Businesses often make fraud training boring! And that’s bad for their bottom line, because no one ends up remembering anything about the subject.

Too often, fraud and social engineering workshops cover just the concepts that define fraud rather than the feelings that signal it’s happening. The key to training your executives, employees and even customers on fraud is to let them experience what it feels like to be conned. In other words, they need to actually be socially engineered (manipulated into giving away their own private information) several times throughout the training so that they begin to reflexively sense fraud as it is happening. Like learning to throw a ball, there is no substitute for doing it for yourself. Fraud detection is similar; it takes actually doing it (or having it done to you) to fully understand the warning signs. Anything less will leave your audience yawning and uneducated.

This social engineering video was recorded at a fraud training I did recently for the Department of Defense, and it demonstrates how fun it can be to train someone on detecting fraud, and how profitable. As silly as it might seem, the skills necessary to detect fraud can be taught in very entertaining and engaging ways. After watching the video, take a minute to understand the basic skills your employees and executives will need to Stop Fraud:

Fraud Training Step 1: The Trigger

The trigger, or what causes you to be on high alert, is actually very simple—it is the appearance of private information in any form (your identity, customer information, employee records, intellectual capital, etc.). Anytime someone requests or has access to any of the names, numbers or attributes that make up identity, or to the paper, plastic, digital or human data where identity lives (whether it is yours or your organization’s), the trigger should trip and sound an alarm in your head.

There are hundreds of examples of fraud triggers in the workplace. Here are a few of the more common:

• When someone is requesting information about you on Facebook, LinkedIn, etc.
• When someone requests information about your company, computer login or co-workers in person or by phone
• When you are clicking on a link in an email
• When you are entering data into a website

When your identity is being requested in any way, slow down and ask yourself: Is the risk of giving this piece of identity away in this specific situation worth the benefit?

Fraud Training Step 2: Hogwash!

Your team should be trained such that anytime their reflex is triggered, a phrase or picture automatically pops into their head, whether they actively think about it or not. If the word (also called a trigger) is a bit out-of-the-ordinary and the picture is humorous, you almost can’t help but noticing when it appears. The trigger that I use when I train is the word HOGWASH! Here is my definition of Hogwash:

Hog’wash |hôg’wô sh | n. 1. A gut reaction that someone is manipulating you for their own gain, or feeding you a line of bull in order to deceive you (e.g., I’ll just borrow your password for a short time); 2. Healthy skepticism that persists until the person requesting information from you proves they are worthy of your trust.

When the word Hogwash pops into your head, picture a pig feeding at a trough. Better yet, picture the person (who is requesting your information) feeding at a trough (the image is what makes it fun and memorable – don’t be afraid of the silliness – it works). As they provide legitimate reasons for needing the information and adequate reassurance that your data will be handled securely, they begin to rise from the trough. But don’t let them off the hook yet, because social engineers are masters at using your natural biases against you.

Fraud Training Step 3: Vigilance

When an outsider has access to your identity or critical business data, your trigger should automatically activate without thinking about it (Hogwash!). Your first response should be to heighten your level of observation, to become more vigilant. View the situation as a child would—with curious eyes. You can even borrow what we teach our children to be more aware in dangerous situations—Stop, Look and Listen:

Listen to your instincts. Ask yourself if your identity is safe. Is there a change in the environment that makes you uneasy or uncertain? What is your gut saying? Would a spy give away this information? Is the benefit you are receiving worth the data you are sharing? Be a healthy skeptic (i.e., not paranoid, but vigilant) of anyone who is requesting sensitive information. The final and most important step is to follow up with the right questions, or interrogate the enemy.

Don’t make privacy a policy, make it part of your culture. Start by engaging your troops, not putting them to sleep.

If you are interested in having John Sileo conduct fraud training and social engineering workshops for your organization, contact him directly on 1.800.258.8076. His satisfied clients include the Department of Defense, the FDIC, Pfizer and the Federal Reserve Bank.

Related posts:

1. Fraud Training: Interrogate the Enemy
2. Social Engineering Training
3. Practice the Privacy Reflex

In addition to denying Governor Palin access to her own account, the hacker had full control to:

• Read every saved and current email in her account (hopefully she never sent her Social Security Number, passwords or account numbers via email, not to mention correspondence pertaining to her role as candidate for Vice President of the U.S.)

• Steal the email addresses and any other sensitive information stored in her contacts (John McCain might want to change his email address)

• Send out emails as if the hacker were Sarah Palin, or worse yet, send out official emails as Alaskan Governor, Sarah Palin

The potential for abuse is mind boggling. Sarah Palin should take immediate steps to protect her stolen identity and to secure her future privacy.  Here are a sampling of the steps I would recommend:

1. Before closing down the compromised account, she should review all of the emails and contacts to which the hacker had access. Any account numbers, passwords, pin numbers or other personally identifying information that she sent via email should be handled on a case-by-case basis. For example, if she emailed her credit card number, that account should immediately be closed. This is a perfect example of why you shouldn’t send any information by email that you don’t want published on the front page of a newspaper.
2. Subscribe to an identity surveillance service so that she can monitor the illegal use of her identity beyond standard credit report tracking. Remember, less than 20% of identity theft touches your credit report, so it is important to monitor other sources of risk, including non-credit loan reports, cyber-trafficking of your personal data, and court, criminal or government documents posted online, etc. The service I use to monitor these identity items (and to insure me and help me recover in case my identity is used illegally) is CSIDentity.com. The compromised data may not be used for years, so it is important to keep a watchful eye over time and not resort to a one-time credit check.
3. Monitor her credit reports for free. This is important because it will allow her to establish a baseline credit file. In other words, she will know what the credit portion of her identity looks like before the thief has a chance to take advantage of it. That way, when her credit file changes (and she is alerted to the change by the surveillance service in step 2), she will immediately recognize the change.
4. At the very minimum, place a fraud alert on her credit file with Experian, Equifax and TransUnion. I recommend going one step further and actually placing a complete credit freeze on her social security number. This will keep any identity thieves from setting up new credit accounts in her name by assigning a password to her credit file. It is slightly inconvenient and can cost a few dollars, but it is the best step for someone whose identity has been knowingly stolen. Make sure to sign up for the identity surveillance (step 2) before freezing credit, as this makes the monitoring process more difficult.
5. Change her habits. The longer-term solution to this problem is for Governor Palin to stop revealing so much personal information (to corporations, on the internet, etc.). Identity thieves collect personal information about you in small pieces (a birthday from Wikipedia, your address from Google, your home value from mypublicinfo.com, private details from your blog or website, etc.). This is not an easy task, especially when you are a public figure. But a bit more discretion on her part will go a long way.

Unfortunately, Sarah Palin isn’t alone in needing to take these steps. You should too, before your email correspondence ends up as the top story on CNN.

John Sileo is America’s Top Identity Theft Speaker and the award-winning author of Stolen Lives: Identity Theft Prevention Made Simple. To learn more about having John motivate your audience to proactively protect sensitive information, please visit www.ThinkLikeASpy.com or call 800-258-8076. For further identity theft prevention tips, visit the Sileo Privacy Project at www.Sileo.com.

Related posts:

1. Is Online Banking Safe from Identity Theft?
2. Are Your Kids Safe Online?
3. 5 Steps to Stop Identity Theft of a Deceased Family Member

Are you an expert at something?

In the world of professional speaking, you are expected to be an expert in your topic (to be taken seriously and to make a living). So speakers begin calling themselves experts, sometimes before they deserve the title. It’s like giving yourself a nickname – it feels a bit self-congratulatory.

I’m no exception. After becoming a two-time victim of identity theft, writing a book on identity theft prevention, and delivering approximately 50 identity theft speeches, I suddenly became an identity theft expert. One day at a speech, someone introduced me as John Sileo, identity theft expert. A local TV station was there filming, so that night on TV I became a local ID theft expert. And that eventually led to some modest national recognition. The name stuck – because it was good for marketing and because, compared to the people in my audience, it was usually true. But compared to a criminal investigator who’d studied financial crime for 20 years, it was untrue. My expertise was really about DELIVERY – distilling and delivering the most important prevention information in a way that inspired people to take action. Which is great… but does it make me an identity theft expert?

Here’s the kicker. Had I not been branded an identity theft expert before it was probably true (if, in fact, it is true even now), I would have never been given the opportunities to BECOME an expert. Once I was branded “the expert” (and it’s later incarnation, “America’s Top Identity Theft Speaker“), I was invited to speak for Fortune 500 companies, participate on boards, contribute to panels and conferences and articles and to meet other experts on the topic. That exposure increased my expertise. But the chicken/egg sensation still troubles me – which came first, the title or the expertise? All too often, I think the title is first. Is that necessarily a bad thing?

Which brings me to my point. How do we become genuine experts in our field? I think that this is the single most important professional question we face as a nation as professional jobs increasingly go to people with greater expertise (sometime in other countries). If my friend Patrick (a pilot for Continental) were to call himself an expert as early in his career as I did, we would all be taking our vacations by car this summer. Ditto for a doctor, teacher or Army general. Expertise obviously varies by what we are applying the term to. But I would like to find the common denominators among these fields (expert pilot, speaker, guitar player, coach, mom, golfer, chess player, etc.). Out of this conversation, I’d like to collect an understanding of some of the common qualities that experts share (if such a list exists). With that knowledge, maybe it will be easier to become an expert. I’ll share my thoughts and learnings once I’ve heard yours.

My fascination with this topic has lead me to read academic papers on the topic. Drawing from those, let me set a common foundation by defining a couple of terms:

1. Expert: “One who is very skillful and well-informed in some special field” or “someone widely recognized as a reliable source of knowledge, technique, or skill whose judgement is accorded authority and status by the public or his or her peers” (Webster’s New World Dictionary, 1968, p. 168).
2. Expertise: “the characteristics, skills, and knowledge that distinguish experts from novices and less experienced people” (The Cambridge Handbook of Expertise and Expert Performance, 2006, p. 3).
3. Expert Performance: the ability to consistently reproduce superior performances – to land the airplane safely in a monsoon every time, to win half of the golf tournaments you enter in a year, to play the guitar like Tommy Emmanuel:

Click here to view the embedded video.

So this is the question: How do we become experts? What, exactly, makes you the expert you are?

Is it knowledge? Experience? Coaching? A certain type of practice? Is it in our genes to become an expert? Is it a personality trait? Hard work? Focus? What made Bobby Fischer a better chess player after 9 years than his opponents, some of whom had played competitively for 30 years? They had more knowledge (knew more combinations of moves), more experience (games played), higher IQs, better coaches (according to some), etc. But comparatively, he was the greater expert at age 16. Why? I don’t want to oversimplify, but to find common ground. To explore some universal truths about expertise.

I’m sending this blog post to people that I truly consider experts in their field. I’d love to hear their thoughts on the topic, and yours.

John Sileo
Identity Theft Expert

Related posts:

1. Child Identity Theft Expert – Part II
2. Identity Theft Expert at Pentagon
3. Identity Theft Expert Endorsed by Larry Winget