Bruce Dubinsky, CFE, MsT, CPA, CVA
Managing Director, Duff & Phelps, LLC
It’s no surprise that companies have fraud on their mind these days. As of May, a Verizon report revealed that 6 million data breaches in businesses worldwide had already occurred in 2016. In response, steps have been taken by organizations to protect themselves from outside hacker threats — but this might not be enough. Unbeknownst to many, the bigger danger to these companies and their customers’ data arises from those who are trusted the most: 50 percent of all security incidents are caused by people inside an organization. According to the 2016 ACFE Report to the Nations on Occupational Fraud and Abuse, a typical organization loses an estimated 5 percent of revenue a year as a result of fraud.
The onset of International Fraud Awareness Week, November 13-19, provides a compelling opportunity to discuss the dangers and prevention methods of insider fraud.
We can start with the understanding that learning that your company’s confidential data was stolen, not by a hacker, but by an employee, is a catastrophic scenario that no organization wants to face. Although sometimes these data breaches are unintentional — perpetrated by careless employees — in most circumstances, they are the result of malicious intent. Oftentimes, personally identifiable information (PII) is stolen to be sold on the black market or used to receive social security benefits, open new credit card accounts or to apply for insurance benefits.
The ACFE report finds that a perpetrator’s level of authority is directly related to the magnitude of the fraud, as the losses incurred from the scheme by an owner or executive (about $703,000) are more than four times the median loss by managers (about $173,000) and nearly 11 times as much as the loss caused by rank-and-file employees (about $65,000).
Companies can combat insider fraud by developing safety measures that emphasize a team approach, through which all areas of the organization or agency work together to identify threats and prevent them from escalating into significant losses. The Report to the Nations found that when organizations adopt and encourage an “if you see something, say something” approach, they can mitigate losses by up to 54 percent. In addition, insider fraud can be detected up to 50 percent faster.
Consistent with this approach, the most common detection method in the ACFE study was employee tips (39.1 percent of cases). Organizations that had reporting hotlines were also much more likely to detect fraud through these tips than organizations without a reporting outlet (47.3 percent compared to 28.2 percent, respectively). Additionally, when fraud was uncovered through methods such as surveillance and monitoring or account reconciliation, the loss duration of schemes was lower than when the schemes were detected through passive methods, such as notification by police or by accidental discovery. Many agencies also had success with professionally-manned hotlines for whistleblowers.
There are valuable resources available to help your company take the necessary steps to prevent insider fraud. The LexisNexis® Fraud Defense Network, of which I am a board member, provides resources such as the Identity Fraud Protection Playbook and technology for cross-industry fraud prevention. Take the quiz to see how your fraud prevention efforts measure up to the competition and collect valuable insights on preparing for this significant threat.
You can find more free resources to spread fraud awareness, like social media badges, infographics and videos, at FraudWeek.com.
Robert K. Minniti, CFE, CPA, CVA, CFF
On July 7, King5.com reported that King County officials entered two charges of felony identity theft against Gary Wayne Bogle. According to “Washington man charged with felony ID theft,” by Danielle Leigh, Bogle used his brother's identity to obtain free health care and attempted to avoid a criminal record in his own name. His brother ended up with false convictions and destroyed credit because of unpaid hospital bills fraudulently entered under his name.
Financial identity theft occurs when someone misappropriates your personal information to open new accounts, or uses your existing bank or credit accounts to make purchases. The above case shows a newer type of identity theft — criminal identity theft — that's spreading across the country and can be even more damaging than having a criminal destroy your credit rating.
Historically, criminal identity theft meant a criminal would obtain a driver's license or state identification card using the victim's information, including their photo. The criminal would provide this identification to police officers when they were pulled over for a traffic stop or while being arrested for a crime. They'd sign for the ticket and then miss the court hearing. Or they'd be arraigned and released pending trial and then miss the trial. Because no one appeared in court, the judge would issue a bench warrant for the arrest of the victim, whose stolen personal information was used by the actual criminal.
Often the victims of this type of identity theft find out about the crime when they're arrested or terminated from their job because of an outstanding warrant. They also might struggle to find employment because some companies conduct pre-employment background checks on job applicants. Take, for example, a California woman who was detained six times by law enforcement, arrested four times, spent 20 days in jail on no-bail warrants and even had her children removed from her care by child protective services — all because she was a victim of criminal identity theft.
Read the full article, and find out tips for protecting yourself from criminal identity theft, at Fraud-Magazine.com.
ACFE Communications Coordinator
It’s almost All Hallows’ Eve. Your pumpkins have been carved, decorations displayed and candy has been purchased for neighborhood trick-or-treaters. Whether you’re passing out candy, dressing up or people-watching at a local pub, you will be sure to encounter a few authentic costumes. You could almost do a scavenger hunt of sorts: find a vampire, ghost and zombie. Not only do these characters have Halloween in common, they also can be categorized as the living dead.
Much like a vampire, ghost or zombie in a movie, fraud can be rampant and unforgiving. Fraud preys on anyone, even the dead. According to the Identity Theft Resource Center (ITRC), identity thieves can obtain information about deceased individuals in various ways such as obituaries, death certificates and websites that offer the Social Security Death Index. This abuse of a deceased individual’s identity is referred to as “ghosting.” The University of Texas’ Center for Identity estimates that “approximately 2.5 million identities are stolen each year from deceased victims.”
Ghosting occurs partly because accounts in a deceased individual’s name will remain active until the financial institution is made aware that the customer has passed. According to the ITRC, this is because it takes time for the Social Security Administration to transmit the Death Master File to the financial industry. Also, the Death Master File is not always accurate since it is based on information provided by consumers and governmental agencies.
With identity thieves lurking, here are some steps to protect your deceased loved one’s identity so that its “ghost” does not haunt your family:
- The IRS recommends that families “avoid putting too much information in an obituary, such as birth date, address, mother’s maiden name or other personally identifying information that could be useful to thieves.” Be aware that identity thieves do scan obituaries in newspapers. Leave out any information that could relate to applying for a credit card or opening a bank account.
- If there is a surviving spouse or other joint account holders, the ITRC advises them to “immediately notify relevant credit card companies, banks, stock brokers, loan/lien holders and mortgage companies of the death.”
- The ITRC also recommends contacting all credit reporting agencies, credit issuers, collection agencies and other financial institutions that need to know of the death. There might be different mandatory procedures for each agency. Here is information that the ITRC says to include in all letters to these agencies:
  - Name and SSN of the deceased
  - Last known address and last five years of addresses
  - Date of birth
  - Date of death
Send all mail as certified mail and request the return receipt. Also keep all correspondence, noting the date sent and any responses you receive. Request a credit report as well. This report will tell you of any accounts with which you need to follow through. Once you receive the credit report, ask that it be flagged as “Deceased.”
Whether this information is helpful now or in the future, make sure that your family is protected from criminals whose only intent is to resurrect your loved one’s identity for their profit.
Zach Capers, CFE
ACFE Research Specialist
Recently, I attended the ID360 conference in Austin, which was presented by the University of Texas at Austin’s Center for Identity. The theme of the conference was “The Identity Economy” with speakers focusing on such topics as personal identity management, social media and online security. The discussions of these interrelated topics made me consider the ways I leverage my own identity in the emerging identity economy, and — more concerning — how my identity is used by others.
Identity is now a form of currency, and the consequences of this development are unfolding in interesting and often unpredictable ways. As a music lover living in Austin, I have noticed during the past few years how the identity economy is developing in the realm of live music and event ticketing. For example, during the recent South by Southwest (SXSW) festival, I found myself shamelessly tweeting about the Mazda car company for a chance to win passes to an event I wanted to attend. Despite how obnoxious my shilling must have seemed to others on my Twitter feed, I felt it was worth it, particularly because I ended up winning the passes.
The identity economy was apparent in other aspects of SXSW as well. This year, an increasing number of events required that prospective attendees register through their Facebook accounts. This meant that attendees had to open their Facebook pages to applications that often collect and share personal information for marketing and other purposes. I found this too much to bear, so I avoided events that required compromising my Facebook account; however, countless other festival-goers likely did so without questioning the practice of providing access to their personal information in exchange for access to an event.
Another facet of the identity economy is the phenomenon of developing a user reputation to enhance standing within a particular user base. For example, the ticketing firm 1iota provides free tickets to television shows and concerts based largely on reputation. If you sign up for an event, win tickets and subsequently follow through with attending the event, your chances of winning tickets to the next show increase. Conversely, if you win tickets and fail to attend the show, your chances of receiving tickets in the future plummet. The idea is that those who build a strong reputation on the site tend to be more enthusiastic and dependable fans whom organizers prefer to have at their events. Reputation systems have been in use for many years with websites such as eBay and LinkedIn, and they will only increase in number and variety going forward.
At last month’s Coachella music festival in Indio, California, the identity economy was also in full swing. All ticket buyers were required to wear a wristband containing a registered radio-frequency identification (RFID) chip, and all wristbands had to be activated with the individual’s personal information, with the option to connect the wristband to a Facebook or Spotify account. No doubt much of this information was collected for demographic research and subsequent marketing efforts. However, the RFID technology was also used to streamline entry, reduce fraud in the secondary market and track the movement of individuals inside the festival grounds to maximize logistical efficiency. Another result is that individuals can no longer attend America’s most popular and profitable music festival anonymously.
While many of these uses of identity might seem relatively innocuous, we must always question how much of our identity we are willing to trade for convenience. Our evolving — or devolving — concepts of privacy and identity are fundamentally changing not only commerce, but also the strategies through which companies and criminals exploit our personal information for profit. At the ID360 conference, the University of Texas announced a Master of Science in Identity Management and Security degree program, the first of its kind in the nation. Perhaps a new generation of identity experts will help guide us through the burgeoning convergence of our identities and the economy.