Posts Tagged ‘fraud’

Increased Risk Means We Need to Increase Training

A cyberattack is a malicious and deliberate attempt by an individual or an organization to breach the information system of another individual or company, seeking benefit from the disruption, ransom, or theft of data.

This electronic threat is increasing in frequency and complexity and has become very expensive to remediate or to recover from.

Here’s the surprise – almost 90 percent of cyberattacks are caused or allowed by human error from the internal staff of the entity attacked.

This includes failure to follow security rules and protocols, sharing passwords, using weak or default settings, and falling victim to social engineering.

Even large events, such as the hacking at Equifax and Target, were caused by human error: failure to follow the rules regarding administrative password settings.

So whether your business is large or small, you need ongoing, strong training and testing to counter the threats.

Results of a recent survey of title insurance professionals by the American Land Title Association show that a surprisingly small number of agents are conducting ongoing staff training; most do it once, when they hire an employee.

This is a recipe for eventually becoming a victim of electronic fraud.

There are simple yet effective steps you can take to mount a strong defense against the increasing threats, and it starts with regular training and testing to remove or reduce the human error element.

Here is what to do to put a training and test plan into action:

  • Ensure new hires are introduced to and educated on information and data security policies and procedures as well as how to protect nonpublic personal information (NPI) and sensitive information. Emphasize the “why” so they fully understand that security is a shared responsibility. This should be a core part of their orientation and on-boarding.
  • Set and schedule ongoing training for all employees at every level commensurate with the size of the staff and complexity of your business. This should be monthly, quarterly or semiannually.
  • At a minimum, cover access controls (passwords, passphrases, multi-factor authentication); network and data distribution (including never using non-secured networks, such as those in cafes, hotels and airports, for conducting business); phishing and spear-phishing; never using a general email service like Yahoo or Gmail when sending NPI or sensitive information; and social media and social engineering.
  • Require security measures for smart devices (smart phones, and in particular Androids, account for a large percentage of data breaches).
  • Explain the implications of data loss, which include reputational hits and potential fines, penalties and lawsuits.
  • Focus on all media forms – hardcopy as well as electronic – and include proper handling and protection from receipt through handling to secured destruction.  
  • Training may be done with internal documents, or you may use a third party to conduct the training (e.g., Data Shield; KnowBe4).

  • After the training, use a quiz to gauge how well your employees understood the material.
  • Develop, or use a third party to conduct, ongoing, regular internal testing such as phishing or spear-phishing testing (e.g., KnowBe4 is one vendor that can provide this tool). Depending on the results, you may then make appropriate changes and re-focus your training to deal with any weak or weaker topics or areas.
  • Provide a single point of contact the employee may turn to with questions or to report any suspicious attempts to obtain information or data (electronic or by phone).
  • Keep records of the training and attendees and testing results. This will be needed to demonstrate good faith, to meet many state requirements – and it’s a best practice.

Last, keep up-to-date on emerging threats and vulnerabilities and provide updated training to employees to be sure they understand new risks or new controls and why they are important; employees must know how to recognize and report threats to stay vigilant.

This will keep your training and testing current and fresh and serve as a continual reminder to your staff. Remember, this is a marathon, not a sprint. Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.

PropLogix’s Title Industry Insights for 2019 Features Alliant National’s Jeff Stein

Alliant National’s Regional Counsel Jeff Stein was a featured contributor in PropLogix’s Title Industry Insights for 2019.

For the article, title insurance leaders share perspectives on topics that should be top of mind for settlement agents in 2019.

The story explores strategies and practices for title agents, including wire fraud prevention, marketing, e-closings and blockchain.


IRS Warns of Tax Transcript Email Scam

ALTA TitleNews Online Archive
November 29, 2018

The Internal Revenue Service and Security Summit partners recently issued a warning about the surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.

The scam is especially problematic for businesses whose employees might open the malware because the software can spread throughout the network and potentially take months to successfully remove.

Known as Emotet, this malware generally poses as specific banks and financial institutions in its effort to trick people into opening infected documents.

In the past few weeks, the scam masqueraded as the IRS, pretending to be from “IRS Online.” The scam email carries an attachment labeled “Tax Account Transcript” or something similar, and the subject line uses some variation of the phrase “tax transcript.”

These clues can change with each version of the malware. Scores of these malicious Emotet emails were forwarded to phishing@irs.gov recently.

The IRS reminds taxpayers it does not send unsolicited emails to the public, nor would it email a sensitive document such as a tax transcript, which is a summary of a tax return. The IRS urges taxpayers not to open the email or the attachment.

If using a personal computer, delete or forward the scam email to phishing@irs.gov.

If you see these emails while using an employer’s computer, notify the company’s technology professionals.

Reprinted with permission from the American Land Title Association.

Watch Out for These 3 Tax Scams

These days, when we consider fraud schemes targeting title agents, we usually think about email scams where criminals attempt to interject themselves into specific transactions for the purpose of diverting a wire.

Such scams can be devastating for agents and consumers, and we must guard against this type of email fraud.

However, scams involving real estate transactions are just one small piece of the larger fraud puzzle; and with tax season upon us, it’s important to remember that our industry is not immune to the types of email and other schemes that are common to other businesses.

According to the IRS, thousands of people have lost millions of dollars and their personal information to tax scams.

Scammers use the regular mail, telephone, or email to set up individuals, businesses, payroll and tax professionals.

The agency recently released a flurry of alerts warning of various schemes. You can find a full summary on the IRS webpage, but here are just a few highlights.

W-2 scam

The IRS warned that fraudsters are increasingly targeting payroll and human resource departments in an attempt to obtain their Forms W-2, which the criminals then use to file fraudulent tax returns.

To work the scam, the fraudster writes emails that look like they’re from an organization executive. The emails are directed to an internal employee with access to wage and tax information, and they often begin with an innocent greeting, such as: “hi, are you working today.”

Soon, the fraudster asks for all Form W-2 information.

The W-2 phishing scam has victimized hundreds of organizations and thousands of employees in recent years, the IRS said. Employers of all sizes have been affected including public schools, universities, hospitals, tribal governments and charities.

The IRS has established a process allowing businesses and payroll service providers to quickly report any data losses related to the W-2 scam.

Learn more about the process here.

Phone scam

In a recent blog post, “Think Email Fraud is the Only Hack Tactic? Think Again.”, we noted that scammers are increasingly using phone calls to attempt to trick title agents into wiring money to fraudulent accounts.

Some simple technologies even allow fraudsters to spoof phone numbers. So, a criminal could call you, but make it look like the call was coming from someone legitimately involved in the transaction.

As it turns out, tax fraudsters are using this same technology.

The IRS warned that criminals claiming to be IRS employees — using fake names and bogus IRS identification badge numbers — are trying to bully victims into sending them money.

Sometimes the fraudsters claim that the victim has a tax refund coming, and the money can be deposited if the victim provides his or her banking information.

The tax phone scam seems to be targeted toward individuals as opposed to businesses, but it underscores at least two important points: 1.) treat threats and high-pressure language as a red flag; and 2.) the telephone isn’t always a “safe” method of communication.

Malware

Malware scams certainly aren’t new. Basically, the fraudster sends an email that looks like it’s from a trusted source, such as a business contact, a reputable company or a government agency.

The email directs the receiver to click a hyperlink or open an attachment.

When clicked, malicious software loads onto the victim’s computer, and the scammer uses that software to gain access to sensitive systems and information.

Fraudsters often attempt to trick title agents and others involved in real estate transactions into clicking malicious links by sending emails purporting to contain “important closing documents.”

By now many agents have seen the “closing documents” scheme, and they know how to avoid it. However, companies need to remain vigilant for other types of malware emails.

In recent weeks, the IRS has seen a surge in malware emails targeting the employees of all types of businesses. The emails, which appear to come from the IRS, carry malicious attachments labeled “Tax Account Transcript” or something similar. The words “tax transcript” often appear in the subject line.

The IRS reminded taxpayers that it does not send unsolicited emails to the public and would never email a sensitive document such as a tax transcript, which is a summary of a tax return.

If using a personal computer, such emails should be deleted or forwarded to phishing@irs.gov, the agency said. Those who receive such emails at work should notify their company’s technology team.

Think Email Fraud is the Only Hack Tactic? Think Again.

Remember when wire fraud was just about bogus emails?

Criminals today have broadened their tools and tactics in their quest to divert escrow funds by tricking us and others in the real estate transaction into accepting falsified wiring instructions.

Email is no longer their only weapon. We’re hearing about two non-email tactics fraudsters are using.
