Sunday, July 1, 2018

Cell phone financial fraud – often an inside job

By Greg Wright
Certified Fraud Examiner
National Speaker

Increasingly, financial fraud victims report a scam in which their cell phone number is transferred to a new carrier without their knowledge, after which their financial accounts are looted.

Once the cellphone number has been “ported” (transferred) to another carrier, the fraudster can gain access to the victim's various financial accounts by claiming to have forgotten their password and requesting a password reset via text message. He doesn’t physically need your phone to do this.  Moreover, if it is at night, you’ll be asleep . . .

The fraudster then changes your password, gains access to your financial accounts, and begins transferring money out of your banking, retirement and securities accounts. The fraudster acts quickly before you notice.

Given how often this scam now occurs, it need not mean that you lost your cell phone.  Often an accomplice employed by the cellular network contractor has been used.  Yes, often it is an inside job.

My advice is to avoid using portable devices to conduct financial transactions.  Never, never use WIFI.  But, if you must, whenever using the internet to make financial transactions, always use two-factor authentication*. 

I use checks, stamps, and USPS big blue mailboxes.  Old fashioned, yes.  However, much safer.

*Two-factor authentication involves using your mobile phone to receive one-time passwords from the financial institution.  Without these codes, which usually consist of four numerical digits, the fraudster cannot carry out any transactions on your account, and even if he tried, you would be alerted to the fact that someone is in your online banking account because you would receive real-time confirmations.

Thursday, February 1, 2018

Latest Data Breaches. Are you exposed?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Three Indiana data breaches reported by the Identity Theft Resource Center include Hallmark Home Mortgage, Lincoln National Life Insurance and the Pension Fund of the Christian Church.

The reporting of all data breaches, since they have become more common, appears to provide less and less information.  Also, it has been determined that many data breaches are never reported.  

The Hallmark Home Mortgage breach was discovered, according to publicly reported data, on Nov. 17, 2018, and published (drumroll) on January 12, 2018.  Apparently, a former employee may have accessed some customers' personal information.  The company motto is "Our only interest is you."

The Lincoln National Life Insurance Company data breach was published on January 26, 2018.  We have been unable to learn any other facts about this data breach.  The company motto is "Its name indicates its character."  Maybe they notified their policy-holders.  We do not know.

The Pension Fund of the Christian Church became aware of its data breach and notified its membership, according to its official letter.  The data breach was published on January 16, 2018.  The organization's motto is "Strong Smart Secure."

It is a dangerous world.  You trust those that take your money and give them the keys to your identity.  Be careful.  Your identity is probably already for sale on the dark web.  Also, someone is using your Social Security number without your permission. 

What is your plan? 

Monday, January 15, 2018

Black Swan Events

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

A black swan event is a metaphor that describes an event that is unexpected and has a significant effect on your way of life.  It can impact politics, economics and science.  The concept was introduced by Nassim Taleb, who studied randomness, probability, and uncertainty.   

Black swan events can also refer to your personal life as well as national or international economic/political events.  As a Certified Financial Planner, I have advised folks about the need for contingency plans covering uncertainty. 

When the term “black swan” first came into use, black swans were presumed not to exist.  This phrase was a common expression in 16th century London as a statement of impossibility: "A rare bird in the lands and very much like a black swan."  However, in 1697, Dutch explorers became the first Europeans to see actual black swans in Australia.  The term subsequently became a metaphor to connote the idea that a perceived impossibility or unlikely event might later be disproven. 

I do not limit black swans to politics, economics, and science.  Here are a few personal black swan events that can be life-altering:
  • Home or business destroyed
  • Bankruptcy
  • Public accusations or arrest
  • Accidental death or suicide

Here are a few recent Black Swan economic/political events you may recall:
  • 9/11/2001
  • 2008 financial crisis
  • 2009 European debt crisis
  • 2011 Fukushima nuclear disaster
  • 2014 oversupply of oil
  • 2015 Brexit

Here are a few potential 2018 black swans for you to ponder:
  • EU break-up
  • China real estate bubble
  • Global internet shut down
  • Japan gains nuclear weapons
  • Saudi Arabia gains nuclear weapons  
  • Trump impeached
  • Supervolcano eruption
  • 2% US unemployment rate
  • Deadly pathogen ravages world

What is your plan B?

Saturday, December 30, 2017

Is your financial adviser protecting your data?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Small financial planning and investment advisory firms are cyberattack targets.  Many have been a data breach victim and do not know it.  Some know that they have been a victim and did not report it as required by law.  They did not tell you either. 

All of your financial and personal data – investments, tax returns, loved ones, business interests – may already be in the hands of a cyber-thief.  You may not find out until your assets have been compromised. 

Ask your financial planner, insurance agent and investment advisor a few basic questions:

  • How often do they conduct a cybersecurity audit?
  • Who conducts that audit?
  • What is the name of their third-party cybersecurity consultant?
  • Can they provide a copy of the most recent audit?
  • Can they provide a copy of their data breach response plan?
  • Where is your data stored?  Is the data stored in the U.S.?
  • Is it encrypted?
  • What is the name of the software they use?

Be prepared for them to ask for time to respond.  You may need a plan "B."

Tuesday, September 5, 2017

Has the Indiana Dept of Education neglected our children’s safety?

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Last year USA TODAY graded Indiana an “F” on teacher background checks. 

The DOE has had an opportunity to improve that grade, but appears to have done little or nothing since that article was published. 

While the Indiana DOE is responsible for verifying teachers' degrees and licensing them, it does not check their backgrounds for felony convictions, sex crimes, inappropriate contact with students, etc.   

The DOE maintains that background checks are the responsibility of the school districts.  Not their responsibility!  No sir.  School district responsibility.  Thank you very much.

I asked a large school district if the DOE is helpful providing guidance, a “best practices” model, suggested background verification vendors, etc.

What does the DOE do to help your school district avoid hiring pedophiles or felons? She said:


An Indiana DOE staff attorney said her main responsibility is to work on teacher licenses, suspensions, and revocations.  Since 2013, the DOE has revoked 48 teachers' licenses for sexual misconduct with a minor and child molestation. 

I asked if any of the 48 had a prior criminal history.  The DOE did not know.

I asked if the 48 had undergone a background check before being hired.  The DOE did not know.

Did the DOE analyze these teachers, these child sex offenders, to find out about their backgrounds?  That information could be helpful in knowing whether the current background checking process and teacher licensing process might need to be adjusted.  Apparently, the DOE has no interest in learning how to keep child sex offenders out of our classrooms. 

I was quickly diverted to their media relations department.  They do not want to discuss this issue.  It is the school district problem.  Not the DOE’s problem.

Meanwhile, we continue to read about cases involving teachers and school coaches:
  • A basketball coach from a private school pled guilty to coercing a 15-year-old into exchanging sexually explicit messages.
  • Last summer a high school teacher faced charges of felony child seduction involving two female students.
  • A few months ago police arrested a high school teacher on two counts of child seduction.

Meanwhile, our state legislature has drafted a series of bills to – hopefully – lock this barn door.  However, each suggested change keeps the responsibility at the school district level.  The Indiana DOE is off the hook.  However, are Indiana's school districts equipped to conduct a background investigation of teachers, coaches, and volunteers?  Probably not.

It is easy to mess up a background check.  For example, a few years ago an Ohio State University employee killed a co-worker and shot two others.  Ohio State had conducted a background check on Mr. Nathaniel Brown that did not reveal that he had been in prison and had been charged with assaulting his girlfriend’s child. 

According to prison and court documents, Mr. Brown's birthday was June 5, 1959.  However, Ohio State's records listed it as June 4, 1959 – only a single day's difference!  The Ohio State background check showed Mr. Brown had a clean record.  One day made a big difference.  One person died and two were wounded.

School districts do little to verify full legal name, maiden name, date of birth, etc.  They simply do not know how.  Most checks of parents and volunteer coaches are done over the internet.  A school volunteer can use any sort of name combination and date of birth to shield his or her past conviction for criminal assault, felony child seduction or rape.
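The one-day discrepancy above is a failure of exact-match screening.  The following added example (not the post's own code; names and records are constructed, the dates mirror the post's) shows a small Python screening check that flags near-miss dates of birth and known former or maiden surnames for manual review instead of reporting "clean."

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Record:
    first: str
    last: str
    dob: date
    aliases: tuple = ()  # former or maiden surnames, if known
def _norm(name: str) -> str:
    # Lower-case, drop hyphens and periods, collapse whitespace.
    return " ".join(name.lower().replace("-", " ").replace(".", "").split())
def _surnames(r: Record) -> set:
    return {_norm(r.last)} | {_norm(a) for a in r.aliases}

def dob_relation(a: date, b: date) -> str:
    """Classify how two dates of birth relate."""
    if a == b:
        return "same"
    if abs((a - b).days) <= 1:
        return "off_by_one"  # the one-day typo the post describes
    try:
        if a == date(b.year, b.day, b.month):
            return "day_month_swapped"  # 06/05 keyed as 05/06
    except ValueError:
        pass
    return "different"

def screen(applicant: Record, records: list, strict: bool = False) -> list:
    """Return (verdict, record) pairs: 'match' on an exact hit, 'review' on a
    near-miss.  strict=True keeps only exact hits (a DOB off by one day passes)."""
    hits = []
    for r in records:
        same_first = _norm(applicant.first) == _norm(r.first)
        same_last = bool(_surnames(applicant) & _surnames(r))
        if not (same_first and same_last):
            continue
        rel = dob_relation(applicant.dob, r.dob)
        if rel == "same":
            hits.append(("match", r))
        elif rel != "different" and not strict:
            hits.append(("review", r))
    return hits

# Constructed sample data: employer-supplied DOB is one day off the court record.
APPLICANT = Record("Jane", "Doe", date(1959, 6, 4))
COURT_RECORDS = [
    Record("Jane", "Doe", date(1959, 6, 5)),
    Record("Jane", "Smith", date(1959, 6, 5), aliases=("Doe",)),  # name changed
    Record("Jane", "Doe", date(1961, 2, 1)),  # different person
]
```

With `strict=True` the applicant comes back with no hits at all; the default mode returns two records for a human to verify against primary identity documents.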

How does your school district check out teachers, coaches, and volunteers?  Is the Indiana DOE doing its job to protect your kid?  How safe is your child while at school? 


Sunday, July 30, 2017

CPA Data Breach

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it could be the start of a nightmare, unlike any crime you may have experienced.  Weak Indiana data breach regulations do not help. 

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Some of the most important are your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone numbers, email addresses, etc.  If the CPA also handles your investments and insurance, they will have your medical information.

The CPA firm Whitinger & Company realized that it had suffered a data breach on April 12, 2017.  According to one of its clients, the firm waited until July 18, 2017, to notify him.  That gave the fraudsters over three months' head start before the victims (the CPA's clients) could defend themselves. 

The data breach also delayed the filing of this client's taxes because Whitinger & Company's computers were locked by the fraudsters just before they made a ransom demand.  Did Whitinger pay the ransom?  We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a potential CPA ransomware sequence of events.  We do not know if this is what happened at Whitinger.  We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. Fraudsters hack the CPA.
  2. Information found on the CPA's computers is copied: tax returns, client correspondence, emails, the firm's financial data, client investment data, etc.  (Many CPAs today sell insurance and investments.)
  3. The hackers analyze the CPA's data; they are looking for "whales" (high net worth, pension and large savings accounts).  They can identify whales by sorting through tax returns and investment records. 
  4. The hackers also look for older account holders because they often have money and are easy prey.
  5. The hackers next decide whether to sell the data on the dark net or farm it themselves.  They have time to decide because the victim CPA firm most often is unaware that it has been hacked.
  6. If the hackers decide to farm the data, they often send the whales and older targets an email with an infected attachment.  They can use the CPA's email system or clone one that looks exactly like the CPA's email.
  7. Once received, the unsuspecting clients click on the link, assuming it was sent to them by their trusted CPA, and infect their computers.  The hacker wants access to the passwords you keep on your computer.
  8. The hackers' next step is to loot investment accounts.  The victims often cannot connect their loss with the CPA having been hacked.
  9. The whales and other victims cannot prove the cause of their loss.  It could have been caused by their own weak security and stupidity. 
  10. The hackers then lock the CPA's computers.  This prevents the CPA from processing tax returns and conducting business.
  11. The hackers send the CPA a ransomware demand.  The CPA is unaware it has a problem until its computers are locked down and it receives the ransom demand.  Does it pay or try to restore its system with outside help? 
  12. If the CPA pays, the fraudsters collect the ransom and unlock the CPA's computers.  As part of the deal, the CPA agrees to be a reference to other victims and maybe even suggest other CPAs that might have weak security.
  13. By the time the CPA's clients have received the legally required notice, the damage may already have been done. 

We do not know if any of these steps were taken against Whitinger & Company clients.  All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.  

Here is a summary report of the breach from my reporting service:

CPA firms are not regulated under cyber compliance umbrella laws such as HIPAA, PCI, etc.  Therefore, they have a lower legal requirement to protect their clients' data.  Indiana breach regulations are relatively weak, and the fines are small.  Affected clients deserve more.


Wednesday, July 5, 2017

You’ve Been Hacked Red Flags

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes it takes years – yes years – to realize that you have been hacked and your identity is being used without your permission.  This is especially true with the most insidious form of ID theft: “synthetic identity theft.”  One-third of Social Security numbers are being used by more than one person. 

As you read this, your Social Security number may be used illegally by another person and you do not realize it. 

Here is a short list of ID theft red flags:

  • No mail in your mail box for two or more regular delivery days
  • You are having problems with a spouse or member of your household
  • You are a victim of domestic violence, stalking or cyber bullying
  • You receive notice that you have changed your address
  • Someone close to you had their ID stolen
  • Errors on your medical "explanation of benefits" (EOBs)
  • A vendor you do business with has a data breach
  • Suspicious mail arrives for your minor child
  • Bogus charges on your credit card or bank statement
  • Errors in your credit file
  • You've been traveling – especially in another country
  • Collection notices arrive
  • Credit cards arrive that you did not order
  • Strange credit card statement arrives in the mail

The weakest link in your identity security is your smart phone.  Also, most businesses provide more security for their toilet paper than for your personally identifiable information. 

If your group needs someone to speak about these issues and how to reduce the risk of identity theft, contact me.