
Don’t Fax That Back: How to Spot Medicare Audit Phishing Scams

Updated: Jul 23

What wound care providers need to know about the latest CMS fraud warning — and how to protect your clinic from costly mistakes.


The Fraud: What’s Happening


In a recent alert, the Centers for Medicare & Medicaid Services (CMS) warned providers about a phishing scam targeting Medicare-enrolled clinics and suppliers. Scammers are impersonating CMS and faxing fraudulent requests for medical records under the guise of a Medicare audit.


Let’s be clear: CMS does not initiate audits by fax.


If you receive a fax requesting records, protected health information (PHI), or clinic documentation — especially if it claims to be urgent or audit-related — treat it as suspicious and do not respond without verifying it first.



Why Wound Care Clinics Are at Risk


Wound care programs are a prime target for this type of fraud. Why?


  • High Medicare patient volume

  • Frequent medical record requests for compliance checks and audits

  • Time-sensitive environments with fax machines still in use


Scammers know that wound care centers handle extensive documentation and may be accustomed to urgent audit requests. That makes fax-based phishing a particularly effective — and dangerous — tactic in our space.


How to Spot a Fake Audit Request


Here are common red flags that may signal a fraudulent audit fax:


  • The request comes by fax, not secure mail or portal

  • There’s no contact information for a specific Medicare contractor

  • It uses vague language like “you are being audited” or “urgent compliance required”

  • The tone is alarming or threatening, pressuring immediate response

  • It includes poor formatting, typos, or suspicious logos


Example scam phrasing:


“This is an official notice of a Medicare audit. Records must be faxed within 24 hours to avoid penalty.”


When in doubt, don’t fax back — and don’t hand over any PHI without confirming authenticity.


What to Do If You Get a Suspicious Fax


Here’s what to do if a questionable fax arrives:


  1. Do not respond or send documentation.

  2. Do not share any PHI, patient data, or billing details.

  3. Contact your Medical Review Contractor directly to verify whether the request is real.

  4. Report the incident to CMS or your MAC’s fraud hotline.


If you’re unsure who your review contractor is, we can help point you in the right direction.


SHS Compliance Tip: Stay Vigilant, Stay Protected


Shared Health Services is here to support your team — from CEO to CNA — with tools that strengthen compliance and reduce audit stress.


A few extra tips to consider:


  • Post a warning near your clinic’s fax machine about this phishing scam

  • Educate front desk and administrative staff to recognize red flags

  • Use secure portals or encrypted communication for all documentation sharing

  • Ask SHS if you need help verifying a request or setting up an internal response protocol


Protecting your wound care program starts with protecting your data — and staying one step ahead of emerging threats like this.
