Tuesday, January 31, 2017

Little Red Door Hacked by The Dark Overlord

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

The Little Red Door Cancer Services of East Central Indiana was recently hacked by The Dark Overlord, a cyber criminal group, and faced a $43,000 ransom demand.

Increasingly, medically related and non-profit groups experience ransomware demands. These organizations possess individuals' medical and personal information, and typically have weak IT security.

Sometimes data is encrypted by the cyber thief, and the ransom is demanded in exchange for the decryption key that unlocks the data. This is what happened in Madison County, which paid the ransom. In other cases, it is a blackmail demand to avoid the public embarrassment of having sensitive information published on the internet.

The Dark Overlord group, named after a comic book character, has been successful in multiple ransomware cases and netted over $500 million last year alone, according to security sources.

These data breaches are more serious than previous credit card breaches because they affect not only Personally Identifiable Information (PII) but also include Medical Information covered by HIPAA. PII has a value on the “dark net” of about $50 per individual, and HIPAA information is valued at over twice that amount, or about $100 per individual.

Thus, an organization -- say a dental or physician office that has maybe 3,000 current and past client records -- could provide a cyber thief with $300,000 in revenue from the dark net sale of both the PII and medical information. The ransomware demand is often only a minor revenue stream for these fraudsters. Many cyber criminals enjoy taunting their victims.

From the consumer’s standpoint, the theft of PII or credit card information is inconvenient to most victims and can take a long time to correct. About one in three Americans will be victims of that kind of theft this year. The inconvenience for many is worse than the financial impact, and it can often be repaired without requiring professional help. The loss of your medical identity can be worse, more difficult to correct, and sometimes life-threatening to the victim.

From the medical provider’s standpoint, a data breach can be catastrophic. 

In some parts of the U.S., legal boutiques are springing up that focus on class-action data breach events that involve both PII and HIPAA. If a medical-related organization experiences a data breach and it had not previously conducted a cyber security assessment or financial risk assessment, had insufficient safeguards, and had an ineffective (or non-existent) HIPAA supervisor, these issues could eventually result in liability costs that force the sale of the medical practice.

In the case of the Little Red Door, there was no reported encryption of data; instead, the threat was that the data would be released on the internet. The LRD has reported that they refused to pay the demand.

Unfortunately, the staff’s Social Security numbers and other LRD information are already on the dark web. A spokesperson for The Dark Overlord, who forwarded an email to the media from within the Little Red Door’s internal email account, disputed that the data had yet to be published. Obviously, The Dark Overlord is not finished with the Little Red Door. TDO claims that they acquired much personal information, including diagnoses of clients.


Few non-profits and smaller medical-related businesses have adequate safeguards to prevent the loss of sensitive client information.

Wednesday, January 18, 2017

Ransomware + Medical Identity Theft = Disaster

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Sometimes two bad things link, accelerate and produce an even larger tragedy. That’s what is happening today when “ransomware” meets “medical identity theft.”

Smaller personal service business offices are notoriously lacking in cyber security. This includes smaller offices of physicians, optometrists, chiropractors, and dentists. Cybercriminals are increasingly attacking these small businesses, encrypting their files and holding them for ransom.

Last year, the American Dental Association warned dentists about ransomware.

Many businesses cannot operate without access to their customer files. Moreover, once they become a ransomware victim, like Madison County, Indiana, recently, they will pay a ransom to the cyber criminal. If the victim is a medical office, the data thief also gets to copy and sell the practice's patients' medical records too. Ouch.

What could a cybercriminal do with your Social Security number, credit card info, insurance policy information, your address, and medical history?  Similar information is sold every day on the dark net.  Medical identity theft is one of the fastest growing cyber crimes.  Ransomware crimes are growing even faster and reaching down into profitable small businesses.

Medical businesses are a favorite. Last year, for example, Hollywood Presbyterian Medical Center revealed it paid ransom to hackers who held the hospital's computer system hostage by encrypting its patient records. I’ll bet that the hospital’s patients' medical information was also copied and sold.

Ransomware is exactly what it sounds like -- malicious software used by cyber criminals to block access by a business owner to a computer system until a ransom is paid. It has become much more common in recent years. The number of ransomware attacks increased almost five times – 500% -- in 2016 compared with the prior year.

This particular type of cyber crime was first recorded in 1989. The attack is relatively easy to deploy and profit from. It doesn’t take special skills, and the software or malware is easily obtainable on the dark net. A victim’s employee need only click on the wrong “innocent”-appearing link to infect and compromise the computer system.

In the past, ransomware cyber-criminals targeted consumers connecting to porn sites and typically asked for modest amounts to release the victim’s personal computer files. The ransom is typically paid in Bitcoin.

The increased use of Bitcoin and other similar currencies has made this type of crime increasingly possible – it is easy to deploy, to receive payments safely, and to transfer money anonymously. This has had a dramatic impact on the number and type of cybercrime opportunities. Bitcoin is the current engine of cybercrime, and it will continue to enable and expand cyber criminal activity.

Your stolen medical records can allow someone to see a doctor, get prescription drugs, file claims with your insurance provider, have surgery, etc.  The thief’s health information then is mixed with yours, your treatment history, blood type, allergies, and payment (or non-payment) records. This data mix can be physically dangerous to you, cause your insurance premiums to increase and result in you being denied certain insurance coverages.  It is very difficult to correct.

Stolen medical records can be more troublesome than other types of identity theft.

Read your Explanation of Benefits (EOB) statement or Medicare Summary that your health plan sends after treatment. Check the name of the provider, the date of service, and the service provided. Do the claims that were paid match the care you received? If you see a mistake, contact your health plan and report the problem ASAP.

Signs of medical identity theft include bills for services you did not receive and calls from debt collectors about medical debt you don’t owe. Since Federal law gives you the right to know what’s in your medical files, the thief may have impersonated you and received your complete records from other providers. This could wreck your medical care for life.

If you think that something is amiss, ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records. The “accounting” is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months. 

Smaller medical service providers are frequently victims of combined ransomware and medical records theft. If they are a ransomware victim, they probably have had client medical records compromised as well. This likely qualifies under Indiana law as a “breach.” It must be reported to the Indiana Attorney General. Also, it probably is subject to HIPAA, OCR and HHS regulations. The medical or business professional organizational victim needs to report the information promptly. Failure to do so can result in more fines and hassle than a multi-year full IRS audit.

Small profitable businesses are particularly vulnerable to Ransomware and breach attacks. The cost from “Ransomware” may be small compared to those associated with “breach,” HIPAA and other regulators’ fines, plus the negative publicity and client issues. Ask yourself if you would consider a medical professional that did not actively prevent someone’s medical information from being compromised and sold on the dark net.


Smaller businesses, particularly medical service providers, need to have adequate cyber defense insurance from a company that has the staff experts that can apply corrective actions and guide the victims through the regulatory process.

Tuesday, December 20, 2016

Veros Partners – the final shoe?


By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Sometimes the second shoe takes longer . . .

You may recall the SEC charges against our home-grown alleged Ponzi schemers Matthew E. Haab, Jeffrey Risinger and Tobin J. Senefeld. 

As reported here months ago, Veros Partners, an affiliate of Veros CPAs, was charged with fraudulently raising $15 million from local investors, many of whom were dentists.  Several of Veros’ tax and practice management clients purchased investments from an affiliate firm, Veros Partners.  How convenient.

When some of those investments lost money, the defendants allegedly took “new” money from clients to pay “old” clients – apparently straight from the classic Ponzi scheme playbook.  Madoff did the same thing. 

You may also recall that Mr. Haab, Veros Partners’ President, had touted his Certified Financial Planning credentials. However, the Certified Financial Planning Board did not concur that Haab was, in fact, a CFP. Further, some members of the community have told me that some of the Veros CPA partners may not have been, in fact, Certified Public Accountants because their names could not be found on the State of Indiana Accountancy Board website. Ooo shame!

Veros CPAs' assets (read, client list) have been sold to its former employees by the court-appointed receiver, William E. Wendling Jr.

Defendants Matthew Haab and Jeffrey Risinger both settled the SEC civil suit with cash and agreed never to do it again; however, Senefeld and the SEC could not reach a settlement -- it appeared that they were headed to trial.

Senefeld is no stranger to securities regulators. 

His securities career spans over two dozen years and eight securities firms, where he had been sanctioned a total of 17 times for alleged wrongdoing.  As was pointed out in FINRA Enforcement Dept. documents, in 1999, for example, Senefeld was censured, fined and suspended from the securities industry for 20 days.  Later in that year, because of other alleged conduct he was suspended for 12 months and fined.  Here is a link to his securities record thanks to the regulatory organization FINRA. 

According to a recently signed agreement, a Financial Industry Regulatory Authority Letter of Acceptance, Waiver, and Consent (an AWC in industry parlance), Tobin J. Senefeld agreed to a lifetime sanction and is barred from the securities industry. Here is a link to the AWC. You may note on page four of the AWC that Senefeld agreed not to make any public statement about the AWC or “create the impression that the AWC is without factual basis.”

Perhaps the “take-away” from these events is that some professionals do not have the credentials that appear on their website, and sometimes they have had run-ins with regulators that they hope you do not find.  Also, dig a little deeper when the CPA also sells investments or insurance products.






Friday, November 18, 2016

A “Credit Freeze” can be used against you

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Identity theft continues to be more frequent and is particularly troublesome for seniors.  Two simple changes by regulators could diminish identity theft by 90% or more.

Denise had heard me last year when I spoke to a group of seniors. She called recently telling me that her father was a victim of identity theft and asked for my help.  Her father was in a nursing home, and she just learned that his credit had been used in an attempt to finance improvements to a house not connected to him.  She had heard me speak and wanted to know if I could help.

I suggested that she contact the Indiana Attorney General’s Identity Theft Unit and gave her the contact information.

However, she wanted a prompt answer and wanted to know who had stolen her father’s identity. I explained that, unfortunately, few victims of identity theft ever discover who actually stole their identities or where they got the information. 

I suggested that she first place fraud alerts with credit bureaus and request credit reports to review suspicious transactions. Also, her father’s credit should be frozen[i]. More about a credit freeze later.

The next step is to obtain copies of the credit application, and paperwork that might identify the fraudster.  Since the construction work had not started and her father had not been (yet) harmed financially, the vendor would not cooperate.  He voided the transaction and did not want to become involved.

Denise was insistent on knowing more, and she wanted information about the owner of the property.  It turned out that the property owner had over 50 judgments pending, evictions, history of bankruptcy, etc.  Again, I suggested that she turn the matter over to the Attorney General.  We both suspected that the point of compromise was her father’s nursing home.  This is not an unusual place for data compromise, and quite often the source of medical identity theft.

Identity fraudsters often use a mail drop to shield their identity. The former insurance agent that stole 3,000 identities in Fishers a few years ago used the mailboxes at homes that were vacant. Other fraudsters use “virtual” mail drops that do not supervise their clients or enforce the requirements set forth by the U.S. Post Office[ii].

Some identity theft fraudsters will issue a credit freeze on an account they are trying to loot.  Imagine what might happen if someone – posing as you -- established a “Credit Freeze” (also known as a Security Freeze) on your credit.  All it takes to freeze your credit is the following information:
  • Your full name
  • Social Security Number
  • Date of birth
  • Current address
  • All addresses where you have lived during the past two years
  • Email address
  • A copy of a government-issued identification card, such as a driver’s license or state ID card, etc.
  • A copy of a utility bill, bank or insurance statement, etc.

You can easily obtain a counterfeit driver’s license and copy of a utility bill.  There are several organizations selling false documents over the internet for “amusement purposes only.”  Someone could grab your picture from Facebook or Google and do this in a few minutes. 

Imagine that your credit has been frozen by a fraudster, and you cannot prove that you are you.  The fraudster can change your mailing address, file for a tax return, borrow money, even sell your home.  A credit freeze can be used against you.

Where will this end?

Two simple changes would end the identity theft nightmare:
  1. Enforce the “know your customer” rules for all financial institutions involved in the extension of credit.  These rules currently apply to all financial institutions and are designed to prevent money laundering, and violators face stiff fines.  Both the institution and the individual employee approving these transactions face fines.  Use these existing laws to deter identity theft.
  2. Mandate the Social Security Administration to allow credit reporting agencies to determine if a Social Security number matches the name provided.  Currently, approximately one-third of the Social Security numbers are concurrently used by two or more persons.  We’ll save that tidbit for a future column.


According to U.S. government statistics, over 17 million citizens have been victims of identity theft. Seniors and children are more frequent victims of this crime. Criminals have pivoted to using identity theft because they believe that they are less likely to be caught than with any other type of financial crime.


[i] A credit freeze, also known as a security freeze, is a consumer right provided by Indiana law.  Placing a credit freeze on your credit reports can block an identity thief from opening a new account or obtaining credit in your name. A credit freeze keeps new creditors from accessing your credit report without your permission. If you activate a credit freeze, an identity thief cannot take out new credit in your name, even if the thief has your SSN or other personal information, because creditors cannot access your credit report.
[ii] USPS Application for Delivery of Mail Through Agent Form 1583.

Monday, October 10, 2016

Tulip Bulb Speculation

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Rembrandt tulips with virus
It is difficult to believe that Holland Tulip bulbs once sold for thousands of dollars each.  True.  However, a few years later the same bulb could be purchased for the price of a common onion. 

Tulips were first seen in Europe in 1554 and quickly became the rage of nobility and the wealthy merchant class. They were seen as more attractive than any other flower at that time and had an intense petal color, unlike any other plant.

Holland’s recent independence at that time allowed its economic resources to be channeled into commerce, and the country began its “Golden Age.”  It was at the center of the lucrative East Indies trade, where one voyage could yield profits of 400%.  The newly rich merchants displayed their success by setting up grand estates surrounded by flower gardens, and the plant that became the center attraction was the sensational tulip.

As a result, tulips rapidly became a coveted luxury item; however, the tulip’s lengthy propagation time caused a supply squeeze. Compounding the supply shortage was a profusion of varieties followed by the discovery of a rare multicolor tulip.

The multicolor effects of intricate lines and flame-like streaks on the petals were vivid and spectacular and made the bulbs that produced these even more exotic-looking plants highly sought-after.  These bulbs caused the speculation.

The biology of the tulip contributed to the supply squeeze that fueled the speculation, in that a tulip is grown from a bulb that cannot be produced quickly. Normally it takes 7–10 years to grow a flowering bulb from seed. Bulbs can also produce two or three bud clones annually, but the "mother bulb" lasts only a few years. Properly cultivated, the bud clones will become flowering bulbs after one to three years. Supply was way behind demand.

This exotic multi-color tulip was rare and in high demand.  The highly sought-after "breaking” or multi-color pattern could only be reproduced through bud clones, not seeds. Unfortunately, the sought-after effects also acted adversely on the bulb, weakening propagation of offsets, so cultivating the most appealing varieties now took even longer.

These rare bulbs became valuable.  Soon, by 1635, prices were rising so fast and became so high that people were selling anything they could liquidate to get more tulip bulbs. Some Dutch believed they would sell their bulbs to unenlightened foreigners, thereby reaping enormous profits. Somehow, the overpriced tulip bulbs enjoyed a twenty-fold increase in value - in one month!

When word got out that tulip bulbs were being sold for ever-increasing prices, more and more speculators piled into the market.

According to one account, by 1623, the sum of 12,000 guilders – considerably more than the value of a smart townhouse in Amsterdam – was offered to tempt one tulip owner into parting with only ten bulbs of the beautiful, and extremely rare, Semper Augustus – the most coveted tulip variety. It was not enough to secure a deal.

As people heard stories of acquaintances making unheard-of profits simply by buying and selling tulip bulbs, they decided to get in on the act – and prices skyrocketed. In 1633, a single bulb of Semper Augustus was already worth an astonishing 5,500 guilders. By the first month of 1637, this had almost doubled, to 10,000 guilders. One historian put this sum in context: “It was enough to feed, clothe and house a whole Dutch family for half a lifetime.”

Needless to say, the prices were not an accurate reflection of the value of a tulip bulb. As it happens in many speculative bubbles, some prudent people decided to sell and take their profits. A domino effect of progressively lower and lower prices took place as everyone tried to sell while few were buying. The price quickly fell, causing people to panic and sell regardless of losses. 

Dealers refused to honor contracts and people began to realize they traded their assets for a tulip bulb; panic set in throughout the land. The government attempted to step in and halt the crash, but then the market plunged even lower, making such restitution impossible. No one emerged unscathed from the crash. Even the people who had locked in their profit by getting out early suffered under the following country-wide depression.


It is now known that the "breaking" or multi-color pattern effect is due to the bulbs being infected with a type of tulip-specific virus, known as the “Tulip Breaking Virus,” so called because it "breaks" the one petal color into two or more.

Monday, September 19, 2016

I left the Colts because of the BMT

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™


Big Monkey at the Top
We had a 30-year history as season ticket holders. Except for one year, my wife Betty and I had season tickets since 1984 when Mayor Hudnut helped recruit the Indianapolis Colts. Watching Peyton Manning throw to Marvin Harrison was amazing. We were seated in the 6th row, and I sat in an end-of-row seat. We watched some great football. That was then.

Things changed when Tony Dungy and Peyton Manning left. The drunks in the row behind us bothered me even more. Management was absolutely no help correcting that problem. Maybe it was the NFL’s steady shift to political correctness. Can you believe that some players will not honor our flag and the NFL calls that their right of “self-expression”?

However, for me, I think, it is what one national fraud consultant called his BMT theory.  Yeah.  Big Monkey at the Top theory. 

You may have heard about the tone at the top of an organization.  This is a term used to define management's leadership and commitment to openness, honesty, integrity, and ethical behavior.  BMT is the opposite.  When the corner office is occupied by a monkey absent most of those attributes, bad things happen to an organization.  Dungy’s values and influence have retired.


Probably the primary reason I voted to give up our Colts season tickets was the BMT.  Let me know if I’m missing very much.    

Thursday, August 18, 2016

Veros Partners Reach Agreement With SEC

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Earlier this week, the SEC reached an agreement with Veros Partners' executives Matthew D. Haab and Jeffery B. Risinger.  Defendant Tobin Senefeld is scheduled for trial later this year. 

On April 22, 2015, the Securities and Exchange Commission filed charges[i] against Veros Partners, an Indianapolis investment adviser, its president, Matthew Haab, two associates, attorney Jeffery Risinger and former stock-broker Tobin J. Senefeld, and several affiliated companies for engaging in fraudulent farm loan offerings, in which they made Ponzi scheme payments to investors in other offerings and paid themselves hundreds of thousands of dollars in undisclosed fees.

According to the SEC's complaint, they fraudulently raised at least $15 million from at least 80 investors, most of whom were Veros Advisory clients. According to industry sources, many of these clients were Indiana dentists. 

The investors were informed – according to court documents -- that their funds would be used to make short-term operating loans to farmers, but instead, significant portions of the loans were to cover the farmers' unpaid debt on loans from prior offerings.  According to the SEC, “Haab, Risinger and Senefeld used money from the two offerings to pay millions of dollars to investors in prior farm loan offerings and to pay themselves over $800,000 in undisclosed "success" and "interest rate spread" fees.”  The SEC also charged Tobin Senefeld’s registered broker-dealer (Pincap LLC) Pin Financial LLC.

On August 16th, according to SEC filings, Matthew Haab signed a Final Judgment agreeing to pay $183,640.[ii] Haab also agreed in a separate SEC proceeding, to be instituted shortly, “barring him from association with any broker, dealer, investment adviser, municipal securities dealer, municipal advisor, transfer agent or nationally-recognized statistical rating organization.”

Similarly, Jeffery Risinger agreed to pay $100,000. Likewise, Risinger agreed to similar stipulations that he be barred from any future association with any broker, dealer, investment advisor, etc.

Tobin Senefeld currently does not hold a securities license (FINRA CRD #2120820). Further, his broker-dealer, PIN Financial LLC (CRD #132876), was expelled from the securities industry in June 2016.

I understand that the court-appointed receiver, William Wendling, has recovered 20% of investors’ funds.

Veros Partners first came to my attention a year ago when I received a tip that Mr. Haab was not a Certified Financial Planner and at least one of Veros Partners' CPAs was not a licensed CPA. The facts at the time were that -- indeed -- Mr. Haab was not a Certified Financial Planner.

This, in part, led me to construct a short instruction course that I deliver to Senior groups: "Is your financial advisor a crook?"  I teach Seniors how to use public sources and verify the professional credentials and complaints that may have been filed against one or more of their financial advisors.