Beware of new deceptive strains of payroll phishing

Standard

hacker dollar

This blog has recommended KnowBe4 previously as an impressive source of news on cybersecurity. I have subscribed to the newsletter and receive weekly, timely and scary cybercrime updates in my inbox. I recommend to all lawyers that they spend the time and funds necessary to remain safe and vigilant in the arena of cybersecurity. Nothing is more important to us than the safety of our clients’ funds. In this case, however, it is our operating funds and our employees’ funds that are at risk. Those funds are important, too!

The July 10 newsletter was particularly interesting in that it reports a new strain of payroll phishing that has surfaced recently. The bad actors pose as employees and request a specific pay stub from a payroll administrator or corporate executive. KnowBe4 reports that it has seen hundreds of these phishing attempts, all almost identically worded and possibly coming from one set of fraudsters. All of the emails came from an “oddball Comcast.net email address” with nonsense usernames of similar length.

Please read this newsletter carefully and pay attention to the emails and supporting documents. In this particular case, the bad actors opened a bank account, ordered checks for that account and used one of those checks to support the phishing attempt.

Unfortunately, many of the targeted payroll employees, always willing to help employees with their payroll concerns, have responded to the requests. The emails are simple, direct and dispense with any attempt to construct believable backstories or pretexts.  According to KnowBe4, the emails invite an unthinking, reflexive response from targeted users.

Share this information with your staff members and encourage them to avoid those unthinking, reflexive responses!

Advertisements

Feds extend timeframe of FinCEN order

Standard

Will this obligation eventually extend to South Carolina?

Secretly purchasing expensive real estate continues to be a popular method for criminals to launder dirty money. Setting up shell entities allows these criminals to hide their identities. When the real estate is later sold, the money has been miraculously cleaned.

In early 2016, The Financial Crimes Enforcement Network (FinCEN) of the United States Department of the Treasurer issued an order that required the four largest title insurance companies to identify the natural persons or “beneficial owners” behind the legal entities that purchase some expensive residential properties.

shutterstock_1074483872

At that time, the reach of the project extended to the Borough of Manhattan in New York City, and Dade County, Florida, where Miami is located. In those two locations, the designated title insurance companies were required to disclose to the government the names of buyers who paid cash for properties over $1 million in Miami and over $3 million in Manhattan. The natural persons behind the legal entities had to be reported for any ownership of at least 25 percent in an affected property.

By order effective August 28, 2016, all title insurance underwriters, in addition to their affiliates and agents, were required to be involved in the reporting process, and the footprint of the project was extended.

The targeted areas and their price thresholds as of August 28, 2016 were:

  • Borough of Manhattan, New York; $3 million;
  • Boroughs of Brooklyn, Queens and Bronx, New York; $1.5 million;
  • Borough of Staten Island, New York; $1.5 million;
  • Miami-Dade, Broward and Palm Beach Counties, Florida; $1 million;
  • Los Angeles, San Francisco, San Mateo, Santa Clara and San Diego Counties, California; $2 million; and
  • Bexar County (San Antonio), Texas; $500,000.

By order effective September 22, 2017, wire transfers were included, and the footprint of the project will include transactions over $3 million in the city and county of Honolulu, Hawaii.

The Geographic Targeting Orders were updated again beginning March 21, 2018, and extended to September 16, 2018

Although the initial project was termed temporary and exploratory, FinCEN has indicated that the project is helping law enforcement identify possible illicit activity and is also informing future regulatory approaches.

We have no way of knowing whether or when this program may be expanded to South Carolina, but it is entirely likely that expensive properties along our coast are being used in money laundering schemes. We will keep a close watch on this program for possible expansion!

New Cybersecurity law in SC affects insurance companies and agents

Standard

The effective date is January 1, 2019

South Carolina’s legislature passed a cybersecurity bill on April 18, and Governor Henry McMaster signed it into law on May 3. The new law, which requires that insurers and producers (agents) must establish “strong and aggressive” programs to protect companies and consumers from data breaches, goes into effect at the beginning of next year. The law is called South Carolina Data Security Act, and it will be found at §38-99-10 et seq. of the South Carolina Code.

Insurers and agents must develop, implement and maintain a comprehensive written information security program based on internal risk assessments which contain administrative, technical and physical safeguards for the protection of nonpublic information.

New rules were created that include overseeing third party providers, investigating data breaches and notifying regulators, including the South Carolina Department of Insurance, of cybersecurity events.

security unlocked data breach

Notification is required to the DOI within 72 hours after determining a cybersecurity event has occurred. Each incident must also be investigated to determine the scope of the breach, the nonpublic information compromised, and the measures to restore the security of the information.

Safe guarding individual insurance policy holders’ personal information is a high priority in the wake of several major insurance companies’ data breaches. Insurers and agents are required to mitigate the potential damage caused by date breaches.

South Carolina was the first state to pass this measure based on the model law developed by the National Association of Insurance Commissioners Cybersecurity Working Group. South Carolina Insurance Director Raymond Farmer chaired the group.

How will this new law be applied to real estate lawyers who are also title insurance agents?  My guess is that the title insurance companies, which probably already have complying programs in place, will provide guidance to their agents between now and the end of the year. Stay tuned!

Phishing scam of the week

Standard

I have subscribed to “CyberheistNews” at knowbe4.com and highly recommend this brief newsletter as an excellent source for current information on the latest scams that may hit your office and personal computers.

The news this morning was striking because it involves current events. Social engineering follows seasonal patterns, as we know. We have noticed in our business, that long weekends lead to attacks because of the extra day that we may not be sitting at our desks to keep computer systems and our wires safe. The newsletter cites holiday-themed phishing attacks between Thanksgiving and New Year’s Day.

email fish hook

The news today involves implementation of the European data privacy regulation going into effect on May 25. It’s called General Data Protection Regulation (GDPR) and the scam email looks as if it is from Apple and claims that if you do not take action, your account will be “restricted”. But in fact, as usual, the scammers will attempt to steal your identity and credit card information.

In addition to looking legitimate, according to CyberheistNews, the bogus website is more sophisticated than most phishing sites because the fraudsters correctly set the web directory permissions and encrypted the spoofed site using Advanced Encryption Standard (AES) in order to successfully bypass some anti-phishing tools used in antivirus solutions.

The victim is asked to “update payment details” in order to see their accounts return to normal. Taking this action sends the victim’s payment information to the scammers.

According to the newsletter, companies worldwide are, in fact, working on becoming GDPR compliant and trying to make sure the people whose data they have collected have consented to give them information. Criminals are aware of this and are using this turn of events to their advantage.

And, then, there is the royal wedding. CyberheistNews’ advice about that is that the wedding is a scammer’s dream, and computer users should be advised to seek news about it only from trusted websites.

Don’t click links in emails or social media links related to the royal wedding or open suspicious attachments that claim any kind of problem with GDPR. Delete these emails or forward them to you IT experts.

And subscribe to this newsletter!

Real estate agent rental scam exposed

Standard

Two agents, one in Texas, and one in NY, allegedly involved

Most successful dirt lawyers have excellent working relationships with the real estate agents who assist their clients in buying, selling and leasing real estate. And most effective real estate agents prove themselves to be trustworthy in their business practices. Recently, two almost identical scams in remote states involved alleged real estate agents, according to a May 4 article in Housing Wire titled, “Two real estate agents caught behaving badly”, by Jacob Gaffney.

house sale fingers crossed

The first story is set in Missouri City, Texas, and was originally reported by the television station, KHOU 11 News. According to this story, police are investigating a woman purporting to be a real estate agent who approached John and Pamela Hall offering to sell their dream home located at the corner of Montego Bay and Palm Harbour. The Halls had already vacated the home, and the alleged real estate agent promised to sell the home quickly. Both homeowners signed the paperwork allowing the culprit to list their home.

Several days later, the Halls were called by someone interesting in renting their attractive waterfront home from a listing they saw on Craigslist. When the Halls investigated the Craigslist entry, they discovered that the alleged real estate agent had actually created fraudulent documents, including a power of attorney and a deed, to take title to their home in the name of an LLC. When the Halls drove by their property, they saw someone moving in! The new “tenant” reported that he had paid $5,000 up front to lease the home.

The television station attempted to find the real estate agent’s name in the records of The Texas Real Estate Commission, but no such agent was found. The culprit used different names in dealing with the Halls and the tenant, and, so far, has been successful in stealing $5,000. The scam has no doubt caused a great deal of inconvenience to the Halls, not to mention the potential expenditure of funds in the form of attorney’s fees necessary to straighten out the public records.

The second story took place in Hampton Bays, New York. Southhampton Town Police said they received two complaints in February involving an alleged real estate agent taking deposits for a rental home. The prospective tenants were told the home was not yet available when the respective move-in dates approached, and the home owners had no relationship with the real estate agent and never received rent. Additional victims came forward, and police arrested Melanie Williams, 54, in April, on three counts of fourth degree grand larceny and three counts of first degree scheme to defraud. Detectives say they believe there may be additional victims in this scheme.

The Russian proverb quoted by President Ronald Reagan seems to be good advice in any situation concerning a real estate agent, or any professional for that matter, who is not known personally. Tell your clients to trust but verify!

Two new fraud scams

Standard

The fraudsters keep updating their repertoires!

Fraudsters are creative! It seems as soon as we learn and educate our staff members about new fraud schemes, the swindlers change their schemes to keep us on our toes. I wanted to pass along two new schemes that recently came to my attention.

The first was reported in our company publication, Fraud Insights, and it involved a residential sale in Las Vegas. An astute title insurance company employee, Larissa Conrad, was able to frustrate the fraudster’s plans. Here’s how the scheme unfolded. On March 7, Larissa sent an estimated closing statement to the listing agent. The closing involved the payoff of a Wells Fargo mortgage. The listing agent purportedly sent back to Larissa, by email, an “updated” payoff statement. Larissa compared the two payoff statements carefully. The wiring instructions were particularly troubling:

Larissa called the payoff lender and confirmed her suspicion that the second payoff was from a fraudster. She then called the listing agent, using a trusted telephone number, and reported that someone was posing as him in the transaction and sending emails from an account that looked like his. She wired the correct payoff amount using the correct wiring instructions, saving $153,300.37.

The second scam, involving texting, was reported by CyberheistNews. The victim receives a text asking whether a password reset for a Gmail account has been requested. If not, the text advises, please reply with the word “STOP”. If the victim replies with “STOP”, the next text urges the victim to send a six-digit numerical code in order to prevent the password from being changed. By sending the code back to the attacker, the victim is enables the bad guy to complete the password change and to have access to the account and all its email.

Remember that Google and other companies will not ask whether you don’t want to do something with your account. A reply to a text like this often notifies the fraudster that a valid telephone number has been reached.

two factor authentication

A two-factor authentication process is highly recommended because it provides an additional layer of security and makes it harder for attackers to gain access. The victim’s password alone is not enough to pass a two-factor authentication process. Typically, the first authentication factor would be based on knowledge (a password) and the second factor would be based on possession (of an ID card, a token or a smartphone, for example). Ask your IT professionals for assistance is keeping your accounts safe by using this process.

And, as always, the best advice may be to keep schooling yourself about the various scams as they are reported. I’ll do my best to help!

Scary telephone identity compromise story from one of our own

Standard

Our company distributes a great publication, Fraud Insights, which tells scary fraud stories every month. Lisa Tyler, National Escrow Administrator, edits this publication and does a great job keeping us informed about new scams. A Fraud Insights story in March came from one of our company employees who told her personal identity compromise story to prevent it happening to the rest of us. I’m going to translate the story to South Carolina terms and call the victim Pam Paralegal.

Pam Paralegal was working on a messy residential purchase file in her office in Charleston and was not focusing on the telephone call on her cell phone that she received purportedly from her personal bank. The caller ID was indeed Pam’s bank’s name. When Pam answered, the caller identified herself as Jill Jones and said she was with the fraud department of the bank. Ms. Jones said she was going to text a code to Pam to confirm Pam’s identity.

scammer calling

Pam received the text code and read it back to Ms. Jones.  Ms. Jones then asked if Pam had authorized a $1,000 transfer from her account that morning. Pam said that she had not made that transfer. Pam told Ms. Jones that she would log into her online account to determine whether that transfer was showing up, but Ms. Jones told Pam the bank had already shut down her ability to access her account via the Internet. Ms. Jones told Pam that she needed her to read off an additional text code to authorize the shutdown. When Pam read the second text code back, the phone line went dead.

Pam immediately started receiving emails from her real bank. The first email confirmed a change in Pam’s password. The second email confirmed Pam had authorized a $1,000 withdrawal via electronic funds transfer. Pam called her bank to report the incident and later received a call back from the real fraud department. Pam was informed that the thieves had stolen $1,000 by using her Social Security number, and that they really had shut down her account.

Pam purchased a credit monitoring service, filed a police report, and contacted all three credit bureaus to make them aware of the incident. And she is still missing $1,000.

Here are seven tips from the Better Business Bureau ® (BBB) offers to protect against telephone scams:

  1. Do not trust caller ID: Victims fall for telephone scams because they assume the number on their caller ID is the correct person. Scammers can easily spoof numbers to make it look like a certain person is calling you, when in reality they are not. Some scammers will use your own telephone number for the caller ID. Others will use your prefix with a different last four digits to make you assume you’re being contacted by a neighbor.
  2. Do not give out personal information: Any legitimate person or business who reaches out to you will already have your information on hand. If they do not, or if you receive a call out of the blue asking for personal information, just hang up.
  3. Scammers usually pose as a trusted source: Like the story from Pam who was called from someone posing as an employee in the fraud department of her bank, scammers will pose as a trusted source to attempt to obtain information from you. Hang up immediately.
  4. Do not press buttons: Many “robocallers” will prompt you to “press 9” to be taken off their call list. Pressing 9 will only do the opposite and flood your phone with even more calls. Pressing a number on the keypad alerts the scammers that they have reached an active telephone number.
  5. Beware of big name companies calling: Scammers impersonate big name companies, charities and legitimate businesses, hoping that you will be more inclined to give personal information to them. If you receive such a call, hang up immediately, find the appropriate number and call the business to verify.
  6. Sign up for the Do Not Call Registry: To cut down on the amount of calls you receive, you can register your phone number for free through the Federal Trade Commission (FTC) Do Not Call Registry. This registry prohibits calls, informational calls, telephone survey calls and calls from companies you have recently done business with.
  7. Do not answer: If you receive a call from a number you don’t recognize, let it go to voicemail. Any legitimate person or business will leave a message. If a scammer decides to leave voicemail, you will have time to think about what is being asked by them, instead of being pressured on the spot to give up your personal information.

That last tactic is the one used in our household and with my business cellphone. If I don’t recognize the number, I don’t answer the call. It makes more sense to return the call of a legitimate caller than to become involved with a scammer or telemarketer. That’s my plan and I’m sticking to it!