The information published in this column was provided by the Healthcare Distribution Alliance Pharmaceutical Cargo Security Coalition.
Healthcare Distribution Alliance Pharmaceutical Cargo Security Coalition (PCSC) is warning the pharmacy industry of several product ordering/recall fraud incidents, several of which have resulted in losses. To help licensees be aware of current trends, PCSC notes the following:
- Several incidents have occurred in a major city (eg, New York City) rather than in rural areas, which have been more commonly targeted in the past.
- In at least one case, a national pharmacy retailer was involved; whereas, smaller community pharmacies have been more likely to be targeted in the past.
- Some customer service representative(s) have been tricked into disclosing login information, passwords, and texted codes, despite the use of multifactor authorization.
- The amount of illicitly “mis-shipped” products has increased, and losses have potential to be more significant.
- In one incident, a small health care provider was contacted by an individual falsely representing a reverse distributor, requesting product to be returned. The perpetrator included shipping labels in the written correspondence to the provider to assist in illicitly “returning” the product.
These incidents represent common forms of distributor/pharmacy fraud. The scammer poses as a legitimate pharmacy to the distributor to place an order. The distributor then sends the product to the pharmacy; and the scammer contacts them, now posing as the distributor, to say they have shipped the product to the pharmacy in error and request that the shipment be returned via a courier who picks it up. In several incidents, rather than use a major national courier service to make the initial pickup, the perpetrators use a local courier the victim has never used themselves. These couriers typically repackage the shipment for a national carrier for further shipping.
Scammers sometimes try to appear legitimate using one or more of the following methods:
- Spoofing telephone numbers and email addresses;
- Researching site addresses and names of individuals who work at specific locations to appear familiar with the target;
- Utilizing social engineering and knowledgeable of unique product names, National Drug Codes, and industry language; and
- Speaking calmly and confidently to “disarm” a pharmacy, distributor, or other representative and convince them to provide account information, login credentials, and/or passwords. With pharmacies in particular, the scammer often tells a target that a current ordering system has “issues” or “trouble,” or that there are “multiple accounts” with the customer that they are attempting to clarify.
If you receive any type of a correspondence asking for account information, login credentials, or passwords, never provide it until you have confirmed, with a known and trusted entity from the stated requestor, that the request is legitimate. If it is a phone call, ask for a name and number and hang up. If it is an electronic request, do not click any connection (or apply any texted code) until you have confirmed the request with your ordering/shipping department. If it is written correspondence, check with your own ordering/shipping department before acting on it.
Remember that in normal business practices with your partners, you will not be asked to suddenly confirm things like account information, logins, or passwords.
Finally, when a successful attempt to divert product occurs, many victims say they have seen advisories like this, but have not read through them. With that knowledge, PCSC respectfully asks that providers educate all employees about these vulnerabilities.
If anyone does encounter such activity, even if you thwart the attempt, report the incident to PCSC so any intelligence gleaned can be shared with law enforcement.