The FBI and law enforcement agencies across the country continue to investigate a growing number of reports related to cybercrime involving fraudulent purchase orders posing as a legitimate business.

“Over the past several months we have seen that Partners and MGH are among many well-known companies being used by criminals as part of this nationwide scam,” says Daniel Coleman, senior investigator, MGH Police, Security and Outside Services. “We have investigated these incidents, and there is no known financial loss to either Partners or the MGH.”

According to the FBI, this is how the scam works:

Criminals create fraudulent websites, email address and “spoof” telephone numbers to appear legitimate. 

Often the email address will be close to a real URL – but will be misspelled or include a different ending, such as “Parnters.net” versus “Partners.org.”

Communications may feature official logos and names that may be associated with the business.

Using sophisticated techniques, criminals will engage in “phishing” to conduct social engineering to contact vendors or suppliers to gather information about a company’s purchasing accounts. They then contact the company and request a quote for products.

They use forged documents, complete with letterhead and sometimes even the name of the organization’s product manager, posing as an institution like Partners, MGH or other well-known businesses.

They request shipments be made on a 30-day credit and since the real institution often has good credit basis, vendors usually agree.

They provide a U.S. shipping address that might be a warehouse, self-storage facility or the residence of another online scam victim.

Not knowing they are being scammed, these other victims are provided with shipping labels and directed to send the merchandise to a foreign location, under the belief that they will be paid for their assistance.

The vendor eventually bills the real institution – for example, Partners or MGH – at which time the fraud is discovered. By then, the items have been re-shipped overseas, and the supplier must absorb the financial loss.

What can you do?

Be vigilant in your review of purchase orders and requests for payments or services.

If a request is received by email, pay close attention to the address. Hover over it without clicking and confirm that it is a valid Partners email. Check every letter for accuracy.

Validate all orders that may appear suspicious or contain unusually large volume or dollar values, or request delivery to a non-affiliated location.

Recognize that Partners or MGH logos, employee names, etc. may be used as part of the effort to fraudulently obtain goods and services from a third party.

If you have received a fraudulent purchase order:

Immediately report it to MGH Police and Security and Partners Information Security. Email MGHpolice@partners.org and CISPO@partners.org or call 617-726-2121.



Read more articles from the 04/05/19 Hotline issue.