Sham veterinarian caller 'Dr. J' returns
Dr J follow-up art
Dr. J is back.
The purported colleague who left odd voicemails for veterinarians across the country in 2023 is showing up again with the same message: He says he's "in the process of retiring" and wants to pass along patient files. "If you could have the doctor give me a quick call back," he continues, "I'd appreciate it."
The caller explains that he's reaching out because he's located "not too far from you." But veterinarians all over the country are receiving the same call. Each appears to originate from a local number, which presumably is spoofed.
Further, veterinarians who return the call report reaching only voicemail and if they leave a message, never being called back.
More than a year since members of the Veterinary Information Network, an online community for the profession, first reported calls from so-called Dr. J, veterinarians are reporting anew that they're receiving his recordings, typically in the very early morning, outside of business hours.
"The mystery [doctor] called and left a voicemail right before we opened one morning," Dr. Jack Schmidt told the VIN News Service by email. A practitioner in Florida, Schmidt received the call in September. "I did not leave any voicemail message because my warning radar went off. I don't know what the scam is or how it plays out, but it's very strange."
Like Schmidt, other recipients of Dr. J calls suspect it to be some sort of robocall spam, but to what end?
Cybersecurity experts Derek Rowe and Collin Orner of Montana-based LMG Security are penetration testers, also known as "ethical hackers." Their job is to try to break through their clients' security systems to expose vulnerabilities that their clients can then fix. As such, they have special insight into the minds of scammers. The Dr. J voicemail is similar to calls they've made themselves, Rowe said.
At the request of VIN News, Rowe dialed one of Dr. J's callback numbers to hear the message. Rowe and Orner concluded that the calls could be an early step in an "attack framework," an escalating procedure intended for identity theft, financial gain or other nefarious endgames. These attacks begin by gathering information about potential targets.
"For me, this is a prime example of that active information-gathering," said Rowe. "The more information that this attacker is able to build, they're going to start moving into the next step, which is, 'OK, now I've got all this information. Now I'm going to start actually trying to move on to exploitation.' "
Understanding scammers
Rowe and Orner suspect that the scammer behind Dr. J could be leaving messages to lure recipients into responding, similar to email or text phishing schemes. Those who call back and leave their name and phone number may enable the scammer to refine their list of potential targets. In this scenario, this refined list can be the focus of the next step of the attack framework — such as calling the clinic and getting a staff member to download malware under the guise of patient files or gathering enough personal information to steal the doctor's identity.
If the purpose of the Dr. J calls is information-gathering, that could explain why veterinarians who call Dr. J back never reach a person, because the role of Dr. J in the scammer's process is complete. Completing an attack framework can take years from start to finish, Rowe said.
Orner gives this analogy for how scammers think of knowledge-gathering:
"It's almost like a dartboard, where the bullseye gets bigger and bigger," Orner said. "The bullseye is how much information they have, so if they have your email, your phone number, your full name, your pet's name, where you live, the bullseye gets bigger and bigger. And whenever they actually plan to execute some sort of exploit, that bullseye is a lot easier to hone in on and perform whatever they need to do."
Targeting health care professionals
While Dr. J's initial call specifically mentions a "vet" clinic, his answering machine message contains clues that he may be targeting other medical professionals, as well: "If this is a patient and this is a medical emergency, please hang up and dial 911." There is no 911 for veterinary emergencies. And veterinary patients wouldn't be calling Dr. J. Indeed, VIN News heard from a physician in Colorado who received a Dr. J call in December, and a dentist in Maine reported the same on a blog post last February.
Health care professionals are vulnerable to scams like this because of how they're wired, Rowe believes. When Dr. J implies he has patients who need a doctor, that message can compel practitioners to respond.
"What are medical staff trained to do? Help," Rowe said. "I think medical staff are even more prone to social engineering … because when somebody comes in, or somebody approaches them or communicates with them, the first thing anyone in the health care or the medical industry [thinks] is, 'How can I help this individual?' because that's their culture."
Knowing that scammers may try to take advantage of their desire to help, Rowe and Orner encourage veterinarians to look for red flags. The first red flag Rowe noted about Dr. J was the time of the calls — in the early hours of the morning before clinics are open. This is a suspicious time for a call, putting its legitimacy in question, Rowe said.
Another common red flag is a sense of urgency — so the best thing veterinarians can do when they get an out-of-the-ordinary call like this is to stop to think before responding. Share information with others to see if they've had similar experiences, Rowe advised.
Rowe also recommends cybersecurity training sessions in clinics or other places of employment every few months. Even short sessions of a few minutes can help teams stay on top of the latest threats and keep cybersecurity top of mind.
As for practitioners who called back Dr. J and left their name and number? Don't panic, Rowe said, just keep an eye on security.
"We should always have a security mindset," he recommended. "Now that that information may have been given, let's do better next time. Let's use this as lessons learned."