Protect Your Practice from Fraud, Part 1
Fraud is something you hope your business never falls victim to, but unfortunately, it’s occurring more often these days. Fraud—particularly internet fraud—continues to increase because it is simple to conduct at scale and carries minimal risk of prosecution. Those same factors mean that small offices are targeted almost as often as large companies. Criminals know that small organizations may be less prepared to stop fraud than large ones, which in some ways makes them a more attractive target.
It’s important to recognize the common areas of fraud—cyber fraud, embezzlement, and inventory fraud—to better protect your practice. If you know potential at-risk areas, you can put appropriate measures in place to deter fraud and protect your valuable assets. Fraud is common and can affect any organization, even a small office, but a few simple precautions can significantly reduce your risk.
Cyber Fraud
Cyber fraud uses the internet to obtain sensitive information through trickery. That information is then used to access networks or accounts for monetary gain or other malicious ends.
A few popular schemes today are:
Phishing
Case study: A small office recently received a reply in an ongoing email thread with a representative of one of the office’s regular suppliers. The email asked the office to change the payment details for the supplier. While the email looked legitimate and quoted an actual email exchange between the office and the supplier, it did not actually come from the supplier. Instead, a cybercriminal had:
1. Gained access to that office’s email, probably through phishing or malware.
2. Gotten a copy of the email between the office and the supplier.
3. Created an email address that looked like the supplier’s but was not the correct email address.
4. Sent the office worker a convincing but fraudulent message to attempt payment fraud by redirecting funds to the wrong location.
This type of fraud is hard to notice, so it is often successful, resulting in business or personal losses. This type of cybercrime, called Business Email Compromise (BEC), is very common because it is profitable and requires minimal effort by the criminal. The FBI’s Internet Crime Complaint Center (IC3) estimates BEC scams resulted in $1.8 billion in losses in 2020.
- About:
  - Phishing is the sending of malicious or fraudulent emails.
  - These emails are the most common attack vector on the internet and the source of many data breaches.
  - Common phishing emails try to steal usernames and passwords, install malware on the recipient’s computer, or initiate fraud.
- Impacts:
  - Theft of patient information.
  - Malicious access to office systems.
  - Fraudulent business transactions that benefit the criminal, such as ordering supplies or changing bank account information.
  - Data theft, such as the personal information of office clients.
  - Enabling other fraud, such as contacting office patients and attempting to scam them. An example of that downstream scam could be a call to an office patient, using stolen office information, saying, “When you were in last Tuesday, your payment did not go through; can I please get your credit card information so we can process that?”
- Mitigation tips:
  - Be diligent and suspicious when opening emails; do not trust an email just because it appears to come from someone you know.
  - Enable multi-factor authentication on office email whenever possible, similar to how your bank may text you a code to enter after your password. With it in place, a stolen password alone is not enough to log in.
  - Be suspicious of unusual messages, such as a request for information from someone you don’t often interact with.
  - Call the sender to confirm unusual or financially impactful emails, using a number you already know rather than one given in the email.
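As an added illustration, not part of the original article, the following Python script applies the checks above mechanically to a constructed message shaped like the case study: a sender domain that imitates a known supplier's, a Reply-To pointing somewhere else, and a request to change payment details. The supplier domains and the sample email are constructed values, not real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the office actually does business with (constructed sample values).
KNOWN_SUPPLIER_DOMAINS = {"dermsupplyco.example", "medlab-orders.example"}

def normalize(domain: str) -> str:
    """Collapse common look-alike substitutions: rn->m, vv->w, 0->o, 1->l, 3->e, 5->s."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))

def looks_like(candidate: str, known: str) -> bool:
    """True if candidate is not the known domain but is built to resemble it."""
    if candidate == known:
        return False
    label = normalize(known).split(".")[0]          # e.g. "dermsupplyco"
    return normalize(candidate) == normalize(known) or label in normalize(candidate)

def assess_sender(raw_message: str) -> list:
    """Return red flags for a raw email; an empty list means none of these checks fired."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    flags = []
    # Step 3 of the case study: a domain that imitates the real supplier's.
    for known in sorted(KNOWN_SUPPLIER_DOMAINS):
        if looks_like(from_domain, known):
            flags.append(f"sender domain {from_domain!r} imitates supplier {known!r}")
    # Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    # Step 4: the payoff is a payment-detail change, which warrants a call to a known number.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"bank|account|routing|wire|payment details", body, re.I):
        flags.append("message concerns bank/payment details; confirm by phone on a known number")
    return flags

# Constructed sample in the shape of the case study: a reply in a real thread from a look-alike domain.
SAMPLE_BEC_EMAIL = """\
From: Accounts Payable <billing@derrnsupplyco.example>
Reply-To: billing@derrnsupplyco-invoices.example
To: frontdesk@practice.example
Subject: RE: Invoice 4471 - updated payment details

Hi, our bank account has changed. Please update the payment details before the next invoice.
"""
```

Running `assess_sender(SAMPLE_BEC_EMAIL)` returns three flags; a genuine reply from `billing@dermsupplyco.example` with no payment talk returns none.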
Ransomware
Case study: A practice administrator goes to her desk and notices that her computer isn’t displaying her normal desktop. Instead, there is a lock symbol and the following message: “Your network files are encrypted. If $10,000 in payment is not received, your files will be deleted.” An unauthorized person has gained access to the practice’s system (likely through a phishing scheme), making this practice the latest victim of ransomware. The owner refuses to pay the ransom, losing patient records, payment information, and appointment schedules. The loss is so great that recovery is impossible without a backup system, and the practice is forced to close.
- About:
  - Ransomware is a highly profitable—thus prolific—type of fraud in which the criminal encrypts all the information on a computer or network, making that information inaccessible and the computers unusable unless payment is made.
  - This type of fraud comes in two main versions:
    - (1) attacks on individual computers, affecting individual people, and
    - (2) business-level attacks, in which a criminal uses access to an office or organization to encrypt every system in that office.
- Impacts:
  - Office systems offline, disrupting business activities.
  - Expensive recovery costs to restore systems.
  - Ransom payments (typically hundreds to tens of thousands of dollars, though millions have been paid):
    - According to a May 13 Bloomberg report, Colonial Pipeline paid nearly $5 million in ransom for a decryption key.
    - Also earlier this year, CNA Insurance made a $40 million payment to recover data after a ransomware attack, according to a May 20 Bloomberg article.
- Mitigation tips:
  - Caution employees about phishing, since many ransomware infections start with a phishing email.
  - Run antivirus software on all office computers.
  - Keep offline backups of office computers.
Knowledge is Power
IC3 estimates cyber fraud resulted in $4.2 billion in losses in 2020. Many of these losses were from small businesses and individuals. There are many other forms of fraud. A list of common fraud scams is available on the FBI website.
Part 2 of this article will cover non-cyber-based fraud schemes you should be aware of and tips for how to protect your practice. If you suspect fraud, please contact local law enforcement.