Combating Fraudulent COVID Unemployment Claims

As federal and state officials scramble to send unemployment and stimulus funds to help people hit hard by COVID-19 business shutdowns, it has become a perfect storm for cyber fraud.

The payments are an easy target for cybercriminals, as hackers and cyber gangs around the world have started to file unemployment claims using stolen identities. Some criminals claim benefits in the names of dead or incarcerated people, while others set up shell companies, “hiring and firing” fictitious employees to collect payments.

For example, cyber gangs in Nigeria have stolen millions in benefits from multiple states using hacked names, Social Security numbers and other information sold for as little as two dollars each on the dark web. In New York, a man was charged with filing more than $1.4 million in false COVID-19 unemployment claims, using the stolen identities of over 250 unknowing victims. According to U.S. attorneys, he was caught in part because he used the same IP address and security question and answer—the name of his family dog, Benji—to submit the applications.

The U.S. Department of Labor estimates fraudsters may already have stolen at least $63 billion through phony jobless claims, while other reports say the losses could be as high as $200 billion. In addition, unsuspecting victims are at risk of receiving surprise tax bills because cybercriminals stole their identities and filed fraudulent claims for COVID-19 unemployment payments.

Watch Closely for Signs of Fraud

The Federal Trade Commission warns that unemployment fraud puts workers at additional risk of identity theft crimes including tax fraud. What can you do to help protect your employees?

Unemployment fraud is often uncovered when employers are notified by state officials that employees have applied for benefits. If those employees are still working, they may be victims of identity theft.

Be alert to the signs of cybercrimes and unemployment fraud. Contact your human resources department or tax administrator and ask them to look carefully at any notices or requests they receive from state unemployment officials. If you get a report about unemployment benefits that an employee did not request or receive, contact the employment division of your state labor department. Unemployment fraud is so widespread that most states have set up special procedures to deal with these situations.

Warn Your Employees

Let employees know that unemployment scams are a serious problem. Identity theft can also lead to tax fraud, credit card theft and loans taken out in their names.

Notify a working employee immediately if the state informs you they have filed for unemployment benefits. They may be the victim of identity theft and should file a police report. Officials say workers scammed by cybercriminals do not have to pay unemployment taxes, but they must report the crime to the state labor department. And they should file their federal and state taxes on time for the correct amount of their income. The U.S. Labor Department has created a special website for victims of unemployment fraud.

Review Your Cybersecurity

Much of the personally identifiable information used by cyber thieves comes from data breaches, phishing schemes and other cyberattacks. Remind employees, particularly in human resources and tax departments, to be alert for suspicious emails, telephone calls and text messages about payroll information or W-2 forms.

The threat will continue beyond the pandemic. Business email compromise, in which employees are tricked into paying company funds into fraudulent accounts, is at an all-time high, so make sure employees have regular cybersecurity training. If you haven’t conducted a data inventory, do so now. Once you know what data you keep, you can determine what controls you require to protect that data. Store employee records securely and dispose of personally identifiable information carefully. It is also advisable to use a secure email gateway, which protects from spam, viruses, malware and denial-of-service attacks, and make sure employees working remotely are using secure company devices. Install patches and software updates, setting up automatic software updates whenever possible.

Unemployment or tax fraud targeting multiple employees may indicate a data breach. If you have a theft or cyberattack, contact your insurance carrier and, if necessary, seek expert help to identify the source, the extent of the problem and how best to respond.

Using Adaptive Behavioral Analytics to Detect Fraud

While fraud threats are nothing new for payments processors and financial institutions, the degree and magnitude of such incidents have escalated in recent years. A February 2018 Javelin study found that nearly 16.7 million consumers were victims of identity fraud in 2017—up 8% from the previous year.

Fraud prevention solutions must be flexible and sophisticated enough to not only counteract increasingly-savvy fraudsters, but also distinguish true fraud from false positives, which occur when genuine activity is mistakenly treated as fraud. According to CreditCards.com, four out of five blocked transactions are actually genuine, and these misunderstandings often result in customers being locked out of their accounts. In many ways, the aftermath of false positives can prove more damaging and costly than an actual instance of fraud, as institutions miss revenue generation opportunities while simultaneously hindering customer loyalty and trust.

As consumer payment technologies evolve, so too will the complexities of fraud detection and mitigation. Therefore, it is vital that risk management teams end their reliance on rigid, manually-programmed rule sets or static machine learning models and instead capitalize on the advanced capabilities offered by today’s more versatile tools. By modernizing their fraud strategies with adaptive behavioral analytics, payments processors and financial institutions can better mitigate risk and increase revenue.

How Does it Work?

Unlike the static machine learning of the past, adaptive behavioral analytics are extremely proficient at differentiating between actual fraud and activities that appear suspicious but are ultimately genuine. As a result, friction in financial services and e-commerce is significantly reduced and customers can maintain confidence in their preferred transaction method.

Adaptive behavioral analytics empowers machine learning through a set of sophisticated, automated, self-learning algorithms that review account activities and notify security teams of anomalies.

These algorithms construct baseline behavioral profiles to reflect a customer’s activity type and frequency. In every interaction, regardless of whether a payment occurs, information is gathered and evaluated on the type of device that is used, how it’s used, its location and the amount of the purchase. Combined, these behaviors create a customer portrait that becomes increasingly accurate over time. Every subsequent interaction can then be measured against the behavioral portrait, within milliseconds, to determine whether the customer’s activities are fraudulent or genuine.

For example, if a user logs into his or her account at an abnormal rate or suddenly begins adding priority shipping to high-priced orders, the system will detect the irregularity and block future activity. However, if a user simply purchases an expensive holiday gift or books travel arrangements—behaviors that coincide with seasonal activity—the system will recognize and differentiate the fraudulent from the legitimate accordingly.

Adaptive behavioral analytics also optimizes the speed and convenience of fraud detection by processing volumes of data and delivering critical intelligence accurately and immediately. Through this more comprehensive investigation, the software enhances the customer profile to better understand and recognize behavioral trends—a welcome sight for security teams that previously spent hours sifting through reports to locate red flags.
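The baseline-and-compare loop described above, reduced to one customer and four signals (amount, device, location, priority shipping), as an added example that is not code from the original article or from any vendor. The learning rate, weights, threshold and sample events are constructed assumptions.

```python
import math
from dataclasses import dataclass, field

ALPHA = 0.1        # assumed learning rate: how quickly the baseline adapts
BLOCK_AT = 3.0     # assumed risk threshold for blocking
MIN_HISTORY = 5    # do not judge a customer before a baseline exists

@dataclass
class Profile:
    """Baseline for one customer, updated after every accepted interaction."""
    n: int = 0
    mean: float = 0.0           # exponentially weighted mean of log(amount)
    var: float = 0.0            # exponentially weighted variance of log(amount)
    priority_rate: float = 0.0  # share of orders that used priority shipping
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)

def risk(p, ev):
    """Score one event against the baseline; higher means less like this customer."""
    if p.n < MIN_HISTORY:
        return 0.0
    std = max(math.sqrt(p.var), 0.25)   # floor: a very regular spender is not over-penalised
    z = max(0.0, (math.log(ev["amount"]) - p.mean) / std)
    score = 0.5 * min(z, 4.0)           # an unusual amount alone tops out at 2.0
    score += 1.0 if ev["device"] not in p.devices else 0.0
    score += 1.0 if ev["location"] not in p.locations else 0.0
    # Priority shipping on a high-priced order from someone who rarely uses it.
    if ev["priority"] and z > 2.0 and p.priority_rate < 0.1:
        score += 1.0
    return score

def learn(p, ev):
    x = math.log(ev["amount"])
    if p.n == 0:
        p.mean = x
    else:
        d = x - p.mean
        p.mean += ALPHA * d
        p.var = (1 - ALPHA) * (p.var + ALPHA * d * d)
    p.priority_rate += ALPHA * (float(ev["priority"]) - p.priority_rate)
    p.devices.add(ev["device"])
    p.locations.add(ev["location"])
    p.n += 1

def observe(p, ev):
    s = risk(p, ev)
    if s >= BLOCK_AT:
        return "block", s   # blocked events never train the baseline
    learn(p, ev)
    return "allow", s

def event(amount, device, location, priority=False):
    return {"amount": amount, "device": device, "location": location, "priority": priority}

def demo():
    """Constructed history: 20 routine purchases, then three test events."""
    p = Profile()
    for i in range(20):
        observe(p, event([35, 42, 38, 50, 45][i % 5], "phone-A", "US-NY"))
    gift = observe(p, event(400, "phone-A", "US-NY"))        # expensive but familiar
    new_phone = observe(p, event(40, "phone-B", "US-NY"))    # routine amount, new device
    fraud = observe(p, event(900, "tablet-X", "ZZ", True))   # every signal deviates
    return p, gift, new_phone, fraud
```

A single deviating signal (the large gift, or the new phone) stays under the threshold and is folded into the profile, while the event that deviates on all four signals is blocked and left out of the baseline.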

Where Can Adaptive Behavioral Analytics Help Most?

The ubiquity of mobile technology has created a consumer audience who prefers to conduct business through a smartphone, tablet or another device that eliminates a trip to a physical store or bank branch. In turn, these consumers demand leading-edge mobile technologies that are intuitive, convenient and offer a full range of services.

The combination of the U.S. adoption of the EMV standard in 2015 and the rise in e-commerce has escalated the volume and prominence of Card Not Present (CNP) fraud. Whether through online purchase portals or apps that access mobile wallets, the digital entry of account information raises the likelihood of a person’s information becoming compromised.

With more transactions taking place, the volume of both true fraud activity and regular behaviors that appear suspicious will increase. However, adaptive behavioral analytics enables more refined differentiation between actual fraud and genuine activity.

It is the best of both worlds: a much-needed, innovative line of defense that combats payments fraud and clears a path for more revenue-generating transactions.

Curb Phishing Damage with a New, Human Approach to Bad Habits

In the first quarter of 2016 alone, more than 40 organizations, including Snapchat, Moneytree and Sprouts Farmers Market, acknowledged they were victims of phishing attacks. The attacks came via emails seemingly sent from CEOs to their own human resources and accounting departments. In reality, these emails were sent by cybercriminals attempting to steal vital personal and financial information from companies and their employees.

The FBI estimates that phishing attacks have cost companies more than $2.3 billion in losses over the past three years, and since January 2015 alone, the agency saw a 270 percent increase in identified victims and exposed losses from CEO scams.

Recipients who “take the bait” by responding to a phishing email often provide scammers with all the necessary information to perpetrate identity theft, including filing a tax return in someone else’s name. Clicking a link or opening an attachment may also launch malware (intrusive software) and seriously compromise the system by initiating malicious background programs.

The stakes are high and regardless of your organization’s size, you are always at risk for an attack. In fact, the Anti-Phishing Workgroup discovers more than 40,000 unique phishing sites targeting about 500 brands per month, while the Department of Defense and Pentagon report receiving up to 10 million phishing attacks each day.

The success of attacks varies, with 30% to 60% of incidents resulting in victimization, according to a 2013 Verizon Data Breach Report. A phishing attempt’s success or failure, however, rests beyond a scammer’s ability to infiltrate the cybersecurity infrastructure of an enterprise.

Your organization’s susceptibility really comes down to your people. Even with training, vulnerabilities depend on a combination of employees’ awareness levels and enduring personal habits, according to research by University at Buffalo (UB).

Companies can implement more effective cyber preparedness measures only when they better understand the ways that their employees think and behave. As phishing attacks continue to evolve and become more sophisticated, the most successful employee cyber defense strategies should involve two critical components: 1) a combination of cutting edge training and testing and 2) support programs to alter the unconscious human behaviors that compromise cybersecurity.

Currently, most businesses train employees to recognize phishing attempts by identifying key elements in an email message, such as finding the sender’s address, noticing hyperlinks and recognizing clues like typos or awkward language. But research has shown that those efforts fail to sustain positive results because organizational training focuses on situational reactions while ignoring employees’ existing habits, which are difficult to break.

For example, an employee may successfully identify suspicious emails when prompted in a training session. When it comes to an average Monday morning, however, opening every email to clear their inbox may be a strong habit that training simply does not offset. Phishing is largely successful for this precise reason. Perpetrators take advantage of individuals who are habitual in the way they respond, despite any awareness they may have developed or gained in training, according to UB findings.

Many employers complement this basic training with follow-up penetration testing to evaluate whether employees recognize the warning signs of a cybersecurity threat in practice. Organizations may send a mock email with red flags that indicate a potential phishing attack, such as a compelling subject line like “Your computer is at risk.” Once opened, the recipient sees that the message is from the employer with a warning about how similar future messages could pose risks.

Penetration testing, however, doesn’t work in the long run because it also fails to acknowledge habitual actions and attempts to change a person’s behavior by simply encouraging them to do more of the same behavior.

Organizations can actually address the bad habits by identifying employees who are most susceptible to phishing and exposing them to higher levels of education with an emphasis on creating better tailored interventions that address the underlying “why” that drives people to fall prey to phishing time and again.

Continuously testing employees can be helpful; however, a company’s security training program must also attempt to adjust the daily unconscious behavior of employees that puts networks at risk. Companies need to provide their employees with a relatable (non-security/IT) team member/colleague to demonstrate what responsible cyber behavior looks like day in and day out.

One way to accomplish this is to create an internal cyber ambassador program that identifies employees who have proven themselves to have especially strong cyber awareness.

These employees should be selected from teams such as accounting, sales, HR and administrative support, that are typically vulnerable to phishing attacks.

Cyber ambassadors are responsible for promoting cyber best practices within their own teams. This type of program creates a platooning effect, where employees subconsciously emulate the behavior of their ambassador/team member, resulting in a safer cyber environment.

While employees can be your greatest weakness, they can also be your strongest asset in thwarting phishing attacks. Training employees to identify a phishing attempt—either before or after falling victim to an attack—is only half the battle.

By better understanding the mechanisms behind employee susceptibility, companies can anticipate individuals most at risk, create dynamic security and training policies that promote safe cyber behavior patterns, and alter employees’ habits through colleague support programs.

Ill. Court: Non-Injured Plaintiffs Cannot Sue for Violations of Consumer and Workplace-Related Laws

In Maglio v. Advocate Health and Hosps. Corp., (Ill. App. Ct. June 2, 2015), the Illinois Appellate Court was asked to decide whether individuals have standing to bring suit for violations of consumer data protection laws where their personal data, while compromised, has not been used to harm the individuals. The Illinois Appellate Court, in holding that such individuals do not have standing, established that, at least in Illinois, plaintiffs who suffer no concrete harm, but instead allege only technical statutory violations, cannot sue for violations of consumer and, presumably, workplace-related laws.

The decision of the Illinois Appellate Court could have implications beyond Illinois. As we previously reported, the U.S. Supreme Court recently granted certiorari in Spokeo, Inc. v. Robins (U.S. Apr. 27, 2015). In the Spokeo matter, the U.S. Supreme Court will confront a nearly identical issue: Do individuals have standing to sue for violations of the Fair Credit Reporting Act (FCRA) even when they have not suffered any harm or injury? If the U.S. Supreme Court reasons in the same way that the Illinois Appellate Court did and answers this question “no,” the decision would likely discourage the current wave of consumer, workplace, and other class actions seeking millions in statutory damages.

Case Background

Advocate is a network of hospitals and doctors. On July 15, 2013, burglars stole four computers from Advocate’s administrative building that contained the personal information of about four million of Advocate’s patients. Advocate notified these patients of the theft on August 23, 2013.

Two sets of plaintiffs filed class actions against Advocate, claiming that Advocate violated two state consumer data protection laws by failing to maintain adequate procedures to protect the personal information of plaintiffs and putative class members and by failing to notify the plaintiffs and putative class about the breach in a timely manner. The plaintiffs also sued Advocate on theories of negligence and invasion of privacy.

Advocate moved to dismiss both class actions, arguing that the plaintiffs lacked standing because they had not suffered any injury as a result of their data being stolen. Both trial courts dismissed the class actions. The trial courts found that “[t]he increased risk that plaintiffs will be identity theft victims at some indeterminate point in the future . . . . did not constitute an injury sufficient to confer standing,” and that the plaintiffs’ “allegations concerning anxiety and emotional distress . . . . were insufficient to establish standing, where they were not based on an imminent threat.” The plaintiffs appealed.

Appellate Court’s Decision

The Appellate Court pointed out that, under Illinois law, a plaintiff only has standing if he or she has suffered “some injury in fact to a legally cognizable interest. [T]he claimed injury may be actual or threatened and it must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.”

The Appellate Court then considered whether the plaintiffs had suffered a “distinct and palpable” injury under Illinois law. It found, in light of Chicago Teachers Union, Local 1 v. Bd. of Educ., – a case in which the Illinois Supreme Court held that physical education teachers did not have standing to challenge a statute allowing school districts to waive mandatory physical education requirements because the teachers were not “in immediate danger of sustaining a direct injury as a result of enforcement of the challenged statute that is distinct and palpable” – that the plaintiffs’ allegations of injury were speculative and the plaintiffs thus did not have standing to bring suit.

The Appellate Court reasoned that this result was supported by federal case law on standing. It observed that, “[i]n federal courts, to show standing under Article III of the Constitution, a plaintiff must establish the existence of an injury that is: (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the challenged action; and (3) redressable by a favorable ruling.” To meet the first requirement, “an allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur” (quoting Susan B. Anthony List v. Driehaus, 2014). “Allegations of possible future injury are not sufficient,” nor is an “objectively-reasonable-likelihood” that the future injury will occur.

The Appellate Court went on to find that an increased risk of harm is not sufficient to confer standing. While agreeing that the Seventh Circuit appears to have held that an increased risk of harm can confer standing in Pisciotta v. Old Nat’l Bank Corp., it found that the later-decided Clapper case compelled rejection of this position (citing Strautins v. Trustwave Holdings, Inc. (N.D. Ill. 2014)).

Finally, the Appellate Court found that alleged “appreciable emotional injury” did not confer standing on the plaintiffs. Specifically, the Appellate Court found that, because the purported emotional injury did not flow from an “imminent, certainly impending, or substantial risk of harm,” it could not, on its own, confer standing.

Implications for Employers

This case is welcome news for Illinois employers, who can use this case to defeat consumer and workplace class actions based on technical violations of state laws without any resulting harm to consumers or employees. Outside of Illinois, if the U.S. Supreme Court interprets federal standing requirements as the Illinois Appellate Court did, employers could be handed a significant win in the Spokeo matter. If Spokeo is decided as Maglio was, employers nationally should have a powerful tool to achieve dismissal of class action lawsuits based on technical violations of both federal and state consumer and worker protection laws. Stay tuned.

This column previously appeared on the Seyfarth Shaw LLP website.