Saturday, December 30, 2017

Is your financial adviser protecting your data?

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Small financial planning and investment advisory firms are cyberattack targets.  Many have been a data breach victim and do not know it.  Some know that they have been a victim and did not report it as required by law.  They did not tell you either. 

All of your financial and personal data – investments, tax returns, loved ones, business interests – may already be in the hands of a cyber-thief.  You may not find out until your assets have been compromised. 

Ask your financial planner, insurance agent and investment advisor a few basic questions;

  • How often do they conduct a cybersecurity audit?
  • Who conducts that audit?
  • The name of their cybersecurity third-party consultant.
  • Request a copy of the most recent audit.
  • Request a copy of their data breach response plan.
  • Where is your data stored?  Is the data stored in the U.S.?
  •  Is it encrypted?
  • The name of the software

Be prepared for a request for time to respond.  You may need a plan “B” 

Tuesday, September 5, 2017

Has the Indiana Dept of Education neglected our children’s safety?

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Last year USA TODAY graded Indiana an “F” on teacher background checks. 

The DOE has had an opportunity to improve that grade; but, appears to have done llittle or nothing since that article was published. 

While the Indiana DOE is responsible for verifying teacher’s degrees and licensing them, they do not check their background for felony convictions, sex crimes, inappropriate contact with students, etc.   

The DOE maintains that background checks are the responsibility of the school districts.  Not their responsibility!  No sir.  School district responsibility.  Thank you very much.

I asked a large school district if the DOE is helpful providing guidance, a “best practices” model, suggested background verification vendors, etc.

What does the DOE do to help your school district avoid hiring pedophiles or felons? She said:

Nothing!

An Indiana DOE staff attorney said her main responsibility is to work on teacher license, suspensions, and revocations.  Since 2013, the DOE revoked 48 teacher’s licenses for sexual misconduct with a minor and child molestation. 

I asked if any of the 48 had a prior criminal history.  The DOE did not know.

I asked if the 48 had undergone a background check before being hired.  The DOE did not know.

Did the DOE analyze these teachers -  these child sex offenders – to find out about their background?  That information could be helpful in knowing if the current background checking process and teacher licensing process might need to be adjusted.  Apparently, the DOE has no interest in learning how to keep child sex offenders out of our classrooms. 

I was quickly diverted to their media relations department.  They do not want to discuss this issue.  It is the school district problem.  Not the DOE’s problem.

Meanwhile, we continue to read about cases involving teachers and school coaches:
  • A basketball coach from private school pled guilty to coercing a 15-year old into exchanging sexually explicit messages.
  • Last summer a high school teacher faced charges of felony child seduction involving two female students.
  • A few months ago police arrested a High School teacher on two counts of child seduction.
·       Meanwhile, our state legislature has drafted a series of bills to – hopefully – lock this barn door.  However, each suggested change keeps the responsibility at the school district level.  The Indiana DOE is off the hook.  However, are Indiana's school districts equipped to conduct a background investigation of teachers, coaches, and volunteers?  Probably not.

It is easy to mess up a background check.  For example, a few years ago an Ohio State University employee killed a co-worker and shot two others.  Ohio State had conducted a background check on Mr. Nathaniel Brown that did not reveal that he had been in prison and had been charged with assaulting his girlfriend’s child. 

According to prison and court documents, Mr. Brown’s birthday was June 5, 1959.  However, Ohio State’s records listed it as June 4, 1959 – Only one single day difference!  The Ohio State background check showed Mr. Brown had a clean record.  One day made a big difference.  One person died and two were wounded.

School Districts do little to verify full legal name, maiden name, date of birth, etc.  They simply do not know how.  Most checks of parents and volunteer coaches are done over the internet.  The school volunteer can use any sort of name combination and date of birth to shield his or her past conviction of criminal assault, felony child seduction or rape.

How does your school district check out teachers, coaches, and volunteers?  Is the Indiana DOE doing its job to protect your kid?  How safe is your child while at school? 

-30-

Sunday, July 30, 2017

CPA Data Breach


By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it could be the start of a nightmare, unlike any crime you may have experienced.  Weak Indiana data breach regulations do not help. 

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Some of the most important is your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone number, email addresses, etc.  If the CPA also handles your investments and insurance, they will have your medical information.

CPA firm, Whitinger & Company, realized that they had suffered a data breach on April 12, 2017.  According to one of their clients, they waited until July 18, 2017, to notify him.  That gave the fraudsters over three months head start before the victim (the CPA’s clients) could defend themselves. 


The data breach also delayed the filing of this client’s taxes because Whitinger & Company computer was locked by the fraudsters just before they attempted a ransom demand.  Did Whitinger pay the ransom?  We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a potential CPA ransomware sequence of events.  We do not know if this is what happened at Whitinger.  We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. Fraudster hacks CPA.
  2. Information found on CPA’s computers is copied: tax returns, client correspondence, emails, firm's financial data, client investment data,  etc.  (many CPAs today sell insurance and investments.)
  3. Hackers analyze CPA’s data – they are looking for “whales” (high net worth, pension & large savings acts).  They can identify whales by sorting through a tax return and investment records. 
  4. Hacker also look for older account holders because they often have money and are easy prey.
  5. Hacker next decides to sell data on dark net or farm data themselves.  They have time to decide because the CPA victim firm most often is unaware that they have been hacked.
  6. If the hackers decide to farm the data, they often send Whales & older targets email with an infected attachment.  They can use the CPA email system or clone one that looks exactly like the CPA’s email.
  7.  Once received, the unsuspecting clients click on the link assumed to have been sent them by their trusted CPA and Infect their computers.  The hacker wants access to the passwords you keep on your computer.
  8. The hackers next step loot investment accounts.  The victim often cannot connect their loss with the CPA’s being hacked.
  9. Whale & other victims cannot prove the cause of their loss.  It could have been caused by their own weak security and stupidity. 
  10. The hackers then lock CPA computer. This prevents the CPA from processing tax returns and conduct business.
  11. The hackers send the CPA a ransomware demand.  They are unaware they have a problem until their computer is locked down and they receive a ransom demand.  Do they pay or try to restore their system with outside help? 
  12. If they pay, the fraudsters collect ransomware and unlock CPA.  As part of the deal, CPA agrees to be a reference to other victims and maybe even suggest other CPAs that might have weak security.
  13. By the time the CPA clients have received the legally required notice, the damage may have already been done. 

We do not know if any of these steps were taken against Whitinger & company clients.  All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.  

Here is a summary report of the breach from my reporting service:











CPA firms are not regulated under cyber compliance umbrella laws such as HIPAA, PCI, etc. Therefore, they have a lower legal requirement to protect their client’s data.  Indiana breach regulations are relatively weak, and the fines are small.  Affected clients deserve more.

-30-

Wednesday, July 5, 2017

You’ve Been Hacked Red Flags

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Sometimes it takes years – yes years – to realize that you have been hacked and your identity is being used without your permission.  This is especially true with the most insidious form of ID theft: “synthetic identity theft.”  One-third of Social Security numbers are being used by more than one person. 

As you read this, your Social Security number may be used illegally by another person and you do not realize it. 

 Here is a short list of ID theft red flags:


  •  No mail in your mail box for two or more regular delivery days
  • ·       You are having problems with a spouse or member of your household
  • ·        You are a victim of domestic violence, stalking or cyber bullying
  • ·        You receive notice that you have changed your address
  • ·        Someone close to you had their ID stolen
  • ·        Errors on your medical “explanation of benefits” (EOBs)
  • ·        A vendor you do business with has a data breach
  • ·        Suspicious mail arrives for your minor child
  • ·        Bogus charges on your credit card or bank statement
  • ·        Errors in your credit file
  • ·        You’ve been traveling – especially in another country
  • ·        Collection notices arrive
  • ·        Credit cards arrive that you did not order
  • ·        Strange credit card statement arrives in the mail

The weakest link in your identity security is your smart phone.  Also, most businesses provide more security for their toilet paper than your personal identifiable information. 


If your group needs someone to speak about these issues and how to reduce the risk of identity theft, contact me.  

-30-

Thursday, June 22, 2017

Elder lawyer in estate misappropriation case receives 8-year sentence

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner

Certified Financial Planner™

Stephen Schuyler Mug Shot
My article about attorney Stephen Schuyler dated March 2, 2016 concerned the estate of Sarah Wilding.  Today, following his guilty plea, former elder law attorney Schuyler was sentenced to eight years in prison in connection with the misappropriation of funds from Ms. Wilding’s and five other estates totaling more than $700,000.

Below is a reprint of my 2016 article:

Sarah Wilding trusted her attorney to give the remainder of her estate to her church’s building fund.  Elder attorney, Stephen W. Schuyler had other uses for the money.  Only recently, it finally came to light that Schuyler had over-charged and diverted as much as $500,000 from some of the 130 estate cases he was administering.

East Lynn Christian Church is a small Anderson Indiana church.  Following Sarah Wilding’s death on April 20, 2012, Schuyler paid her final expenses and distributed funds and assets to her named beneficiaries.  That was the plan.  The remainder, $145,003, was to go to the church building fund toward paying off the 2005 sanctuary expansion. 

The church was aware that Sarah had made a final gift to them, and they sought payment from Schuyler.  He stalled and requested the court approve yet another payment for additional attorney fees.  Undeterred, the church pressed him to close the estate and pay them.  Schuyler’s check bounced.

Finally, the police and prosecutor investigated.  They ascertained that, in addition to Wilding, other estates had been looted.  They identified four other estates specifically, and 130 unsettled estates that were eventually assigned to other attorneys.

The East Lynn Christian Church filed a civil complaint against Schuyler and his girlfriend, Kem Golden, for conversion of $164,101 from the Wilding estate. In addition to the civil complaints,

Charges have been made that involve the estate of Frances Clem from 2010 to 2014 of $156,790. Other victims may include other churches, and the local Humane Society. 

Unsurprisingly, Schuyler’s law license was suspended indefinitely, and he is facing 13 felony counts. 

Since supervision may be lax or even non-existent, there are probably similar cases in other communities that have simply not been reported.  The deceased had counted on a trusted attorney to carry out their final requests and not to loot the estate.  But, the lawyer treated the estate assets like his personal piggy bank.

Inheritance hijacking is not that rare.  Thieves who target the elderly and the dead are cunning and patient.  The vulnerable elderly within us are perfect targets – 20 percent are victims.

Strongly consider not waive the requirements that executors be bonded, as many attorneys suggest.  Consider not giving your attorney authority to be your executor.

Thursday, June 15, 2017

Identity theft of deceased loved one

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

If your mother died, and her identity was stolen after she died and before she was in the ground, it could cause serious problems.  If you are the executor and responsible for fixing this mess, your brother and sister may blame you and hold you responsible.

Not only is identity theft an increasing problem for the living, but, recently, there have been numerous reports about criminals who specialize stealing the identities of the recently deceased. 

Crooks are not only cleaning out the homes of the deceased while loved ones are at the funeral, now they are stealing their financial assets as well.

The dearly departed are vulnerable to identity theft because the family is in mourning and not paying attention to the deceased person’s finances.   

Few financial planners, funeral directors or estate attorneys are familiar with the problem.  Few estate executors have sufficient financial experience themselves or seasoned advisors to help them avoid this problem.

Identity theft is probably the last thing on your mind when a loved one dies.  Both my wife and I have been the executor of our mother’s estates and understood these issues.  There are a few simple things you can do to discourage identity thieves and to minimize the chances that a recently deceased relative's estate will be victimized.

When a person dies, it can take several months for all three credit reporting agencies to be notified.  Between the date of death and the notification, fraudsters have an opportunity to steal.  Once you have a death certificate, do not assume that the credit agencies know.  You should notify them yourself - ASAP.

Also, send official copies of the death certificate — not photocopies — to all entities where your loved one had a financial relationship. I suggest that you contact each creditor, each insurance company, each bank, brokerage house, the Social Security Administration and any pension issuer.

Look for suspicious activities in the months that follow.  Pull a credit report of the deceased and purchase a credit monitoring service for a year following death. 

If you are faced with this unfortunate and untimely situation, contact me for further help.  

Monday, June 5, 2017

Protecting your investment and insurance accounts

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Identity fraudsters look for the big score. 

Using your credit card to buy high-end stuff is okay and can support a drug habit or improve a standard of living.  However, they are looking for the big score. 

 Their objective is to steal your “serious” money -- your retirement accounts and insurance cash values. 

 How secure are those assets?

As you probably know, your personally identifiable information (PII) is easily obtainable and can be purchased in bulk on the internet.  It is often stolen as a result of a data breach, or used by a dishonest employee at a company where you conduct business.  

Fraudsters can use this information to make credit card purchases.  Most of us have had someone make unauthorized purchases using our credit card.  By comparison, these are pretty benign and usually easy to reverse.   More difficult to fix is when new credit accounts are established and statements are mailed to the fraudster’s mail drop. 

Still, these types of identity theft are survivable if they are caught in time.  It might take as long as three years to clear them up and you will forever be explaining to employers, insurers, banks, etc. that you were a victim of identity theft.   

But, if the crook is using a form of “synthetic identity theft” and goes on for a long time, it will change your life as you know it.  It will not be pretty.

I give free seminars to help individuals and small businesses avoid these problems.

Fraudsters look for the big score.  So, once a fraudster has your PII’s (your's is out there already), how do you protect your serious money?  You should ask some tough questions about your investment and insurance company that is keeping and investing your serious money.  Be direct and do not accept evasion to your direct questions.  Here are a few areas of concern:

Security questions and answers
Answers to your security questions often are found on your Facebook and other social media pages. Don’t celebrate your birthday on social media.  Knowing your date of birth is a key step in stealing your ID.  If they want your mother’s maiden name, invent one.  This security is so lame; I would suggest that you consider doing business elsewhere. 
Username and password requirements
If your username is your email address, your password can easily be cracked.  Software is available to crack passwords.  Cheap! Google search the topic yourself.
Secure email
How secure is the investment or insurance firm’s email?
Customer verification
How do they verify your ID? 
Address change
Who has the authority to change your address?  What is the process?  By the way, if you fail to receive US mail for more than two days, contact the Postal Inspector to find out why.  Forwarding your mail is often the first step in identity fraud. 
Your agent or stockbroker
Does he/she have authority to change your address, make distributions, etc?  Did you check his/her background?  Attend one of my “Is your investment advisor a crook” seminars and find out.
Systems surveillance
Are they “really” on the lookout for suspicious irregularities across all their accounts every day, all day. Will they promptly alert you promptly if they spot a problem that could affect you?  How long did Yahoo wait to notify customers of their data breach?  Wasn’t that over a year?
Fraud detection
Will they monitor your accounts for suspicious transactions and unusual behavior to ensure that they are authentic and legitimate?
Security at our branches and offices
How secure is your agent or stockbroker's records?  Who has access to your stuff?  Could your identity be stolen if someone had a copy of an insurance or investment account application?
Restricted access to data
Does the insurance or investment company limit access to systems containing customer data to only those employees who need it to conduct business? We continually monitor access and only grant it to new people on a case-by-case basis. How was it possible for a Fishers, Indiana insurance agent to steal the identity of 3,000 of his employer’s customers?
-30-

Friday, May 19, 2017

Fake News & Yellow Journalism

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

“Fake News” was responsible for the Spanish-American War when American journalists fabricated atrocities which justified the US invasion of Cuba.  Historians agree that war was caused by what was then called “Yellow Journalism.”  At the heart of the era's newspapers’ propaganda were publishers Joseph Pulitzer (yes, that Pulitzer) and William Randolph Hearst.

Yellow journalism has been defined as journalism that features scandal-mongering, sensationalism, or other unethical or unprofessional practices by news media and individual journalists.   Today it is simply called Fake News. 

In 1901 separate newspaper articles, months apart suggested the assassination of President William McKinley. When McKinley was shot on September 6, 1901, critics accused journalists of driving assassin Leon Czolgosz  to kill the President of the United States.  The public made such an outcry that fake news and other offenses had to be addressed.   Joseph Pulitzer was haunted by his “yellow journalism” sins to the extent that it is believed that it led to his founding of the Pulitzer awards.

Perhaps as another response to “yellow journalism,” a few years later, students at DePauw University, a Methodist Church institution, founded Sigma Delta Chi journalistic fraternity.  This organization was based on the support of an honest and honorable press and was the forerunner of the Society of Professional Journalists (SPJ). 

Today, journalists find themselves – again -- accused of Yellow Journalism.  This is unfortunate for all of us. 

According to Gallup, Harvard, and others, in the minds of Americans, journalism has sunk to new lows not seen within living memory – perhaps since the 1880s’ Yellow Journalism. 

Only eight percent of Americans have a “great deal” of confidence in newspaper and television news according to Gallup.  Further, a May 18, 2017, Harvard University study illustrated that the tone of the press is decidedly “negative.”  Read the Harvard article and Gallup report for more details about press bias.

Several days ago, I became disgusted with a “news” article authored by a local reporter and published in a local news outlet.   Moreover, I was motivated to voice my complaint in the form of a formal written ethics complaint.  Yes, the Society of Professional Journalism has a “Code of Ethics.”  However, after I looked and looked for an internet link or address so that I could file an ethics complaint, I could not find one.  Nope. 

Both of my professional organizations have Codes of Ethics and will process and judge a complaint about one of its members.  If that member is found to have violated that code, he/she could have their membership suspended, or terminated.  Accountants, lawyers, engineers, and even meteorologists allow the public to submit ethics complaints.  Organizations protect their reputations by expelling those that violate their rules. 

An investigative journalist friend and a member of the SPJ Board of Directors (maybe she will de-friend me after she reads this article) said that there was no mechanism that would allow me to file a code of conduct complaint with the SPJ.  I said that this was like having a gun; but, no bullets.  It was like having speed limits; and, no traffic cops.  She did not disagree.

Next, I went to the head person and contacted the Society of Professional
Journalists’ Executive Director, Mr. Joe Skeel.  After a few days, he responded, “You are right that our Code of Ethics isn’t enforceable.”  Further, he said that “The reason we can’t enforce our Code is because (sic) doing so would violate Free Speech protections under the First Amendment.”  What??

Are we to believe that the U.S. Constitution prohibits journalists from enforcing their own Code of Ethics?  What deceptive nonsense.  Shame on the Joe Skeel and shame on the SPJ. 

The SPJ clearly does not have a Code of Ethics.  The Society of Professional Journalists has a list of unenforceable suggestions.  Are they hiding behind the First Amendment?  Is this partly the cause of the small percentage of Americans that trust the press? 

-30-

Monday, May 15, 2017

Ex-lover & ID theft

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

There is a thin line between love and hate. 

Scientists have an explanation.  Brain scans of people shown images of individuals they hated were similar to brain activity activated by individuals they love.  Love and hate appear to be controlled by the same section of the brain.  Therefore, when you no longer love a person, it is psychologically easy to shift into “hate” mode.  

Perhaps that has led to the popularity of “revenge” books and internet sites.

The mother of all revenge sources may have first been sold by the Paladin Press.  Named after that old TV Emmy-nominated show “Have Gun, Will Travel.”  Perhaps their long-time, best selling famous book was “Get Even – the complete book of 200 dirty tricks.”  First published in 1980.  The publisher’s current popular book is the “Revenge Encyclopedia.”

However, with the use of the internet, it may be easier to carry out revenge strategies today than in 1980.  Paladin’s dirty tricks have been amplified by the internet.  Today, it is even easier to get even and even remain anonymous.  Just Google “revenge”  to find out.  Maybe visit the dark net for even dirtier tricks.

Revenge porn.  The term "revenge porn" refers to the uploading to the internet sexually explicit material to humiliate an individual, who has broken off the relationship.  Illegal in most jurisdictions. The explicit images may be accompanied by the identity of the pictured individual, home address, and can even include links to their social media site, and employer.  The images can expose victims to professional ridicule.     

In addition to intimate details, former spouses and love interests may have had access to personal and financial information.  Often, lots of information.  Business and personal identifiable information (PII).  Tax information. Enough information to easily allow the misuse your identity.  It’s bad enough to post pornographic pictures of a former lover or spouse.  Some actors are more focused on revenge than avoiding breaking the law.

If you were in a relationship that went bad, take inventory.  Did he/she have access to your tax and business records? 

Take defensive action.

Google your name and picture.  Find out if someone else is using your Social Security number.  Has he/she arranged "synthetic ID theft" of your Social Security number?  Monitor social media using your name and business name. Check your credit for suspicious activities. 

If things don’t seem “right” or if the relationship was especially messy, contact an ID theft prevention and victim advisor. 

-30-