Spoofing’s Not a Joke: Thousands Hit by Phone Scam
A Jacksonville, Florida, woman received a call last month that appeared to be from the HHS Office of Inspector General’s (OIG) hotline. The caller told her that she had won a $9,000 grant from the federal government and all she had to do was either wire $250 to him through Western Union or give him the confirmation code for a $250 iTunes gift card. The man also wanted her to confirm her name, address and some other personal facts. She became suspicious and eventually ended the call.
The Jacksonville woman may not have sent money, but she was scammed into confirming and giving out personal information that could be used to steal money from her bank account or for other fraudulent activity.
She wasn’t alone. The OIG hotline phone number for reporting fraud —1-800-HHS-TIPS (1-800-447-8477) — had been spoofed, a malicious practice of making a phone number appear on caller ID to be legitimate in order to obtain confidential information. Thousands of calls using the spoofed number were made to people across the nation, although only a handful of people have apparently sent money to the perpetrators, said Thomas O’Donnell, Assistant Inspector General for Investigations at HHS. One criminal case is underway and two people are under investigation.
Just as a reminder: The federal government never calls you unsolicited.
The office was first informed of the spoofing attack in February by a member of the public, who reported receiving a call from the hotline number. OIG immediately launched an investigation. O’Donnell said Verizon Communications, which handles calls for several government agencies at a call center at Louisiana State University in Baton Rouge, noted that thousands of outgoing calls were being made from the hotline. But the OIG hotline doesn’t make outgoing calls, it only receives them, O’Donnell said.
The calls typically tell you that you will receive “government grant money” as an incentive for paying taxes on time. The caller will then ask for personal or financial information, such as a Social Security number or bank account number. You may also be asked to wire a payment to cover “processing fees.”
The HHS OIG office is actively investigating this latest scam, working with the FBI and other agencies’ Inspectors General and sharing information and best practices. O’Donnell said other HHS agencies may have also been attacked by scam artists who spoofed their phone numbers. “They can spoof any legitimate number,” he said.
O’Donnell said OIG proactively examined its data systems for a breach, and thankfully, they had not been accessed.
To prevent further nefarious uses of the OIG hotline number, O’Donnell said they have worked with Verizon on ways to prevent the spoofed number from being used for outgoing calls. People with legitimate calls about potential frauds and scams can safely call the hotline or report suspicious calls to firstname.lastname@example.org. They may also file a complaint with the Federal Trade Commission by calling 1-877-FTC-HELP (1-877-382-4357).
How to Protect Your Privacy
HHS is aggressively fighting to protect patient privacy on other levels as well. These efforts are important to safeguard against the negative effects that may follow a breach of patient information; assure patient confidence in the health care system, including Medicare and Medicaid; and support the use of electronic health records.
The Department’s Office for Civil Rights (OCR) enforces the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) for health plans and most health care providers to safeguard patient health information, mitigate harmful effects of a breach, and take remedial action to avoid future breaches.
People, including those who suspect they may be a victim of medical identity theft or other privacy violation, can take advantage of important rights under HIPAA, such as the right:
- To inspect and receive a copy of their medical records;
- To have records amended or corrected when inaccuracies are found; and
- To file a complaint if they believe their privacy rights have been violated.
What Should You Do to Be Cyber Secure?
The HHS CyberCARE team also urges you to add a cyber checkup to your annual to-do list. Your online posts, comments, tags and followers create a wealth of personal information that bad actors can use to steal your identity and manipulate you into giving up even more confidential information. The Cyber Doc includes the following suggestions for your annual cyber checkup:
- Check your social media privacy settings to make sure you’re sharing information only with friends.
- Adjust privacy settings on your watch computer and the health tracker on your wrist.
- Check out social sites you visit, including ones where you may have left restaurant or handyman reviews and delete any of your Personally Identifiable Information.
The OIG’s O’Donnell also cautioned people not to be fooled by a caller’s knowledge of their name and other personal information. Callers may use a variety of tactics, he said, to obtain some initial personal information, including by working for otherwise legitimate marketing centers. And he stressed that the OIG will never initiate contact with the public through the hotline to request or confirm personal information.
Besides, he added, the government doesn’t “sell” grants.
“We don’t hand these [grants] out like candy,” O’Donnell said. “Nobody’s getting free money in this country.”
Protect Yourself from Telephone or Email Scams
No matter how authoritative a caller may sound, privacy specialists urge you to not give or confirm your name or provide any personal information to unknown individuals, including such details as your:
- Social Security number
- Date of birth
- Credit card or bank account information
- Mother’s maiden name
This article was originally published on the U.S. Department of Health & Human Services blog and is republished here with permission.