HHS Watchdog Agency Issues Phone Scam WarningAlert to Consumers Details Steps for Avoiding Fraudsters
The Department of Health and Human Services has issued a warning for consumers to be on alert for fraudsters pretending to be calling from a HHS' Office of Inspector General hotline number with requests for personal information.
See Also: 2020 State of the Phish Report
HHS OIG, which is ironically the federal watch dog agency whose stated mission is "to fight waste, fraud and abuse in Medicare, Medicaid and more than 100 other HHS programs" has become an unwilling party involved with the scam.
In an April 17 blog posting, HHS writes, "the OIG hotline phone number for reporting fraud - 1-800-HHS-TIPS - had been spoofed, a malicious practice of making a phone number appear on caller ID to be legitimate in order to obtain confidential information. Thousands of calls using the spoofed number were made to people across the nation, although only a handful of people have apparently sent money to the perpetrators."
HHS says, for instance, that in Jacksonville, Florida, a woman received a call in March that appeared to be from the HHS OIG hotline. "The caller told her that she had won a $9,000 grant from the federal government and all she had to do was either wire $250 to him through Western Union or give him the confirmation code for a $250 iTunes gift card. The man also wanted her to confirm her name, address and some other personal facts. She became suspicious and eventually ended the call."
HHS notes that while that woman did not send money, "she was scammed into confirming and giving out personal information that could be used to steal money from her bank account or for other fraudulent activity."
HHS writes that OIG was first informed of the spoofing scheme in February by a member of the public who reported receiving a call from the OIG hotline.
"OIG immediately launched an investigation...Verizon Communications, which handles calls for several government agencies at a call center at Louisiana State University in Baton Rouge, noted that thousands of outgoing calls were being made from the hotline. But the OIG hotline doesn't make outgoing calls, it only receives them," HHS says.
The calls typically tell individuals that they will receive "government grant money" as an incentive for paying taxes on time. "The caller will then ask for personal or financial information, such as a Social Security number or bank account number. You may also be asked to wire a payment to cover 'processing fees.'"
The HHS blog says OIG is actively investigating this latest scam, working with the FBI and other agencies' Inspectors General and sharing information and best practices. The blog notes that "other HHS agencies may have also been attacked by scam artists who spoofed their phone numbers."
The blog notes that at least one criminal case is underway and two people are under investigation related to these scam.
OIG's Special Investigations Branch, in a statement to Information Security Media Group, says the schemes are also taping social media. "Scammers are now using compromised Facebooks accounts to contact victims. These victims think they are being contacted by their friends about free Federal grants. The victims are then redirected to other fraudulent Facebook accounts, or fraudulent email addresses to continue their communication."
OIG tells ISMG, "the current victim pool is small, but growing every day. The type of victim varies."
As for the phone spoofing, OIG tells ISMG "the perpetrators typically pose as HHS employees that work in the Federal 'Grants' Department, but this can vary slightly."
Verizon declined to comment on the situation. "We don't comment specifically on the work we do for clients. As for more advice to consumers, the Federal Communications Commission is great resource," a Verizon spokesman says.
Keith Fricke, principle consultant at tw-Security says these and related schemes have become more common than most people realize. "We tend to see news stories about electronic versions of spoofing scams - phishing - because they are often the root cause when breaches are involved. Scamming over the phone has been around for a long time. It may catch people off guard because we communicate less often via phone than we do via email."
HHS OIG has "proactively examined its data systems for a breach, and thankfully, they had not been accessed," HHS says in the blog.
Of course, HHS isn't the first government entity that has been the purported caller or email sender in a phone spoofing or email phishing scam.
For instance, the IRS has been battling reoccurring spoofed call schemes for several years, and in January issued a warning of one of the "most dangerous" kinds of phishing scams in which fraudsters are successfully tricking organizations into sending wage data on employees and then making fraudulent wire transfers (see IRS: New Email Phishing Combines W-2 Theft, Wire Fraud).
To prevent further nefarious uses of the OIG hotline number, OIG officials note in the blog that they have worked with Verizon on ways to prevent the spoofed number from being used for outgoing calls.
"People with legitimate calls about potential frauds and scams can safely call the hotline or report suspicious calls to firstname.lastname@example.org. They may also file a complaint with the Federal Trade Commission by calling 1-877-FTC-HELP."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says fraudsters are intent on finding ways victimize individuals in phone schemes like the one involving bogus HHS OIG calls. "A lot of scammers are really smart. So they think up creative ways to get past your defenses," he notes. "There have been a lot of IRS scams that prey on people's worries about their taxes. It is essentially psychology being used against people."
Nahra adds: "Sometimes it is really hard to tell what is real - my wife, who hears me talk about this all the time, almost fell for one the other day."
Besides the risk of victims actually sending money to fraudsters, the scammers are often able to trick someone into providing credentials used for a system containing protected health information, Fricke notes.
If that caller has a way of using the credentials for data access, a breach may result, he says. "Imagine if a caller pretended to be an IT person and told the person answering the call there was a system problem the day before and IT is checking to make sure the issue is fixed. 'Could I have your username and password to check the system?,'" Fricke says. "Note that an organization's help desk needs to be on their toes too. A fraudulent caller could pretend to be an employee having trouble remembering their password and asked for it to be reset. The help desk staff should have procedures to validate a caller's identity."
To help avoid falling victim to these schemes, "be wary of people pretending to be calling from an inside [number] when the caller ID indicates it is an outside call," Fricke suggests. "Also, if there is any question about the person's identity, ask for a number to call them back at or have them provide information that may help prove their identity. Lastly, ask yourself if the call seems out of place, out of context, or doesn't seem right for some other reason."
Other Steps to Take
The HHS blog notes that HHS' Office for Civil Rights, which enforces HIPAA, suggests that individuals who suspect they may be a victim of medical identity theft or other privacy violation, can take advantage of important rights under HIPAA, such as:
- Inspecting and receiving a copy of their medical records;
- Requesting to have records amended or corrected when inaccuracies are found;
- Filing a complaint if they believe their privacy rights have been violated.
The blog also notes that the "HHS CyberCARE team" suggests consumers conduct an annual "cyber checkup" that includes:
- Checking their social media privacy settings to make sure their sharing information only with friends;
- Adjusting privacy settings on watch computers and the health trackers;
- Checking social media sites visited, "including ones where you may have left restaurant or handyman reviews and delete any of your personally identifiable information.