Group items tagged

Online fraud is a $4 billion dollar a year industry. It grows as the unemployment rate increases and the jobless attempt to earn a living through whatever means necessary. Meanwhile, the Internet's footprint on the global economy and culture becomes larger every day. The expansion of fraud and the identification of this risk will create more jobs in the fields of compliance, risk management, and best practices. Who will fill these positions? For many companies looking to take action, the initial move will be to consolidate roles. Individuals in areas such as sales and marketing will absorb fraud identification, reporting, and prevention responsibilities. This will prove to be ineffective for the following reasons: 1. The sales and marketing staffs are not trained to identify fraud and they cannot keep up with the ever-changing tactics. 2. Associates are conflicted when faced with a fraud incident. They are not motivated to report fraud and their compensation structure dissuades them from reporting incidents. 3. Business goals are not aligned appropriately, which naturally moved fraud last on the priority list for the associates assigned the additional responsibilities. 4. While the internal attempt is made, no time is spent on partner due diligence and monitoring. Organizations will benefit in the long term by hiring dedicated staff. This tactic is one component of my company's Best Practice approach to doing business. My dedicated team helped realign business goals and create a culture that now embraces a higher set of standards and expectations. Staffing and training were the largest challenges I have faced in the last year. The positions were new, the skill set was specific, and as a result we received a dichotomous set of resumes. Applicants with online marketing experience had little to no experience with fraud, or they came from companies where more unscrupulous methods were used, and I was not confident those habits would be easily kicked. The app

The largest threat to online advertising is growing as the economy declines. More individuals will turn criminal, purchasing products or generating income through fraudulent means. Billions of dollars are stolen from businesses each year, and in 2009 companies will fight fraud with fewer resources.According to CyberSource, an estimated $4 billion dollars was lost to fraud in 2008 up from $3.7 billion in 2007, and 87% of merchants must fight fraud with the same or less staff in 2009. The increase in eCommerce fraud from 2007 to 2008 (and one can expect, in 2009) follows the advertisers' shift to spend more of their budget online. Much like crime statistics, one has to wonder how much fraud is not being reported because, among many reasons, commission-driven employees are not motivated or your company lacks resources.In early 2008, I was approached by our CEO to start a new division that would address our partners' fraud concerns-both real and perceived. He said, "I'm not going to lie to you. It's a SOB job." I was sold, and the Best Practices Division began.My team establishes best practices (measurable, repeatable events, processes, and procedures) and applies them internally and externally (to our partners' online marketing practices). At its core, best practices (BPs) are a set of standards that provide transparency and clear expectations of behavior and results to everyone involved in the business process. This accountability will drive the long-term performance of the online advertising industry while maintaining profitability without additional federal regulation.The BP approach can be applied to every business model and used to fight fraud-wherever you find it. Industry norm places the onus on the advertiser to successfully qualify inbound leads as well as identify fraudulent traffic. In the past, advertisers had only two options: become an online fraud expert, or hire a vendor.Only a small percentage of companies will be successful with the

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

"A new report from Javelin Strategy and Research suggests that many credit and debit card holders fail to understand the importance of a notice saying that a credit card or debit card has been breached and do not protect themselves from fraud. The company's research found that people notified of a breach of their secure data were four times as likely as the public at large of actually experiencing financial or other fraud within a year of the notification. Further, those who experienced a breach in their secure data and then an incident of fraud very rarely link the fraud to the breach. "Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach, the firm reported. "It seems as if consumers are not connecting the dots on data breach notifications to fraud events. They are aware, in the abstract, some personal records of theirs have been compromised, but when they become a victim of fraud they do not make the connection to the breach notification.""

Financial fraud last year caused 7.5 percent of all adults in the United States to lose money, largely because of data breaches. That's the finding of a survey conducted by Stamford, Conn. research firm Gartner. The survey polled 5,000 U.S. adults and also found that when compared with average consumers, nearly twice as many people who lost money to fraud changed their shopping, payment, and e-commerce behavior. In particular, victims of electronic checking and/or savings account transfer fraud were nearly five times more likely to change banks because of security concerns. "Fraud victims are also more cautious about which brick-and-mortar stores they shop at and how they pay for goods when they get there, demonstrating more awareness of the risk of data breaches," said Avivah Litan, vice president and distinguished analyst at Gartner, in a news release. High-tech crimes, such as data breaches (which typically involve hacking into enterprise systems) and phishing attacks against consumers, are the most prevalent causes of payment card fraud. Gartner found that financial losses were highest with new-account, credit card and brokerage fraud, with average losses per incident totaling $1,097, $929 and $900, respectively. However, victims of brokerage, credit card and debit/ATM card fraud find it easiest to recover their losses, receiving an average of 100 percent, 86 percent, and 77 percent of the funds stolen, respectively.

"Identity theft can happen to anyone," is the frequent refrain of government and advocacy groups warning consumers about bank fraud. What they don't add: The crime is far more likely when that "anyone" is a woman. A study released Monday by the fraud-tracking firm Javelin Research showed that women are 26% more likely than men to be the victims of identity theft. While 3.8% of men had their banking details stolen and used for fraud in the last year, 4.8% of women were victimized. And women took far longer on average to discover their financial identities had been compromised, leading to far greater risk of repeat fraud: Women took 83 days to detect they'd been targeted, compared with 45 days for men. The growing reason behind this disparity, argues Javelin President James Van Dyke, is an often-misunderstood trend: Digital commerce is making identity theft harder, rather than easier. Because men are statistically more likely than women to adopt newer technologies such as online banking and shopping, they more often have the benefit of high-tech safeguards, Van Dyke says. Women, because of their lesser use of Web banking and sales, suffer from more old-fashioned fraud caused by stolen credit cards or retail employees, he says. Fifty-eight percent of women, for instance, have never banked online, compared with 55% of men, according to Javelin's study. That means women are less likely to sign up for fraud protection programs like text message or e-mail alerts that warn of abnormal transactions. Twenty-three percent of men use e-mail alerts, compared with 15% of women; 8% of men receive text message warnings, compared with just 3% of women.

The first sign that something was wrong seemed harmless: A new Dell credit card arrived in my mail one afternoon. More landed in the mailbox the next day. Macy's. Bloomingdale's. Crate and Barrel. Radio Shack. Then later: Visa Sony, Toys R Us and Lowe's cards turned up. I didn't request any of these cards. My first call to Dell revealed what I suspected. Someone had applied for a credit card using my name. I felt violated and vulnerable. Then, it hit me: I've become a statistic, a victim of identity theft. A thief had taken my name, my credit and my identity and managed to spend more than $8,000 (money that, I'm grateful, I didn't have to pay). I still don't know who the culprit was or how it happened. All I know is that if this happened to me - a Sun Sentinel consumer affairs and watchdog reporter - it can happen to anybody. Thieves move quickly Identity theft is the fastest growing crime in the United States, according to the Federal Trade Commission, which enforces identity theft laws. Experts estimate 10 million Americans become victims of identity fraud each year. Last year, businesses lost $56.6 billion to ID theft, the commission said. I've spent hours on the phone talking to fraud investigators, credit bureaus and bank staff as I've tried to sort out the mess that is now mine to clean up. I was exhausted every time a call ended. Individual investigations, conducted by fraud departments for each of the credit card companies that issued accounts in my name, took months to complete before concluding I was a victim of ID fraud. But there is a bright side to this story. I thought I knew how to protect myself. But what I've learned through this experience has taught me that you can never be too careful. I also learned some hard lessons along the way about how best to safeguard my personal information in the future - and respond, if my identity is targeted again.

Cash-squeezed privately held companies are facing another threat in this struggling economy: rising employee fraud. Employee fraud -- from check-forgery schemes to petty-cash theft -- tends to rise during tough economic times, when workers are feeling financial pressure in their personal lives, experts say. And small companies are especially vulnerable because they often lack stringent internal controls to prevent fraud. Sometimes, managers at affected companies attribute lost funds to lower sales -- never even suspecting foul play.

In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customer's credit profiles. The decision is a blow to the burgeoning identify-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services - a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly. Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling "dramatic and unexpected." "It causes a real shift in the industry," he told Threat Level. The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation's three credit reporting bureaus. Experian claimed LifeLock is trying to "game the system" of fraud alerts to make a profit.

A recent data breach study commissioned by the state of Maine sheds light on the losses banks experienced as a result of the data breaches at TJX and Hannaford Brother's supermarkets. The state's banks said they incurred $2.1 million in expenses related to data breaches since January 1, 2007. The Hannaford breach had the largest impact, affecting 71 financial institutions and incurring $1.6 million in expenses according to the Maine Data Breach Study. Hannaford is based in Scarborough, Maine. The TJX breach accounted for $485,000 in expenses. The report was issued by the Main Bureau of Financial Institutions in November 2008. It studied the impact of data security breaches on Maine banks and credit unions. Fifty credit unions and 25 banks headquartered in Maine responded to the survey. Financial institutions reported more than 18 million records breached last year, according to the Identity Theft Research Center. The San Diego-based nonprofit found that data breach reports across five industry sectors jumped to 656 last year, up 47% from 2007. About 12% of the reports came from financial-services firms, up from 7% in 2007. In Maine, the Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used to buy items fraudulently, although five of the 22 institutions that suffered a fraud loss did not report the number of accounts, according to the report. The Hannaford breach cost some banks as much as $58,000 to reissue credit cards to customers. Investigation expenses cost nearly $30,000 for some banks. Communication to customers cost nearly $28,000, some banks and credit unions reported. Fraud losses of nearly $45,000 were tied to the TJX data breach. The losses were reported by six financial institutions. The expenses for reissuing credit cards cost some banks as much as $32,000. Investigation expenses were as high as $21,000 for some banks. Communication to custom

Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach. In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed. Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

Fraud on the Internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said on Monday. Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released on Monday from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center. Online scams originating from across the globe -- mostly from the United States, Canada, Britain, Nigeria and China -- are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March alone. "2009 is shaping up to be a very busy year in terms of cyber-crime," the report's author, John Kane, told reporters in a telephone briefing. Last year's losses compared with $239.1 million in 2007 and dwarfs the $18 million of losses of 2001.

A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today. "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

"Today, the Federal Trade Commission opened new areas of a "virtual mall" with content that will help kids learn to protect their privacy, spot frauds and scams, and avoid identity theft. The FTC Web site, www.ftc.gov/YouAreHere, introduces key consumer and business concepts and helps youngsters understand their role in the marketplace. The FTC is the nation's consumer protection agency. "YouAreHere presents practical lessons about money and business in a fun and familiar setting," said David Vladeck, Director of the FTC's Bureau of Consumer Protection. "The new content takes kids behind the scenes to raise their awareness of advertising and marketing, pricing and competition, fraud and identity theft. At the FTC's online mall, visitors play games, watch short animated films, and interact with customers and store owners. They can design and print advertisements for a shoe store, investigate suspicious claims in ads and sales pitches, learn to identify the catches behind bogus modeling schemes and vacation offers, and guess the retail prices of various candies based on their supply, demand, and production costs. At the Security Plaza, visitors can build a social networking page and see the unintended consequences of posting personal information. They also get tips on how to keep their computers safe while they're online. In the arcade, visitors can play Info Defender 3 and protect Earthlings from Cyclorian invaders who would steal their identities. The game teaches the importance of protecting personal information, including Social Security numbers. For parents and teachers, the site offers detailed fact sheets with ideas for related activities. Teachers can use the site to complement lessons in consumer economics, government, social studies, language arts, and critical thinking. The National Council for Economic Education has developed a lesson plan that prominently features YouAreHere; it is available on the Parents and Teachers page. "

A Port Washington medical practice was defrauded of nearly $250,000 by a former employee who for four years paid her credit card bills with automatic debits from a doctor's checking account, Nassau police said. Debra Camilo, 42, of 110 Malba Dr., Whitestone, began the transfers in the spring of 2004 and even though she was fired a year later -- for reasons unrelated to the fraud -- she continued until July 2008, police said. All told, the former office manager made more than 80 unauthorized debit transfers to her Visa credit card amounting to $241,341, police said. Crimes against property bureau detectives arrested Camilo Thursday afternoon in Manhasset and charged her with grand larceny, identity theft and fraud. She was scheduled for arraignment Friday in First District Court, Hempstead.

The federal government has a key role to play in researching and organizing a national response to the problem of medical identity theft, authors of a government-funded study have concluded. Patients, providers, payers and other members of the healthcare community also must join in the effort to combat a problem that is serious, although as yet its scope is not fully known, the report stated. Contractor Booz Allen Hamilton released the report last week. It represents the final phase of the $450,000 study funded last year by the Office of the National Coordinator at HHS. The study consisted of three parts, the first being to review existing knowledge about medical identity theft as well as policies and practices to prevent it. Those findings were included in a research paper on the subject released last October. The second phase involved a public meeting Oct. 15, 2008, the same day the paper was released, to "open a dialogue about medical identity theft within the healthcare industry. The final phase, the 26-page report, includes 31 "potential actions," which are recommendations that could form a national policy on medical identity theft. While medical identity theft "may be categorized as healthcare fraud," according to the report, "there are unique and important distinctions of medical identity theft that need to become more commonly understood to address this issue effectively." One difference, the report authors noted, is that the primary motive behind healthcare fraud "is most often monetary gain, such as when fraudulent providers bill for more expensive services than those rendered. However, medical identity theft tends to be focused on the use of someone else's information to gain goods, services and healthcare." IT could hurt, help Therefore, undetected medical identity theft poses medical risks to its victims, since their medical records may contain inaccurate and potentially harmful information that may cause them not to be con

New Jersey lawmakers are considering new legislation that would require Facebook, MySpace and others to police social networking sites for offensive posts or else face potential consumer fraud lawsuits. But some lawyers say that even if the measure is enacted, it's not likely to have much impact on social networking sites because the federal Communications Decency Act immunizes such sites from lawsuits based on material posted by users. The bill is part of state Attorney General Anne Milgram's Internet safety initiative. "The social networking site safety act is intended to deter cyber-bullying and the misuse of social networking Web sites," the Office of Attorney General said in a statement about the measure. "The bill empowers users of social networking sites to take steps to stop harassment or exploitation." Last year, Milgram garnered headlines by launching a fraud investigation of gossip site JuicyCampus.com -- where users frequently posted insults about college students -- but no legal action resulted. (That site folded last month for financial reasons.) Attempts to rein in cyberbullying might be politically popular, but this type of state effort to regulate global Web sites is also likely to prove useless, say cyber lawyers. "We need to recognize that legislating on the Internet can't be done on a state-by-state basis," said Parry Aftab, an expert on Web safety and cyber-abuse. "We can't have a different law in each state."

PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research. Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday. Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized. "It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""