
Cyberattack hits Surmodics as wave of medical device hacks escalates


Scammers are impersonating Medicare to trick providers into handing over sensitive records through fake fax requests.


What happened

The Centers for Medicare & Medicaid Services (CMS) issued a warning to healthcare providers and suppliers after identifying a phishing scam in which fraudsters impersonate CMS officials. The attackers send fraudulent fax requests for medical records under the false pretense of conducting a Medicare audit. CMS clarified that it does not initiate audits through faxed document requests and urged providers not to respond to suspicious messages.


Going deeper

The scheme is a form of phishing, a type of social engineering attack designed to extract sensitive information by pretending to be a trusted source. In this case, scammers are exploiting the perceived authority of CMS to pressure providers into disclosing medical records and documentation. CMS advised providers to verify any such request with their official medical review contractor before taking any action.

The warning comes amid a broader uptick in targeted social engineering schemes across the healthcare sector. These incidents are increasingly sophisticated, often combining multiple tactics to deceive staff at various access points.


What was said

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, stated that scams often follow public attention and headlines. He confirmed that the AHA is actively monitoring a rise in other social engineering attempts, particularly those targeting hospital IT, HR, and help desks.

“These schemes may involve a combination of phone, text, and synthetic audio and video,” Riggi noted. He urged organizations to implement strict multifactor authentication, improve help desk challenge questions, and train staff to recognize social engineering patterns. He also recommended reporting any incidents to the FBI’s Internet Crime Complaint Center at ic3.gov.


FAQs

What are the signs that a fax request might be fraudulent?

Look for urgent language, generic sender information, or requests for records outside of standard channels. CMS does not request records by fax to initiate an audit.


How should providers verify the legitimacy of audit-related communications?

Contact your designated medical review contractor directly through verified contact details; never reply to the faxed request itself.


What is synthetic audio or video in a social engineering context?

Synthetic media, or “deepfakes,” can use AI to impersonate real people via fake voice calls or videos, often used to trick staff into granting access or information.


Why are help desks frequent targets for social engineering?

Help desks often manage password resets and user access, making them ideal entry points for attackers pretending to be staff or vendors.


What steps can organizations take to prepare for these threats?

Implement multifactor authentication, train help desk teams to recognize social engineering, strengthen identity verification questions, and regularly review incident response protocols.