The US Department of Justice announced charges against 10 defendants in multiple states in connection with multiple business email compromise (BEC), money laundering, and wire fraud schemes that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims and resulted in more than $11.1 million in total losses.
The charges stem primarily from BEC schemes in which individuals posing as business partners are alleged to have fraudulently diverted money from victims’ bank accounts into accounts they or co-conspirators controlled (sometimes through the use of recruited “money mules”) by using spoofed email addresses, bank account takeovers, and similar fraudulent methods designed to deceive victims into believing they were making legitimate payments.
The announced prosecutions include alleged schemes that fraudulently diverted payments intended for hospitals to provide medical services to patients. For example, fraudulent emails from accounts resembling those associated with actual hospitals were allegedly sent to public and private health insurance programs requesting that future reimbursements be sent to new bank accounts that did not belong to the hospitals. Unwittingly, five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers allegedly were deceived into making payments to the defendants and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals.
The defendants and their co-conspirators allegedly laundered the proceeds fraudulently obtained from these healthcare benefit plans and from other victims by, among other things, withdrawing large amounts of cash, layering them through other accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies, transferring them overseas, and purchasing luxury goods and exotic automobiles.
The charges were unsealed against six defendants in the Northern District of Georgia and against one defendant in the District of South Carolina. In addition, one defendant was previously charged in the Northern District of Georgia and one was previously charged in the Eastern District of Virginia. A third defendant previously charged in the Northern District of Texas has entered a guilty plea and been sentenced. The alleged schemes caused more than $4.7 million in losses to Medicare, Medicaid, and private health insurers, and $6.4 million in losses to other federal government agencies, private companies, and individuals, such as elderly romance fraud victims who were deceived into sending hundreds of thousands of dollars to the defendants and their co-conspirators.
If you or your facility falls victim to a BEC scam, it’s important to act quickly:
- Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
- Next, contact your local FBI field office to report the crime.
- Also, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
You can read more about BEC schemes and how to protect yourself here.
Compliance Perspective
Issue
A Business Email Compromise (BEC) is a type of cyber scam that targets businesses that regularly conduct wire transfers. The scammer gains access to an email account belonging to an employee (often from the finance department) to learn about the business’s vendors. The scammer then sends a fraudulent request for a wire transfer payment to the vendors. The vendor is tricked into sending money to an account controlled by the scammer. BEC is also known as CEO fraud because scammers also target CEOs and other executive-level managers, who are the faces of the company and have information about them posted on the company website. This allows the scammer to research a target before sending a phishing email, one the victim may not otherwise be wary of, to gain access to an email account.
Discussion Points
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing phishing scams and BEC schemes.
- Train appropriate staff to be aware of BEC schemes and best practices to use when paying invoices or sending money to vendors. Also stress their individual responsibility to prevent, identify, and report concerns. Document that the trainings occurred, and file the documentation in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that recognized security practices are fully implemented, and that staff are adhering to data integrity security measures. Also audit to test email recipients’ understanding of the need to be on guard against BEC schemes, and to ensure that staff are knowledgeable and utilizing best practices.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*