As GPs you are trained to see the best in everyone. Unfortunately, however, there are some very unscrupulous people out there who prey on a GP’s good nature.

A medical practice is no different to any other small business in that there is potential to be scammed: small businesses simply don’t have the resources or systems to manage and detect security breaches. And for that matter, neither do some large organisations.

So in recognition of National Scams Awareness Week (May 21-25), below are some of the common ways in which GPs have been scammed.

Cyber Crime

A risk for all businesses, large and small. The main ways in which criminals scam are:

Phishing – sending bogus emails that look like they come from a real company. The link inside the email takes you to a fake website where you are asked to enter your credentials, such as banking passwords or credit card numbers.

Malware – similar to phishing, the cybercriminal sends a bogus email with an attachment. Opening the attachment installs software on your system (usually without you knowing) that lets the cybercriminal access files, steal data or gain access to your entire network.

Ransomware – a more upfront form of cybercrime where the criminal disables your entire system until you pay a “ransom”. It is normally triggered by clicking on a link in a phishing email.

How to protect your practice:

  • Don’t open or click on any suspicious emails. If the email appears to be from your bank or telco and you’re not convinced it’s legitimate, call them before opening the email to check
  • Your banks, service providers and utility companies will NEVER ask you to confirm information via a link within an email
  • Have your systems checked and audited by an IT professional on a regular basis
  • Get all your staff on board – it only takes one person to open an infected email to impact your entire system
  • Keep up to date on your IT housekeeping – change passwords regularly, ensure staff have access to the right systems, back up your data and make sure you have a data recovery plan

Shonky directory listings

Scammers will offer medical practices the opportunity to list in an online directory and then, using unscrupulous methods, lock you into paying ridiculous fees for an essentially worthless service.

Scammers will be friendly, warm and engaging, and it will seem the offer is coming from a reputable business, which they back up with “proven results”. They often prey on receptionists and administration staff with innocent-sounding requests such as “we are just updating your information”.

How to protect your practice:

  • Never sign or accept anything from someone you haven’t had any previous dealings with – even if they “claim” to have spoken with other members of your practice
  • Always read the fine print before you sign anything – or get a lawyer to review on your behalf
  • Don’t give staff the authority to sign on your behalf

Dodgy Phone Call

We’ve all heard about the person who got scammed by someone calling up pretending to be their bank, phone or power company… well, don’t be one of them!

How to protect your practice:

  • Never provide verification information, passwords, PINs or credit card details over the phone – your bank, telco or utility company will NEVER ask for this information.
  • If you’re not sure whether it’s legitimate, hang up and call the company back via their customer service line
  • Never give someone remote access to your computer – even if the request appears to be coming from an IT provider or well-known company
  • If you do think you’ve been scammed in this way, contact the organisation straight away so that they can put a block on all your accounts

Insider job

Unfortunately, as much as we all trust and believe our staff, there are some less than honest people out there who we need to guard against. GPs, being busy and focused on patient care, often leave the running of the business to their admin staff without ever thinking about the potential for theft and fraud.

For example, staff can:

  • Use business credit cards for personal expenses
  • Bill for hours they didn’t work or expenses that never happened
  • Transfer money from business accounts to their own personal accounts
  • Create false invoices through which they pay “themselves”
  • Take small amounts of cash or medical supplies here and there that go unnoticed
  • Download patient files and data

How to protect your practice:

  • Don’t let one person oversee everything; have multiple signatories on accounts and require multiple authorisations on payments.
  • Do regular reconciliation of accounts and stock.
  • Have staff work across multiple roles and tasks
  • Change rosters and hours of work (if appropriate) so staff aren’t always doing the same shifts
  • Last but not least, ask questions or ask to see business account summaries every now and then so people know you are watching!

If you think a member of staff is up to foul play, get in touch with a lawyer straight away – there are many implications in relation to unfair dismissal and proceedings.

What next?

It always pays to have good policies and procedures around data handling, IT and security. Get in touch with us today to discuss your data or security legal requirements.
* This blog is for general guidance only. Legal advice should be sought before taking action in relation to any specific issues.