Indictments for business email compromise of health insurance programs.

On Friday the US Department of Justice (DoJ) announced the indictment of ten individuals on charges related to fraud "that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims." Specifically, the charges allege wire fraud, business email compromise (BEC), and money laundering. In the aggregate, victims lost, the DoJ says, some $11.1 million.

Alleged fraud concentrated on Medicare, Medicaid, and other health insurance programs.

The alleged fraudsters concentrated on diverting payments intended for hospitals. The BEC scams are said to have directed insurers to send funds to new bank accounts, and these are alleged to have been under the criminals' control. "For example, fraudulent emails from accounts resembling those associated with actual hospitals were allegedly sent to public and private health insurance programs requesting that future reimbursements be sent to new bank accounts that did not belong to the hospitals. Unwittingly, five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers allegedly were deceived into making payments to the defendants and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals. The defendants and their co-conspirators allegedly laundered the proceeds fraudulently obtained from these health care benefit plans and from other victims by, among other things, withdrawing large amounts of cash, layering them through other accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies, transferring them overseas, and purchasing luxury goods and exotic automobiles."

Most of those charged are in the US Southeast, in Virginia, South Carolina, and (especially) Georgia. While most of the victims targeted were insurance programs, some individuals were also affected directly. Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division is quoted in the DoJ's announcement as pointing out that, of course, “Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs. These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine health care systems across the United States," But he also noted that the victims included elderly people who became enmeshed in what the DoJ characterized as "elderly romance fraud. “Elder fraud and romance fraud schemes utilized by the subjects often target our most vulnerable citizens," Assistant Director Quesada said, "and the FBI is committed to pursuing justice for those who were victimized by these schemes.” The deliberate exploitation of the lonely, the naive, and the trusting indeed seems particularly loathsome and conscienceless.

Industry expert comment: "language-based" threats go unrecognized by automated defenses.

The continuing success of business email compromise and other forms of social engineering points out that natural language understanding remains a hard and so-far imperfectly solved problem fpr artificial intelligence in general, and for security in particular.

SafeGuardCyber CEO Chris Lehman commented on the indictment, and what it means for current trends in business email compromise. He characterizes the threat as "language-based," and thus difficult for defenses to parry, and the sense of urgency the threat seeks to impart can override even much security awareness training:

"Cybercriminals continue to evade legacy protection-based email applications. Enterprise employees fall victim to spoofed email accounts and language-based threats that largely go undetected by native controls or their SEG. This news indicates that the government is concerned - the question is how enterprises will react. We are seeing an increase in customers looking for NLU tools based on incidents that target business email accounts. The challenge is that language-based urgency takes people off guard, and while security awareness training is part of the solution, technical controls are necessary to provide contextual analysis and are an additional layer of protection against BEC. Typically we see victims socially engineered by these crafty cybercriminals, and business email is just one communication channel that is easy to target. These sophisticated attacks target email as just one way to move across communication channels in an organization. While we see an increase in our customer's business communication move to mobile chat, and collaboration channels, we know that social engineering tactics are not just happening in business email. Our customers tell us that they have less than 30% visibility in their business communications, and together we are finding that native controls are not detecting data leakage, and social engineering attacks.”