Friday, May 19, 2017

Fake News & Yellow Journalism

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

“Fake News” was responsible for the Spanish-American War when American journalists fabricated atrocities which justified the US invasion of Cuba.  Historians agree that war was caused by what was then called “Yellow Journalism.”  At the heart of the era's newspapers’ propaganda were publishers Joseph Pulitzer (yes, that Pulitzer) and William Randolph Hearst.

Yellow journalism has been defined as journalism that features scandal-mongering, sensationalism, or other unethical or unprofessional practices by news media and individual journalists.   Today it is simply called Fake News. 

In 1901, separate newspaper articles, months apart, suggested the assassination of President William McKinley. When McKinley was shot on September 6, 1901, critics accused journalists of driving assassin Leon Czolgosz to kill the President of the United States.  The public made such an outcry that fake news and other offenses had to be addressed.  Joseph Pulitzer was haunted by his “yellow journalism” sins to the extent that it is believed that it led to his founding of the Pulitzer awards.

Perhaps as another response to “yellow journalism,” a few years later, students at DePauw University, a Methodist Church institution, founded Sigma Delta Chi journalistic fraternity.  This organization was based on the support of an honest and honorable press and was the forerunner of the Society of Professional Journalists (SPJ). 

Today, journalists find themselves – again -- accused of Yellow Journalism.  This is unfortunate for all of us. 

According to Gallup, Harvard, and others, in the minds of Americans, journalism has sunk to new lows not seen within living memory – perhaps since the 1880s’ Yellow Journalism. 

Only eight percent of Americans have a “great deal” of confidence in newspaper and television news according to Gallup.  Further, a May 18, 2017, Harvard University study illustrated that the tone of the press is decidedly “negative.”  Read the Harvard article and Gallup report for more details about press bias.

Several days ago, I became disgusted with a “news” article authored by a local reporter and published in a local news outlet.  Moreover, I was motivated to voice my complaint in the form of a formal written ethics complaint.  Yes, the Society of Professional Journalists has a “Code of Ethics.”  However, after I looked and looked for an internet link or address so that I could file an ethics complaint, I could not find one.  Nope.

Both of my professional organizations have Codes of Ethics and will process and judge a complaint about one of their members.  If that member is found to have violated that code, he/she could have their membership suspended or terminated.  Accountants, lawyers, engineers, and even meteorologists allow the public to submit ethics complaints.  Organizations protect their reputations by expelling those that violate their rules.

An investigative journalist friend and a member of the SPJ Board of Directors (maybe she will de-friend me after she reads this article) said that there was no mechanism that would allow me to file a code of conduct complaint with the SPJ.  I said that this was like having a gun but no bullets.  It was like having speed limits and no traffic cops.  She did not disagree.

Next, I went to the head person and contacted the Society of Professional Journalists’ Executive Director, Mr. Joe Skeel.  After a few days, he responded, “You are right that our Code of Ethics isn’t enforceable.”  Further, he said that “The reason we can’t enforce our Code is because (sic) doing so would violate Free Speech protections under the First Amendment.”  What??

Are we to believe that the U.S. Constitution prohibits journalists from enforcing their own Code of Ethics?  What deceptive nonsense.  Shame on Joe Skeel and shame on the SPJ.

The SPJ clearly does not have a Code of Ethics.  The Society of Professional Journalists has a list of unenforceable suggestions.  Are they hiding behind the First Amendment?  Is this partly the cause of the small percentage of Americans that trust the press? 


Monday, May 15, 2017

Ex-lover & ID theft

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

There is a thin line between love and hate. 

Scientists have an explanation.  Brain scans of people shown images of individuals they hated were similar to the brain activity triggered by individuals they love.  Love and hate appear to be controlled by the same section of the brain.  Therefore, when you no longer love a person, it is psychologically easy to shift into “hate” mode.

Perhaps that has led to the popularity of “revenge” books and internet sites.

The mother of all revenge sources may have first been sold by the Paladin Press, named after that old Emmy-nominated TV show “Have Gun, Will Travel.”  Perhaps their long-time, best-selling famous book was “Get Even – the complete book of 200 dirty tricks,” first published in 1980.  The publisher’s current popular book is the “Revenge Encyclopedia.”

However, with the use of the internet, it may be easier to carry out revenge strategies today than in 1980.  Paladin’s dirty tricks have been amplified by the internet.  Today, it is even easier to get even and even remain anonymous.  Just Google “revenge”  to find out.  Maybe visit the dark net for even dirtier tricks.

Revenge porn.  The term "revenge porn" refers to uploading sexually explicit material to the internet to humiliate an individual who has broken off the relationship.  It is illegal in most jurisdictions. The explicit images may be accompanied by the identity of the pictured individual, home address, and can even include links to their social media site and employer.  The images can expose victims to professional ridicule.

In addition to intimate details, former spouses and love interests may have had access to personal and financial information.  Often, lots of information.  Business and personally identifiable information (PII).  Tax information. Enough information to easily allow the misuse of your identity.  It’s bad enough to post pornographic pictures of a former lover or spouse.  Some actors are more focused on revenge than avoiding breaking the law.

If you were in a relationship that went bad, take inventory.  Did he/she have access to your tax and business records? 

Take defensive action.

Google your name and picture.  Find out if someone else is using your Social Security number.  Has he/she arranged "synthetic ID theft" of your Social Security number?  Monitor social media using your name and business name. Check your credit for suspicious activities. 

If things don’t seem “right” or if the relationship was especially messy, contact an ID theft prevention and victim advisor. 


Tuesday, March 14, 2017

When synthetic identity theft meets the Medical Insurance Bureau

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Synthetic identity theft has become the predominant form of U.S. identity theft.  When this growing fraud meets your medical records, it could impact both your pocketbook and your health.  It could even harm your health.

Most of us think that identity theft is when someone uses our Social Security number, name and date of birth to get a credit card, borrow money or buy things.  The cost and time required to correct this fraud may be painful.  However, synthetic identity theft may be worse.

Synthetic identity theft is when a fraudster uses your Social Security number and a different name and even a different date of birth.  This type of fraud can continue for years and even decades without your knowledge.

In my lectures on fraud, I call synthetic identity theft an “electronic home invasion.” 

Synthetic identity theft can result in what’s known as a fragmented credit file.  When an identity thief uses a real Social Security number and a different name, it’s possible for the synthesized identity to become associated with the real credit file under the same Social Security number.

The same thing may happen with your medical records file. The medical information exchange organization may not know which is real and which is synthetic.  Hospital records too.  Ouch.

Often the fraudster – say an illegal immigrant -- uses your Social Security number to get a job and then signs up for employer-sponsored medical insurance.

Following an illness or surgery, the medical diagnoses information may be transferred by the insurance company to the MIB Group (formerly known as the Medical Insurance Bureau). The MIB Group Inc. is an insurance "information exchange" organization founded in 1902 that is not unlike a consumer rating agency (e.g. Experian). 

The MIB receives consumer medical information from insurers that might impact health, long-term care, life, and other insurance underwriting. Insurers use the information to decide if they will cover you and issue health or life policies on you, and how much you should pay.

As with consumer credit files, medically related account numbers may be associated with that file due to partial matching. In this way, the consequences of synthetic identity theft can be a lot more challenging to alleviate than those of true name identity theft.

While people who experience true name identity theft can have false or unauthorized credit accounts tied to their credit reports, synthetic identity theft victims can have entire identities (credit and medical) tied together.

Victims are often older and younger citizens.  These individuals typically are less apt to seek credit or change medical insurers.  Synthetic identity fraud can continue for years – even decades – without being discovered until it produces catastrophic results.  For example, when the younger victim applies for college admittance, applies for student financing, or the older American tries to change his/her Medicare Supplement or get a “reverse” mortgage.

About one-third of Americans’ Social Security numbers are being used by someone else without our permission.

Recently, I was asked by a CPA friend (male) to check to see if anyone was using his Social Security number.  I found a female individual that had used it to gain employment with a Pennsylvania manufacturer.  Based on the background research report, it appears that the person is an illegal immigrant.  I’ll bet ya that she has health insurance from her employer!

To avoid becoming one of a growing number of Americans that are victims of synthetic identity theft, frequently check your Social Security statements, consumer rating agencies’ reports, etc.  Also, you can check with the MIB Group to see if they will let you look at your medical file.

For a more complete roadmap to ID theft prevention, attend one of my free public lectures on how to avoid identity theft. 

Tuesday, January 31, 2017

Little Red Door Hacked by The Dark Overlord

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

The Little Red Door Cancer Services of East Central Indiana was recently hacked by The Dark Overlord, a cyber criminal group, and faced a $43,000 ransom demand.

Increasingly, medically related and non-profit groups experience ransomware demands.  These organizations possess individuals' medical and personal information, and typically have weak IT security.

Sometimes data is encrypted by the cyber thief, and the ransom is demanded in exchange for the decryption key to unlock the data.  This is what happened in Madison County, which paid the ransom.  In other cases, it is a blackmail demand to avoid the public embarrassment of having sensitive information published on the internet.

The Dark Overlord group, named after a comic book character, has been successful in multiple ransomware cases and netted over $500 million last year alone, according to security sources.

These data breaches are more serious than previous credit card breaches because they affect not only Personally Identifiable Information (PII) but also include Medical Information covered by HIPAA.  PII has a value on the “dark net” of about $50 per individual and HIPAA information is valued at over twice that amount or about $100 per individual.

Thus, an organization -- say a dental or physician office that has maybe 3,000 current and past client records -- could provide a cyber thief with $300,000 in revenue from the dark net sale of both the PII and medical information.  The ransomware demand is often only a minor revenue stream for these fraudsters.  Many cyber criminals enjoy taunting their victims.

From the consumer’s standpoint, the theft of PII or credit card information is inconvenient to most victims and can take a long time to correct. About one in three Americans will be victims of that kind of theft this year.  The inconvenience for many is worse than the financial impact, and it can often be repaired without requiring professional help.  The loss of your medical identity can be worse, more difficult to correct, and sometimes life threatening to the victim.

From the medical provider’s standpoint, a data breach can be catastrophic. 

In some parts of the U.S., legal boutiques are springing up that focus on class-action data breach events that involve both PII and HIPAA.  If a medical-related organization experiences a data breach and it had not previously conducted a cyber security assessment or financial risk assessment, had insufficient safeguards, and had an ineffective (or non-existent) HIPAA supervisor, these issues could eventually result in liability costs that force the sale of the medical practice.

In the case of the Little Red Door, there was no reported encryption of data, but the threat was that the data would be released on the internet.  The LRD has reported that they refused to pay the demand.

Unfortunately, the staff’s Social Security numbers and other LRD information are already on the dark web. A spokesperson for The Dark Overlord, who forwarded an email to the media from within the Little Red Door’s internal email account, disputed that the data had yet to be published.  Obviously, The Dark Overlord is not finished with the Little Red Door. TDO claims that they acquired much personal information, including diagnoses of clients.

Few non-profits and smaller medical-related businesses have adequate safeguards to prevent the loss of sensitive client information.

Wednesday, January 18, 2017

Ransomware + Medical Identity Theft = Disaster

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes two bad things link, accelerate and produce an even larger tragedy. That’s what is happening today when “ransomware” meets “medical identity theft.”

Smaller personal service business offices are notoriously lacking in cyber security.  This includes smaller offices of physicians, optometrists, chiropractors, and dentists.  Cybercriminals are increasingly attacking these small businesses, encrypting their files and holding them for ransom.

Last year, the American Dental Association warned dentists about ransomware.

Many businesses cannot operate without access to their customer files. Moreover, once they become a ransomware victim, like Madison County Indiana recently, they will pay a ransom to the cyber criminal.  If the victim is a medical office, the data thief also gets to copy and sell the medical practice’s patient records too.  Ouch.

What could a cybercriminal do with your Social Security number, credit card info, insurance policy information, your address, and medical history?  Similar information is sold every day on the dark net.  Medical identity theft is one of the fastest growing cyber crimes.  Ransomware crimes are growing even faster and reaching down into profitable small businesses.

Medical businesses are a favorite.  Last year, for example, Hollywood Presbyterian Medical Center revealed it paid ransom to hackers who held the hospital's computer system hostage by encrypting its patient records.  I’ll bet that the hospital’s patients' medical information was also copied and sold.

Ransomware is exactly what it sounds like -- malicious software used by cyber criminals to block access by a business owner to a computer system until a ransom is paid. It has become much more common in recent years. The number of ransomware attacks increased almost five times – 500% -- in 2016 compared with the prior year.

This particular type of cyber crime was first recorded in 1989. The attack is relatively easy to deploy and profit from.  It doesn’t take special skills and the software or malware is easily obtainable on the dark net.  The victim’s employees need only click on the wrong “innocent” appearing link to infect and compromise their computer system.

In the past, ransomware cyber-criminals targeted consumers connecting to porn sites and typically asked for modest amounts to release the victim’s personal computer files. The ransom is typically paid in Bitcoin.

The increased use of Bitcoin and other similar currencies has made this type of crime increasingly possible – it is easy to deploy, receive payments safely and transfer money anonymously. This has had a dramatic impact on the number and type of cybercrime opportunities. Bitcoin is the current engine of cybercrime, and it will continue to enable and expand cyber criminal activity.

Your stolen medical records can allow someone to see a doctor, get prescription drugs, file claims with your insurance provider, have surgery, etc.  The thief’s health information then is mixed with yours, your treatment history, blood type, allergies, and payment (or non-payment) records. This data mix can be physically dangerous to you, cause your insurance premiums to increase and result in you being denied certain insurance coverages.  It is very difficult to correct.

Stolen medical records can be more troublesome than other types of identity theft.

Read your Explanation of Benefits (EOB) statement or Medicare Summary that your health plan sends after treatment. Check the name of the provider, the date of service, and the service provided. Do the claims that were paid match the care you received? If you see a mistake, contact your health plan and report the problem ASAP.

Signs of medical identity theft include bills for services you did not receive and calls from debt collectors about medical debt you don’t owe. Since Federal law gives you the right to know what’s in your medical files, the thief may have impersonated you and received your complete records from other providers.  This could wreck your medical care for life.

If you think that something is amiss, ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records. The “accounting” is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months. 

Smaller medical service providers are frequently victims of combined ransomware and medical records theft.  If they are a ransomware victim, they probably have had client medical records compromised as well.  This likely qualifies under Indiana law as a “breach.”  It must be reported to the Indiana Attorney General.  Also, it probably is subject to HIPAA, OCR and HHS regulations.  The medical or business professional organizational victim needs to report the information promptly.  Failure to do so can result in more fines and hassle than a multi-year full IRS audit.

Small profitable businesses are particularly vulnerable to Ransomware and breach attacks.  The cost from “Ransomware” may be small compared to those associated with “breach,” HIPAA and other regulators’ fines.  Plus the negative publicity and client issues.  Ask yourself if you would consider a medical professional that did not actively prevent someone’s medical information from being compromised and sold on the dark net.

Smaller businesses, particularly medical service providers, need to have adequate cyber defense insurance from a company that has the staff experts that can apply corrective actions and guide the victims through the regulatory process.

Tuesday, December 20, 2016

Veros Partners – the final shoe?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes the second shoe takes longer . . .

You may recall the SEC charges against our home-grown alleged Ponzi schemers Matthew E. Haab, Jeffrey Risinger and Tobin J. Senefeld. 

As reported here months ago, Veros Partners, an affiliate of Veros CPAs, was charged with fraudulently raising $15 million from local investors, many of whom were dentists.  Several of Veros’ tax and practice management clients purchased investments from an affiliate firm, Veros Partners.  How convenient.

When some of those investments lost money, the defendants allegedly took “new” money from clients to pay “old” clients – apparently straight from the classic Ponzi scheme playbook.  Madoff did the same thing. 

You may also recall that Mr. Haab, Veros Partners’ President, had touted his Certified Financial Planning credentials.  However, the Certified Financial Planning Board did not concur that Haab was, in fact, a CFP.  Further, some members of the community have told me that some of the Veros’ CPA partners may not have been, in fact, Certified Public Accountants because their names could not be found on the State of Indiana Accountancy Board website.  Ooo shame!

Veros CPAs’ assets (read, client list) have been sold to its former employees by the court-appointed receiver, William E. Wendling Jr.

Defendants Matthew Haab and Jeffrey Risinger both settled the SEC civil suit with cash and agreed never to do it again; however, Senefeld and the SEC could not reach a settlement -- it appeared that they were headed to trial.

Senefeld is no stranger to securities regulators. 

His securities career spans over two dozen years and eight securities firms, where he had been sanctioned a total of 17 times for alleged wrongdoing.  As was pointed out in FINRA Enforcement Dept. documents, in 1999, for example, Senefeld was censured, fined and suspended from the securities industry for 20 days.  Later in that year, because of other alleged conduct he was suspended for 12 months and fined.  Here is a link to his securities record thanks to the regulatory organization FINRA. 

According to a recently signed agreement, a Financial Industry Regulatory Authority Letter of Acceptance, Waiver, and Consent (an AWC in industry parlance), Tobin J. Senefeld agreed to a lifetime sanction and is barred from the securities industry.  Here is a link to the AWC.  You may note on page four of the AWC that Senefeld agreed not to make any public statement about the AWC or “create the impression that the AWC is without factual basis.”

Perhaps the “take-away” from these events is that some professionals do not have the credentials that appear on their website, and sometimes they have had run-ins with regulators that they hope you do not find.  Also, dig a little deeper when the CPA also sells investments or insurance products.

Friday, November 18, 2016

A “Credit Freeze” can be used against you

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Identity theft continues to be more frequent and is particularly troublesome for seniors.  Two simple changes by regulators could diminish identity theft by 90% or more.

Denise had heard me last year when I spoke to a group of seniors. She called recently telling me that her father was a victim of identity theft and asked for my help.  Her father was in a nursing home, and she just learned that his credit had been used in an attempt to finance improvements to a house not connected to him.  She had heard me speak and wanted to know if I could help.

I suggested that she contact the Indiana Attorney General’s Identity Theft Unit and gave her the contact information.

However, she wanted a prompt answer and wanted to know who had stolen her father’s identity. I explained that, unfortunately, few victims of identity theft ever discover who actually stole their identities or where they got the information. 

I suggested that she first place fraud alerts with credit bureaus and request credit reports to review suspicious transactions.  Also, her father’s credit should be frozen[i].  More about a credit freeze later.

The next step is to obtain copies of the credit application, and paperwork that might identify the fraudster.  Since the construction work had not started and her father had not been (yet) harmed financially, the vendor would not cooperate.  He voided the transaction and did not want to become involved.

Denise was insistent on knowing more, and she wanted information about the owner of the property.  It turned out that the property owner had over 50 judgments pending, evictions, history of bankruptcy, etc.  Again, I suggested that she turn the matter over to the Attorney General.  We both suspected that the point of compromise was her father’s nursing home.  This is not an unusual place for data compromise, and quite often the source of medical identity theft.

Identity fraudsters often use a mail drop to shield their identity.  The former insurance agent that stole 3,000 identities in Fishers a few years ago used the mailboxes at homes that were vacant.  Other fraudsters use “virtual” mail drops that do not supervise their clients or enforce the requirements set forth by the U.S. Post Office[ii].

Some identity theft fraudsters will issue a credit freeze on an account they are trying to loot.  Imagine what might happen if someone – posing as you -- established a “Credit Freeze” (also known as a Security Freeze) on your credit.  All it takes to freeze your credit is the following information:
  • Your full name
  • Social Security Number
  • Date of birth
  • Current address
  • All addresses where you have lived during the past two years
  • Email address
  • A copy of a government-issued identification card, such as a driver’s license or state ID card, etc.
  • A copy of a utility bill, bank or insurance statement, etc.

You can easily obtain a counterfeit driver’s license and copy of a utility bill.  There are several organizations selling false documents over the internet for “amusement purposes only.”  Someone could grab your picture from Facebook or Google and do this in a few minutes. 

Imagine that your credit has been frozen by a fraudster, and you cannot prove that you are you.  The fraudster can change your mailing address, file for a tax return, borrow money, even sell your home.  A credit freeze can be used against you.

Where will this end?

Two simple changes would end the identity theft nightmare:
  1. Enforce the “know your customer” rules for all financial institutions involved in the extension of credit.  These rules currently apply to all financial institutions and are designed to prevent money laundering, and violators face stiff fines.  Both the institution and the individual employee approving these transactions face fines.  Use these existing laws to deter identity theft.
  2. Require the Social Security Administration to allow credit reporting agencies to determine if a Social Security number matches the name provided.  Currently, approximately one-third of the Social Security numbers are concurrently used by two or more persons.  We’ll save that tidbit for a future column.

According to U.S. government statistics, over 17 million citizens have been victims of identity theft.  Seniors and children are more frequent victims of this crime.  Criminals have pivoted to using identity theft because they believe that they are less likely to be caught than any other type of financial crime.

[i] A credit freeze, also known as a security freeze, is a consumer right provided by Indiana law.  Placing a credit freeze on your credit reports can block an identity thief from opening a new account or obtaining credit in your name. A credit freeze keeps new creditors from accessing your credit report without your permission. If you activate a credit freeze, an identity thief cannot take out new credit in your name, even if the thief has your SSN or other personal information, because creditors cannot access your credit report.
[ii] USPS Application for Delivery of Mail Through Agent Form 1583.