
Cyber theft ring scoffs at fraud prevention in $45 million heist

Airtight fraud prevention is not possible, but just how vulnerable are we if thieves can heist $45 million in a matter of hours?

We recently got a taste of the possible consequences of unchecked hacker prowess following an ATM scam of catastrophic proportions. An international group of thieves managed to walk away with money from the prepaid debit cards of innocent users in countries all over the world.

U.S. Attorney Loretta Lynch announced charges against eight defendants on Thursday. Thieves hacked into banks’ systems in the United Arab Emirates and Oman to increase the amount available on pre-paid MasterCard debit cards. Then they used those cards to withdraw money from ATMs. This heist shows that cyber security in the global financial system is only as strong as the weakest link, and the weakest link in this and other breaches is usually a human being.
While the hackers were sophisticated in gathering and manipulating information within the banks, common criminals made the ATM withdrawals. Lynch described the group as a “virtual criminal flash mob.” Money.CNN.com states that during the first attack in December 2012, the New York group allegedly withdrew $400,000 in 750 separate ATM transactions in more than 140 different NY locations in less than three hours.

Though eight of the members involved have been caught and police throughout the world are working to put this right, the sheer technical scope of the attack shows how sophisticated hackers have become.

We simply don’t have adequate human fraud prevention measures in place to stop incidents like this. Instead, we are preoccupied with the technology element and overlook the default settings that made the breach a breeze in the first place.

The first law of cyber security is that you must train the humans on basic fraud prevention. Otherwise, you are expecting a dangerous car to drive itself.

John Sileo is a fraud prevention expert and in-demand speaker on identity theft, mobile security and online privacy. His clients include the Department of Defense, Pfizer, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Fraud Training (Not Technology) is the Achilles Heel of Cyber Security

Ignoring fraud training as the foundation of your cyber security strategy is like counting on Google to educate your kids. Technology is a critical tool in the fight, but without well-educated users, guided by knowledgeable teachers, the tools are a waste of your money.

Thanks to President Obama’s state-of-the-union plug for increased cyber security, the Chinese hacking of the New York Times and Wall Street Journal, and the hacking of prominent celebrities, America is waking up to the tangible value of virtual data. Awareness is definitely the first step, but it is only the tip of the privacy iceberg. Just as in the age before the internet, the only thing keeping employees from selling secrets or participating in fraudulent activity is the set of human controls that discourage the practice. But it’s all the more hair-raising to think of the number of digital secrets an employee has access to at any given time. The new tale of a Reuters journalist gone cyber-rogue adds a chilling wrinkle to the perils of protecting the data that keeps corporate profits ticking.

Last Thursday, Matthew Keys, a Reuters social media editor, was indicted on charges of conspiracy, among others. Keys had previously worked for a TV station owned by the Tribune company, and according to the allegations, he leaked server login information of his former employer to a hacker group known as Anonymous. Apparently Keys began exploring Anonymous chatrooms as “just a reporter”, but eventually progressed to exposing sensitive passwords and promoting the idea of targeting the Tribune. Using this information, the hackers were able to enter Reuters’ otherwise secure systems and alter the existing text of a Los Angeles Times story from 2010, inserting out-of-place colloquialisms and hacker-speak. Now, Mr. Keys is looking at the potential of over a decade in prison and up to three-quarters of a million dollars in fines. So what does this have to do with fraud training? We’re getting there…

Here’s the rub: the illegal access all happened after Keys had been FIRED by Reuters.  In other words, a former employee who was never very high on the corporate food chain in the first place and was actually fired (not laid off), retained access that, in the right hands, allowed criminals to change the course of the news. Although this particular case doesn’t appear to have involved any financial transactions, don’t think for a second that there aren’t buyers out there willing to pay good money for a chance to break into your supposed “stronghold.”

Cyber Security is Less About Technology, More about Employee Fraud Training

No matter how tight your cyber security, the weakest link is always the human beings responsible for implementation. The lapse here wasn’t in the technology – Reuters used user-level logins and passwords to protect their network. The mistake here was the employee who failed to shut down Keys’ access the minute he was fired (or in the moments before), or the executive who failed to prepare for this common scenario. The lesson here is this: when employees leave your company under any terms, someone must be responsible and held accountable for disabling their computer access from all devices. This is a basic principle of successful fraud training that makes all of your investments worthwhile.

A large-scale enterprise can institute all the security barriers it wants, but without trust, responsibility, and knowledge, the corporation is only as strong as its Achilles heel. How are you addressing this type of exposure?

John Sileo is CEO of The Sileo Group and a fraud training expert. His recent clients include the Department of Defense, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Thieves could now be targeting your medical records

Businesses may already be rushing to protect their financial information, but other kinds of personal data are at risk, too. Case in point: medical records.

Big companies with huge profit margins might seem like the most attractive targets for identity theft and fraud. After all, what more direct way to get at your money? But there are other ways an outsider could infiltrate your personal data. Right now, security around healthcare information is a big concern, and fraudsters are lying in wait to pounce on gaps in the system.

Recently, the Montgomery Advertiser reported the story of National Guardsman Zane Purdy, who fell victim to a particularly nasty bit of fraud that cost him his high-paying job. Now he's a waiter making less than eight dollars an hour, barely enough to support his wife and two kids. Purdy's story is heartbreaking, and he's only one of the more than 800 people taken advantage of by the same criminal.

That criminal would be a woman named Angeline Austin, who stole information from the files of an Alabama medical center and sold it to another source. Austin has been tried and sentenced to nearly five-and-a-half years in prison, but that still leaves a huge mess for people like Purdy to clean up.

This particular flavor of scam is becoming more common than you probably think. So far, almost 50 percent of the identity theft incidents reported to the Identity Theft Resource Center for 2013 concern medical organizations. Unless we increase our medical fraud prevention skills, the number could get even higher. 

For a digital hijacker, nothing is off-limits. Those who process medical records should take it upon themselves to incorporate proper fraud detection into their practices as soon as possible. Otherwise, we may be facing a nation of Zane Purdys who did nothing wrong but trust their health info to the unprepared. 

John Sileo is a medical security expert and keynote speaker on privacy, identity and fraud protection. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Tax Fraud Can Happen With Anyone's Data…Even Yours

Fraud prevention isn't just about building a wall: It's about making sure you have the right bricks.

During tax season, anyone who sees your pay stubs or tax forms could put them to nefarious use, and could do so without you being aware. As former clients and relatives of one California tax preparer were shocked to find out recently, their "brick walls" against fraud were filled with weak spots.

Imelda Sanchez of California confessed to using the names and personal data of other people to file fraudulent tax returns. She also used other falsified tax documents to apply for a loan worth more than $1.5 million. Her sentencing is scheduled for May, when she could be slapped with a prison sentence of upwards of 30 years. As a tax preparer, she was in a unique position to set this plan in motion. Sanchez could also be given a fine around $1.25 million – just a touch under the amount of money she tried to steal.

In this case, the criminal ended up in cuffs. But tax fraud like this happens all the time, and the bad guys don't always get caught. 

Doing taxes can be a headache for anyone, but as this incident shows, it can also be a time of great risk. There are many different types of identity theft, and while some thieves are content simply to swipe your credit card numbers or bank passwords, others have bigger goals. Someone could use fraud to try and beat the system – with your information.

It's important that you ensure your information and the corporate information you're responsible for is in the hands of someone trustworthy. Anti-fraud training can help a company be prepared to identify the weak points of their security fortresses before it all falls down. 

John Sileo is a fraud prevention expert and keynote speaker on social media privacy, identity theft and fraud. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

Protect yourself and your business from the dangers of malware

How sure are you that your company’s computers aren’t being used against you for purposes of fraud and identity theft?

Recently, Bloomberg.com reported a case in which Microsoft and the antivirus company Symantec joined forces to take down a massive botnet group. Known as Bamital, this ill-intentioned family of bugs is believed to originate from somewhere in Eastern Europe, and operated by distributing malicious software to unsuspecting computers. Once the targets had been infected, the hackers on the other end could take control of Web browsers and drive them wherever they wanted, re-routing searches and addresses to dubious websites that could infect them further. 

According to the article, at least a quarter of a million computers were hit in this most recent attack. Globally, Bamital’s victims are reckoned to number in the millions.

Microsoft and Symantec were not only successful in rooting out the bots: they also turned the tables by using Bamital’s own methods against them, redirecting users to special warning pages. Those users were given information about the virus and then guided through a clean-up process step-by-step. And Symantec says that they took care not to gain unauthorized access to their clients’ information by doing so.

Malware and spyware are frustrating foes and they’re among the trickier types of identity theft to fight. Like real-world viruses, they can lie dormant for long periods of time without you knowing you’ve got them until they strike. The nastier specimens could track your keystrokes and record your passwords and PINs, dangerously compromising your online privacy. So what can you do to make sure your information and network are secure?

Fraud prevention can be an intensive process – but sometimes the solutions are right under your nose. Some of the best bets against the internet’s more insidious threats are common sense and fraud awareness training.

Not all cyber security systems are created equal, so make sure yours is updated with the latest definitions and prepared to deal with serious problems.  Don’t click on suspicious email links, and be wary of any site that asks for your private information. Most importantly, be sure to scan your entire hard drive and back up your data regularly. 

John Sileo is an online privacy expert and keynote speaker on social media privacy, identity theft and fraud. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

Inside fraud goes 'low and slow,' burns businesses for years

Most inside fraud is committed using the barbecue approach – “low and slow.”

A recent study conducted by Carnegie Mellon University’s CERT Insider Threat Center examined 80 instances of insider fraud. What researchers discovered is that the most damage to companies and their clients was done when criminals pilfered small amounts over extended periods of time. This makes it easier for them to evade detection and cause serious harm.

If you’ve never watched the Food Network, low and slow is the best way to cook barbecue. Really, it’s the only way. You get the juiciest meat and best flavor. When miscreants apply this approach to fraud, they get the same result. There’s no sudden flare-up that catches anyone’s attention and they can usually make off with more of your money than if they tried for one big score. Fraud detection efforts have to account for this if they are to be successful.

The study’s findings showed that it takes an average of nearly 32 months for a company to uncover impropriety on the part of a trusted employee. That’s almost three years of them defrauding both you and your clients. Furthermore, of the cases studied, the bottom half averaged $382,000 in terms of financial losses. The upper half registered an average of $479,000.

“As long as there are institutions that hold money, internal and external adversaries will make every attempt to subvert control mechanisms to illegally profit,” the study said.

The above statement is true, even though no one wants to believe that someone they trust would steal from them or their clients. But, if you close your eyes to the problem, someone is likely to steal the change right out of your pockets while you’re not looking. Fraud prevention has to be on every business’ radar. If it isn’t, imagine the monetary and PR damage that 32 months of illegal and malicious activity from within your own walls can do.

In the culinary world, low and slow makes for great barbecue. In the business world, it’ll just leave you burned.

John Sileo is a fraud detection and prevention expert and will be hosting a FREE Fraud Webinar on Thursday, January 31 at 2 p.m. EST.

Anti-fraud training critical to avoiding betrayal, losing trust of customers

The havoc wrought by insider fraud can have far-reaching consequences for both your company and clientele. Several recent examples have proven how damaging fraud can be in the financial sector. But, in truth, there isn’t a single industry today that can afford to forego implementing safeguards.

According to an article at online news source Bank Info Security, one such incident in Ohio earlier this month led to the collapse of a credit union and a man being sentenced to 37 months in prison for loan fraud and money laundering. About a week prior, two former employees of Chemung Canal Trust Company Bank pleaded guilty to masterminding a seven-year embezzlement scam that cost the bank roughly $325,000.

Insider fraud, also known as friendly fraud, is a difficult topic for many businesses to tackle because it involves trusted employees betraying the companies they are supposed to be – and often appear to be – loyal to. However, the dangers are far too real to be ignored, and fraud detection must be a top priority.

When an employee commits fraud, there are obvious legal entanglements, not to mention the loss of the money they’ve stolen. But there’s much more to it than that. Not only will clients begin to question your company’s dedication to keeping their information secure and the safeguards you are willing to put in place, but they will also question your ability to assess your employees’ character. And if they cannot trust your judgment in hiring reliable individuals, how can they expect to trust you with their business and their money?

Companies must be proactive and pursue the most effective measures of fraud prevention, or face the uphill task of earning back the trust of their customers. Any business owner who has not strongly considered a fraud workshop to help bolster the company defenses should take a look at recent news stories and give it some more consideration.

Fraud Training Expert John Sileo in the News

Fraud Training Expert John Sileo has appeared recently on 60 Minutes, Anderson Cooper, Fox Business, Fox & Friends and in Newsweek and USA Today. He speaks around the world on the dark art of deception (identity theft, social engineering, fraud detection, manipulation defense, data breach, social media privacy) and the powerful use of trust. His satisfied clients include the Pentagon, FDIC, Pfizer, FTC, Blue Cross, among hundreds of others. Learn more about protecting your bottom line by training your organization on proactive fraud detection. Watch John perform a humorous but effective fraud training in front of an audience of thousands.