Thursday, February 1, 2018

Latest Data Breaches. Are you exposed?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Three Indiana data breaches reported by the Identity Theft Resource Center include Hallmark Home Mortgage, Lincoln National Life Insurance and the Pension Fund of the Christian Church.

The reporting of all data breaches, since they have become more common, appears to provide less and less information.  Also, it has been determined that many data breaches are never reported.  

The Hallmark Home Mortgage breach was discovered, according to publicly reported data, on Nov. 17, 2018, and published (drumroll) on January 12, 2018.  Apparently, a former employee may have accessed some customers' personal information.  The company motto is "Our only interest is you."

The Lincoln National Life Insurance Company data breach was published on January 26, 2018.  We have been unable to learn any other facts about this data breach.  The company motto is "Its name indicates its character."  Maybe it notified its policyholders.  We do not know.

The Pension Fund of the Christian Church became aware of the data breach and notified its membership, according to its official letter.  The data breach was published on January 16, 2018.  The organization's motto is "Strong Smart Secure."

It is a dangerous world.  You trust those that take your money and give them the keys to your identity.  Be careful.  Your identity is probably already for sale on the dark web.  Also, someone is using your Social Security number without your permission. 

What is your plan? 

Monday, January 15, 2018

Black Swan Events

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

A black swan event is a metaphor that describes an event that is unexpected and has a significant effect on your way of life.  It can impact politics, economics and science.  The concept was introduced by Nassim Taleb, who studied randomness, probability, and uncertainty.   

Black swan events can also refer to your personal life as well as national or international economic/political events.  As a Certified Financial Planner, I have advised folks about the need for contingency plans covering uncertainty. 

When the term “black swan” first came into use, black swans were presumed not to exist.  This phrase was a common expression in 16th century London as a statement of impossibility: "A rare bird in the lands and very much like a black swan."  However, in 1697, Dutch explorers became the first Europeans to see actual black swans in Australia.  The term subsequently became a metaphor to connote the idea that a perceived impossibility or unlikely event might later be disproven. 

I do not limit black swans to politics, economics, and science.  Here are a few personal black swan events that can be life-altering:
  • Home or business destroyed
  • Bankruptcy
  • Public accusations or arrest
  • Accidental death or suicide

Here are a few recent Black Swan economic/political events you may recall:
  • 9/11/2001
  • 2008 financial crisis
  • 2009 European debt crisis
  • 2011 Fukushima nuclear disaster
  • 2014 oversupply of oil
  • 2015 Brexit

Here are a few potential 2018 black swans for you to ponder:
  • EU break-up
  • China real estate bubble
  • Global internet shut down
  • Japan gains nuclear weapons
  • Saudi Arabia gains nuclear weapons  
  • Trump impeached
  • Supervolcano eruption
  • 2% US unemployment rate
  • Deadly pathogen ravages world

What is your plan B?

Saturday, December 30, 2017

Is your financial adviser protecting your data?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Small financial planning and investment advisory firms are cyberattack targets.  Many have been a data breach victim and do not know it.  Some know that they have been a victim and did not report it as required by law.  They did not tell you either. 

All of your financial and personal data – investments, tax returns, loved ones, business interests – may already be in the hands of a cyber-thief.  You may not find out until your assets have been compromised. 

Ask your financial planner, insurance agent and investment advisor a few basic questions:

  • How often do they conduct a cybersecurity audit?
  • Who conducts that audit?
  • The name of their cybersecurity third-party consultant.
  • Request a copy of the most recent audit.
  • Request a copy of their data breach response plan.
  • Where is your data stored?  Is the data stored in the U.S.?
  • Is it encrypted?
  • The name of the software

Be prepared for a request for time to respond.  You may need a plan “B.”

Tuesday, September 5, 2017

Has the Indiana Dept of Education neglected our children’s safety?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Last year USA TODAY graded Indiana an “F” on teacher background checks. 

The DOE has had an opportunity to improve that grade but appears to have done little or nothing since that article was published.

While the Indiana DOE is responsible for verifying teachers’ degrees and licensing them, it does not check their backgrounds for felony convictions, sex crimes, inappropriate contact with students, etc.

The DOE maintains that background checks are the responsibility of the school districts.  Not their responsibility!  No sir.  School district responsibility.  Thank you very much.

I asked a large school district if the DOE is helpful providing guidance, a “best practices” model, suggested background verification vendors, etc.

What does the DOE do to help your school district avoid hiring pedophiles or felons? She said:


An Indiana DOE staff attorney said her main responsibility is to work on teacher licenses, suspensions, and revocations.  Since 2013, the DOE revoked 48 teachers’ licenses for sexual misconduct with a minor and child molestation.

I asked if any of the 48 had a prior criminal history.  The DOE did not know.

I asked if the 48 had undergone a background check before being hired.  The DOE did not know.

Did the DOE analyze these teachers – these child sex offenders – to find out about their background?  That information could be helpful in knowing if the current background checking process and teacher licensing process might need to be adjusted.  Apparently, the DOE has no interest in learning how to keep child sex offenders out of our classrooms.

I was quickly diverted to their media relations department.  They do not want to discuss this issue.  It is the school district’s problem.  Not the DOE’s problem.

Meanwhile, we continue to read about cases involving teachers and school coaches:
  • A basketball coach from a private school pled guilty to coercing a 15-year-old into exchanging sexually explicit messages.
  • Last summer a high school teacher faced charges of felony child seduction involving two female students.
  • A few months ago police arrested a high school teacher on two counts of child seduction.

Meanwhile, our state legislature has drafted a series of bills to – hopefully – lock this barn door.  However, each suggested change keeps the responsibility at the school district level.  The Indiana DOE is off the hook.  However, are Indiana's school districts equipped to conduct a background investigation of teachers, coaches, and volunteers?  Probably not.

It is easy to mess up a background check.  For example, a few years ago an Ohio State University employee killed a co-worker and shot two others.  Ohio State had conducted a background check on Mr. Nathaniel Brown that did not reveal that he had been in prison and had been charged with assaulting his girlfriend’s child. 

According to prison and court documents, Mr. Brown’s birthday was June 5, 1959.  However, Ohio State’s records listed it as June 4, 1959 – only a single day’s difference!  The Ohio State background check showed Mr. Brown had a clean record.  One day made a big difference.  One person died and two were wounded.

School districts do little to verify full legal name, maiden name, date of birth, etc.  They simply do not know how.  Most checks of parents and volunteer coaches are done over the internet.  The school volunteer can use any sort of name combination and date of birth to shield his or her past conviction of criminal assault, felony child seduction or rape.

How does your school district check out teachers, coaches, and volunteers?  Is the Indiana DOE doing its job to protect your kid?  How safe is your child while at school? 


Sunday, July 30, 2017

CPA Data Breach

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it could be the start of a nightmare, unlike any crime you may have experienced.  Weak Indiana data breach regulations do not help. 

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Among the most important are your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone number, email addresses, etc.  If the CPA also handles your investments and insurance, they will have your medical information.

The CPA firm Whitinger & Company realized that they had suffered a data breach on April 12, 2017.  According to one of their clients, they waited until July 18, 2017, to notify him.  That gave the fraudsters a head start of over three months before the victims (the CPA’s clients) could defend themselves.

The data breach also delayed the filing of this client’s taxes because Whitinger & Company’s computer was locked by the fraudsters just before they attempted a ransom demand.  Did Whitinger pay the ransom?  We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a potential CPA ransomware sequence of events.  We do not know if this is what happened at Whitinger.  We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. Fraudster hacks CPA.
  2. Information found on the CPA’s computers is copied: tax returns, client correspondence, emails, the firm's financial data, client investment data, etc.  (Many CPAs today sell insurance and investments.)
  3. Hackers analyze the CPA’s data – they are looking for “whales” (high net worth, pension & large savings accounts).  They can identify whales by sorting through a tax return and investment records.
  4. Hackers also look for older account holders because they often have money and are easy prey.
  5. Hackers next decide to sell the data on the dark net or farm the data themselves.  They have time to decide because the CPA victim firm most often is unaware that it has been hacked.
  6. If the hackers decide to farm the data, they often send whales & older targets an email with an infected attachment.  They can use the CPA’s email system or clone one that looks exactly like the CPA’s email.
  7. Once received, the unsuspecting clients click on the link assumed to have been sent to them by their trusted CPA and infect their computers.  The hacker wants access to the passwords you keep on your computer.
  8. The hackers’ next step is to loot investment accounts.  The victim often cannot connect their loss with the CPA’s being hacked.
  9. Whales & other victims cannot prove the cause of their loss.  It could have been caused by their own weak security and stupidity.
  10. The hackers then lock the CPA’s computer.  This prevents the CPA from processing tax returns and conducting business.
  11. The hackers send the CPA a ransomware demand.  The CPA firm is unaware it has a problem until its computer is locked down and it receives a ransom demand.  Does it pay or try to restore its system with outside help?
  12. If the CPA pays, the fraudsters collect the ransom and unlock the CPA’s computer.  As part of the deal, the CPA agrees to be a reference to other victims and maybe even suggest other CPAs that might have weak security.
  13. By the time the CPA’s clients have received the legally required notice, the damage may have already been done.

We do not know if any of these steps were taken against Whitinger & company clients.  All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.  

Here is a summary report of the breach from my reporting service:

CPA firms are not regulated under cyber compliance umbrella laws such as HIPAA, PCI, etc.  Therefore, they have a lower legal requirement to protect their clients’ data.  Indiana breach regulations are relatively weak, and the fines are small.  Affected clients deserve more.


Wednesday, July 5, 2017

You’ve Been Hacked Red Flags

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes it takes years – yes years – to realize that you have been hacked and your identity is being used without your permission.  This is especially true with the most insidious form of ID theft: “synthetic identity theft.”  One-third of Social Security numbers are being used by more than one person. 

As you read this, your Social Security number may be used illegally by another person and you do not realize it. 

Here is a short list of ID theft red flags:

  • No mail in your mailbox for two or more regular delivery days
  • You are having problems with a spouse or member of your household
  • You are a victim of domestic violence, stalking or cyberbullying
  • You receive notice that you have changed your address
  • Someone close to you had their ID stolen
  • Errors on your medical “explanation of benefits” (EOBs)
  • A vendor you do business with has a data breach
  • Suspicious mail arrives for your minor child
  • Bogus charges on your credit card or bank statement
  • Errors in your credit file
  • You’ve been traveling – especially in another country
  • Collection notices arrive
  • Credit cards arrive that you did not order
  • Strange credit card statement arrives in the mail

The weakest link in your identity security is your smartphone.  Also, most businesses provide more security for their toilet paper than for your personally identifiable information.

If your group needs someone to speak about these issues and how to reduce the risk of identity theft, contact me.  


Thursday, June 22, 2017

Elder lawyer in estate misappropriation case receives 8-year sentence

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

My article about attorney Stephen Schuyler, dated March 2, 2016, concerned the estate of Sarah Wilding.  Today, following his guilty plea, former elder law attorney Schuyler was sentenced to eight years in prison in connection with the misappropriation of funds from Ms. Wilding’s and five other estates totaling more than $700,000.

Below is a reprint of my 2016 article:

Sarah Wilding trusted her attorney to give the remainder of her estate to her church’s building fund.  Elder attorney Stephen W. Schuyler had other uses for the money.  Only recently, it finally came to light that Schuyler had over-charged and diverted as much as $500,000 from some of the 130 estate cases he was administering.

East Lynn Christian Church is a small Anderson, Indiana church.  Following Sarah Wilding’s death on April 20, 2012, Schuyler paid her final expenses and distributed funds and assets to her named beneficiaries.  That was the plan.  The remainder, $145,003, was to go to the church building fund toward paying off the 2005 sanctuary expansion.

The church was aware that Sarah had made a final gift to them, and they sought payment from Schuyler.  He stalled and requested the court approve yet another payment for additional attorney fees.  Undeterred, the church pressed him to close the estate and pay them.  Schuyler’s check bounced.

Finally, the police and prosecutor investigated.  They ascertained that, in addition to Wilding, other estates had been looted.  They identified four other estates specifically, and 130 unsettled estates that were eventually assigned to other attorneys.

The East Lynn Christian Church filed a civil complaint against Schuyler and his girlfriend, Kem Golden, for conversion of $164,101 from the Wilding estate.  In addition to the civil complaints, charges have been made that involve the estate of Frances Clem from 2010 to 2014 of $156,790.  Other victims may include other churches and the local Humane Society.

Unsurprisingly, Schuyler’s law license was suspended indefinitely, and he is facing 13 felony counts. 

Since supervision may be lax or even non-existent, there are probably similar cases in other communities that have simply not been reported.  The deceased had counted on a trusted attorney to carry out their final requests and not to loot the estate.  But, the lawyer treated the estate assets like his personal piggy bank.

Inheritance hijacking is not that rare.  Thieves who target the elderly and the dead are cunning and patient.  The vulnerable elderly among us are perfect targets – 20 percent are victims.

Strongly consider not waiving the requirement that executors be bonded, even though many attorneys suggest waiving it.  Consider not giving your attorney authority to be your executor.