New "Spearphishing" Scams Target Doctors

Increasingly, physicians -- who tend to be wealthier than the average, and who have access to sensitive patient medical and insurance data -- are being targeted by new "spearphishing" scams, physician-focused emails that appear legitimate and trick doctors into falling victim to fraud.

It may seem as though scams have become more prevalent over the last 10 years because of technology, but in reality they’ve just become more sophisticated. According to Bob Berg, an attorney with the national law firm of Epstein Becker & Green, P.C., technology has made scams more difficult to detect.

“If you get an email from someone who is proposing a business relationship, you immediately click and go to their website,” Berg explains. “And if they have a website and it looks normal, it gives them a little more credence than someone who just walks into your office in person. Technology lets them look more credible.”

And increasingly physicians -- most of whom are wealthier than the average American, and who have access to sensitive patient medical and insurance data -- are being targeted. FierceHealthIT recently reported on two “spearphishing” scams where criminals sent emails that looked as if they came from the U.S. Centers for Disease Control and Prevention, asking doctors and patients to register for an H1N1 vaccine database. In another incident, a physician at the University of California, San Francisco, Medical Center exposed personal data of more than 600 patients after responding to a spearphishing email that looked like it had come from the hospital's information-technology department.

Scammers Prey on Fear

Indeed, Berg believes that scams are more prevalent in healthcare than in other fields. The more complicated the field, the more regulated it is, and that oversight provides a reason for scammers to make contact. For example, if you receive an email from a company offering a service that could help physicians better manage some specific type of regulation or requirement, it’s a much stronger hook than simply sending a generic message that could apply to any profession or industry.

“They’re preying on fear,” Berg says, noting that such requirements as the Stark Physician Self-Referral Rule and newly introduced anti-kickback laws have significant criminal or financial penalties attached to them. “Physicians are afraid. They read in the trade press all the time about very credible entities that are getting hit with Stark violations and anti-kickback violations, and so they’re worried,” he says. “And then they get an email from someone who says we can help you comply with these new rules on X, and there’s more [of an incentive] there because the physician doesn’t want to be out of compliance.”

These types of scams usually take one of two different approaches. In the first, the scam is mining for information -- attempting to convince the physician to either share or provide access to information. In the second, the focus is on convincing the physician to pay money up front for a bogus management service. At first blush they can seem very authentic, but there are ways to spot a scam.

Scrutinize Email Before Acting

The first bit of advice Berg provides to his physician clients is pretty basic: If it sounds too good to be true, it probably is too good to be true.

“It’s simple advice, but I am really stunned at how many times I will get an email forwarded to me from a physician practice asking if I think the offer is valid,” Berg says. “And I look at it and immediately it hits me, why would someone do this? Why would they approach you this way? Why would they send you an email offering this business relationship? That’s not how people do business.” He believes such physicians may be falling victim to these scams more often due to the recession and harder economic times. “The more depressed things are, the more physicians are hoping [the scam] is true, so that they become more susceptible,” he says.

Berg also suggests looking carefully at the email, because many scams have certain red flags that suggest the email is not legitimate. Is it a specific email to you, with identifiable contact information (your name, business address, telephone number, etc.), or is it more generic? Rather than including your practice’s city and state, does it say, “in your area”? Rather than including your name or the name of the practice, does it say “medical practice”? The less specific the contact information, the more likely the email is not legitimate.

Beyond that, are there inconsistencies in the email itself? Does the email address in the URL match up with the one in the body of the email? Are there glaring spelling errors, or is the phrasing of words in the email a bit off? Other than a link to find out more about the offer, is there any other identifiable contact information (business name, address, phone number, etc.)?
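For the IT staff asked to evaluate such a message, the red flags above can be turned into a first-pass triage script. This is an added example, not part of the original article: the function names are hypothetical, the address check is interpreted here as comparing the From domain with the links and addresses in the body, and it assumes a plain-text, single-part message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_PHRASES = ("in your area", "medical practice")  # wording quoted in the article
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def host(value):
    """Lower-cased host of a URL, or the domain part of an email address."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()

def red_flags(raw_email, recipient_name, practice_name):
    """Return the article's red flags found in a plain-text, single-part message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = body.lower()
    flags = []
    # Generic message: neither the physician nor the practice is named.
    if recipient_name.lower() not in text and practice_name.lower() not in text:
        flags.append("not addressed to recipient or practice")
    flags += [f"generic phrase: {p!r}" for p in GENERIC_PHRASES if p in text]
    # Inconsistency: links or addresses in the body on a different domain than From.
    sender = host(parseaddr(msg.get("From", ""))[1])
    others = {host(m) for m in URL_RE.findall(body) + ADDR_RE.findall(body)}
    for h in sorted(others - {sender}):
        if not h.endswith("." + sender):
            flags.append(f"body points to {h}, sender is {sender}")
    # A link is the only way offered to reach the sender.
    if others and not PHONE_RE.search(body):
        flags.append("no phone number, only links")
    return flags

# Constructed samples (reserved .example domains, fictional names).
SUSPICIOUS = """\
From: "Compliance Desk" <info@stark-help.example>

Dear medical practice,
We help physicians in your area comply with the new rules.
Find out more: http://stark-help-signup.example/register
"""
LEGITIMATE = """\
From: "Pat Kim" <pat.kim@billingco.example>

Dear Dr. Dana Lee, thank you for the call with Bayview Family Medicine.
Details: https://www.billingco.example/contact or phone (510) 555-0100.
"""
```

A clean result only means none of these particular flags fired; as Berg notes, the more sophisticated scams anticipate such checks.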

“The beauty of technology is it works both ways. You can go online and find out about a lot of these scams,” Berg says. “Now, the more sophisticated the scam, the more they’ve anticipated your actions, and we’ve seen some pretty sophisticated bogus websites. So before you do anything in terms of commitment or even responding to the offer, check with friends and colleagues.”

Search the Better Business Bureau database (http://www.bbb.org/us/Find-Business-Reviews/) to see if any complaints have been lodged against the business. Then conduct a website search for the business’s name, and see if there have been any complaints lodged on the numerous “rip-off” sites on the web. If possible, have your IT expert evaluate the email before responding to it.

If you think you’re being scammed, don’t respond in any way to the email. If you get spam email that you think is deceptive, forward it to spam@uce.gov. The U.S. Federal Trade Commission uses the spam stored in this database to pursue law enforcement actions against scammers.