DOJ Alleges $8 Million Familiar Fraud at Transit Authority

Would Your Employees Notice Millions in Fraud?

The United States Department of Justice (DOJ) announced indictments against two individuals suspected of familiar fraud schemes that led to $8 million in losses for Massachusetts Bay Transit Authority commuter rail operator Keolis between July 2014 and November 2021. Both the scope and the longevity of these schemes are exceptional, although the methods used to steal the money are very common, raising questions about why the individual charged was able to commit this fraud for so long.

What Happened in the Keolis Familiar Fraud Case?

John P. Pigsley of Beverly, Massachusetts, a former Assistant Chief Engineer of Facilities for Keolis Commuter Services, has been accused of running two schemes that netted $8 million. In the first scheme, Pigsley is accused of conspiring with John Rafferty of Hale’s Location, New Hampshire, the former General Manager of LJ Electric, to create fraudulent invoices for vehicles and equipment, leading to more than $4 million in losses.

In the second scheme, Pigsley is accused of ordering copper wire for Keolis projects, picking it up himself or delivering it to his home address, then selling it to scrap yards. Over the course of several years, Pigsley is alleged to have made more than $4.5 million from the scheme. The actual value of the stolen material was not disclosed.

In a statement, Keolis Commuter Services said, “In late 2021, our enhanced financial controls and project management oversight identified project anomalies linked with the practices of an employee.” According to the DOJ indictment, this was 7 years after the fraud began.

Employees Must Be Empowered to Recognize Risks

Cyber threats are not the only challenges that businesses face. Familiar fraud, committed by an employee, family member or trusted business partner, can be more devastating and more difficult to detect. As with cyber security, employee training is essential to prevent losses. Employees must know how to recognize fraud and trust their instincts. They must also feel empowered to call out anything suspicious.

In the DOJ indictment against Pigsley, three common familiar fraud techniques that should have been caught stand out:

  1. Phony invoices: This is one of the most common types of familiar fraud. An employee with purchasing authority may conspire with a third party to create fake invoices and split the proceeds, or set up shell companies to invoice for goods and services that do not exist. This type of fraud can be difficult to detect in large, complex organizations, such as a railway operations company, or in businesses that frequently order large volumes of material from multiple vendors. Strong vendor approval and verification processes must be in place to detect this type of fraud; all new vendors should be verified by someone other than the person placing the orders. Shipments should be tracked and matched against invoices for at least the first 90 days of any new relationship. Any changes in volume or frequency in orders with a particular vendor should be flagged for follow up.
  2. Home deliveries. There are very few circumstances where an employee should receive materials shipments at home. Home addresses for all employees with purchasing authority should be kept on file by accounting staff. Any deliveries that match against a home address should be flagged for review. Any changes in regular delivery addresses, even if they only account for a portion of a shipment, should also be flagged for review.
  3. Personal pickup. Some employees may pick up and deliver materials as a regular part of their job. In an ideal world, purchasing and pickup are separate, so that no single employee has the ability to order and collect goods. When this is not practical, regular audits must be conducted of employees who can both order and deliver supplies, services and materials. Employees should be able to provide invoices for what was ordered, receipts for what was received and documentation for what was delivered.

Familiar fraud is one of the most difficult challenges that businesses face, because it comes not from external actors, but from trusted co-workers, friends and family. Proper business controls can prevent it, but only if employees understand what to look for and how to respond. Protect Now’s CSI Protection Certification training focuses on cyber crime but enables employees to spot any kind of suspicious behavior by teaching them to trust and act on their instincts. To learn more about our training programs, contact us online or call us at 1-800-658-8311.

Understanding Familiar Fraud

Have you heard the saying “familiar fraud?” If not, you should. This is a crime that is as old as they come; essentially, it’s a crime where someone is taken advantage of by someone they know. For instance, a woman named Axton Betz-Hamilton had her entire savings account drained and the person responsible was unknown…that is until Axton’s mother passed away, and it was discovered that it was her, Axton’s own mother, who had drained the account.

credit fraudIt’s believed that familiar fraud is not often reported, likely because victims of these crimes think that police won’t take them seriously, or that it will negatively affect their relationship with their family. There is also the fact that, in many cases, these crimes go undetected because people just can’t believe a member of their family would do something like this.

As you might imagine, the fallout of familiar fraud can run deep. Think, for a minute, how it would feel to find out that your best friend of 30 years has stolen your identity. Something similar happened to a man named Thomas Nitzsche. He hired his cousin to remodel his bathroom, and he gave his cousin his credit card. What did Thomas’ cousin do? He took the card, bought a bunch of merchandise, and then he sold the merch on the streets.

Even when this happens, it’s common for people who learn that they are a victim of familiar fraud to want to naturally protect their loved ones. This might be due to protecting relationships or to avoid backlash from others. There is also the fact that your family might not believe you when you tell them your sister or your father has been stealing from you.

What Should You Do?

 If you think that you are the victim of familiar fraud, you should do the following:

  • Do your best to keep your emotions out of it.
  • Keep an eye on your credit report. You should also place a fraud alert or better, get a credit freeze on your credit file.
  • Think about resolving things without police intervention if it is pretty minor.
  • If not, you might want to contact the cops, but think about the pros and cons of this.
  • If you do report this, expect some turmoil within the family, but also realize that you are protecting your credit.

If you file a police report, you will also be able to get an extended fraud statement, which can last for seven years. This may or may not mean you won’t be responsible for any charges. Lenders sometimes look at familiar fraud as an approved purchase and will not negotiate forgiveness.

Other Safety Measures 

  • Each month review your credit card statements.
  • If you see changes, even small ones, you should report it immediately
  • Don’t give out your debit or credit card to your friends or relatives. If you want to give them money, give them cash.
  • Set up push notifications or push alerts so you are aware of charges in real time.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

The First Step to Secure Your Data

Your personal information and data are literally everywhere for criminals to target, and there isn’t much you can do to keep it from spreading. You use your email credentials on countless websites, you use your credit card number with countless vendors, and, believe it or not, your Social Security number is shared rapidly immediately after you’re born.

It’s almost impossible to give out your personal information nowadays. However, criminals know this, and they lurk around the same places that your information is used. You need to take action to secure your information so you are less of a target. Let me show you one simple step you can take today that will create one layer of security and improve your defenses.

There is one specific action you can take to secure your information, and after you do it, you’ll be much less likely to be targeted because criminals tend to take the path of least resistance. That said, if you DON’T do this action today, you ARE the path of least resistance.

All you have to do is set up a credit freeze. There are four major credit bureaus in the United States, and you need to get a credit freeze with them. Just use your preferred search engine and look for Experian credit freeze, Equifax credit freeze, TransUnion credit freeze, and Innovis credit freeze. You should freeze your credit with all four, but you should still review your annual credit reports. More importantly, you should dispute discrepancies with the appropriate bureau AND the lender. Getting a credit freeze won’t gum up your credit score or make it so you can’t use credit. You are able to “thaw” the frozen credit as needed and then freeze it again. You can literally do this in a single day. Then you’ll want to put more layers of defense in place to become an even harder target than the other guy.

A credit freeze will secure your information, but setting up multiple layers of defenses is really what will make you a hard target. Criminals are constantly probing defenses, and even while technology advances, crimes against your data are usually ahead of the curve. You don’t need to know everything about security, but you do need to take on the responsibility of protecting yourself. I’ve created a free guide that will make you a pseudo expert on your own security, and if you follow it’s simple steps, you will have more layers of defense than the average person. If you want to create even more layers of defenses, bring this guide to my next webinar, and I will walk you through each step so you can rest assured that you are creating a smart, secure, safer “me.”

Shred your Boarding Pass

Apparently there are people who take pictures of their airplane boarding pass…and post it online. I’m dead serious. I’ve heard of toddlers getting excited over scraps of paper, but full-grown adults posting images of their boarding pass online? Don’t get me started.

2DLet’s just only say that this is incredulously absurd. Like, who cares about your bleepity bleep boarding pass, right? OK, you got bumped up to First class. SAVE IT. Well wait a minute. Fraudsters care.

Fraudsters also care about the boarding pass that’s left intact in a rubbish can or lying on a seat somewhere.

Few travelers know that the bar code on the boarding pass MAY contain that individual’s home address, e-mail address, name and contact number. All a crook needs is this basic information (revealed via bar code reader off his cell phone!) to get the fraud ball rolling.

  • Keep your boarding pass out of everyone’s sight except the airport employee who requests it.
  • After you no longer need it, tear it up and flush it down a toilet.
  • When you arrive to your hotel, don’t bring it with you to your hotel room and leave it sitting out in full view. Shred and destroy it prior.  Putting it in the hotel room trash isn’t enough. Realize that when you’re not in the room, maids and other hotel employees can gain access—and I can’t say it enough: You just never know who has a bar code reader app.
  • And for Heaven’s sake, don’t post images of it online, if for no other reason, this makes you come across as less interesting than a doorknob. In fact, don’t even think of taking a picture minus the bar code. You just never know with today’s technology what a crook could get off an image online.

Man, if you still don’t believe me about any of this, check out these two very short but alarming videos. You’ll be flabbergasted at how much information about you a techy thief could get off of your boarding pass! “If a hacker can find it, he can find YOU!”

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Teen pleads to SWATTING

Just what kind of punishment should a 17-year-old get for making fraudulent 911 calls (a crime known as swatting)?

11DThis happens more than you think. What’s outright astounding is how these teens could think they won’t be discovered. Have they been living in a cave all their lives, using a torch for light?

A 17-year-old boy in Ottawa, Canada, has made several fake 911 calls, including several in the U.S.

  • Told dispatcher his mother was lying in a pool of blood; pretended to follow the CPR instructions.
  • Pretended to be holding people hostage, demanding $100,000.
  • Threatened to blow up a school.
  • Arrested in May 2014, he faces 34 charges.
  • Evidence includes recordings of the phony calls found on the boy’s computer, plus Skype and Twitter logs.
  • So based on the evidence, it’s clear that this boy knows something about modern technology. Wow, he must be as dense as a box of bricks to think he couldn’t be traced.

Maybe if kids, perhaps starting in adolescence, were taught in school how easy it is for authorities to track down a swatter, there’d be a lot fewer swatters. Certainly there would be; it’s not a “maybe.”

It’s the parents’ job to raise good kids, but we know this happens only some of the time. The kid may still be a rotten apple (thanks to a dysfunctional home life), but at least if he’s educated in how simple it is for detectives to trace fraudulent 911 calls, there at least wouldn’t be all of these fake 911 calls that tie up staff while other people really need their help.

And while we’re on the topic of swatting, is there a name for the authentic 911 calls—but that deal with absurd complaints? People will call 911 to report lightning—simply in the sky. Other examples:

  • Caller couldn’t figure out how to exit a locked car.
  • Caller complained her husband was viewing porn.
  • Complaints about inadequate restaurant service.
  • Caller complained her boyfriend wouldn’t warm her cold feet.
  • Caller (drunk) complained a bouncer wouldn’t let him into a night club.

I say no jail time for these morons. Instead, make ‘em stand all day at a busy intersection wearing a sign that says, “I’m a stupo. Called 911 because (fill in the blank).

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Is It Fraud or are You just Crazy?

What would you rather have happen to you? A Russian ring of hackers has infiltrated your computer and smartphone and is hell-bent on taking control of your finances, social media life, even the smart gadgets in your house…OR…you’ve just been diagnosed with paranoid psychosis, and in fact, nobody’s out to harm you at all.

12DIn a day and age where it’s become increasingly easy for hackers to hijack your credit card and bank accounts, spy on your baby by hacking into the baby-cam and spy on you via your laptop’s camera … the line between paranoia and real-life spying has become very muddled.

Unfortunately, there isn’t a day that goes by that someone contacts me completely convinced they are being spied on. Maybe they are, most likely they are not. Especially when they begin to explain how every device they own and seems to know everything about them and so on. The likelihood of a hacker having control over their TV is pretty small.

For example, 30 years ago if someone said, “Someone is watching me through my computer,” we’d just assume that person was delusional and needed some medication. Nowadays, we’re apt to immediately think, “Put tape on your laptop’s camera hole!”

So how can we weed out the crazies from the true victims? Just because your laptop has a camera hole doesn’t mean you can’t be imagining that your ex-spouse is spying on you through it.

Many claims of fraud or victimization are real, and many are deliberately made up for financial gain (e.g., faking back pain after a fender bender) or are the result of mental illness.

Sometimes, it’s obvious when the claim is fraudulent or the result of being “crazy.” In fact, the tip-offs that it’s mental illness at play are more obvious than when it’s fraud, since the con artist can be quite skilled.

A general rule of thumb is to look at the simplicity—or lack thereof—of the case. Is the claimed cause simple or convoluted?

For example, you hear a crash, race into the living room and see that your favorite vase—which is located near the bottom of the staircase—has been broken to smithereens. Near the vase is a basketball. At the top of the staircase are your two young sons with scared looks on their faces.

They cough up an explanation: “We were in the living room reading. The basketball was on the floor. A gust of wind blew through the window so hard that it tossed the basketball into the vase. We thought you’d blame us so we ran up the stairs.”

Common sense must be used in determining the most probable cause of an event. This holds for parents, claims adjustors, detectives and juries at a trial. The best judge views things through the lens of simplicity.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Dude hacked Lottery Computers

Who needs psychics to reveal future lottery numbers when you can hack into the state lottery association and tamper with it? That apparently was the reasoning of Eddie Raymond Tipton, 51.

9DProsecutors believe Tipton inserted a thumb drive into a computer—the one that spits out random numbers for the lottery, says an article in the Des Moines Register, according to a report at arstechnica.com.

At the time of this purported crime, Tipton was head of security for the Multi-State Lottery Association. Surveillance caught him buying a ticket that was worth $14.3 million (not smart enough to wear a disguise, eh?).

Coincidence? Not according to the prosecutors, who say he programmed computers that generate the numbers. This shouldn’t even be possible.

Supposedly on November 20 of 2010, Tipton went into the “draw room” where he altered the time on the computers. The settings of the room’s camera were changed, so that Tipton’s activity inside the room would not be recorded.

Prosecutors say that of the five people who are capable of changing the camera’s settings, four said they did not change them. Of course, the fifth person is Tipton. What a sly duck: resetting the camera so that it recorded only one second out of every minute, to miss detecting him inserting the thumb drive.

But he pled not guilty, even though he was identified as the man in the surveillance purchasing the golden ticket. Even if there’d been no tampering, Tipton would be barred from receiving the prize because employees of the association are banned from claiming lottery prizes.

For about a year, this particular ticket went unclaimed. But through a New York attorney, a company in Belize tried to claim the ticket at the last minute.

Somehow, authorities smelled a rat and focused on Tipton. Prosecutors also say that he had a fascination with root kits, which is in line with quickly installing the thumb drive. A root kit can be installed fast, carry out its orders, then self-destruct without leaving a trace.

The scales of justice are not tipped in Tipton’s favor especially because a witness plans on testifying that shortly before December 2010, Tipton told him he had a rootkit—a self-destructing one.

The trial is set for July 13.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Tips to destroy and shred

You can’t be too neurotic about shredding sensitive documents to smithereens. For example, some people make a career out of “dumpster diving,” digging through trash in search of bank account information, credit card preapprovals, medical bills, mortgage statements, etc., and then they commit fraud, including creating new accounts with the found information—accounts in the victim’s name.

2PAnd by the way, anything with your signature can be a gem to the dumpster diver, as your signature can be forged.

Diving for Dollars

  • Dumpster diving is legal if the trash can is in a public spot including the big trash bin at your apartment complex.
  • Dumpster divers aren’t necessarily homeless men dressed in rags looking for discarded food. They may be professional identity thieves, and if they’re extra smart, they’ll dress like a vagrant to fool people into thinking they’re looking for food scraps.
  • Your trash can is a goldmine for an identity thief; think of what’s on all the paperwork you toss out, week after week—all sorts of tidbits about your life, from your favorite stores to your kids’ names.
  • A lot of personal details about you come simply from empty envelopes with their return addresses.

Shredding

  • Buy a shredder. There are different kinds that shred at differing dimensions as well as various strengths (some shredders will slice and dice CDs).
  • Don’t buy a “strip-cut” type, as the shreds could be reconstructed. The “micro-cut” shreds at the smallest dimensions.
  • Believe it or not, there are crooks who will take the time to put back together a shredded document, including with the help of Unshredder, a computer program.

Burning

  • Keep a cardboard box handy that you continually fill up with shreddables.
  • Just toss documents that are on deck for burning into this box as you go throughout the day. Then incinerate the box.
  • A large stack of documents will not completely burn, so don’t place these in a motley arrangement so they aren’t “thick”.

Miscellaneous

  • Don’t leave boxes that contained expensive merchandise in plain view at your curb; this is almost the equivalent of sticking a sign there with bright red letters stating: “I just purchased a giant flat screen TV; come on in and steal it.” Destroy/shred

Ask yourself this question: If someone “stole” your trash, would that be a problem? If you say yes, then you toss too much data. For me, I don’t care, nothing I toss is of any value to anyone.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

Fear of Fraud trumps Terrorism

Okay, what’s more likely? Getting bombed … or some punk racking up charges on your credit card?

11DThe yearly Crime Poll says that two-thirds of the respondents were edgy about data breaches involving their credit cards, as well as their computer and smartphones getting hacked—far more so than being robbed or taken hostage.

It’s easier to thwart a mugger or burglar than it is to thwart cybercrime. Just because you never click links inside e-mail messages doesn’t mean a cybercriminal won’t still figure out a way to nab you.

Interestingly, many people who’ve been digitally victimized don’t even bother filing a police report, says the survey. But a much higher percentage of burglary and mugging victims will.

Maybe that’s because 1) They know it will be easier to catch the thug, and 2) It’s way more personal when a masked man jumps you on the street and hits you with a brick, versus some phantom from cyberspace whose body you never see, voice you never hear, hands you never feel—even though they drain your bank account dry.

But which would you rather have? An ER visit with a concussion and broken nose from the mugger, or a hacked credit card? The Fair Credit Billing Act allows you to dispute unauthorized charges on your card statement and get other things straightened out. And until you pay the whopping bill, your account isn’t robbed.But if someone hacks into your debit card, they can wipe out your checking account in a flash.

The good news is that often, cyberthieves test the waters of the stolen data by making initially small purchases…kind of like a would-be mugger feeling out a potential victim by initially asking her for the time or “accidentally” bumping into her.

A credit card can have varying levels of alerts that can notify the holder of suspicious activity. An example is a charge over $1,000 nets a text message to the holder about this. However, if you set a much lower threshold, you’ll know sooner that the data or card was stolen. Don’t wait till the thief makes a huge charge to be alerted. The lower that threshold, the sooner the card company will contact you and then initiate mitigation.

You know how to prepare for a mugger (pepper spray, self-defense lessons, etc.), but how do you protect your credit and debit cards?

  • Check your credit card statements thoroughly.
  • Don’t put off contacting the company over a suspicious charge.
  • All of your devices should require a password to log on.
  • Use encryption for all of your devices.
  • Always use your bank’s ATM, never a public kiosk.
  • Never let an employee take your card out of your sight.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.