of the actual domain name.
  11. Accept a medical treatment or virus test only from a known doctor or pharmacist.
  12. Use extreme caution in online communication.
  13. Seek out legitimate sources of information and do not accept what is sent to you unrequested.
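Tips 7, 9 and 10 describe lookalike sender addresses and domains. The following added example (not part of the FBI advisory or the original article) shows how a mail gateway or SOC script can apply those checks mechanically: it compares the domain of a From: header against a constructed allow-list of domains the organization already corresponds with, undoes common homoglyph substitutions, and flags one-character typos, known brand names reused as labels in another domain, and display names that show a trusted domain while the real address is elsewhere. The KNOWN_DOMAINS set and the sample headers are assumptions made up for illustration.

```python
"""Lookalike-sender check for From: headers.

Added example; KNOWN_DOMAINS, HOMOGLYPHS and the sample addresses are constructed
for illustration and are not taken from the FBI advisory.
"""
import re
from email.utils import parseaddr

# Constructed allow-list of domains this organization already corresponds with (assumption).
KNOWN_DOMAINS = {"cdc.gov", "nih.gov", "hhs.gov", "example-hospital.org"}

# Character substitutions typosquatters use, mapped back to the letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain):
    """Lower-case a domain and undo common homoglyph substitutions."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, sender_domain, imitated_known_domain).

    verdict is one of 'known', 'lookalike', 'unknown', 'invalid'.
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None, None)
    domain = addr.rsplit("@", 1)[1].lower()

    # Exact match or a subdomain of a known domain: nothing to flag.
    for known in KNOWN_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return ("known", domain, known)

    norm = normalize(domain)
    labels = set(re.split(r"[.-]", norm))
    for known in KNOWN_DOMAINS:
        known_norm = normalize(known)
        # One-character typo or a homoglyph swap, e.g. "n1h.gov", "exarnple-hospital.org".
        if edit_distance(norm, known_norm) <= 1:
            return ("lookalike", domain, known)
        # Trusted brand reused as a label elsewhere, e.g. "cdc-gov.com", "cdc.gov.alerts.net".
        if known_norm.split(".")[0] in labels:
            return ("lookalike", domain, known)
        # Trusted domain shown in the display name while the real address is elsewhere.
        if known in display_name.lower():
            return ("lookalike", domain, known)
    return ("unknown", domain, None)


if __name__ == "__main__":
    # Constructed sample headers (not real messages).
    for header in ("CDC Alerts <alerts@cdc.gov>", "alerts@cdc-gov.com",
                   "info@n1h.gov", "billing@exarnple-hospital.org",
                   "cdc.gov <noreply@mailer-service.net>",
                   "Dr. Smith <dr.smith@example.net>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a reason to quarantine or to route the message for manual review; an "unknown" verdict by itself only means the domain is not on the allow-list, which is normal for first contact and should not be treated as malicious on its own.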

For more information, the HHS OIG issued a COVID-19 Fraud Alert Video to warn about several health care fraud scams.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Increase guard on cybersecurity during COVID-19 pandemic

Many health care organizations are facing attacks by cyber-criminals who are using the COVID-19 crisis to make individuals less vigilant about security. Hackers are taking advantage of fear and uncertainty about the pandemic to gain access to systems through malware. They impersonate health authorities such as NIH, CDC, and FDA to get individuals to open attachments that purportedly contain important information on the spread of the disease, lockdowns, and quarantine. These phishing scams have spread rapidly during the crisis. As organizations move to expanded teleworking, their exposure to such attacks greatly increases. As new systems are introduced for remote working, steps need to be taken to ensure that security and privacy controls are in place. This is particularly important because employees may lower their guard when introduced to new, unfamiliar communication methods. Even government agencies are subject to attack. HHS experienced a cyber-attack on its computer systems that was intended to disrupt and undermine the response to the coronavirus pandemic. The attack involved overloading the HHS servers with millions of hits over several hours in order to impair the operation of the systems. Fortunately, HHS reported no degradation in the functioning of its networks.

Tips and Reminders

  1. Alert employees to beware of COVID-19 communications
  2. Re-educate employees on phishing and social engineering defense tactics
  3. Remind employees not to click on links or open attachments in unsolicited email, or respond to its inquiries
  4. Review third-party vendors’ access to information systems
  5. Authenticate access, particularly as more employees work remotely
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Monitor those accessing sensitive data


Kusserow on Compliance: New FBI warning about scammers and the COVID-19 crisis

On March 20th, the FBI issued a new warning to the public about a rise in schemes related to the coronavirus (COVID-19) pandemic. The FBI warned against opening documents, and urged people to research sources before clicking on links purporting to provide information on the virus, donating to a charity online or through social media, contributing to a crowdfunding campaign, purchasing products online, or giving up personal information in order to receive money or other benefits. The FBI specifically warned to look out for fake CDC, NIH, HHS, and CMS emails. The agency advised particular wariness of websites and apps claiming to track COVID-19 cases worldwide, and of phishing emails asking recipients to verify personal information in order to receive an economic stimulus check from the government. Government agencies do not send unsolicited emails seeking private information in order to send money. The FBI also urged the public to be cautious of anyone selling products that claim to prevent, treat, diagnose, or cure COVID-19. Other new scams involve solicitations for charitable contributions, financial relief, airline carrier refunds, fake cures and vaccines, and fake testing kits. Failing to follow this advice can allow fraudsters to use links in emails to deliver malware that steals personal information or locks the computer and demands payment. With the current crisis, the FBI is concerned that many people will lower their guard against scammers and therefore need to be reminded of these threats.

Tips for Compliance and Privacy Officers

  • Alert employees to beware of COVID-19 communications
  • Remind employees not to click on links or open attachments in unsolicited email, or respond to its inquiries
  • Regularly test users to make sure they are on guard
  • Configure email servers to block zip or other files that are likely to be malicious
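The last tip above, and the same item in the Tips and Reminders list of the previous article, recommends configuring mail servers to block zip and other likely-malicious files. The following added example (not part of the original articles) shows the logic such a filter applies at the gateway, in Python rather than any particular mail server's configuration syntax: it parses a message, rejects attachments whose final extension is on a block list (which also catches double extensions such as "report.pdf.exe"), and looks inside zip archives, including ones whose name hides the zip signature, for blocked or encrypted entries. The block list and the sample message are constructed for illustration.

```python
"""Attachment filter for a mail gateway.

Added example; BLOCKED_EXTENSIONS and the sample message are constructed for
illustration and are not taken from the FBI advisory.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed block list (assumption): executables, scripts, macro-enabled Office files,
# and container formats that commonly smuggle them.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta",
                      ".jar", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}
ZIP_MAGIC = b"PK\x03\x04"


def final_extension(filename):
    """Return the last extension, lower-cased, so 'Report.PDF.exe' yields '.exe'."""
    filename = (filename or "").lower()
    return filename[filename.rfind("."):] if "." in filename else ""


def zip_reasons(data, outer_name):
    """List why a zip payload should be blocked; empty list means it looks clean."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for entry in archive.infolist():
                if entry.flag_bits & 0x1:  # encrypted entry: scanners cannot inspect it
                    reasons.append(f"{outer_name}: encrypted archive entry {entry.filename}")
                elif final_extension(entry.filename) in BLOCKED_EXTENSIONS:
                    reasons.append(f"{outer_name}: archive contains {entry.filename}")
    except zipfile.BadZipFile:
        reasons.append(f"{outer_name}: not a valid zip archive")
    return reasons


def find_blocked_attachments(raw_message):
    """Parse a raw RFC 5322 message and return the reasons each attachment is blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = final_extension(name)
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: blocked extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS or data[:4] == ZIP_MAGIC:
            # Also inspects archives renamed to hide their type; .docx/.xlsx are zips
            # too, and pass unless they carry a blocked entry.
            reasons.extend(zip_reasons(data, name))
    return reasons


def build_sample_message():
    """Constructed phishing-style message: a macro document inside a zip, a renamed
    executable, and a harmless PDF. Not a real message."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("COVID-19_Guidance.docm", b"not really a document")
    msg = EmailMessage()
    msg["From"] = "alerts@cdc-gov.com"
    msg["To"] = "staff@example-hospital.org"
    msg["Subject"] = "Updated quarantine guidance"
    msg.set_content("Please review the attached guidance.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Guidance.zip")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application",
                       subtype="octet-stream", filename="Case_Tracker.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                       filename="Memo.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in find_blocked_attachments(build_sample_message()):
        print("BLOCK:", reason)
```

A non-empty result is a reason to quarantine the whole message rather than strip the offending part, since the remaining body is usually the lure. Encrypted archives are flagged rather than allowed because an encrypted entry cannot be scanned; the password sent in the email body is a common trick for getting past gateways that only block what they can read.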


Kusserow on Compliance: FBI Reports on business email compromise scams

BEC Scams Accounted for 50% of cyber losses last year

The FBI once again reported an increase in cyber-criminal activity involving ransomware and business email compromise (BEC) scams. During 2019, the FBI received almost half a million internet and cyber-crime complaints, with losses of more than $3.5 billion. Approximately half of the reported losses resulted from BEC, sometimes referred to as EAC (Email Account Compromise): the 23,775 BEC victims reported $1.77 billion in losses, an average of about $75,000 per complaint. This was the most damaging and effective type of cyber-crime last year.

These are sophisticated scams targeting businesses and individuals who make wire transfer payments. They normally begin with the compromise or spoofing of the email account of a legitimate person or company. The criminals use that account to send fake invoices in the name of business contractors, sometimes directly to employees. The invoices are designed to trick people into wiring money to the wrong bank accounts. One example is the diversion of payroll funds: HR or payroll receives an email that appears to come from an employee and asks to update the employee's direct deposit information for the current pay period, generally routing it to a pre-paid card account.

The most recent innovation has been scammers impersonating a company's own CEO to steal funds through the payroll department. They break into the company's email server and identify which executives' email addresses they can spoof to trick unsuspecting employees. The FBI also noted a decrease in the number of ransomware complaints but a rise in the losses per incident. Additionally, 764 health care providers reported being ransomware victims in 2019.
