This week, a novel hoax has surfaced, targeting policyholders of VHI, Ireland’s largest health insurance provider, being duped with fraudulent medical expense reimbursements. This new wave of phishing scams resemble the tactics of those previously used against customers of other organizations, such as banks, utilities, credit unions, and Revenue, which encourage potential victims to click a link and input personal information to retrieve their alleged refund.
The scam email, impersonating the MyVhi portal, reads: “Upon meticulous assessment of your recent expenditures, we are delighted to announce your eligibility for a refund. To initiate the refund process, you must reply to this email with ‘CONFIRM MY REFUND’, following which you will receive an email containing the link to finalize the reimbursement.”
It is crucial to note that this email, having been distributed to both VHI policyholders and non-customers, does not originate from the insurance provider – a fact emphasized by a company representative at the start of the week when initial reports began to emerge.
The representative issued a warning, stating: “If you receive this mail, it’s advisable to remove it from your inbox right away. Replying to the mail or sharing personal information online is strenuously discouraged.”
It’s worth recognising that phishing scams have surged in recent years, both in Ireland and international landscapes. Banking and Payments Federation Ireland’s latest payment fraud report revealed a worrying trend, with nearly €100 million swindled from consumers in the last year, marking a 16% spike from 2022. As the largest health insurer in the Republic, with over a million members, many awaiting cash refunds at any one time, VHI’s customers are particularly susceptible to this new scam.
Card scams represented 95% of illicit transactions, equating to a sum of €35.2 million, consequently making up 36% of the entire financial loss. Other manners of fraud might have been lesser in occurrence, but consumers suffered more substantial financial damages due to them. Illicit electronic transfers, wherein lawbreakers purloin the mobile or net banking credentials of the victims and expend and transmit funds without gaining the permission of the account owner, comprised simply 3% of the whole volume, albeit making up 34%, or €33.8 million, of the losses.