A phishing attack targeting Blue Cross/Blue Shield of Minnesota proved highly successful—until the FBI finally caught the criminals four years later. In July 2020, the health insurer made approximately 18 wire transfers totaling nearly $8 million to a pair of Nigerian scammers. The case was recently brought to light when the two were indicted in the scheme.
Blue Cross was swindled into sending money to accounts falsely represented as belonging to Minneapolis-based Fairview Health Services, according to the Minneapolis Star-Tribune. Fairview is a nonprofit that operates community hospitals, clinics, and senior facilities. Two other unidentified health insurers from the Twin Cities also wired Fairview $2.8 million and $1.5 million, respectively.
The scam was a classic credential phishing scheme, where the criminals created email accounts that mimicked those of Fairview’s CEO, general counsel, and a business analyst. Using these spoofed accounts, they sent emails to Fairview employees, tricking them into accessing a malicious link to steal usernames and passwords. Additionally, they set up a fake internet domain designed to resemble Fairview’s legitimate site.
With this information, the criminals obtained access to Fairview’s Optum Pay account, which collects payments from health insurers. They were then able to change vendor account details, redirecting funds intended for Fairview into unauthorized bank accounts.
Blue Cross reports that it was able to recover most of the funds lost in the scam.
A Growing Concern
Phishing has reached epidemic levels. According to Cofense’s 2024 Annual State of Email Security report, the number of malicious emails bypassing secure email gateways in the prior year more than doubled. Additionally, more than 90% of data breaches detected in 2023 were linked to credential phishing.
Few details have been released on the specific nature of phishing emails. However, security professionals caution users to always take their time when responding to emails from high-level executives—especially if it’s unusual for them to be reaching out directly.
Employees are often the weakest link in cyberattacks. As phishing campaigns become more sophisticated, employees may no longer be able to tell the difference between legitimate and fake emails.
“Organizations must regularly train their employees on sophisticated phishing tactics like this,” said Jennifer Pitt, Senior Analyst n Fraud and security at Javelin Strategy & Research. “Employees should be suspicious of any email they get asking them to click a link and provide more information. For this reason, it is best that organizations do not include links asking for information in legitimate company emails to avoid confusing employees.
Employees should NEVER give out their password, not even to someone claiming to be the CEO. Additionally, organizations should implement a two-person process for changing bank account or vendor information or approving large transfers/transactions. As fraudsters often prey on an employees’ sense of urgency, mandating that another person look at the email and approve changes or transactions will allow for more time to logically process the email and question its legitimacy. If employees at any level ever have questions about the legitimacy of an email or are unsure if what is being asked is the proper thing to do, they should be encouraged to contact the email sender — using the contact information already on file, not the contact information in the email.”
