Healthcare data breaches can threaten your financial well-being

Like many sectors of the economy, the healthcare industry regularly suffers data breaches. Healthcare analytics company Protenus has found that nearly 32 million patient records were breached between January and June 2019 alone.

Alarmed? You should be. However, there are steps you can take to reduce the risk that thieves will get a hold of your medical records and use them for nefarious purposes.

Why they’re valuable

Unlike other types of personal data, healthcare records command a hefty premium on the black market. That’s at least partly because criminals can potentially use information about an individual’s health to blackmail him or her.

Also, stolen medical records include valuable details about people’s identities. In fact, there’s usually enough information in medical files to facilitate extensive identity theft. These schemes can involve health insurance-related fraud as well as financial account and tax fraud schemes.

What you can do

The following four steps can help you protect your personal medical and other data:

  1. Be careful what you share with providers. Healthcare providers typically ask for a lot of personal information, including your Social Security number. But you aren’t obligated to provide it. If in doubt regarding whether a piece of data is critical to receiving care, ask your provider. If the provider says the information is necessary, learn how it plans to use the data — and protect it from thieves.
  2. Read the small print. Apply the same caution to healthcare apps. Only provide access to data that’s critical for the service. Read the service provider’s terms and conditions and its privacy notice so that you understand how and where your data might be used.
  3. Closely review insurance statements. Sometimes the first sign of identity theft is an insurance company statement detailing medical services you didn’t receive. Go over every insurance document and contact your insurer and the medical provider immediately if you spot any discrepancies.
  4. Don’t assume privacy online. Revealing personal details online (for example, with a large group of “friends” on social media) may provide criminals with enough information to steal your identity. Keep in mind that a dedicated criminal could piece together a detailed profile of you simply by visiting multiple sites where you’re active.

If your data is compromised

If you fear your healthcare information was included in a data breach or has otherwise been compromised, consider contacting the three major credit bureaus to freeze your credit file. This prevents the unauthorized creation of new accounts. Also step up your monitoring of insurance statements to ensure no one is filling prescriptions or making office visits in your name.

© 2019 Covenant CPA

Defrauded? Prioritize evidence preservation

You may suspect that an employee has stolen from your company. But without evidence of a crime, you’ll have a hard time pursuing prosecution. So if you discover a fraud, first call your attorney. Then take immediate steps to preserve the evidence.

Safeguard paper documents

Place any hard documents related to the possible fraud in a safe location that’s accessible only to key people. The fewer who handle it, the better. Don’t make notes on any paper documents and, unless necessary, don’t let them be handled. Instead, make separate notations about when and where they were found and how you preserved them. A court case can be derailed if you don’t preserve the chain of evidence and can’t prove to a judge’s satisfaction that the documents haven’t been tampered with.

Handling paper documents is relatively easy as long as you approach the task with care. You can copy anything you need to continue operations and turn the originals over to a fraud expert or law enforcement for fingerprinting, handwriting analysis or other forensic testing.

Take care with technology

Digital evidence can be another story, especially if your IT staff isn’t trained to react to fraud incidents. Even if these employees are highly skilled at setting up and troubleshooting your computer applications, they’re unlikely to be fully aware of the legal ramifications of having a computer or mobile device used to commit fraud.

IT staffers could inadvertently alter or destroy evidence in the course of restoring a computer to normal operations. To avoid such mishaps, arrange for training so that these employees know how to respond to fraud incidents. They should be instructed to stop any routine data destruction immediately. If your system periodically deletes certain information — including emails — that process must be discontinued the minute you notify them that something is amiss.

If no one has a background in computer forensics, turn the investigation over to an expert as soon as possible. Forensic experts can identify and restore deleted and altered records, digital forgeries and files that have been intentionally corrupted. They also can access many password-protected files and pinpoint unauthorized system access.

Be prepared

If you’re unsure about how to handle fraud evidence, simply take steps to restrict access to it, then ask your attorney about the next step. Better yet, contact us before you discover fraud. We can help ensure you have the necessary training and procedures in place to preserve evidence if an incident ever occurs.

Forget cybercrime — “creepers” are an old-school threat to your business

If you devote all your business’s security resources to fending off hackers and other cybercriminals, you may be unlocking the door, literally, to more basic types of theft. “Creepers” are criminals who gain access to offices or other physical facilities via unlocked doors and social engineering tactics. Once in, they steal proprietary information, inventory, computers and personal property, or gather information that makes it easier to hack your network.

Creepers in action

A major energy company’s Houston office was infiltrated by a creeper who’s believed to have stolen sensitive information, possibly to sell to a rival company or foreign government. Surveillance footage released by the FBI shows a man walking through an unlocked door in the middle of the night. He’s wearing office-appropriate clothing and moves confidently, like an employee who has a right to be there.

A Washington D.C. creeper also looked like she belonged where she didn’t. She walked into many supposedly secure government offices by chatting with employees outside the office, then following them through the door. When questioned, she claimed she’d left her badge at her desk.

In other cases, creepers use uniforms and props such as mops, toolboxes and clipboards to suggest they’re cleaners or that they work for building maintenance. They may wear stolen or forged ID badges, assuming that no one will examine them too closely.

Exercising vigilance

To protect your business’s and its employees’ property, keep all doors locked, even during work hours. Issue keycards and photo-ID badges to workers and instruct them to be on the lookout for possible intruders. They shouldn’t automatically assume, for example, that someone wearing coveralls and carrying a ladder is authorized to be there. And they shouldn’t unlock the door for anyone — even if that person seems like an employee — unless they know for certain he or she is.

If workers are uncomfortable approaching a possible intruder, they should immediately report the person to your office manager, HR director or building security. The stranger in question may well be an authorized visitor, but it’s better to be safe than sorry. Also ask employees to report the presence of former employees, who sometimes are recruited to carry out corporate espionage.

Even if you don’t keep high-value inventory or electronics on the premises, install security cameras. And instruct employees to lock up purses and wallets and to password-protect computers whenever they leave their workspaces — even if it’s only for a few minutes.

Virtual vs. physical threats

Obviously, IT security must remain a priority for all organizations. But don’t let virtual threats blind you to the need to protect against physical ones. Contact us for help preventing fraud and other forms of theft.

With international trade fraud, your ship may never come in

The U.S. economy depends on import and export markets to run as designed. After all, revenue from trade tariffs and duties contributes $30 billion annually to federal government coffers. Unfortunately, fraud regularly throws a wrench in the works of global trade, and individual businesses suffer. Your company might, for example, lose money if a seller ships substandard goods, or it could get fleeced if it turns out that a shipment doesn’t exist.

The problem with letters of credit

To facilitate international trade, buyers and sellers often rely on documentary letters of credit (DLCs). For a fee, banks issue DLCs that pay sellers from buyers once the specified terms of the DLC are fulfilled. These documents theoretically shift risk to the bank offering the DLC.

According to the Uniform Customs & Practice for Documentary Credits, banks should work with “documents and not with goods, services or performance to which the documents may relate.” Therefore, sellers can present the documents specified in the DLC and receive payment, yet still defraud buyers.

To this end, a seller might:

Falsify documents about cargo status. Even though the seller receives payment under the DLC, the goods never materialize.

Sell substandard goods. Here, the seller ships goods made with lower-quality materials or less than the quantity ordered by the buyer.

Contract with more than one buyer. In this scenario, the cargo exists, but the seller “sells” it to multiple buyers. It collects payment for more than one shipment, but only one company receives the goods. Similarly, a seller might present duplicate bills of lading for the same cargo.

Solutions for protecting your business

So how can you engage in international trade and avoid crooked players? If you’re buying goods, research the seller’s background. Ask for and check references and contact the consulate general in the country where the seller is located. Third-party experts can also investigate the financial standing and business reputations of prospective international trade partners.

You might also engage an independent inspector to verify a shipment. If you include an inspection clause in your DLC, the bank will only issue payment to the seller after it receives the inspection certificate. Or, insert a clause in the DLC that allows you to inspect the goods yourself before payment is released.

Exporters should also be wary

If you’re exporting goods overseas, many of the same principles apply, including performing thorough research on your trade partner. Also, to prevent costly misunderstandings, make sure your contract includes a detailed list of buyer and seller responsibilities. For more information about exporting goods, visit the federal government’s export.gov site or contact us.

How you can help stop elder financial abuse

It’s one of the most difficult types of fraud to unearth. But it doesn’t directly affect businesses or the average consumer — in large part because its victims rarely report it. In fact, they’re often prevented from doing so by perpetrators.

What is it? Financial abuse of seniors, or elder fraud. Many thousands of Americans are victimized each year and some observers fear these crimes are becoming more widespread. But you can help put a stop to elder fraud. Learn the signs and, as the saying goes, if you see something, say something.

Vulnerable targets

Older individuals with retirement savings, accumulated home equity and other significant assets make appealing targets for unscrupulous family members, caregivers, financial advisors, fiduciaries and scam artists who insinuate themselves into their victims’ lives. Seniors could be at risk due to isolation, cognitive decline, physical disability or health problems. Even the recent loss of a spouse can make an otherwise discerning individual unusually vulnerable.

Exact statistics on elder financial abuse are hard to come by, largely because victims hesitate to report it out of fear of their abusers or embarrassment. But various studies estimate that the percentage of the elderly who have experienced financial exploitation in the past 12 months is between 2.7% and 6.6%. Although there’s no reliable national estimate of the financial losses suffered by victims, one study concluded that financially abused seniors in New York state alone lose approximately $110 million annually.

Red flags

There are many red flags associated with the financial exploitation of vulnerable seniors. If you notice that an individual seems fearful or submissive toward a guardian or that a caregiver prevents the elder from speaking for him- or herself, start asking questions. For example, has the elder recently authorized a change in financial management, such as who has power of attorney? Or does the senior:

  • Have a new guardian or caregiver who conducts financial transactions, such as cash withdrawals, on his or her behalf?
  • Seem unusually reluctant to discuss financial matters?
  • Appear unable or unwilling to handle basic financial responsibilities such as paying bills or reviewing financial statements?

If you can gain access to the elder’s financial records, look for frequent large withdrawals (particularly daily maximum currency withdrawals from ATMs), insufficient fund notices, uncharacteristic attempts to wire large sums of money, and recently closed accounts. Any of these could suggest financial fraud or abuse.

Do your part

If you have vulnerable elderly relatives, friends or neighbors, do your part to protect them from fraud and exploitation. Report any concerns to law enforcement or your municipality’s senior services division. And if you’re a family member, consider engaging a forensic accounting expert to perform a thorough investigation.

How to put the brakes on lapping schemes

Lapping is one of the most common ways crooked employees skim money from their employers. In these schemes, a perpetrator uses receipts from one account to cover theft from another. Here’s what lapping looks like and how you can help prevent it.

Starting small

Lapping scams usually start small, with an employee pocketing a payment from ABC company and using a payment from XYZ company to hide the loss. As time goes on, however, the amounts get larger and the employee is forced to maintain detailed records to track the movement of money.

This house of cards usually tumbles when the employee makes an error. One commonly cited example is the man who stole $150,000 by programming an elaborate computer scam based on 29-day cycles. It collapsed because he forgot that February normally has only 28 days.

Warning signs

As with any fraud, there are usually warning signs that can alert you before a minor lapping scheme grows to epic proportions. These include excessive billing errors, accounts receivable writeoffs, decreasing accounts receivable payments and accounts receivable details that don’t agree with the general ledger.

Customer complaints are another red flag and always merit investigation and follow-up. Also look closely if you see delays in posting customer payments.

Protecting accounts

Often, lapping signals that a business has inadequate internal controls. The man who stole $150,000, for example, was his company’s chief programmer and had unlimited access to customer accounts. To ensure lapping doesn’t tempt greedy or desperate employees, take a few simple preventive measures.

Have someone review and compare every check that’s deposited to the receivables ledger. This takes a little time but can offer a big payoff. Better yet, require that two people review the records. To be truly effective, the review should include the actual checks, not just ledgers. Because employees who are lapping may set up their own accounts in the company’s bank, it’s important for reviewers to have a list of valid accounts by bank name and number for authentication.

Another easy protection is to closely monitor aging accounts. If you routinely send overdue notices to customers, pay attention to the responses. When customers say they’ve already paid an invoice, for example, follow up.

Stronger controls

As with most occupational fraud schemes, internal controls are essential to help prevent lapping. If you suspect fraud is occurring in your organization or need to strengthen your controls, contact us.

Wielding Benford’s Law to find fraud

Benford’s Law is a long-standing statistical precept that remains as relevant and widely accepted in fighting fraud as ever. By wielding it effectively, experts can cut down fraudsters who unknowingly reveal their wrongdoings in dubious digits.

Historical background

The rule is named for Frank Benford, a physicist who noted that, in sets of random data, multidigit numbers beginning with 1, 2 or 3 are more likely to occur than those starting with 4 through 9. Studies have determined that numbers beginning with 1 will occur about 30% of the time, and numbers beginning with 2 will appear about 18% of the time. Those beginning with 9 will occur less than 5% of the time.

Further, these probabilities have been described as both “scale invariant” and “base invariant,” meaning the numbers involved could be based on, for example, the prices of stocks in either dollars or yen. As long as the set includes at least four numbers, the first digit of a number is more likely to be 1 than any other single-digit number.

Striking implications

Benford’s Law carries striking implications for fraud detection. To avoid raising suspicion, fraud perpetrators often use figures they believe will replicate randomness. Typically, they choose a relatively equal distribution of numbers beginning with 1 through 9.

Fraud investigators can take advantage of such errors and test data in financial documents including:

  • Tax returns,
  • Inventory records,
  • Expense reports,
  • Accounts payable or receivable, and
  • General ledgers.

Although complicated software programs based on Benford’s Law exist to examine massive amounts of data, the principle is simple enough to apply using basic spreadsheet programs.
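The first-digit test described above can be written in a few lines. The following Python sketch is an added example, not part of the original article: it compares observed leading digits with Benford's expected frequencies using a chi-square statistic. The two ledgers are constructed sample data, and the minimum sample size and the 5% significance threshold are assumptions of this example.

```python
import math
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507  # chi-square critical value, 8 degrees of freedom, alpha = 0.05
MIN_SAMPLE = 110        # assumption: keeps every expected digit count at 5 or more


def first_digit(value):
    """Return the first significant digit of a number, or None if it has none."""
    if value == 0 or not math.isfinite(value):
        return None
    # Scientific notation puts the first significant digit in position 0.
    return int(f"{abs(value):e}"[0])


def benford_test(amounts):
    """Chi-square goodness-of-fit of leading digits against Benford's Law."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n < MIN_SAMPLE:
        raise ValueError(f"only {n} usable amounts; need at least {MIN_SAMPLE}")
    observed = Counter(digits)
    chi2 = sum((observed[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    return {
        "n": n,
        "observed": {d: observed[d] / n for d in BENFORD},
        "chi2": chi2,
        "suspicious": chi2 > CHI2_CRITICAL,
    }


def constructed_natural_ledger():
    """Constructed data: 300 amounts spread evenly on a log scale from 10 to 10,000."""
    return [10 ** (1 + 3 * k / 300) for k in range(300)]


def constructed_fabricated_ledger():
    """Constructed data: 270 amounts whose leading digits 1-9 are equally common."""
    return [d * 100 + 3 * i for i in range(30) for d in range(1, 10)]


if __name__ == "__main__":
    ledgers = {
        "natural": constructed_natural_ledger(),
        "fabricated": constructed_fabricated_ledger(),
        # Same natural amounts at an assumed 110 yen per dollar (scale invariance).
        "natural in yen": [a * 110 for a in constructed_natural_ledger()],
    }
    for name, amounts in ledgers.items():
        result = benford_test(amounts)
        share_of_ones = result["observed"][1]
        print(f"{name:15s} n={result['n']} leading-1 share={share_of_ones:.2f} "
              f"chi2={result['chi2']:.2f} suspicious={result['suspicious']}")
```

A high statistic only marks a data set for closer review; it does not by itself show that the figures were fabricated.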

Not infallible

Benford’s Law, however, isn’t infallible. It may not work in cases that involve smaller sets of numbers that don’t follow the rules of randomness or numbers that have been rounded (resulting in different digits). Also, smaller numbers are more likely to occur simply because they’re smaller and the logical place to begin a count.

Assigned numbers, such as those on invoices, are also iffy. On a similar note, uniform distributions — such as lotteries where every number painted on a ball has an equal likelihood of selection — may not suit a Benford’s Law analysis. And prices involving the numbers 95 and 99 (often used because of marketing strategies) may call for a different approach.

Still relevant

Benford’s Law isn’t appropriate in every instance. And, as advanced metrics forge new inroads into fraud detection, it could fall out of favor. But Benford’s Law is expected to remain a foundational approach to fraud detection for many years to come.

Encourage sales staff to walk an ethical line

When market competition heats up, you might provide extra incentives for your sales staff to perform. But be careful: Some employees may step over the line — to earn bigger bonuses or out of enthusiasm for the challenge — and use unethical sales tactics. Take steps to ensure your salespeople always operate with integrity.

Make a commitment to honesty

Culture starts at the top. If you clearly demonstrate, through both words and behavior, your commitment to honesty, your sales team will get the message. Your customers will too.

Try to anticipate the challenges your sales force may face as they attempt to meet sales goals. The temptation to sell more than your company can deliver, for example — or to recommend a product they know isn’t the best solution for a customer’s problem — may be strong. Those and similar sales strategies may land the account, but they do nothing to build the trust and credibility your business needs to keep that account over the long haul.

It’s also important that your company and salespeople don’t try to slip through loopholes when a situation requires taking responsibility. For example, some insurance companies that wrote coverage on homes and businesses damaged during Hurricane Katrina, Superstorm Sandy, and Hurricane Harvey lost goodwill by quibbling over what damage was covered. Ensuing legal battles and negative publicity have done nothing to raise consumer confidence in the insurance industry.

Promote lasting relationships

When your salespeople make a sale, require them to be clear about what the sale includes and what it doesn’t. Reiterate that their job isn’t simply to make sales, but to build lasting customer relationships. To do that, they must always keep the customers’ best interests in mind. To make sure the message gets heard, consider tying compensation to customer satisfaction and repeat business, in addition to sales revenue quotas.

That may mean acknowledging, for example, that one of your products won’t do everything the customer needs it to do. If a customer asks about a feature your product doesn’t have, your sales reps shouldn’t imply that it does. Instead, they should work with the customer to determine whether the desired feature is necessary and emphasize your product’s other features and benefits. Ultimately, however, they must be honest about any limitations.

Your sales force doesn’t need to steer customers to competitors, but they shouldn’t disparage the competition, either. And incentivizing customers to load up on unneeded products during promotions may boost the bottom line, but it won’t do much to build trust.

Shift priorities

Too often sales staffs are encouraged to focus on short-term goals, which makes them more likely to do “whatever it takes” to get a sale. It’s up to you and your managers to prioritize the kind of ethical behavior that’s crucial to your company’s long-term success.

Typosquatters profit from common user errors

The Web has opened plenty of new avenues for criminal behavior. For example, you may have heard of cybersquatting. Someone registers a site’s domain name that includes a trademark and then tries to profit by selling that name to the trademark owner.

But are you familiar with typosquatting? You should be — because these schemes can make just about any organization, along with visitors to its website, the victims of fraud.

Fat fingers

Like cybersquatting, typosquatting (also known as URL hijacking) involves the purchase of domain names in bad faith. It takes advantage of an inclination among users known as “fat fingers” — basically, our tendency to hit the wrong keys and enter misspelled trademarks or brands. For example, in a case involving the retailer Lands’ End, a typosquatter registered domains such as landswnd.com and lnadsend.com. Other human errors — for example, typing the wrong URL extension (.com instead of .org) or omitting punctuation marks such as hyphens — can also work to typosquatters’ advantage.

Some fraudsters seek to divert consumers away from competitors or just draw traffic to their own sites (often pornography or dating sites). A recent report from security firm DomainTools LLC says that major media outlets, including USA Today, the New York Times and the Washington Post, are frequently targeted. DomainTools found hundreds of fraudulent domain names related to these publications.

Big money

Other typosquatters go further. For example, the websites they divert to might feature a phishing scheme, whereby a visitor is induced to enter login information or download malware. Such tactics can make big money for fraud perpetrators — particularly if they target the right sites. Earlier this year, an anonymous typosquatter announced that he had stolen 200 bitcoins (then worth an estimated $760,000) from Dark Web sites over the previous four years.

Typosquatting can also be used for corporate espionage. In one case, a law firm sued a programmer who had obtained a domain name similar to its own, except for a minor typo. The law firm alleged that the defendant had used his doppelgänger domain name to create fake email accounts and intercept email sent to the firm.

Best defenses

When it comes to avoiding typosquatting, awareness is probably the best defense. Your company should regularly check various mistyped versions of its URLs and consider purchasing as many similar domain names as possible. Contact us if you’re worried about fraud — both on- and off-line.
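One way to automate the regular check of mistyped versions is to screen domains that show up in mail logs or new-registration feeds against your own name. The following Python sketch is an added example, not part of the original article: it flags single-keystroke typos, swapped letters, hyphen variants and extension swaps. The brand domain landsend.com is inferred from the typo examples quoted above, the other sample domains are constructed, and the function names are hypothetical.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ln" typed for "nl"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_domain(domain):
    """Split 'name.tld' into (name, tld). Assumption: a single-label extension."""
    name, _, tld = domain.strip().rstrip(".").lower().rpartition(".")
    return name, tld


def classify(candidate, brand, max_edits=1):
    """Return why candidate looks like brand, or None if it does not."""
    name, tld = split_domain(candidate)
    brand_name, brand_tld = split_domain(brand)
    if (name, tld) == (brand_name, brand_tld):
        return None  # the legitimate domain itself
    if name == brand_name:
        return "tld-swap"
    if name.replace("-", "") == brand_name.replace("-", ""):
        return "hyphen-variant"
    edits = osa_distance(name, brand_name)
    if edits <= max_edits:
        return f"typo ({edits} edit)"
    return None


def find_lookalikes(brand, observed):
    """Map each observed domain that resembles brand to the reason it was flagged."""
    hits = {}
    for domain in observed:
        reason = classify(domain, brand)
        if reason is not None:
            hits[domain] = reason
    return hits


# Sample input: the two typo domains come from the article; the rest are constructed.
OBSERVED = [
    "landsend.com",     # the brand itself, must not be flagged
    "LandsEnd.com",     # same domain in a different case, must not be flagged
    "landswnd.com",     # from the article: wrong key
    "lnadsend.com",     # from the article: swapped letters
    "landsend.org",     # constructed: wrong extension
    "lands-end.com",    # constructed: hyphen variant
    "weather.example",  # constructed: unrelated
]

if __name__ == "__main__":
    for domain, reason in find_lookalikes("landsend.com", OBSERVED).items():
        print(f"{domain:16s} {reason}")
```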

Why affinity fraud is particularly heinous

Affinity fraud — where perpetrators exploit connections of race, religion, age, politics and profession — is one of the cruelest forms of criminal deception. Fraudsters often belong to the groups they target and, in addition to stealing money, weaken the bonds within communities.

Affects individuals and businesses

Affinity fraud targets individuals. But it can also hurt businesses if a big chunk of their workforce is affected. If your company employs a large percentage of immigrants, for example, they may be susceptible to fraud perpetrated by other immigrants and could, as a result, be left penniless. In addition to the effect such emotional trauma can have on company morale, it could make employees more susceptible to stealing in their own efforts to recoup their losses.

Even people who usually are skeptical of common cons are more likely to let down their guard when the pitch comes from someone with a common background. Recently, for example, the Securities and Exchange Commission uncovered a $3 million affinity fraud scheme perpetrated by an investment advisor who targeted his fellow Israeli-Americans living in Los Angeles.

Military veterans are particularly vulnerable to appeals from fake military charities or Department of Veterans Affairs loan schemes. Many of these frauds are committed by individuals posing as ex-service members, but some are perpetrated by actual veterans exploiting their military connections.

Don’t be deceived

No one is immune to affinity fraud. Not only could you be targeted as an individual, but scam artists — potentially including your own employees — could seek contributions as part of your business’s philanthropic activities. Don’t be deceived into believing you can spot such scams. Many affinity frauds are recommended by friends, neighbors and colleagues.

To protect yourself, research any investment opportunity or fundraising organization that approaches you, regardless of who makes the approach. A duped individual may present the opportunity to you in good faith. In fact, that’s why Ponzi schemes are often so successful.

Also, refuse to be pressured into participation before you’re ready, and be skeptical if you’re asked to keep an opportunity confidential or can’t get anything about it in writing. If a suspicious investment offer comes via e-mail, forward it to enforcement@sec.gov for investigation.

Hard, but not impossible, to fight

Affinity fraud can be hard to fight because victims are less likely to report it than other criminal acts. They may prefer to work within their community to try to resolve the problem instead of exposing it to law enforcement and media attention. But if you suspect a wolf is operating in your community’s fold, speak up. And contact us. We can help you confirm the existence of fraud.
