10 Common Scams Targeting Healthcare Workers

Technological advances like telehealth and artificial intelligence have made it much easier for scammers to target medical professionals successfully. Here are some of the most common scams impacting the healthcare industry.

1. Recruitment Scam

Recruitment scams typically involve a fake job posting or a cold call, where scammers offer a lucrative position. Once the victim engages, they ask for personal information like a social security number, email address, and date of birth. Since these details are standard in a new application, many medical providers don’t think twice about sending them.

The Federal Bureau of Investigation warns recruitment scams are challenging to detect because technology has made it easier for fraudsters. For example, they can use generative AI to craft convincing emails, spoof their phone number, or mimic an actual website.

Medical professionals can protect themselves from recruitment scams by paying close attention to the job listing. Any odd wording, strange language, or improper formatting should be a red flag. Further, they should contact the company separately to see if it’s legitimate.

2. Business Email Compromise Scam

A business email compromise scam is a form of phishing where scammers hand-craft an attack strategy for a single staff member. They send emails with malicious links or data requests in the hopes of accessing patient records. Although these types of messages sound easy to spot, they often seem legitimate and look harmless.

In healthcare, business email compromise scams are on the rise. In fact, their frequency increased by nearly 280% in 2022 alone. This fact is concerning, considering it only takes one person making a single misclick to cause extensive damage to an organization.

Fortunately, medical professionals can protect themselves by remaining vigilant. If they come across a normal email asking for funds, patient records, or confidential data, they should double-check the sender’s address and never click on attachments.

If they want to be sure, they can send a separate email to the alleged sender to confirm the original request.

3. Whaling

Whaling is an all-or-nothing type of phishing. In the healthcare industry, the scammer targets high-ranking medical professionals — like executive directors or chief financial officers — to maximize their payout.

Instead of sending the same copy-paste email to thousands of people in an organization, they’ll only target a select few to minimize suspicion.

Since high-ranking professionals often don’t experience phishing scams or standard awareness training, they have a higher chance of becoming a whaling victim. This is unfortunate, considering they often have unique privileges regarding fund management or organization records.

4. Phishing

Phishing uses emails as a medium for deception and manipulation. In this scam, the scammer aims to get valuable data, steal login credentials, or install malware. They accomplish this by sending messages with malicious links or attachments to various medical providers.

Only one staff member must click on the malicious email to grant the scammer access to their systems. Unfortunately, every data breach in the healthcare industry costs roughly $10 million on average. To make matters worse, traditional phishing training isn’t as practical anymore.

Historically, misspellings and improper formatting have been obvious telltale signs of phishing. However, technological advances — like generative AI — have made scam messages much more convincing. Fortunately, medical providers can watch out for strangely formulaic language and avoid clicking unknown links to protect themselves.

5. Impersonation Scam

In an impersonation scam, a scammer poses as someone else to lower the victim’s guard and get what they want without raising suspicion. Usually, they pretend to be a higher-up, colleague, vendor, or authority figure. If they have enough insider information, they’ll have no trouble pulling it off.

Usually, the fraudster reaches out with a believable, threatening claim. For example, they might say the victim missed a court date where they were supposed to provide expert testimony. Usually, the goal is to get money in exchange for resolution. In reality, the medical provider is in no trouble and doesn’t owe anything.

Impersonation scams are on the rise in the U.S. — so much so that multiple federal agencies have published warnings. According to a 2023 alert from the U.S. Federal Trade Commission, scammers have specifically targeted medical providers with threats of arrest and hefty fines.

6. Vishing

Vishing stands for voice phishing. Using this method, fraudsters call their target to get access to sensitive information or request fund transfers. Although many medical professionals believe they would never fall for such an obvious scam, it’s more challenging to detect than most people assume.

Scammers often spoof phone numbers so their call appears legitimate. Realistically, their chance of success increases substantially the moment their target picks up the phone. Additionally, many have also begun using generative AI to clone an individual’s voice and impersonate them.

If a medical professional gets a call from an executive’s number and the voice sounds exactly like it should, they won’t think twice about divulging sensitive information over the phone. In reality, many people fall for it. In fact, the healthcare industry experienced over 680 data breaches in 2021 alone, exposing roughly 82 million patient records.

7. Social Engineering

In a social engineering scam, the scammer creates false urgency or builds trust to make the victim feel pressured to comply with demands. In healthcare, its goal is to get medical providers to share patient records, visit malicious websites, or divulge confidential information.

Social engineering is a complex form of manipulation, so even the most cautious medical providers are susceptible to it. In fact, healthcare organizations lose an average of $756,750 for every single incident. Insider threats — negligent or disgruntled workers — are profoundly expensive.

Although social engineering threats are more challenging to defend against, it’s possible to remain protected. Medical providers should be wary of new contacts, reach out to the alleged sender in a separate email, and do research to confirm they’re speaking to who they think they are.

8. Smishing

As of the beginning of 2023, roughly 35% of adults have experienced a smishing — SMS phishing — scam. It involves a scammer sending text messages to collect data or money.

Usually, they pretend to be someone else or make their request sound urgent to increase their chances of success.

Since medical providers may not have the same anti-phishing software on their personal phones as they do on their work computers, they may be more susceptible to these scams. Even if they only click the message or link out of pure curiosity, they immediately compromise their identity — making it easier for fraudsters to successfully carry out future attacks against the healthcare facility.

9. Extortion Scam

The latest extortion scams to target the healthcare industry involve fraudsters claiming to be from the Drug Enforcement Administration (DEA) or the medical licensing board. They reach out to the victim, claiming their career is at stake or they’re the focus of an ongoing investigation.

While traditional extortion scams use embarrassing photos or incriminating information as leverage, those targeting healthcare threaten people’s medical licenses. If a scammer’s first attempt is successful, they’ll keep making up reasons to demand new payments. For example, they might claim a court date is pushed back and need more money to make things right.

The DEA stated it would never demand money from medical professionals. However, its public statement doesn’t stop scammers from trying to dupe unassuming professionals. Medical professionals can defend against these extortion scams by contacting the alleged caller separately. Also, they should never send money over the phone — no agency will ask this of them.

10. Deepfake Scam

In a deepfake scam, a scammer impersonates a patient or executive to gain personally identifiable information. Using generative AI, they can clone anyone’s voice and appearance in minutes using only short audio clips or a handful of pictures.

With telehealth on the rise, deepfake scams are becoming much more common. A 2023 statement from the American Hospital Association claims that deepfake scams have abruptly increased and present a significant problem to the healthcare industry.

If scammers have enough insider information, they can pose as anyone in an organization. Although most medical professionals are trained to spot typical scam signs, it’s very unlikely they’ll assume the live video they’re watching is doctored.

To defend against deepfakes, medical professionals should watch for strange instances of lag and visual glitching. During live calls, misaligned audio and video is an obvious sign of a potential scam.

Healthcare Scams Are on the Rise

Since many of these scams rely on advanced technology, medical professionals must remain vigilant. After all, the traditional protection strategies are mostly outdated. Still, they can protect themselves and their organization if they remain aware.