Posts

DOJ Alleges $8 Million Familiar Fraud at Transit Authority

Would Your Employees Notice Millions in Fraud?

The United States Department of Justice (DOJ) announced indictments against two individuals suspected of familiar fraud schemes that led to $8 million in losses for Massachusetts Bay Transit Authority commuter rail operator Keolis between July 2014 and November 2021. Both the scope and the longevity of these schemes are exceptional, although the methods used to steal the money are very common, raising questions about why the individual charged was able to commit this fraud for so long.

What Happened in the Keolis Familiar Fraud Case?

John P. Pigsley of Beverly, Massachusetts, a former Assistant Chief Engineer of Facilities for Keolis Commuter Services, has been accused of running two schemes that netted $8 million. In the first scheme, Pigsley is accused of conspiring with John Rafferty of Hale’s Location, New Hampshire, the former General Manager of LJ Electric, to create fraudulent invoices for vehicles and equipment, leading to more than $4 million in losses.

In the second scheme, Pigsley is accused of ordering copper wire for Keolis projects, picking it up himself or delivering it to his home address, then selling it to scrap yards. Over the course of several years, Pigsley is alleged to have made more than $4.5 million from the scheme. The actual value of the stolen material was not disclosed.

In a statement, Keolis Commuter Services said, “In late 2021, our enhanced financial controls and project management oversight identified project anomalies linked with the practices of an employee.” According to the DOJ indictment, this was 7 years after the fraud began.

Employees Must Be Empowered to Recognize Risks

Cyber threats are not the only challenges that businesses face. Familiar fraud, committed by an employee, family member or trusted business partner, can be more devastating and more difficult to detect. As with cyber security, employee training is essential to prevent losses. Employees must know how to recognize fraud and trust their instincts. They must also feel empowered to call out anything suspicious.

In the DOJ indictment against Pigsley, three common familiar fraud techniques that should have been caught stand out:

  1. Phony invoices: This is one of the most common types of familiar fraud. An employee with purchasing authority may conspire with a third party to create fake invoices and split the proceeds, or set up shell companies to invoice for goods and services that do not exist. This type of fraud can be difficult to detect in large, complex organizations, such as a railway operations company, or in businesses that frequently order large volumes of material from multiple vendors. Strong vendor approval and verification processes must be in place to detect this type of fraud; all new vendors should be verified by someone other than the person placing the orders. Shipments should be tracked and matched against invoices for at least the first 90 days of any new relationship. Any changes in volume or frequency in orders with a particular vendor should be flagged for follow up.
  2. Home deliveries. There are very few circumstances where an employee should receive materials shipments at home. Home addresses for all employees with purchasing authority should be kept on file by accounting staff. Any deliveries that match against a home address should be flagged for review. Any changes in regular delivery addresses, even if they only account for a portion of a shipment, should also be flagged for review.
  3. Personal pickup. Some employees may pick up and deliver materials as a regular part of their job. In an ideal world, purchasing and pickup are separate, so that no single employee has the ability to order and collect goods. When this is not practical, regular audits must be conducted of employees who can both order and deliver supplies, services and materials. Employees should be able to provide invoices for what was ordered, receipts for what was received and documentation for what was delivered.

Familiar fraud is one of the most difficult challenges that businesses face, because it comes not from external actors, but from trusted co-workers, friends and family. Proper business controls can prevent it, but only if employees understand what to look for and how to respond. Protect Now’s CSI Protection Certification training focuses on cyber crime but enables employees to spot any kind of suspicious behavior by teaching them to trust and act on their instincts. To learn more about our training programs, contact us online or call us at 1-800-658-8311.

Phone Account of FTC Chief Technologist hijacked

An impostor posed as Lorrie Cranor at a mobile phone store (in Ohio, nowhere near Cranor’s home) and obtained her number. She is the Federal Trade Commission’s chief technologist. Her impostor’s con netted two new iPhones (the priciest models—and the charges went to Cranor) with her number.

11DIn a blog post, Cranor writes: “My phones immediately stopped receiving calls.” She was stiffed with “a large bill and the anxiety and fear of financial injury.”

Cranor was a victim of identity theft. She contacted her mobile carrier after her phone ceased working during use. The company rep said her account had been updated to include the new devices, and that her Android’s SIM cards had been disabled. The company replaced the SIM cards and restored use of her phones.

The company’s fraud department removed the charges but blamed the theft on Cranor.

So how does an impostor pull off this stunt so easily? Stores owned by the mobile carrier are required to ask for a photo ID and last four digits of the customer’s SSN. However, at a third party retailer, this requirement may not be in place. In the Cranor case, the crook used a photo ID of herself but with Cranor’s name—and was not required to reveal the victim’s SSN last four digits.

Cranor’s Actions

  • Changed password of online account
  • Added extra security PIN
  • Reported the theft to identitytheft.gov
  • Placed a fraud alert and got a free credit report
  • Filed a police report

Hijacking a smartphone is becoming more common, with the FTC having received over 2,600 reports just for January this year.

You may not think that this type of fraud ranks as high as other types of fraud, but it all depends on the thief and his—or her—intentions. Though the thief may only want to sell the phones for a little profit, a different kind of crook may want to hijack a phone to commit stalking or espionage. Or  the thief can gain access to the victim’s text messages. If the phone is used for two factor authentication, then a thief would have access to your One Time Passwords (OTP) upon logging into a critical website. There’s all sorts of possibilities.  The most important tip: add an extra security PIN to your account. This way, whether over the phone, web or in person, this “second factor” of authentication will make it harder for a thief to become you.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Credit Card vs. Debit Card Fraud

One difference between a credit card and a debit card is that if there’s an unauthorized charge on your credit card, you just get a little sting. It’s a hassle to straighten out. But no money is taken from you.

2CBut if someone gets ahold of your debit card information, the second they use it, depending on the nature of the transaction, your bank account will be drained. And in some cases, you can kiss that money goodbye; you got scorched. More than ever, crooks are using others’ debit card data and sucking dry their bank accounts via ATMs—in an instant.

An article on blogs.wsj.com outlines the differences between a credit card and a debit card:

  • Federal law protects you from unauthorized charges made with your credit card number rather than with the actual card.
  • In the event the credit card is in a thief’s hands, you’ll be liable, but only for a maximum of $50, provided you report the problem to the credit card company. However, in many cases a “zero liability” policy may kick in.
  • Debit cards fall under a different federal law than credit cards. Regulation E, the Electronic Fund Transfer Act, says after two days, you could be liable for up to $50. After 2 days liability jumps to 500.00. Beyond 60 days, you could be liable for all unauthorized transactions. Otherwise, federal rules are on the bank’s side.
  • Beyond 60 days, there’s likelihood you’ll never see your money again.

How does the thief get one’s card information in the first place?

  • The thief places a “skimmer” in the swiping device of an ATM or other location such as a gas pump or even the swiping device at a checkout counter. The skimmer snatches card data when the card is swiped.
  • The thief returns at some point and retrieves the skimmer, then makes a fake card.
  • Thieves may capture PINs with hidden cameras focused on the ATMs keys. So when entering PINs, conceal the activity with your free hand.
  • A business employee, to whom you give your card to purchase something, may be the thief. He disappears from your sight with your card to swipe it at some unseen location. While away from you, he skims the data.
  • The thief sends out mass e-mails designed to look like they’re from the recipient’s bank, the IRS or retailers. The message lures the recipient into clicking a link inside the e-mail.
  • The link takes them to a site set up by the thief, further luring the victim into typing in their card’s information.
  • The thief calls the victim, pretending to be the IRS or some big outfit, and lures the recipient into giving out card information.

It’s obvious, then, there are many things that can go wrong. Your best solution is to pay close attention to your statements, online or via a mobile app, frequently.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Beware of Vacation Rental Scams this Summer

Talk about getting taken to the cleaners: Imagine you spot a great summer rental property advertised online. Looks wonderful. The deal sounds too good to be true, but the owner tells you (via e-mail or even phone) that the fee is correct. You apply for the rent and send in the required upfront payment.

9DThen you head down there for the first time to see an empty lot. It then dawns on you that the owner was really a crook who used some photo he found online and advertised it for rent. And if losing your money isn’t bad enough, the thief now has other private information on you like your Social Security number.

How can you protect yourself if the property is too far away to check out in person? Limit yourself to only local rental properties that you can actually physically check out first? Whether or not you can do that, here are safeguards:

  • Copy and paste the rental description into a search engine. If it shows up elsewhere consider it a scam. However…a smart crook will alter the wording so that this doesn’t happen!
  • Google the listed address and see if it matches up. Google any other information connected with the ad, such as the landlord’s name.
  • If you locate the property on another site that lists it for sale, the rental ad is a scam.
  • Request a copy of the owner’s driver’s license to verify property records at your county assessor’s office.
  • If you can’t physically visit the property, use an online map to get a full view, including aerial, to make sure it actually exists. But this doesn’t rule out scam. The property may exist alright, but the ad you’re interested in was not placed by the owner, who’s either not renting at all or might be selling the place.
  • Conduct all communication by phone.
  • Never wire transfer an upfront payment or pay via prepaid debit card—two red flags for a scam. Pay via credit card.

Honest landlords can be scammed, too. They should search the information of responders to their ads to see what comes up.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Is It Fraud or are You just Crazy?

What would you rather have happen to you? A Russian ring of hackers has infiltrated your computer and smartphone and is hell-bent on taking control of your finances, social media life, even the smart gadgets in your house…OR…you’ve just been diagnosed with paranoid psychosis, and in fact, nobody’s out to harm you at all.

12DIn a day and age where it’s become increasingly easy for hackers to hijack your credit card and bank accounts, spy on your baby by hacking into the baby-cam and spy on you via your laptop’s camera … the line between paranoia and real-life spying has become very muddled.

Unfortunately, there isn’t a day that goes by that someone contacts me completely convinced they are being spied on. Maybe they are, most likely they are not. Especially when they begin to explain how every device they own and seems to know everything about them and so on. The likelihood of a hacker having control over their TV is pretty small.

For example, 30 years ago if someone said, “Someone is watching me through my computer,” we’d just assume that person was delusional and needed some medication. Nowadays, we’re apt to immediately think, “Put tape on your laptop’s camera hole!”

So how can we weed out the crazies from the true victims? Just because your laptop has a camera hole doesn’t mean you can’t be imagining that your ex-spouse is spying on you through it.

Many claims of fraud or victimization are real, and many are deliberately made up for financial gain (e.g., faking back pain after a fender bender) or are the result of mental illness.

Sometimes, it’s obvious when the claim is fraudulent or the result of being “crazy.” In fact, the tip-offs that it’s mental illness at play are more obvious than when it’s fraud, since the con artist can be quite skilled.

A general rule of thumb is to look at the simplicity—or lack thereof—of the case. Is the claimed cause simple or convoluted?

For example, you hear a crash, race into the living room and see that your favorite vase—which is located near the bottom of the staircase—has been broken to smithereens. Near the vase is a basketball. At the top of the staircase are your two young sons with scared looks on their faces.

They cough up an explanation: “We were in the living room reading. The basketball was on the floor. A gust of wind blew through the window so hard that it tossed the basketball into the vase. We thought you’d blame us so we ran up the stairs.”

Common sense must be used in determining the most probable cause of an event. This holds for parents, claims adjustors, detectives and juries at a trial. The best judge views things through the lens of simplicity.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Fear of Fraud trumps Terrorism

Okay, what’s more likely? Getting bombed … or some punk racking up charges on your credit card?

11DThe yearly Crime Poll says that two-thirds of the respondents were edgy about data breaches involving their credit cards, as well as their computer and smartphones getting hacked—far more so than being robbed or taken hostage.

It’s easier to thwart a mugger or burglar than it is to thwart cybercrime. Just because you never click links inside e-mail messages doesn’t mean a cybercriminal won’t still figure out a way to nab you.

Interestingly, many people who’ve been digitally victimized don’t even bother filing a police report, says the survey. But a much higher percentage of burglary and mugging victims will.

Maybe that’s because 1) They know it will be easier to catch the thug, and 2) It’s way more personal when a masked man jumps you on the street and hits you with a brick, versus some phantom from cyberspace whose body you never see, voice you never hear, hands you never feel—even though they drain your bank account dry.

But which would you rather have? An ER visit with a concussion and broken nose from the mugger, or a hacked credit card? The Fair Credit Billing Act allows you to dispute unauthorized charges on your card statement and get other things straightened out. And until you pay the whopping bill, your account isn’t robbed.But if someone hacks into your debit card, they can wipe out your checking account in a flash.

The good news is that often, cyberthieves test the waters of the stolen data by making initially small purchases…kind of like a would-be mugger feeling out a potential victim by initially asking her for the time or “accidentally” bumping into her.

A credit card can have varying levels of alerts that can notify the holder of suspicious activity. An example is a charge over $1,000 nets a text message to the holder about this. However, if you set a much lower threshold, you’ll know sooner that the data or card was stolen. Don’t wait till the thief makes a huge charge to be alerted. The lower that threshold, the sooner the card company will contact you and then initiate mitigation.

You know how to prepare for a mugger (pepper spray, self-defense lessons, etc.), but how do you protect your credit and debit cards?

  • Check your credit card statements thoroughly.
  • Don’t put off contacting the company over a suspicious charge.
  • All of your devices should require a password to log on.
  • Use encryption for all of your devices.
  • Always use your bank’s ATM, never a public kiosk.
  • Never let an employee take your card out of your sight.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Identity thieves bombarding Call Centers

One out of 2,900 seems very small, but when there’s a total of 105 million…then this percentage stacks up in the end. It represents the frequency of calls from fraudsters made to call centers in an attempt to get customer account details so they could steal.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813Many times these crooks will succeed by conning phone operators into altering personal details. The thieves will then commit ID theft, gaining access to customer information and even changing customer contact information so that the victims cannot receive alerts.

These clever cons spoofed their phone numbers to avoid detection, and used software to alter their voices, even the gender sound.

Research into the 105 million calls also unveiled that the fraudsters keyed in stolen Social Security numbers in succession until they got a bull’s-eye: a valid entry for an unnamed bank. They then tricked the victim into revealing personal data.

One expert says that if contact phone channels were monitored, this could predict criminal behavior two weeks prior to actual attacks. Many companies also believe that most attacks result from malware rather than social engineering: the tricking of victims into revealing sensitive data. The targets include the staff of the call centers, who are often conned into allowing these smooth-talking worms to get under any door.

When businesses focus on the theory that most of these problems are from malicious software, this opens up a huge door for the fraudsters to swagger their way in.

The crooks’ job is made even easier when companies assign fraud detection to a department that fails to effectively communicate with other departments.

Consumers would be smart to check in with various credit card and bank accounts “posing” as themselves to see just how easy or difficult it might be to gain access with what kind of “easy to guess” or ”easily found on social” information/questions that may be used to authenticate the caller. Then change those “out of wallet” or “knowledge based questions”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Prepaid Cards risk of Fraud

Somewhere out there is a dictionary that when you look up the term wire money, the definition says scam! Even though legitimate money-transfer businesses exist like Western Union, a request to wire money for that new car or vacation package is most probably a rip-off.

2CAnd the crooks behind these rackets are figuring out ways to overcome the increased awareness of consumers to the money-wiring scams. They’ve come up with yet another way to steal your money. Thieves are requesting reloadable prepaid cards.

Would you hand a well-fed-looking masked man on the street your wallet? (Let’s pretend for a moment he’s not pointing a gun at you and is simply asking for your money). Of course you wouldn’t give it to him.

But this is what people essentially do when wiring money or sending in the prepaid cards.

Here’s how it works: The thief makes a request to load your cash onto your card (to pay for whatever), and then send over the card number and PIN. This way, the crook can put your money onto their own cards. They then can go to an ATM and take out cash or spend your money at a store. Meanwhile you never receive the item you thought you were purchasing, like that adorable pedigree puppy you saw online.

But the scams don’t stop at buying puppies, vacation packages, cars or other common items. They can also come in the form of a notice that you won a prize, and that you need to send in a prepaid card to pay a processing fee. Sometimes the scam comes in the form of a utility company payment or even government payment.

Bottom line: Don’t send anyone prepaid cards!

In that same dictionary after the term prepaid cards is scam!

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Stolen Business Debit Cards at Greater Risk

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

WE DO NOT SELL DUMPS

A debit card from your business, in the virtual hands of a thief, spells a mountain of trouble. The thief can generate a duplicate of your business debit card, then splurge. A “cloned” card can be swiped in a card reader, appearing legitimate.

2CBanks are not legally required to reimburse a business’s stolen money from the fraudulent debit card purchases. Nevertheless, some institutions do reimburse, but that’s only after the business owner can prove theft.

Banks are reluctant to believe businesses claiming victimship. A business may spend months, even years, using lawyers, trying to convince a bank of the crime.

Tips from creditcardguide.com for preventing business debit card fraud and getting faster reimbursement:

For purchases, use your business credit card. If theft occurs, the card company will immediately remove the fraudulent charges—and then pursue the matter.

Use the business debit card strictly for a withdrawal or a deposit. The card should be sans the MasterCard or Visa logo; it’s for deposits and withdrawals only. If you make a purchase with it on a tampered-with card reader, the thief could use your data to make purchases—that’s instant cash out of your account.

Keep tabs on your account daily; weekly at a minimum, even if your bank promises “anomaly detection” in your purchases.

Set up apps in mobile devices to allow account holders to check activity daily.

Use multi-layered protection. Set up spending limits, set up text/email alerts.

Suspicious events, such as exceeding a specified dollar amount in a purchase, should be alerted via e-mail or text.

Implement limited access by employees to your business’s cards.

Get to know your banker or credit union. Having to convince a bank that your money was stolen will be easier if you have a pre-established relationship with the institution. Does your financial institution know you? Or are you merely one of a million customers? Don’t be just another face in the crowd to your bank or credit union; it might someday save your can.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Merchants: Do you know where you Card Data is?

Card fraud affects merchants, not just shoppers. The Data Security Standard 3.0, released by the Payment Card Industry (PCI), urges companies to create a data flow diagram. This diagram would reveal all the systems, applications and employees who have access to cardholder data.

1D“In the majority of compromises we’ve seen over the past few years, the merchant was trying to do the right thing but was unaware that cardholder data existed in a location that was not being protected,” states Troy Leach, PCI’s Security Standards Council chief technology officer, to StorefrontBacktalk.

Data flow diagrams include all types of data pertaining to users, suppliers and customers, and businesses should do a full analysis of their systems to know what’s what.

Businesses should also learn details about security levels at all stages, and figure out whether different data is covered under PCI jurisdiction or the protocols of foreign entities.

Data must be “overlaid with a diagram of servers on- and off-premise, and all mobile devices, including those owned by employees,” reports PaymentsSource.

Merchants should know where all their cardholder data is; how their organization operates; and “how their customer’s cardholder data moves throughout their environment,” says Leach, so they can formulate decisions that will minimize risks and costs.

PaymentsSource recommends mapping the application of data flows, since businesses today are “super-interconnected” to other networks.

January of 2015 is when PCI’s Security Standard 3.0. will be in full effect. In the meantime, retailers should promptly start creating data flow diagrams.

Oregon-based iovation Inc. has created an exclusive network of global brands across the retail industry and others, with thousands of fraud professionals reporting more than 10,000 fraud and abuse attempts each day.

iovation’s shared database contains more than 1.6 billion unique devices including PCs, laptops, iPhones, iPads, Android, Blackberries—practically every Internet-enabled device that exists.

Many big brand retailers use this device reputation service to detect fraud early by not only customizing their own real-time rules to set off triggers, but by leveraging the experiences of other fraud analysts to know if the device touching them at this moment has been involved in chargebacks, identity theft, bust-outs, and any other kind of online abuse you could imagine.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247