Healthcare Providers Should Stay Alert for Regulatory Impersonation Scams

Scams can be difficult to recognize — especially when employees have not been trained to spot the warning signs.

Recently, there has been an increase in scams targeting physicians, nurses, and other healthcare providers. In these schemes, criminals pretend to be representatives from government or regulatory agencies such as medical or nursing boards, the Department of Justice, or the Drug Enforcement Administration (DEA).

Scammers may contact healthcare providers by phone, email, or mail claiming that the provider’s license has been suspended or that they are under investigation for issues like illegal prescribing or drug trafficking. The scammer then pressures the individual to make a payment — often described as a fine, bond, or fee — to resolve the matter or avoid further action.

To appear legitimate, scammers often use sophisticated tactics. They may spoof phone numbers, email addresses, or badge numbers so the communication looks authentic. In many cases, they already have personal or professional details about the provider, such as their full name, license number, or National Provider Identifier (NPI) number, and use that information to gain trust.

Once engaged, scammers typically create a sense of urgency and may discourage the provider from independently verifying the information or discussing the situation with others.

Risk Recommendations

The best defense against scams like these is employee awareness, strong cybersecurity practices, and clear internal procedures. Organizations should consider the following steps to help reduce risk:

Provide Security Awareness Training

Train employees and healthcare providers to recognize common warning signs of fraud, including:

  • Misspellings or unusual wording

  • Urgent demands or threats

  • Requests for payment

  • Attempts to prevent verification of credentials or identities

Remind staff that legitimate regulatory agencies will never:

  • Demand immediate payment

  • Require urgent action over the phone

  • Advise against contacting an attorney

  • Ask for sensitive personal or financial information such as Social Security numbers, dates of birth, or banking details

Verify All Communications

If you receive communication claiming to be from a regulatory or law enforcement agency, independently contact the agency using publicly available contact information to confirm the legitimacy of the request and the identity of the individual involved.

Clearly Identify External Emails

Work with your IT team or software providers to label or “tag” emails that originate outside your organization.

Encourage employees to carefully review external emails before responding and to avoid clicking suspicious links or downloading unexpected attachments. Staff should also be trained on how to report suspicious messages.
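The tagging step described above can be implemented at the mail gateway. The following is an added example, not code from the original advisory or from any particular mail product: it decides whether a message is external by looking at the real address in the From header rather than the display name, so a display name that imitates an internal address or an agency title is still tagged. The organization's domain list, the `[EXTERNAL]` prefix and the `X-Org-External` marker header are assumptions chosen for the example.

```python
"""Tag inbound mail from outside the organization.

Added example, not code from the original advisory: a minimal external-sender
tagger of the kind a mail gateway or transport rule implements. It keys on the
real address in the From header, not the display name, so a display name that
imitates an internal address or an agency is still flagged.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholder: the domains the organization itself sends from.
INTERNAL_DOMAINS = {"clinic.example"}

TAG = "[EXTERNAL]"
MARKER_HEADER = "X-Org-External"  # hypothetical header name for downstream filters


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header.

    parseaddr() splits the display name from the address, so a header such as
    '"dr.smith@clinic.example" <notice@dea-verify.example>' yields
    'dea-verify.example'. A missing or malformed address yields '' and is
    treated as external by the caller.
    """
    _display_name, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(" .").lower()


def is_external(from_header: str) -> bool:
    """True unless the sender's domain is one the organization owns."""
    return sender_domain(from_header) not in INTERNAL_DOMAINS


def tag_message(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message; prefix the subject and add a marker header
    when the sender is external. Internal mail is returned unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_external(msg.get("From", "")):
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):  # do not stack the prefix on re-delivery
            del msg["Subject"]  # no error if the header is absent
            msg["Subject"] = f"{TAG} {subject}".rstrip()
        del msg[MARKER_HEADER]
        msg[MARKER_HEADER] = "yes"
    return msg


# Constructed sample messages (not real correspondence).
SAMPLE_EXTERNAL = (
    b'From: "dr.smith@clinic.example" <notice@dea-verify.example>\n'
    b"To: dr.smith@clinic.example\n"
    b"Subject: Urgent: License Suspension Notice\n"
    b"\n"
    b"Please review the attached notice.\n"
)

SAMPLE_INTERNAL = (
    b"From: Compliance Office <compliance@clinic.example>\n"
    b"To: dr.smith@clinic.example\n"
    b"Subject: Monthly reminder\n"
    b"\n"
    b"Credentialing paperwork is due Friday.\n"
)


if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        tagged = tag_message(raw)
        print(tagged[MARKER_HEADER] or "internal", "|", tagged["Subject"])
```

The marker header lets a mail client or a later filter act on the decision without re-parsing the subject, and checking for an existing prefix keeps the tag from piling up when a message is forwarded internally. In production the same decision is usually made from the envelope sender and the connecting host rather than from the From header alone, since that header is under the sender's control.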

Strengthen Cybersecurity Protections

Ensure antivirus software, firewalls, and other cybersecurity tools are properly configured and regularly updated to protect against evolving cyber threats.

Routine software updates and security monitoring can help block attacks before they cause harm.

Report Suspicious Activity Promptly

If you are unsure whether a Board complaint or regulatory communication is legitimate, notify your insurance carrier immediately.

If your organization becomes the victim of a scam or cyberattack, report the incident promptly to:

  • Your organization’s risk management department

  • Your state attorney general’s office

  • The FBI Internet Crime Complaint Center (IC3): https://complaint.ic3.gov/

  • Your cyber liability insurance carrier

Quick reporting can help limit damage and improve response efforts.