The sprawling network of federal, state, and state-licensed third-party sites can make it difficult for people to tell a legitimate resource from a fly-by-night operation.
Signing up for health insurance through the network of state and federal insurance exchange websites has proven difficult enough in its own right. Now, millions of Americans attempting to navigate the myriad changes to the nation’s healthcare system also have to avoid a legion of online scammers looking to take advantage of widespread confusion about the law’s implementation.
Officials around the country have warned those attempting to sign up for insurance about the existence of fake exchange sites designed to steal users’ personal information and credit card numbers.
“I can say with a high degree of certainty … [these sorts of scams] will come,” Gary Davis, vice president of global consumer marketing at consumer cyber-security firm McAfee, told Fox Business. “We live in a world where people look at compelling events and look to do something malicious. This is just the nature of the beast.”
Christopher Budd, threat communication manager at cloud computing firm Trend Micro, charged that the sprawling network of federal, state, and state-licensed third-party sites can make it difficult for people to tell a legitimate resource from a fly-by-night operation. Distinguishing the good actors from the bad ones is crucial because these sites require enrollees to enter extremely sensitive personal information—in some cases for their entire families.
“Put these two things together and you’ve got a situation where people are primed to give away their most critical personal information to legitimate sites but can’t be sure of finding their way to those legitimate sites,” wrote Budd. “This is a perfect environment for identity thieves and other criminals to put together bogus sites to get personal information they can use or sell on the digital underground.”
IT consultant John Bambenek wrote on the Internet Storm Center forum that, during the 24-hour period in which the exchange sites went live, more than 40 domain names were registered relating to the Affordable Care Act. While it isn’t a given that all—or even most—of the sites that could ultimately be parked on these domains will have malicious intent, the flurry of activity does raise the specter of fraud.
“What makes the potential for Obamacare related scams to work is stability of the new site combined with some confusion to the details of the new law,” wrote Bambenek. “Where there isn’t clarity, fraud is possible.”
As a post on Trend Micro’s Security Intelligence Blog noted, spam messages about the new healthcare rules started flooding inboxes around the country weeks before the exchange sites even launched. These often official-looking emails typically linked to sketchy survey sites. “Spammers, unfortunately, see this as an opportunity to lure users into their schemes and disclosing personal information such as name, address, email address and the like,” explained Trend Micro. “The bad guys can either sell these to other cyber-criminals or be used in other, more menacing threats.”
Similar scams have occurred in the offline realm as well. Scammers have taken to posing as government officials and calling or texting to ask people for Social Security or bank information under the guise of checking their eligibility for the new health care program or issuing them an “Affordable Care Card.”
There is no such thing as an “Affordable Care Card.”
One way for people to ensure the exchange site they’re using is legitimate is to reach it exclusively through the federal exchange site, HealthCare.gov. The federal site directs visitors only to official state exchange pages, and itself hosts the exchanges for the 16 states that declined to set up their own programs.
The Obamacare rollout isn’t the only recent large-scale government action attracting the attention of scammers. Online security firm Symantec recently posted a warning about spam messages advertising cheap cars and trucks for sale as a result of the government shutdown. Links in the emails directed users to what Symantec labeled “a bogus offer.”