I’m not sure if this story is embarrassing or eye-opening, but it was certainly educational for me.
An orthopedic group recently contacted us after they received an email from someone purporting to be a U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) agent. The client’s initial question was an astute one: how do we know this person is really a government agent?
As we’ve discussed before, this is a question everyone should ask when receiving communication from someone who claims to be one. I’ve worked on government investigations for 30 years now, so that felt like a softball.
But I was mistaken.
When dealing with the FBI, authenticating an agent is pretty easy. The agent’s business card will mention in which field office he or she is located. Simply Google the phone number for that local field office, call them, and verify the agent’s identity. Easy peasy.
I thought I had an even easier solution for the OIG. OIG agents are employees of HHS. HHS has a nice website that allows you to look up its employees. I did a quick search on this individual and didn’t find him, heightening my suspicions. But then I elected to search a few OIG agents I knew well. Those searches came up empty as well. Apparently, OIG agents aren’t included in the HHS employee database.
OIG agents are based in field offices. Next, I tried a trick I’d used with the FBI, Googling some of the field offices I know. Once again, no dice.
Now I was feeling somewhat frustrated, and very humbled. So, I started calling some of the agents I know. After getting a few voicemails, I spoke to an agent from Kansas City.
What I learned surprised me.
There really isn’t a very good way to easily verify the identity of an OIG agent. One of her suggestions was asking the agent to send you an image of their business card. That’s something, but if you don’t know that a person with that name actually works for the agency, it doesn’t seem terribly persuasive. By the end of the call, her main advice was “if you have any doubts, contact an agent that you know and allow them to verify the person’s identity.”
Here’s one thing you SHOULDN’T do. Don’t ask the person for a number to call. They can give you a number they control. Whatever number you call to verify them has to be a general number you can find from a reputable directory, not information given to you by a possibly phony agent.
I will add that emails actually make me less nervous than phone calls.
It’s more difficult for a wrongdoer to highjack the hhs.oig.gov domain than it is to spoof a phone number. It’s pretty easy to have a phone call come in looking like it’s coming from the FBI. It’s also possible to have an email appear to come in from the wrong address. But if you send an email to an address, I think it’s pretty difficult for someone to hijack that communication.
So, send an email to an agent at a domain that you are certain is probably relatively safe, as long as you are 100-percent certain that the domain address is truly one belonging to the U.S. government. Anyone who ever accidentally wound up at the defunct porn site whitehouse.com has likely learned the lesson that details matter.
The address extensions “.com” and “.gov” are very different.
The bottom line is that if you’re contacted by a government agent, you definitely want to be thinking about Roger Daltry and The Who. Ask “who are you,” and then take steps to check them out – because you want to make sure “you don’t get fooled again.”
