A phishing attack targeting Blue Cross/Blue Shield of Minnesota proved highly successful—until the FBI finally caught the criminals four years later. In July 2020, the health insurer made approximately 18 wire transfers totaling nearly $8 million to a pair of Nigerian scammers. The case was recently brought to light when the two were indicted in the scheme.
Blue Cross was swindled into sending money to accounts falsely represented as belonging to Minneapolis-based Fairview Health Services, according to the Minneapolis Star-Tribune. Fairview is a nonprofit that operates community hospitals, clinics, and senior facilities. Two other unidentified health insurers from the Twin Cities also wired Fairview $2.8 million and $1.5 million, respectively.
The scam was a classic credential phishing scheme, where the criminals created email accounts that mimicked those of Fairview’s CEO, general counsel, and a business analyst. Using these spoofed accounts, they sent emails to Fairview employees, tricking them into accessing a malicious link to steal usernames and passwords. Additionally, they set up a fake internet domain designed to resemble Fairview’s legitimate site.
With this information, the criminals obtained access to Fairview’s Optum Pay account, which collects payments from health insurers. They were then able to change vendor account details, redirecting funds intended for Fairview into unauthorized bank accounts.
Blue Cross reports that it was able to recover most of the funds lost in the scam.
A Growing Concern
Phishing has reached epidemic levels. According to Cofense’s 2024 Annual State of Email Security report, the number of malicious emails bypassing secure email gateways in the prior year more than doubled. More than 90% of data breaches detected in 2023 were linked to credential phishing.
Few details have been released on the specific nature of phishing emails. Security professionals caution users to always take their time when responding to emails from high-level executives—especially if it’s unusual for them to be reaching out directly.
Employees are often the weakest link in cyberattacks. Phishing campaigns have become more sophisticated, making it harder for employees to distinguish between legitimate and fake emails.
“Organizations must regularly train their employees on sophisticated phishing tactics like this,” said Jennifer Pitt, Senior Analyst in Fraud and security at Javelin Strategy & Research. Employees should be suspicious of any email asking them to click a link and provide more information. For this reason, it is best that organizations do not include links in legitimate company emails to avoid confusing employees.
Employees should NEVER give out their password, not even to someone claiming to be the CEO. Organizations should implement a two-person process for changing bank account or vendor information or approving large transfers/transactions. Mandating that another person look at the email and approve changes or transactions will allow for more time to logically process the email and question its legitimacy. If employees ever have questions about the legitimacy of an email or are unsure if what is being asked is the proper thing to do, they should be encouraged to contact the email sender — using the contact information already on file, not the contact information in the email.”
Source
Arwen Volkov, A graduate of the University of St. Gallen in Switzerland with a degree in International Finance, Arwen specializes in sustainable finance and green investments. She began her career at an investment bank in London, where she developed financing models for environmentally friendly projects. Known for her analytical and strategic thinking skills, Arwen is a sought-after financial consultant. In her spare time, she mentors fintech startups, contributing to their growth strategies. She is also a nature enthusiast and an amateur photographer.
