White Hat Hacker: Social Media Is a 'Goldmine For Details' For Cyberattacks Targeting Companies

Many employees are their own worst enemy when they start a new job. In this Fast Company article, a white hat hacker explains the security fails by employees that compromise their employer's data security.

Stephanie “Snow” Carruthers, the chief people hacker within a group at IBM Inc., explained that hackers troll:

"... social media for photos, videos, and other clues that can help them better target your company in an attack. I know this because I’m one of them... I’m part of an elite team of hackers within IBM known as X-Force Red. Companies hire us to find gaps in their security – before the real bad guys do... Social media posts are a goldmine for details that aid in our “attacks.” What you find in the background of photos is particularly revealing... The first thing you may be surprised to know is that 75% of the time, the information I’m finding is coming from interns or new hires. Younger generations entering the workforce today have grown up on social media, and internships or new jobs are exciting updates to share. Add in the fact that companies often delay security training for new hires until weeks or months after they’ve started, and you’ve got a recipe for disaster..."

The obvious security fails include selfie photos by interns or new hires wearing their security badges, selfies showing log-in credentials on computer screens, and selfies showing passwords written on post-it notes attached to computer monitors. Less obvious security fails include group photos by interns or new hires with their work team. Group photos can help hackers identify team members to craft personalized and more effective phishing e-mails and text messages using co-workers' names, to trick recipients into opening attachments containing malware.

This highlights one business practice interns and new hires should understand. Your immediate boss or supervisor won't scour your social media accounts looking for security fails. Your employer will outsource the job to another company, which will.

If you just started a new job, don't be that clueless employee posting security fails to your social media accounts. Read and understand your employer's social media policy. If you are a manager, schedule security training for your interns and new hires ASAP.


Health Insurers Make It Easy for Scammers to Steal Millions. Who Pays? You.

[Editor's note: today's guest post, by reporters at ProPublica, discusses security and fraud issues within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Ever since her 14-year marriage imploded in financial chaos and a protective order, Amy Lankford had kept a wary eye on her ex, David Williams. Williams, then 51, with the beefy body of a former wrestler gone slightly to seed, was always working the angles, looking for shortcuts to success and mostly stumbling. During their marriage, Lankford had been forced to work overtime as a physical therapist when his personal training business couldn’t pay his share of the bills.

So, when Williams gave their three kids iPad Minis for Christmas in 2013, she was immediately suspicious. Where did he get that kind of money? Then one day on her son’s iPad, she noticed numbers next to the green iMessage icon indicating that new text messages were waiting. She clicked.

What she saw next made her heart pound. Somehow the iPad had become linked to her ex-husband’s personal Apple device and the messages were for him.

Most of the texts were from people setting up workouts through his personal training business, Get Fit With Dave, which he ran out of his home in Mansfield, Texas, a suburb of Fort Worth. But, oddly, they were also providing their birth dates and the group number of their health insurance plans. The people had health benefits administered by industry giants, including Aetna, Cigna and UnitedHealthcare. They were pleased to hear their health plans would now pay for their fitness workouts.

Lankford’s mind raced as she scrolled through the messages. It appeared her ex-husband was getting insurance companies to pay for his personal training services. But how could that be possible? Insurance companies pay for care that’s medically necessary, not sessions of dumbbell curls and lunges.

Insurance companies also only pay for care provided by licensed medical providers, like doctors or nurses. Williams called himself “Dr. Dave” because he had a Ph.D. in kinesiology. But he didn’t have a medical license. He wasn’t qualified to bill insurance companies. But, Lankford could see, he was doing it anyway.

As Lankford would learn, “Dr. Dave” had wrongfully obtained, with breathtaking ease, federal identification numbers that allowed him to fraudulently bill insurers as a physician for services to about 1,000 people. Then he battered the system with the bluntest of ploys: submit a deluge of out-of-network claims, confident that insurers would blindly approve a healthy percentage of them. Then, if the insurers did object, he gambled that they had scant appetite for a fight.

By the time the authorities stopped Williams, three years had passed since Lankford had discovered the text messages. In total, records show, he ran the scheme for more than four years, fraudulently billing several of the nation’s top insurance companies — United, Aetna and Cigna — for $25 million and reaping about $4 million in cash.

In response to inquiries, Williams sent a brief handwritten letter. He didn’t deny billing the insurers and defended his work, calling it an “unprecedented and beneficial opportunity to help many people.”

“My objective was to create a system of preventative medicine,” he wrote. Because of his work, “hundreds of patients” got off their prescription medication and avoided surgery.

There are a host of reasons health care costs are out of control and routinely top Americans’ list of financial worries, from unnecessary treatment and high prices to waste and fraud. Most people assume their insurance companies are tightly controlling their health care dollars. Insurers themselves boast of this on their websites.

In 2017, private insurance spending hit $1.2 trillion, according to the federal government, yet no one tracks how much is lost to fraud. Some investigators and health care experts estimate that fraud eats up 10% of all health care spending, and they know schemes abound.

Williams’ case highlights an unsettling reality about the nation’s health insurance system: It is surprisingly easy for fraudsters to gain entry, and it is shockingly difficult to convince insurance companies to stop them.

Williams’ spree also lays bare the financial incentives that drive the system: Rising health care costs boost insurers’ profits. Policing criminals eats away at them. Ultimately, losses are passed on to their clients through higher premiums and out-of-pocket fees or reduced coverage.

Insurance companies “are more focused on their bottom line than ferreting out bad actors,” said Michael Elliott, former lead attorney for the Medicare Fraud Strike Force in North Texas.

As Lankford looked at the iPad that day, she knew something else that made Williams’ romp through the health care system all the more surprising. The personal trainer had already done jail time for a similar crime, and Lankford’s father had uncovered the scheme.

Scanning her ex-husband’s texts, Lankford, then 47, knew just who to call. During the rocky end of her marriage, her dad had become the family watchdog. Jim Pratte has an MBA in finance and retired after a career selling computer hardware, but even the mention of Williams flushed his face red and ratcheted up his Texas twang. His former son-in-law is the reason he underwent firearms training.

Lankford lived a few minutes away from her parents in Mansfield. She brought her dad the iPad and they pored over message after message in which Williams assured clients that their insurance would cover their workouts at no cost to them.

Lankford and Pratte, then 68, were stunned at Williams’ audacity. They were sure the companies would quickly crack down on what appeared to be a fraudulent scheme.

Especially because Williams had a criminal record.

In early 2006, while Williams and Lankford were going through their divorce, the family computer started freezing up. Lankford asked her dad to help her recover a document. Scrolling through the hard drive, Pratte came upon a folder named “Invoices,” and he suspected it had something to do with Williams.

His soon-to-be ex-son-in-law had had a promising start. He’d wrestled and earned bachelor’s and master’s degrees at Boise State University, and a Ph.D. at Texas A&M University, before landing a well-paying job as a community college professor in Arlington. But the glow faded when the school suddenly fired him for reasons hidden by a confidential settlement and by Williams himself, who refused to reveal them even to his wife.

Out of a job, Williams had hustled investments from their friends to convert an old Winn-Dixie grocery store into a health club called “Doc’s Gym.” The deal fell apart and everyone lost their money. The failure was written up in the local newspaper under the headline: “What’s up with Doc’s?”

Inside the “Invoices” folder, Pratte found about a dozen bills that appeared to be from a Fort Worth nonprofit organization where his daughter and Williams took their son Jake for autism treatment. As Pratte suspected, the invoices turned out to be fake. Williams had pretended to take Jake for therapy, then created the false bills so he could pocket a cash “reimbursement” from a county agency.

In November 2008, Williams pleaded guilty in Tarrant County District Court to felony theft. He was sentenced to 18 months in jail and was released on bail while he appealed.

Things took an even darker turn about two years later when Williams and Lankford’s 11-year-old son showed up to school with bruising on his face. Investigators determined that Williams had hit the boy in the face about 20 times. Williams pleaded guilty to causing bodily injury to a child, a felony, which, coupled with the bail violation, landed him in jail for about two years.

The time behind bars didn’t go to waste. Williams revised the business plan for Get Fit With Dave, concluding he needed to get access to health insurance.

Williams detailed his plans in letters to Steve Cosio, a tech-savvy friend who ran the Get Fit With Dave website in exchange for personal training sessions. Cosio, whose name later popped up on Lankford’s son’s iPad, kept the letters in their original envelopes and shared them with ProPublica. He said he never suspected Williams was doing anything illegal.

In his letters, Williams said that when he got out, instead of training clients himself, he would recruit clients and other trainers to run the sessions. “It has the potential for increased revenue.”

He asked Cosio to remove the term “personal training” from his website in another letter, adding “95 percent of my clients are paid for by insurance, which does not cover ‘personal training,’ I have to bill it as ‘therapeutic exercise.’ It is the same thing, but I have to play the insurance game … Insurance pays twice as much as cash pay so I have to go after that market.”

Williams downplayed his child abuse conviction — “I can honestly say that I am the only one in here for spanking their child” — and included a dig at his ex-father-in-law, Pratte: “an evil, evil man. He is the reason for my new accommodations.”

Williams told Cosio he needed to raise a quick $30,000 to pay an attorney to get him access to his children. “I will need to get a bunch of clients in a hurry.”

To set his plan in motion, Williams needed what is essentially the key that unlocks access to health care dollars: a National Provider Identifier, or NPI number. The ID number is little known outside the medical community but getting one through the federal government’s Medicare program is a rite of passage for medical professionals and organizations. Without it, they can’t bill insurers for their services.

One would think obtaining an NPI, with its stamp of legitimacy, would entail at least some basic vetting. But Williams discovered and exploited an astonishing loophole: Medicare doesn’t check NPI applications for accuracy — a process that should take mere minutes or, if automated, a millisecond. Instead, as one federal prosecutor later noted in court, Medicare “relies on the honesty of applicants.”

Records show Williams first applied for an NPI under his own name as far back as 2008. But it wasn’t until 2014 that Williams began to ramp up his scheme, even though now he wasn’t just unlicensed, he was a two-time felon. He got a second NPI under the company name, Kinesiology Specialists. The following year, he picked up another under Mansfield Therapy Associates. In 2016, he obtained at least 11 more, often for entities he created in the areas where he found fitness clients: Dallas, Nevada, North Texas and more. By 2017, he had 20 NPIs, each allowing him a new stream of billings.

For every NPI application, Williams also obtained a new employer identification number, which is used for tax purposes. But he never hid who he was, using his real name, address, phone number and email address on the applications. He added the title “Dr.” and listed his credentials as “PhD.” Under medical specialty he often indicated he was a “sports medicine” doctor and provided a license number, even though he wasn’t a physician and didn’t have a medical license.

Medicare officials declined to be interviewed about Williams. But in a statement, they acknowledged that the agency doesn’t verify whether an NPI applicant is a medical provider or has a criminal history. The agency claims it would need “explicit authority” from the Department of Health and Human Services to do so — and currently doesn’t have it. Regulations, and potentially the law, would need to be revised to allow the agency to vet the applications, the statement said.

Medicare does verify the credentials of physicians and other medical providers who want to bill the agency for their Medicare patients.

To those charged with rooting out fraudsters, the current regulations seem like an invitation to plunder. “Medicare has to make sure that the individuals who apply for NPIs are licensed physicians — it’s that simple,” said Elliott, the former prosecutor who ran about 100 health care fraud investigations.

Elliott, who now does white-collar criminal defense, said he knows of two other cases currently under federal investigation in which non-licensed clinic administrators lied to obtain NPI numbers, then used patients’ information to file false claims worth millions.

Medicare warns NPI applicants that submitting false information could lead to a $250,000 fine and five years in prison. But since Medicare started issuing NPIs in 2006, officials said they could not identify anyone who had been sanctioned.

So, for those bent on fraud, the first step is easy; the online approval for an NPI takes just minutes.

Williams got out of jail in November 2012 and launched an aggressive expansion with an irresistible pitch: Time to get those private personal training sessions you thought you couldn’t afford!

“Now accepting most health insurance plans,” his Get Fit With Dave website announced. He added a drop-down menu to his site, allowing potential clients to select their health insurance provider: Aetna. Blue Cross Blue Shield. United.

He began building a team, soliciting trainers from the strength and conditioning department at Texas Christian University. He met with new recruits at local fast food joints or coffee shops to set them up. To the trainers, the business appeared legit: They even signed tax forms. Before long, Williams’ network stretched throughout Texas and into Colorado, Idaho and Nevada.

One Fort Worth trainer recalled meeting Williams through one of his clients, a Southwest Airlines flight attendant. Williams, he said, seemed like a real doctor, and it wasn’t hard to imagine an insurer’s wellness program covering fitness. Plus, it was good money — about $50 an hour and Williams paid him for multiple clients at once if he did boot camps, said the trainer, who asked that his name not be used so he wouldn’t be tarnished by his association with Williams. Williams, he said, even gave him an iPad, with “Kinesiology Specialists” etched on the back, to submit bills and paid him via direct deposit.

Clients came to Williams through his business cards, his website and word-of-mouth. Williams, records show, quickly verified if their insurance companies would cover his fees — although he didn’t tell clients that those fees would be billed as medical services, not personal training. To ensure the clients paid nothing, he waived their annual deductibles — the portion patients pay each year before insurance kicks in. Authorities said Williams banked on being able to file enough claims to quickly blow through their deductibles so he could get paid.

Meredith Glavin, a flight attendant with Southwest, told the authorities she got in touch with Williams after her co-workers said insurance was covering their workouts. After providing her name, address and insurance information on the Get Fit With Dave website, Williams emailed back with the good news: “Everything checks out with your insurance. My services will be covered at no cost to you.”

During a follow-up phone call, Glavin said, they discussed her fitness and weight loss goals and then Williams connected her with a trainer. The workouts were typical fitness exercises, she said, not treatment for a medical condition. But insurance claims show Williams billed the sessions as highly complex $300 examinations to treat “lumbago and sciatica,” a condition in which nerve pain radiates from the lower back into the legs.

He used his favorite billing code — 99215 — to bill Glavin’s insurer, United, the claims show. The code is supposed to be used less often because it requires a comprehensive examination and sophisticated medical decision-making, warranting higher reimbursement. In all, Williams used the code to bill United for more than $20.5 million — without apparently triggering any red flags at the insurer. For that code alone, the insurance giant rewarded him with $2.5 million in payments.

Eventually, Get Fit With Dave expanded to about a dozen trainers and around 1,000 patients, said a source familiar with the case. And, court records show, the checks from insurance companies, some over $100,000, kept rolling in.

Williams bought a couple of pick-up trucks, a new Harley Davidson motorcycle and a fancy house. But greed didn’t seem his only motivation. “I made $50K last week,” he wrote in a December 2014 text to a friend. “Seriously it means nothing. It is not about the money. I have had a lot taken away from me, and maybe I am trying to prove something ... Maybe it is my way of giving the finger to everyone???”

A few miles away, his former father-in-law watched Williams’ illegal business blossom with growing outrage. Pratte kept his grandson’s iPad on his desk, near his computer, and checked it every day. The texts appeared boring, even routine, but Pratte knew they were evidence of ongoing fraud.

“I have another flight attendant friend who is interested in signing up as well,” a new client texted to Williams.

“Tell him to show up with his insurance card,” Williams replied.

To Pratte, the text messages were a “gold mine.” This is the stuff that will really nail his rear end, he recalled thinking as he read the messages. He couldn’t wait to share his findings with the insurers. How often do they get cases wrapped up in a bow?

But when he and Lankford began contacting insurers, they were soon bewildered. When Pratte told Aetna that he wanted to report a case of fraud, he said the customer service representative asked for his member number, then told him non-members couldn’t report criminal activity. Lankford, who happened to be covered by Aetna, made the complaint, but they say they never heard back.

An Aetna spokesman told ProPublica that the insurer could find no record of Pratte’s call but said the company’s fraud hotline takes tips from anyone, even anonymous callers.

Lankford sent an email to Cigna’s special investigations unit in January 2015 “regarding one of your providers that concerns me.” She provided Williams’ company name, address, cellphone number, Social Security number and more, and she described his scheme. “He has no medical license or credentials,” she wrote. “He was in prison for felony theft.”

A supervisory investigator called to ask for the names of personal trainers, which Lankford provided. But, again, there was silence.

Pratte could see many of the clients worked for Southwest and had their benefits administered by United. He jotted down the name, address, phone number, birth date and member identification number of the potential clients on a yellow legal pad — all the information the insurer and Southwest would need to investigate the fraud. This is so easy, Pratte recalled thinking as he wrote down the details, all they have to do is cross-reference this.

Because Southwest self-funds its benefits, the company was on the hook for the bills, which would eventually total about $2.1 million according to a source familiar with the case. It paid United to administer the company’s plan and ensure the claims it covered were legitimate. Pratte said he called the airline in the fall of 2015 and spoke to someone in the human resources department who said they would pass the information to the right people. “That was the last I heard,” he said. Southwest declined to comment for this story. It still pays United to administer its benefits.

Pratte started calling United in the fall of 2014 and spoke to a fraud investigator who took the information with interest, he said. But within a couple of weeks he was told she moved to a different position. Pratte continued calling United over the following two years, making about a dozen calls in total, he said. “He is not a doctor,” Pratte told whoever picked up the phone. “So, I don’t see how he can be filing claims.”

In early 2015, Lankford emailed additional information to the investigator. The investigator wrote back, thanking Lankford and saying she forwarded the details to the people who research licenses. “They will investigate further,” she said in the email.

Meanwhile, the text messages showed Williams continuing to sign up — and bill for — United members.

Frustrated, Pratte made one final call to United in 2016, but he was told the case was closed. United said he’d have to call the Texas Department of Insurance for any additional details. Pratte had already filed a complaint with the regulator but reached out again. The department told him that because he hadn’t personally been defrauded, it would not be able to act on his complaint.

To Pratte, it appeared he had struck out with Aetna, United, Southwest and the Texas Department of Insurance. “I was trying to get as many people as possible to look into it as I could,” Pratte said recently. “I don’t know if that tells me they are incompetent. Or they don’t care. Or they’re too busy.”

A case summary, prepared by the Texas Department of Insurance, shows it first learned of the Williams case in January 2015 but lacked staff to investigate. A spokesman said the regulator later received Pratte’s complaint but didn’t pursue it after learning that United had already investigated and closed its case.

Meanwhile, some Get Fit With Dave clients had begun noticing odd claims on their insurance statements.

Nanette Bishop had heard about Williams when a fellow Southwest flight attendant handed her the trainer’s business card and said, “You’ve got to meet Dr. Dave.” (Bishop said the Southwest legal department advised her not to speak with ProPublica. Details about her interaction with Williams come from court records.)

Bishop said she started strong with the workouts but “fizzled” quickly. Her daughter, who was also on her plan and signed up for workouts, only did a couple of sessions. Bishop said she had a hard time staying consistent because she was traveling a lot — for much of October 2014 she was in Germany. Later, she noticed in her insurance records that Williams had been paid for dozens of sessions over many months, even during the time she’d been abroad.

Bishop texted Williams in January 2015 to tell him he needed to refund all the money. “I never worked out four [times] a week and [my daughter] quit the first week of September,” she wrote. Bishop also called United and Southwest Airlines to report the overbilling.

About a month later, Williams received a letter from a subsidiary of United ordering a review of Bishop’s medical records.

Another client texted Williams with concerns that her United insurance plan had been billed for 18 workouts in December 2015. That couldn’t be accurate, the woman wrote. “I had to take December off due to my work schedule and family in town,” she wrote. “I understand that people need to be paid but this seems excessive.”

While Pratte, Lankford and some of Williams’ clients repeatedly flagged bogus bills, the mammoth health insurers reacted with sloth-like urgency to the warnings. Their correspondence shows an almost palpable disinterest in taking decisive action — even while acknowledging Williams was fraudulently billing them.

Cigna appears to have been the quickest to intervene. In January 2015, Cigna sent Williams a letter, noting that he wasn’t a licensed medical provider and had misrepresented the services he provided. The insurer said he needed to pay back $175,528 and would not be allowed to continue billing.

“I just got a $175K bill in the mail,” Williams texted to a friend. “Cigna insurance has been overpaying me for the past 18 months and they want it back. I knew that they were reimbursing at too high of a rate so I can’t really complain.”

By then Williams had more than one National Provider Identifier, so he just switched numbers and kept billing Cigna. More than a year later, in May 2016, Cigna sent another letter, saying he now owed $310,309 for inappropriate payments. In total, the company paid him more than $323,000. Williams never gave any of it back. Cigna declined to comment about the Williams case.

Aetna wrote Williams in January 2015 to say it had reviewed his claims and found he wasn’t licensed, resulting in an overpayment of $337,933. The letter said there appeared to be “abusive billing” that gave “rise to a reasonable suspicion of fraud.” But the insurer also gave him a month to provide documentation to dispute the assessment. When Williams hadn’t responded in three months, an Aetna investigator wrote to Williams’ attorney, saying, “We are willing to discuss an amicable resolution of this matter,” and gave him two more weeks to respond.

That August, an Aetna attorney sent Williams’ attorney another letter, noting that Williams had submitted “fraudulent claims” and had continued to submit bills “even after his billing misconduct was identified.”

In January 2016 — a year after Aetna first contacted him — Williams agreed to a settlement that required him to refund the company $240,000 “without admission of fault or liability by either party.”

But that didn’t stop, or even appear to slow, Williams. Not only did he renege on that promise, he picked one of his other NPI numbers and continued to file claims resulting in another $300,000 in payments from Aetna. In total, Aetna paid Williams more than $608,000.

In emails, Ethan Slavin, a company spokesman, didn’t explain why Aetna settled with Williams instead of pursuing criminal prosecution. He blamed the insurer’s slow response on the lengthy settlement process and Williams’ tactic of billing under different organizations and tax identification numbers. Williams did repay some of the money before defaulting, Slavin said.

United, one of the largest companies in the country, paid out the most to Williams. The insurer brought in $226 billion last year and has a subsidiary, Optum, devoted to digging out fraud, even for other insurers. But that prowess is not reflected in its dealings with Williams.

In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor.

Williams responded a month later, noting that he had a Ph.D. in kinesiology and did rehab, so he met the qualifications of a sports medicine doctor.

United responded in November 2015 with the same argument: he wasn’t licensed and thus needed to repay the money, again warning that if he didn’t, United would “initiate repayment by offsetting future payments.”

Williams took United up on its offer. “Please offset future payments until the requested refund amount is met,” he responded.

Then Williams turned to another NPI number, records show, and continued submitting claims to United.

In January 2016, Williams agreed to settle with United and repay $630,000 in monthly installments of $10,000. Inexplicably, the agreement refers to Williams as “a provider of medical services or products licensed as appropriate under the laws of the state of TX” and notes that the settlement doesn’t terminate his continued participation in United’s programs.

In 2016, Williams obtained a new batch of NPI numbers from Medicare. As usual, he used his real name, address and credentials on the applications. The additional numbers allowed him to continue to make claims to United.

In November 2016, United investigators caught Williams again — twice. They sent two letters accusing him of filing 820 claims between May 2016 and August 2016 and demanded repayment. Again, almost inconceivably, the company threatened to cover his debt with “future payments.”

In December 2016, United notified Williams he had only repaid $90,000 of the initial $630,000 he owed and was in default. The following month, United told him he had to pay the remaining $540,000 within 20 days or he could face legal action. Williams replied, saying he wanted to renegotiate the settlement, but the insurer declined. Late that month, United said its inappropriate payments to Williams had ballooned to more than $2.3 million.

A United spokeswoman said it was difficult to stop Williams because he used variations on his name and different organizations to perpetrate the fraud. “He did everything he could not to get caught,” Maria Gordon-Shydlo said.

She acknowledged getting the complaints from Lankford and Pratte, as well as United members, but defended the response of the company, saying it had eventually referred Williams to law enforcement.

The insurer is continuing “to improve our processes and enhance our systems so we can catch these schemes on the front-end,” she said, “before a claim is paid and to recoup dollars that were paid as a result of provider misconduct.”

In all, United paid Williams more than $3.2 million — most of it after the insurer had caught him in the act.

But in reality, the losses weren’t all United’s. Most of the fraud was funded by its client, Southwest.

Many health care experts and fraud investigators said they weren’t surprised to hear that insurers were slow to stop even such an outlandish case of fraud.

“It’s just not worth it to them,” said Dr. Eric Bricker, an internist who spent years running a company that advised employers who self-funded their insurance.

For insurance behemoths pulling in billions, or hundreds of billions, in revenue, fraud that sucks away mere millions is not even a rounding error, he said.

And perhaps counter-intuitively, insurance companies are loath to offend physicians and hospitals in their all-important networks — even those accused of wrongdoing, many experts have said. They attract new clients by providing access to their networks.

This ambivalence toward fraud, Bricker and others said, is no secret. Scammers like Williams are “emblematic of gazillions of people doing variants of the same thing,” Bricker said. Insurers embolden them by using a catch-and-release approach to fraud, in which the insurers identify criminals, then let them go.

Joe Christensen has pursued fraud for both government and commercial insurers, serving as a director in Aetna’s Special Investigations Unit, a team of more than 100 people ferreting out fraud, from 2013 to 2018 and as the director of Utah’s insurance fraud division for 13 years. Fraud in government programs, like Medicare and Medicaid, gets more publicity, he said, and has dedicated arms of agencies pursuing fraudsters. But the losses may be even greater in the commercial market because the dollar levels are higher, he said.

Some commercial insurers take a passive approach, Christensen said, in part because it’s expensive to press a fraud case. At Aetna, he said, investigators would identify cases of apparent fraud, but it was up to the executives and legal team to decide how to handle them. Taking fraudsters to civil or criminal court requires resources, so the company often settled for trying to get repaid through settlements or blocking a suspect provider from billing, he said.

Christensen said while he was at Aetna, investigators almost never sought to partner with law enforcement agencies to pursue criminal cases. Last spring, he became the SIU director for a Southern California-based Medicaid plan called L.A. Care Health Plan, where he was allowed to take a proactive approach. In just about a year, he said, his much smaller team began 37 criminal investigations with law enforcement agencies. The cases are in different stages, but so far there have been seven arrests, four search warrants and one conviction. Christensen recently took a job with an insurer in Utah, where his family lives, so he could be closer to them.

ProPublica asked Aetna how many criminal cases it had pursued in 2017 and 2018. A company official said the question could not be answered because it does not track such cases.

In the spring of 2017, more than four years after Williams first began billing insurers, one of them, United, finally brought him to the attention of the FBI’s health care fraud squad.

One May day, agents from the FBI and the newly engaged Texas Department of Insurance knocked on the door of Williams’ sprawling six-bedroom home — a spread he’d boasted to one trainer that he’d purchased with cash. Williams didn’t invite them in. He refused to answer questions, claiming his attorney had dealt with the questionable billings.

Undaunted, just days later, Williams used a freshly minted NPI number to send another bill to United. The last known claim he submitted was on June 3, 2017, according to a source familiar with the investigation.

That October, Williams’ long run came to an end when he was arrested by the FBI.

The following May, Williams’ trial began in the United States District Court for the Northern District of Texas. The prosecution didn’t have to make a complex argument. Williams had billed for non-medically necessary services and wasn’t a medical provider — a “slam dunk case” said the agent on the case.

But the testimony served as a cheat sheet for how to defraud the health insurance industry and mostly get away with it.

Without irony, the prosecutor, P.J. Meitl, argued that Williams had preyed on a health insurance system that relies “on trust, relies on honesty” when it pays claims.

He called fraud investigators from Aetna, Cigna and United, who testified that their companies auto-pay millions of claims a year. It’s not cost effective to check them, they said. “Aetna relies on the honesty of the person submitting the claim verifying that it’s true,” testified Kathy Richer, a supervisor in Aetna’s Special Investigations Unit.

In a similar manner, Medicare trusts that people who apply for NPI numbers are actually medical providers, Meitl told the jury. Medicare “does not investigate or verify whether an individual is actually a health care provider before issuing an NPI number.”

Williams’ attorney, Wes Ball, argued that the case was the sign of a “broken” health care system and blamed insurers for making a financial decision not to review Williams’ claims before paying them. United failed to protect Southwest’s money, Ball said, and “might be a vendor you might not want to hire.”

As for the NPI numbers, anyone could have checked Williams’ credentials, he said.

The jury wasn’t convinced, convicting Williams of four counts of health care fraud.

The judge sentenced him to a little more than nine years in federal prison and ordered him to pay $3.9 million in restitution to United, Aetna and Cigna.

Insurers promote themselves as guardians of health care dollars. United says on its website it wants to “help employers manage” medical expenses, resulting in “lower costs.” Aetna promises employers “affordability.” Cigna promises “increased savings.”

But private health insurers allow so much fraud that prosecutors use an idiom to describe the rare person who gets caught: “Pigs get fat, hogs get slaughtered.”

“Pigs” can steal millions, if they bill just enough to avoid notice. But if they get greedy and bill too many millions, they “become a data outlier,” said Elliott, the former fraud task force prosecutor. “You get slaughtered.”

Williams took years to reach hog status.

Part of the problem, experts say, is that health care fraud is often misunderstood as shafting greedy insurers — not the folks paying for health insurance. Ultimately, insurers don’t bear the cost. For their self-funded clients, like Southwest, they merely process the claims. For their traditionally insured clients, they can recover any losses by increasing deductibles and premiums and decreasing coverage.

Williams appears to have duped more than insurers. His twin brother, Dan Williams, recently retired as the assistant special agent in charge of the Dallas field office for criminal investigation for the Internal Revenue Service. He spent 27 years ferreting out fraud, and he gets the irony. “You’re not the first person to point that out,” he said.

Dan Williams said his brother’s sudden riches from the training business piqued his investigative instincts, but he “trusted” his brother when “he told me he was authorized to bill insurance companies.”

In his letter to ProPublica, Williams did not address the issues in the case or even acknowledge that any of his activities were wrong. Instead, he blamed his former wife. “It grieves me that the consequences of a bitter and hurtful divorce have resulted in the ending of this unprecedented and beneficial opportunity to help many people,” he wrote.

Lankford and Pratte are proud of their part in ending his scheme, if still baffled that they had to play such a central role in uncovering it.

If it hadn’t been for the iPad messages, “I have to believe he would still be billing insurance companies from a Caribbean island,” Pratte said.

ProPublica is a Pulitzer Prize-winning investigative newsroom.


Learn To Spot Employment Scams So You Don't Get Tricked And Lose Money

Many consumers like work-at-home jobs. Fast broadband speeds have made work-at-home jobs attractive for consumers. Scammers and fraudsters find them attractive, too. Work-at-home scams are very profitable for online criminals. CBS News explained how one person lost $35,000 to an employment scam:

"Brad Helding wanted some extra work so he posted his resume on some job sites and soon got an email from a company calling itself Delta Express Couriers. The job? An offer to work from home as a "purchase clerk," buying electronics in large quantities, then shipping them to the company's clients, mostly overseas. The company told him since Montana has no sales tax, they'd save money running the purchases through him. The job paid over $72,000 per year... Helding said he did his research, checking the company's website... The company then sent him $2,000 so he bought iPhones at a Best Buy and shipped them off as instructed. He says for the next batch of purchases, the company told him to temporarily use his own credit card..."

Ultimately, Helding bought and shipped $35,000 worth of equipment. The $2,000 check from the company bounced. A credit card the company later provided was stolen and never valid. Now, Helding owes the $35,000 bill. Plenty of other consumers have been tricked by employment scams:

"He's one of thousands of Americans who fall for employment scams. Employment fraud tops the list of the riskiest scams targeting consumers in 2018, according to a new report by the Better Business Bureau (BBB)..."

Experts advise work-at-home candidates to know the warning signs of job scams, and to thoroughly research the company beyond its web site. Use reputable sources, like the BBB's Search Tool and online company directories (e.g., Dun & Bradstreet, Hoovers, Library of Congress). Visit the websites of the Attorney General (AG) or the Secretary of State (SOS) in the state where you live to further research the company. In many states, the SOS is responsible for maintaining lists of licensed/registered persons and businesses.

If you don't have internet access, visit your local public library for more business directories. Demand a face-to-face meeting with the hiring manager. Visit the company's office location, if possible. Don't complete any application forms with sensitive personal information (e.g., name, address, Social Security number, tax ID numbers, bank account numbers, etc.) until after you've verified the company is legitimate.

The bounced check Helding experienced reminded me of the check scam, which is popular among criminals. Online criminals are crafty and persistent. Work-at-home candidates need to be crafty and persistent, too.


'Software Pirates' Stole Apple Tech To Distribute Hacked Mobile Apps To Consumers

Prior news reports highlighted the abuse of Apple's corporate digital certificates. Now, we learn that this abuse is more widespread than first thought. CNet reported:

"Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps... The altered versions of Spotify, Angry Birds, Pokemon Go and Minecraft make paid features available for free and remove in-app ads... The pirates appear to have figured out how to use digital certs to get around Apple's carefully policed App Store by saying the apps will be used only by their employees, when they're actually being distributed to everyone."

So, bad actors abuse technology intended for a company's employees to distribute apps directly to consumers. Software pirates, indeed.

To avoid paying for hacked apps, consumers need to shop wisely from trusted sites. A fix is underway. According to CNet:

"Apple will reportedly take steps to fight back by requiring all app makers to use its two-factor authentication protocol from the end of February, so logging into an Apple ID will require a password and code sent to a trusted Apple device."

Let's hope that fix is sufficient.


Welcome To The New, Terrifying World Of Fake Porn. Plenty Of Consequences And Implications

First, I'd like to thank all of my readers -- existing and new ones. Some have shared insightful comments on blog posts. Second, the last post of 2018 features a topic we will probably hear plenty about during 2019: artificial intelligence (AI) technologies.

To learn more about AI and related issues, watch or read the AI episodes within the CXO Talk site. And, MediaPost discussed the deployment of AI by retail stores:

"... retailers seem much more bullish on artificial intelligence, with 7% already using some form of AI in digital assistants or chatbots, and most (64%) planning to have implemented AI within the next three years, 21% of those within the next 12 months. The top reason for using AI in retail is personalization (42%), followed by pricing and promotions (31%), landing page optimization (15%) and fraud detection (21%)."

Like any other online (or offline) technology, AI can be used for good and for bad. The good guys and bad actors both have access to AI technologies. MotherBoard reported:

"There’s a video of Gal Gadot having sex with her stepbrother on the internet. But it’s not really Gadot’s body, and it’s barely her own face. It’s an approximation... The video was created with a machine learning algorithm, using easily accessible materials and open-source code that anyone with a working knowledge of deep learning algorithms could put together."

You may remember Gadot from the 2017 film, "Wonder Woman." Other actors have been victims, too. Where do bad actors get tools to make AI-assisted fake porn? The fake porn with Gadot was:

"... allegedly the work of one person—a Redditor who goes by the name 'deepfakes'—not a big special effects studio... deepfakes uses open-source machine learning tools like TensorFlow, which Google makes freely available to researchers, graduate students, and anyone with an interest in machine learning. Like the Adobe tool that can make people say anything, and the Face2Face algorithm that can swap a recorded video with real-time face tracking, this new type of fake porn shows that we're on the verge of living in a world where it's trivially easy to fabricate believable videos of people doing and saying things they never did... the software is based on multiple open-source libraries, like Keras with TensorFlow backend. To compile the celebrities’ faces, deepfakes said he used Google image search, stock photos, and YouTube videos..."

There is also an AI App for fake porn. Yikes! As bad as this seems, it is worse. According to The Washington Post:

"... an anonymous online community of creators has in recent months removed many of the hurdles for interested beginners, crafting how-to guides, offering tips and troubleshooting advice — and fulfilling fake-porn requests on their own. To simplify the task, deepfake creators often compile vast bundles of facial images, called “facesets,” and sex-scene videos of women they call “donor bodies.” Some creators use software to automatically extract a woman’s face from her videos and social-media posts. Others have experimented with voice-cloning software to generate potentially convincing audio..."

This is beyond bad. It is terrifying.

The implications: many. Video, including speeches, can easily be faked. Fake porn can be used as a weapon to harass women and/or to discredit accusers of sexual abuse and/or battery. Today's fake porn could be tomorrow's fake videos and fake news to discredit others: politicians, business executives, government officials (e.g., judges, military officers, etc.), individuals in minority groups, or activists. This places a premium upon mainstream news outlets to provide reliable, trustworthy news. This places a premium upon fact-checking sites.

The consequences: several. Social media users must first understand that they have made themselves vulnerable to the threats. Parents have made both themselves and their children vulnerable, too. How? The photographs and videos you've already uploaded to Facebook, Instagram, dating apps, and other social sites are source content for bad actors. So, parents must not only teach teenagers how to read terms and conditions and privacy policies, but also how to fact-check content to avoid being tricked by fake videos.

This means all online users must become skilled consumers of information and news: read several news sources, verify, and fact-check items. Otherwise, you are likely to be fooled... duped into joining or contributing to a bogus cause... tricked into voting for someone you wouldn't. This also means social media users must carefully consider their photographs before posting online, and whether the social app or service truly provides effective privacy.

It also means that all social media users should NOT retweet or re-post every sensational item they see in their inboxes without fact-checking it first. Otherwise, you are part of the problem. Be part of the solution.

Video advertisements can easily be faked. So, it is in the interest of consumers, companies, and government agencies both to find solutions and to upgrade online privacy and digital laws -- which seem to constantly lag behind new technologies. There probably need to be stronger consequences for offenders.

The Brookings Institute advised:

"In order to maximize positive outcomes [from AI], organizations should hire ethicists who work with corporate decision-makers and software developers, have a code of AI ethics that lays out how various issues will be handled, organize an AI review board that regularly addresses corporate ethical questions, have AI audit trails that show how various coding decisions have been made, implement AI training programs so staff operationalizes ethical considerations in their daily work, and provide a means for remediation when AI solutions inflict harm or damages on people or organizations."

These recommendations seem to apply to social media sites, which are high-value targets for bad actors wanting to post fake porn or other fake videos. It raises the question: which social sites have AI ethics policies and/or have hired ethicists and related staff to enforce such policies?

To do nothing seems unwise. Sticking our collective heads in the sand regarding new threats seems unwise, too. What issues concern you about AI-assisted fake porn or fake videos? What solutions do you want?


Dirty Tricks By Some Sellers At Amazon To Eliminate Competitors. Is Its Resolution System The Best Amazon Can Do?

Many consumers like shopping at Amazon.com. What you may not realize are the dirty tricks and scams among some sellers -- the individuals and firms who provide the products you purchase at the site. The Verge reported:

"When you buy something on Amazon, the odds are, you aren’t buying it from Amazon at all... They are largely hidden from customers, but behind any item for sale, there could be dozens of sellers, all competing for your click. This year, Marketplace sales were almost double those of Amazon retail itself, according to Marketplace Pulse, making the seller platform alone the largest e-commerce business in the US... "

Reportedly, there are 6 million sellers in Amazon Marketplace, so there's plenty of competition. The Verge article described one dirty trick where a seller posted bogus 5-star reviews on a competitor's page within the site. When the bogus reviews were removed, the targeted seller was accused of falsely manipulating buyers' reviews -- a violation of the site's rules -- and suspended. The Verge described several attacks by scammers. Here's another:

"Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office... Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings... Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry..."

No online shopper wants to buy products from a seller who has fraudulently taken over a valid seller's trademarks.

Punishment is harsh for violators within Amazon Marketplace: suspension, monies frozen, de-listed from the site, and unable to sell products online. If the suspension lasts long enough or if reinstatement doesn't happen fast enough, bankruptcy can result. And all of this happens behind the scenes unbeknownst to customers:

"For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced... Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says... Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying. Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals... They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors."

So, rather than using the established, well-documented public courts and legal system, this happens secretly within a corporation's processes with some unintended consequences:

"... what’s a seller to do when they end up in Amazon court? They can turn to someone like Cynthia Stine, who is part of a growing industry of consultants who help sellers navigate the ruthless world of Marketplace and the byzantine rules by which Amazon governs it. They are like lawyers, only their legal code is the Amazon Terms of Service, their court is a secretive and semi-automated corporate bureaucracy..."

How byzantine? Consider:

"Many sellers can’t even figure out what Amazon is accusing them of. A suspension message will typically list an item along with a broad and tangentially related category of an infraction, like "used sold as new." Understandably, sellers respond by sending invoices that show that the items are, in fact, new. Actually, Stine says, the suspension usually has nothing to do with the item being used, but with something like a peeling label on the box. “The thing Amazon wants you to fix is the buyer perception,” Stine says... JC Hewitt, whose law firm frequently works with Amazon sellers, calls the system’s mandatory guilty pleas, arbitrary verdicts, and obscure language "a Kafkaesque bureaucracy with bad writing." Inscrutable rulings emerge as if from a black box. The Performance team, which handles suspensions, has no phone number; there’s no one to ask for clarification. The only way to interact with them is by filing an appeal, and when it’s rejected, sellers often have no idea why... The secrecy can be so frustrating that sellers have traveled to Seattle or Amazon’s London office to try to find a human, to no avail..."

Huh? What? I'll bet many Amazon customers don't know this. And the system seems to use a poor balance of automation and humans:

"... there were likely humans reading [a seller's] appeal, but they’re part of a highly automated bureaucracy, according to former Amazon employees. An algorithm flags sellers based on a range of metrics — customer complaints, number of returns, certain keywords used in reviews, and other, more mysterious variables — and passes them to Performance workers based in India, Costa Rica, and other locations. These workers choose between several prewritten blurbs to send to sellers. They may see what the actual problem is or the key item missing from an appeal, but they can’t be more specific than the forms allow... The Performance workers’ incentives favor rejection. They must process approximately one claim every four minutes, and reinstating someone who later gets suspended again counts against them..."

Is this the best system possible? Probably not. I hope not. My guess is many Amazon Prime customers would prefer a better system to resolve disputes between sellers. My guess is that most shoppers would want to avoid using sellers who abuse or frame other sellers. And no shoppers want to buy from a seller who has fraudulently taken over another seller's trademarks.

The situation raises several issues:

  • A private court system prevents Amazon customers from knowing about and avoiding shopping at sellers who abuse or frame other sellers
  • A private court system prevents external reviews and/or oversight by independent parties
  • An algorithm-based system may save money, but a poor balance of humans and automation causes problems. Is this the best system possible?
  • Amazon determines what's in its customers' best interests (versus disclosure and then feedback from customers)
  • There seem to be few penalties for sellers who frame or set up other sellers. What fix is underway?
  • The current system smells like a bloated monopoly. With some transparency and input, a better system seems possible... preferred.

What are your opinions? What issues do you see? Is a private court system a good thing?


NPR Podcast: 'The Weaponization Of Social Media'

Any technology can be used for good, or for bad. Social media is no exception. A recent data breach study in Australia listed the vulnerabilities of social media. A study in 2016 found, "social media attractive to vulnerable narcissists."

How have social media sites and mobile apps been used as weapons? The podcast below features an interview with P.W. Singer and Emerson Brooking, authors of a new book, "LikeWar: The Weaponization of Social Media." The authors cite real-world examples of how social media sites and mobile apps have been used during conflicts and demonstrations around the globe -- and continue to be used.

A Kirkus book review stated:

"... Singer and Brooking sagely note the intensity of interpersonal squabbling online as a moral equivalent of actual combat, and they also discuss how "humans as a species are uniquely ill-equipped to handle both the instantaneity and the immensity of information that defines the social media age." The United States seems especially ill-suited, since in the Wild West of the internet, our libertarian tendencies have led us to resist what other nations have put in place, including public notices when external disinformation campaigns are uncovered and “legal action to limit the effect of poisonous super-spreaders.” Information literacy, by this account, becomes a “national security imperative,” one in which the U.S. is badly lagging..."

The new book "LikeWar" is available at several online bookstores, including Barnes and Noble, Powell's, and Amazon. Now, watch the podcast:


'Got Another Friend Request From You' Warnings Circulate On Facebook. What's The Deal?

Several people have posted on their Facebook News Feeds messages with warnings, such as:

"Please do not accept any new Friend requests from me"

And:

"Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!"

Maybe, you've seen one of these warnings. Some of my Facebook friends posted these warnings in their News Feed or in private messages via Messenger. What's happening? The fact-checking site Snopes explained:

"This message played on warnings about the phenomenon of Facebook “pirates” engaging in the “cloning” of Facebook accounts, a real (but much over-hyped) process by which scammers target existing Facebook users accounts by setting up new accounts with identical profile pictures and names, then sending out friend requests which appear to originate from those “cloned” users. Once those friend requests are accepted, the scammers can then spread messages which appear to originate from the targeted account, luring that person’s friends into propagating malware, falling for phishing schemes, or disclosing personal information that can be used for identity theft."

Hacked Versus Cloned Accounts

While everyone wants to warn their friends, it is important to do your homework first. Many Facebook users have confused "hacked" versus "cloned" accounts. A hack is when another person has stolen your password and used it to sign into your account to post fraudulent messages -- pretending to be you.

Snopes described above what a "cloned" account is... basically a second, unauthorized account. Sadly, there are plenty of online sources for scammers to obtain stolen photos and information to create cloned accounts. One source is the multitude of massive corporate data breaches: Equifax, Nationwide, Facebook, the RNC, Uber, and others. Another source is Facebook friends with sloppy security settings on their accounts: the "Public" setting is no security. That allows scammers to access your account via your friends' wide-open accounts lacking security.

It is important to know the differences between "hacked" and "cloned" accounts. Snopes advised:

"... there would be no utility to forwarding [the above] warning to any of your Facebook friends unless you had actually received a second friend request from one of them. Moreover, even if this warning were possibly real, the optimal approach would not be for the recipient to forward it willy-nilly to every single contact on their friends list... If you have reason to believe your Facebook account might have been “cloned,” you should try sending separate private messages to a few of your Facebook friends to check whether any of them had indeed recently received a duplicate friend request from you, as well as searching Facebook for accounts with names and profile pictures identical to yours. Should either method turn up a hit, use Facebook’s "report this profile" link to have the unauthorized account deactivated."

Cloned Accounts

If you received a (second) Friend Request from a person who you are already friends with on Facebook, then that suggests a cloned account. (Cloned accounts are not new. It's one of the disadvantages of social media.) Call your friend on the phone or speak with him/her in-person to: a) tell him/her you received a second Friend Request, and b) determine whether or not he/she really sent that second Friend Request. (Yes, online privacy takes some effort.) If he/she didn't send a second Friend Request, then you know what to do: report the unauthorized profile to Facebook, and then delete the second Friend Request. Don't accept it.

If he/she did send a second Friend Request, ask why. (Let's ignore the practice by some teens to set up multiple accounts; one for parents and a second for peers.) I've had friends -- adults -- forget their online passwords, and set up a second Facebook account -- a clumsy, confusing solution. Not everyone has good online skills. Your friend will tell you which account he/she uses and which account he/she wants you to connect to. Then, un-Friend the other account.

Hacked Accounts

All Facebook users should know how to determine if your Facebook account has been hacked. Online privacy takes effort. How to check:

  1. Sign into Facebook
  2. Select "Settings."
  3. Select "Security and Login."
  4. You will see a list of the locations where your account has been accessed. If one or more of the locations weren't you, then it's likely another person has stolen and used your password. Proceed to step #5.
  5. For each location that wasn't you, select "Not You" and then "Secure Account." Follow the online instructions displayed and change your password immediately.

I've performed this check after friends have (erroneously) informed me that my account was hacked. It wasn't.

Facebook Search and Privacy Settings

Those wanting to be proactive can search the Facebook site to find other persons using the same name. Simply enter your name in the search box. The results page lists other accounts with the same name. If you see another account using your identical profile photo (and/or other identical personal information and photos), then use Facebook's "report this profile" link to report the unauthorized account.

You can go one step further and warn your Facebook friends who have the "Public" security setting on their accounts. They may be unaware of the privacy risks, and once informed may change their security setting to "Friends Only." Hopefully, they will listen.

If they don't listen, you can suggest that they at a minimum change other privacy settings. Users control who can see their photos and list of friends on Facebook. To change the privacy setting, navigate to your Friends List page and select the edit icon. Then, select the "Edit Privacy" link. Next, change both privacy settings for "Who can see your friends?" and "Who can see the people, Pages, and lists you follow?" to "Only Me." As a last resort, you can un-Friend the security neophyte if he/she refuses to make any changes to their security settings.


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


Money Transfer Scams Target Both Businesses And Consumers

Money transfer scams, also called wire transfer scams, target both businesses and consumers. The affected firms include both small and large businesses.

Businesses

The Federal Bureau of Investigation (FBI) calls these scams "Business E-mail Compromise" (BEC), since the fraudsters often target executives within a company with phishing e-mails designed to trick victims into revealing sensitive bank account and sign-in credentials (e.g., usernames, passwords):

"At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented... Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals."

From January 2015 to February 2017, there was a 1,300 percent increase in financial losses due to these scams, totaling $3 billion. To trick victims, criminals use a variety of online methods including spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. (If these terms are unfamiliar, then you probably don't know enough to protect yourself.) Malware, or computer viruses, is often embedded in documents attached to e-mail messages -- another reason not to open e-mail attachments from strangers.

Forbes Magazine reported in April:

"Fraudsters target the CEO's and CFO's at various companies and hack their computers. They collect enough information to learn the types of billing the company pays, who the payee's are and the average balances paid. They then spoof a customer or, in other words, take their identity, and bill the company with wire transfer instructions to a scam bank account."

Some criminals are particularly crafty: they pretend to be a valid customer, client or vendor, and use a slightly altered sender's e-mail address, hoping the victim won't notice. This technique is successful more often than you might think. Example: a valid sender's e-mail address might be johnson@XYZcompany.com, while the scammer uses johnson@XYZcompamy.com. Did you spot the alteration? If you didn't, then you've just wired money directly to the criminal's offshore account instead of to a valid customer, client, or vendor.

Scammers can obtain executives' e-mail addresses and information from unprotected pages on social networking sites and/or data breaches. So, the data breaches at Under Armour, Equifax, Fresenius, Uber, the Chicago Board of Elections, Yahoo, Nationwide, Verizon, and others could have easily provided criminals with plenty of stolen personal data to do plenty of damage by impersonating coworkers and/or business associates. Much of the stolen information is resold by criminals to other criminals. Trading stolen data is what many cyber criminals do.

There are several things executives can do to protect themselves and their business' money. Learn to recognize money transfer scams and phishing e-mails. Often, bogus e-mails or text messages contain spelling errors (e.g., in the message body) and/or a request to immediately wire an unusually large amount of money. Most importantly, the FBI recommends:

"The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone."

That means don't rely upon text messages either.
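One way to automate the two warning signs described above (a sender domain that is a near-miss of a real partner's domain, and a message asking for an urgent wire transfer) is a small screening check that runs over incoming mail before anyone acts on it. The following is an added example, not code from this blog or from the FBI; the trusted domain list, the keyword lists, the edit-distance threshold of 2 and the sample messages are all constructed for illustration.

```python
# Added example: flag business-e-mail-compromise warning signs in incoming mail.
# Not part of the original post. Domains, keywords, threshold and sample
# messages below are constructed assumptions, not real deployment data.
from email.utils import parseaddr

# Constructed list of domains the organisation really does business with
# (assumption: a real deployment loads this from the vendor master list).
TRUSTED_DOMAINS = {"xyzcompany.com", "acme-widgets.example"}

# Constructed phrase lists; a real filter would tune these to its own mail flow.
WIRE_WORDS = ("wire transfer", "wire the", "update our bank",
              "new account details", "payment instructions")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap",
                 "before close of business")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance, case-insensitive.

    Insert, delete, substitute or swap two adjacent characters each cost 1,
    so 'compamy' (one substitution) and 'compnay' (one swap) are both 1 away
    from 'company'.
    """
    a, b = a.lower(), b.lower()
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[m][n]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: header such as
    'Bob Johnson <johnson@XYZcompany.com>' or a bare address."""
    _, address = parseaddr(header_value)
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {header_value!r}")
    return domain.lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', domain), ('lookalike', impersonated_domain) or
    ('unknown', None). Only exact matches count as trusted; anything within
    max_distance edits of a trusted domain is a lookalike."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return ("trusted", domain)
    for known in sorted(trusted):
        if edit_distance(domain, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


def scan_message(msg: dict, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable reasons the message deserves a phone
    call before any money moves. An empty list means nothing was flagged."""
    reasons = []
    verdict, impersonated = classify_sender(msg["from"], trusted)
    if verdict == "lookalike":
        reasons.append(f"sender domain looks like trusted domain {impersonated}")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(w in text for w in WIRE_WORDS):
        reasons.append("message asks to wire money or change bank details")
        if any(w in text for w in URGENCY_WORDS):
            reasons.append("wire request is marked urgent")
    return reasons


# Constructed sample messages, modelled on the XYZcompamy.com example above.
SUSPICIOUS_MESSAGE = {
    "from": "Bob Johnson <johnson@XYZcompamy.com>",
    "subject": "Updated payment instructions",
    "body": "Our bank has changed. Please wire the outstanding balance of "
            "$48,200 immediately to the new account details below.",
}
ROUTINE_MESSAGE = {
    "from": "Bob Johnson <johnson@XYZcompany.com>",
    "subject": "Thursday review",
    "body": "Attached is the agenda for Thursday's review meeting.",
}

if __name__ == "__main__":
    for msg in (SUSPICIOUS_MESSAGE, ROUTINE_MESSAGE):
        print(msg["from"], "->", scan_message(msg) or ["no warning signs"])
```

The check deliberately treats only an exact domain match as trusted, so a legitimate sub-domain such as mail.xyzcompany.com would be reported as "unknown" and should be added to the list rather than special-cased. A flagged message is a reason to pick up the phone, as the FBI advises; a clean result is not proof the request is genuine, since a compromised real mailbox would pass this test.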

Consumers

Wiring money is like sending cash. To avoid losing money, it is important for consumers to learn to recognize money transfer scams, too. There are several versions, according to the U.S. Federal Trade Commission (FTC):

"1. You just won a prize but you have to pay fees to get the prize
2. You need to pay for something you just bought online before they send it
3. A friend is in trouble and needs your help
4. You got a check for too much money and you need to send back the extra"

Regular readers of this blog are already familiar with #4 -- also called "check scams." Instead of paper checks, scammers have upgraded to prepaid cards and/or wire transfers. The FTC also advises consumers to pause before doing anything, and then:

  • "If the person claims (via e-mail) to need money for an emergency, call them first. Call another family member. Verify first if something truly happened.
  • If the check received is too much money, call your bank before you deposit the check. Ask your bank what they think about wiring money back to someone.
  • If the e-mail or phone caller says you received an inheritance or prize, "you do not have to pay for a prize. Ever. Did they say you have an inheritance? Talk to someone you trust. What does that person think?"

If you have already sent money to a scammer, it's gone and you probably won't get it back. So, file a complaint with the FTC. Chances are the scammer will contact you again, since they (or their associates) were successful already. Don't give them any more money.


FBI Warns Sophisticated Malware Targets Wireless Routers In Homes And Small Businesses

The U.S. Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) warning consumers and small businesses that "foreign cyber actors" have targeted their wireless routers. The May 25th PSA explained the threat:

"The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic... The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer... VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."

The "VPN" acronym usually refers to a Virtual Private Network. Why use the VPNFilter name for a sophisticated computer virus? Wired magazine explained:

"... the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities."

The FBI's PSA advised users to, a) reboot (e.g., turn off and then back on) their routers; b) disable remote management features which attackers could take over to gain access; and c) update their routers with the latest software and security patches. For routers purchased independently, security experts advise consumers to contact the router manufacturer's tech support or customer service site.

For routers leased or purchased from an internet service provider (ISP), consumers should contact their ISP's customer service or technical department for software updates and security patches. Example: the Verizon FiOS forums site section lists the brands and models affected by the VPNFilter malware, since several manufacturers produce routers for the Verizon FiOS service.

It is critical for consumers to heed this PSA. The New York Times reported:

"An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the [VPNfilter] malware... A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency... To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.” Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device..."

Readers wanting technical details about VPNFilter should read the Talos Intelligence blog post.

When consumers contact their ISP about router software updates, it is wise to also inquire about security patches for the Krack malware, which the bad actors have used recently. Example: the Verizon site also provides information about the Krack malware.

The latest threat provides several strong reminders:

  1. The conveniences of wireless internet connectivity which consumers demand and enjoy also benefit the bad guys,
  2. The bad guys are persistent and will continue to target internet-connected devices with weak or no protection, including devices consumers fail to protect,
  3. Wireless benefits come with a responsibility for consumers to shop wisely for internet-connected devices featuring easy, continual software updates and security patches. Otherwise, that shiny new device you recently purchased is nothing more than an expensive "brick," and
  4. Manufacturers have a responsibility to provide consumers with easy, continual software updates and security patches for the internet-connected devices they sell.

What are your opinions of the VPNFilter malware? What has been your experience with securing your wireless home router?


Medicare Scams Still Operate. How To Avoid Getting Your Identity Information Stolen

To minimize fraud, the new Medicare cards display a unique 11-digit identification number instead of patients' Social Security numbers. However, scammers have created a new tactic to trick patients into revealing their sensitive Medicare information. The Oregon Department of Justice warned:

"If someone calls and asks you for your personal information, money to activate the new card, or threatens to cancel your Medicare benefits if you don’t share your personal information, just hang up! It is a scam," said Attorney General Ellen Rosenblum.

Medicare will not call you nor ask for your Social Security number or bank information. That's good advice for patients nationwide. Experts estimate that Medicare loses about $60 billion yearly to con artists via a variety of scams.

Oregon residents suspecting healthcare fraud or wanting to report scammers should contact Oregon's Department of Justice's Consumer Protection (hotline: 1-877-877-9392 or www.oregonconsumer.gov). Consumers in other states should contact their state's attorney general, and/or report suspected fraud directly to Medicare.

The video below from 2017 includes advice about how patients should protect their Medicare cards.


News Media Alliance Challenges Tech Companies To 'Accept Accountability' And Responsibility For Filtering News In Their Platforms

Last week, David Chavern, the President and CEO of News Media Alliance (NMA), testified before the House Judiciary Committee. The NMA is a nonprofit trade association representing over 2,000 news organizations across the United States. Mr. Chavern's testimony focused upon the problem of fake news, often aided by social networking platforms.

His comments first described current conditions:

"... Quality journalism is essential to a healthy and functioning democracy -- and my members are united in their desire to fight for its future.

Too often in today’s information-driven environment, news is included in the broad term "digital content." It’s actually much more important than that. While some low-quality entertainment or posts by friends can be disappointing, inaccurate information about world events can be immediately destructive. Civil society depends upon the availability of real, accurate news.

The internet represents an extraordinary opportunity for broader understanding and education. We have never been more interconnected or had easier and quicker means of communication. However, as currently structured, the digital ecosystem gives tremendous viewpoint control and economic power to a very small number of companies – the tech platforms that distribute online content. That control and power must come with new responsibilities... Historically, newspapers controlled the distribution of their product; the news. They invested in the journalism required to deliver it, and then printed it in a form that could be handed directly to readers. No other party decided who got access to the information, or on what terms. The distribution of online news is now dominated by the major technology platforms. They decide what news is delivered and to whom – and they control the economics of digital news..."

Last month, a survey found that roughly two-thirds of U.S. adults (68%) use Facebook.com, and about three-quarters of those use the social networking site daily. In 2016, a survey found that 62 percent of adults in the United States get their news from social networking sites. The corresponding statistic in 2012 was 49 percent. That 2016 survey also found that fewer social media users get their news from other platforms: local television (46 percent), cable TV (31 percent), nightly network TV (30 percent), news websites/apps (28 percent), radio (25 percent), and print newspapers (20 percent).

Mr. Chavern then described the problems with two specific tech companies:

"The First Amendment prohibits the government from regulating the press. But it doesn’t prevent Facebook and Google from acting as de facto regulators of the news business.

Neither Google nor Facebook are – or have ever been – "neutral pipes." To the contrary, their businesses depend upon their ability to make nuanced decisions through sophisticated algorithms about how and when content is delivered to users. The term “algorithm” makes these decisions seem scientific and neutral. The fact is that, while their decision processes may be highly-automated, both companies make extensive editorial judgments about accuracy, relevance, newsworthiness and many other criteria.

The business models of Facebook and Google are complex and varied. However, we do know that they are both immense advertising platforms that sell people’s time and attention. Their "secret algorithms" are used to cultivate that time and attention. We have seen many examples of the types of content favored by these systems – namely, click-bait and anything that can generate outrage, disgust and passion. Their systems also favor giving users information like that which they previously consumed, thereby generating intense filter bubbles and undermining common understandings of issues and challenges.

All of these things are antithetical to a healthy news business – and a healthy democracy..."

Earlier this month, Apple Computer and Facebook executives exchanged criticisms about each other's business models and privacy. Mr. Chavern's testimony before Congress also described more problems and threats:

"Good journalism is factual, verified and takes into account multiple points of view. It can take a lot of time and investment. Most particularly, it requires someone to take responsibility for what is published. Whether or not one agrees with a particular piece of journalism, my members put their names on their product and stand behind it. Readers know where to send complaints. The same cannot be said of the sea of bad information that is delivered by the platforms in paid priority over my members’ quality information. The major platforms’ control over distribution also threatens the quality of news for another reason: it results in the “commoditization” of news. Many news publishers have spent decades – often more than a century – establishing their brands. Readers know the brands that they can trust — publishers whose reporting demonstrates the principles of verification, accuracy and fidelity to facts. The major platforms, however, work hard to erase these distinctions. Publishers are forced to squeeze their content into uniform, homogeneous formats. The result is that every digital publication starts to look the same. This is reinforced by things like the Google News Carousel, which encourages users to flick back and forth through articles on the same topic without ever noticing the publisher. This erosion of news publishers’ brands has played no small part in the rise of "fake news." When hard news sources and tabloids all look the same, how is a customer supposed to tell the difference? The bottom line is that while Facebook and Google claim that they do not want to be "arbiters of truth," they are continually making huge decisions on how and to whom news content is delivered. These decisions too often favor free and commoditized junk over quality journalism. The platforms created by both companies could be wonderful means for distributing important and high-quality information about the world. But, for that to happen, they must accept accountability for the power they have and the ultimate impacts their decisions have on our economic, social and political systems..."

Download Mr. Chavern's complete testimony. Industry watchers argue that recent changes by Facebook have hurt local news organizations. MediaPost reported:

"When Facebook changed its algorithm earlier this year to focus on “meaningful” interactions, publishers across the board were hit hard. However, local news seemed particularly vulnerable to the alterations. To assuage this issue, the company announced that it would prioritize news related to local towns and metro areas where a user resided... To determine how positively that tweak affected local news outlets, the Tow Center measured interactions for posts from publications coming from 13 metro areas... The survey found that 11 out of those 13 have consistently seen a drop in traffic between January 1 and April 1 of 2018, allowing the results to show how outlets are faring nine weeks after the algorithm change. According to the Tow Center study, three outlets saw interactions on their pages decrease by a dramatic 50%. These include The Dallas Morning News, The Denver Post, and The San Francisco Chronicle. The Atlanta Journal-Constitution saw interactions drop by 46%."

So, huge problems persist.

Early in my business career, I had the opportunity to develop and market an online service using content from Dow Jones News/Retrieval. That experience taught me that the news - hard news - included who, where, when, and what happened. Everything else is either opinion, commentary, analysis, an advertisement, or fiction. And, it is critical to know the differences and/or learn to spot each type. Otherwise, you are likely to be misled, misinformed, or fooled.


Many People Are Concerned About Facebook. Any Other Tech Companies Pose Privacy Threats?

The massive data breach involving Facebook and Cambridge Analytica focused attention and privacy concerns on the social networking giant. Reports about extensive tracking of users and non-users, testimony by its CEO before the U.S. Congress, and online tools allegedly allowing advertisers to violate federal housing laws have also focused attention on Facebook.

Are there any other tech or advertising companies which consumers should have privacy concerns about? What other companies collect massive amounts of information about consumers? It seems wise to look beyond Facebook to avoid missing significant threats.

To answer these questions, the Wall Street Journal compared Facebook and Google:

"... Alphabet Inc.’s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps... It’s likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, chief executive of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting. Yet, like Facebook, it continues to gather your data... Google Analytics is far and away the web’s most dominant analytics platform. Used on the sites of about half of the biggest companies in the U.S., it has a total reach of 30 million to 50 million sites. Google Analytics tracks you whether or not you are logged in... Google uses, among other things, our browsing and search history, apps we’ve installed, demographics such as age and gender and, from its own analytics and other sources, where we’ve shopped in the real world. Google says it doesn’t use information from “sensitive categories” such as race, religion, sexual orientation or health..."

There's plenty more, so read the entire WSJ article. A good review worthy of further discussion.

However, more companies pose privacy threats. Equifax, one of three major credit reporting agencies, easily makes my list. Its massive data breach affected half the population in the USA, plus persons worldwide. An investigation discovered several data security failures at Equifax.

Also on my list would be the U.S. Federal Communications Commission (FCC). Using some "light touch" legal jiu-jitsu and vague promises of enabling infrastructure investments, the Republican-majority Commissioners and Trump appointee Ajit Pai at the FCC revoked broadband privacy protections for consumers last year... and punted broadband oversight responsibility to the U.S. Federal Trade Commission (FTC). This allowed corporate internet service providers (ISPs) to freely track and collect sensitive data about internet users without requiring notices or opt-out mechanisms.

Uber also makes my list, given its massive data breach affecting 57 million persons. Earlier this month, the FTC announced a revised settlement agreement where Uber:

"... failed to disclose a significant breach of consumer data that occurred in 2016 -- in the midst of the FTC’s investigation that led to the August 2017 settlement announcement... the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information... In announcing the original proposed settlement with Uber in August 2017, the FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.

In the revised complaint, the FTC alleges that Uber learned in November 2016 that intruders had again accessed consumer data the company stored on its third-party cloud provider’s servers by using an access key an Uber engineer had posted on a code-sharing website... the intruders used the access key to download from Uber’s cloud storage unencrypted files that contained more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders... Uber paid the intruders $100,000 through its third-party “bug bounty” program and failed to disclose the breach to consumers or the Commission until November 2017... the new provisions in the revised proposed order include requirements for Uber to submit to the Commission all the reports from the required third-party audits of Uber’s privacy program rather than only the initial such report..."

Yes, Wells Fargo bank makes my list, too. This blog post explains why. Who is on your list of the biggest privacy threats to consumers?


New Technologies Will Soon Make It More Difficult For Consumers To Spot Fake News

We've all heard the old saying: seeing is believing. Right? Not necessarily anymore.

New technologies will soon make it very easy for bad actors to manipulate videos of people -- politicians, law enforcement officials, celebrities, or anyone -- to say things they never said. This will cause many problems, one of which will be the increasing difficulty, or impossibility, for consumers to spot fake news. CBS News explained:

"It starts with a selfie. Using that simple image, Hao Li, CEO of Los Angeles-based Pinscreen, can manipulate someone's face. You can literally put words in someone else's mouth. Li said it's all part of building a new virtual chat room world, but this type of advanced artificial intelligence technology is raising real eyebrows... For example, someone could take an image of President Trump and make him say something he didn't really say. Li said these kind of things are already possible in some ways. Comedian Jordan Peele used lip sync technology in a public service announcement (PSA) out Tuesday, warning against the dangers of fake news..."

Below is the PSA by Peele, which has already gotten more than 2.3 million views:

This is more confirmation that artificial intelligence is ripe for misuse by bad actors. The CBS News report also described some of the efforts by software developers to quickly create tools to spot manipulated images and video. Here's why:

"... at Pinscreen, Li said it won't take long before the line between what's real or not is erased. "It might be a year actually." "

Watch the entire CBS News report. These new image/video detection tools can't come soon enough. Consumers will need them. Journalists, military, intelligence, government watch-dog agencies, and corporate executives will need them, too. One can easily imagine bad actors using A.I. and other new technologies to create fake endorsements by celebrities of products, services, and/or politicians they really didn't endorse. What are your opinions?


2017 FTC Complaints Report: Debt Collection Tops The List. Older Consumers Better At Spotting Scams

Earlier this month, the U.S. Federal Trade Commission (FTC) released its annual report of complaints submitted by consumers in the United States. The report is helpful to understand the most frequent types of scams and reports consumers experienced.

The latest report, titled 2017 Consumer Sentinel Network Data Book, includes complaints from 2.68 million consumers, a decrease from 2.98 million in 2016. However, consumers reported losing a total of $905 million to fraud in 2017, which is $63 million more than in 2016. The most frequent complaints were about debt collection (23 percent), identity theft (14 percent), and imposter scams (13 percent). The top 20 complaint categories:

Rank  Category                                                # Of Reports   % Of Reports
  1   Debt Collection                                              608,535         22.74%
  2   Identity Theft                                               371,061         13.87%
  3   Imposter Scams                                               347,829         13.00%
  4   Telephone & Mobile Services                                  149,578          5.59%
  5   Banks & Lenders                                              149,316          5.58%
  6   Prizes, Sweepstakes & Lotteries                              142,870          5.34%
  7   Shop-at-Home & Catalog Sales                                 126,387          4.72%
  8   Credit Bureaus, Information Furnishers & Report Users        107,473          4.02%
  9   Auto Related                                                  86,289          3.23%
 10   Television and Electronic Media                               47,456          1.77%
 11   Credit Cards                                                  45,428          1.70%
 12   Internet Services                                             45,093          1.69%
 13   Foreign Money Offers & Counterfeit Check Scams                31,980          1.20%
 14   Health Care                                                   27,660          1.03%
 15   Travel, Vacations & Timeshare Plans                           22,264          0.83%
 16   Business & Job Opportunities                                  19,082          0.71%
 17   Advance Payments for Credit Services                          17,762          0.66%
 18   Investment Related                                            15,079          0.56%
 19   Computer Equipment & Software                                  9,762          0.36%
 20   Mortgage Foreclosure Relief & Debt Management                  8,973          0.34%

While the median loss for all fraud reports in 2017 was $429, consumers reported larger losses in certain types of scams: travel, vacations and timeshare plans ($1,710); mortgage foreclosure relief and debt management ($1,200); and business/job opportunities ($1,063).

The telephone was the most frequently reported contact method (70 percent) scammers used to reach consumers, and wire transfers were the most frequently reported payment method for fraud ($333 million in losses reported). Also:

"The states with the highest per capita rates of fraud reports in 2017 were Florida, Georgia, Nevada, Delaware, and Michigan. For identity theft, the top states in 2017 were Michigan, Florida, California, Maryland, and Nevada."

What's new in this report is that it details financial losses by age group. The FTC report concluded:

"Consumers in their twenties reported losing money to fraud more often than those over age 70. For example, among people aged 20-29 who reported fraud, 40 percent indicated they lost money. In comparison, just 18 percent of those 70 and older who reported fraud indicated they lost any money. However, when these older adults did report losing money to a scammer, the median amount lost was greater. The median reported loss for people age 80 and older was $1,092 compared to $400 for those aged 20-29."

Detailed information supporting this conclusion:

2017 FTC Consumer Sentinel complaints report: reports and losses by age group.

2017 FTC Consumer Sentinel complaints report: median losses by age group.

These charts are key. Twice as many younger consumers (40 percent of those aged 20 to 29) reported losing money as older consumers (18 percent of those aged 70 and older). At the same time, the older consumers who did lose money lost more of it. So, older consumers were better at spotting scams and fewer fell victim, but those who did were hit harder. It seems both groups could learn from each other.

CBS News interviewed a millennial who fell victim to a mystery-shopper scam, which seemed to be a slick version of the old check scam. It seems wise for all consumers, regardless of age, to maintain awareness about the types of scams. Pick a news source or blog you trust. Hopefully, this blog.

Below is a graphic summarizing the 2017 FTC report:

[Graphic: summary of the 2017 FTC complaints report]


Security Experts: Artificial Intelligence Is Ripe For Misuse By Bad Actors

Over the years, bad actors (e.g., criminals, terrorists, rogue states, ethically-challenged business executives) have used a variety of online technologies to remotely hack computers, track users online without consent or notice, and circumvent privacy settings by consumers on their internet-connected devices. During the past year or two, reports surfaced about bad actors using advertising and social networking technologies to sway public opinion.

Security researchers and experts have warned in a new report that two of the newest technologies can also be used maliciously:

"Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis... Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed."

Companies currently use or test artificial intelligence (A.I.) to automate mundane tasks, upgrade and improve existing automated processes, and/or personalize employee (and customer) experiences in a variety of applications and business functions, including sales, customer service, and human resources. "Machine learning" refers to the development of digital systems to improve the performance of a task using experience. Both are part of a business trend often referred to as "digital transformation" or the "intelligent workplace." The CXO Talk site, featuring interviews with business leaders and innovators, is a good resource to learn more about A.I. and digital transformation.

A survey last year of employees in the USA, France, Germany, and the United Kingdom found that they, "see A.I. as the technology that will cause the most disruption to the workplace." The survey also found: 70 percent of employees surveyed expect A.I. to impact their jobs during the next ten years, half expect impacts within the next three years, and about a third see A.I. as a job creator.

This new report was authored by 26 security experts from a variety of educational institutions including American University, Stanford University, Yale University, the University of Cambridge, the University of Oxford, and others. The report cited three general ways bad actors could misuse A.I.:

"1. Expansion of existing threats. The costs of attacks may be lowered by the scalable use of AI systems to complete tasks that would ordinarily require human labor, intelligence and expertise. A natural effect would be to expand the set of actors who can carry out particular attacks, the rate at which they can carry out these attacks, and the set of potential targets.

2. Introduction of new threats. New attacks may arise through the use of AI systems to complete tasks that would be otherwise impractical for humans. In addition, malicious actors may exploit the vulnerabilities of AI systems deployed by defenders.

3. Change to the typical character of threats. We believe there is reason to expect attacks enabled by the growing use of AI to be especially effective, finely targeted, difficult to attribute, and likely to exploit vulnerabilities in AI systems."

So, A.I. could make it easier for the bad guys to automate labor-intensive cyber-attacks such as spear-phishing, where each message is tailored to its recipient. The bad guys could also create new cyber-attacks by combining A.I. with speech synthesis, for example to impersonate a voice the victim trusts. The authors of the report cited examples of more threats:

"The use of AI to automate tasks involved in carrying out attacks with drones and other physical systems (e.g. through the deployment of autonomous weapons systems) may expand the threats associated with these attacks. We also expect novel attacks that subvert cyber-physical systems (e.g. causing autonomous vehicles to crash) or involve physical systems that it would be infeasible to direct remotely (e.g. a swarm of thousands of micro-drones)... The use of AI to automate tasks involved in surveillance (e.g. analyzing mass-collected data), persuasion (e.g. creating targeted propaganda), and deception (e.g. manipulating videos) may expand threats associated with privacy invasion and social manipulation..."

BBC News reported even more possible threats:

"Technologies such as AlphaGo - an AI developed by Google's DeepMind and able to outwit human Go players - could be used by hackers to find patterns in data and new exploits in code. A malicious individual could buy a drone and train it with facial recognition software to target a certain individual. Bots could be automated or "fake" lifelike videos for political manipulation. Hackers could use speech synthesis to impersonate targets."

From all of this, one can conclude that the 2016 elections interference cited by intelligence officials is probably mild compared to what will come: more serious, sophisticated, and numerous attacks. The report included four high-level recommendations:

"1. Policymakers should collaborate closely with technical researchers to investigate, prevent, and mitigate potential malicious uses of AI.

2. Researchers and engineers in artificial intelligence should take the dual-use nature of their work seriously, allowing misuse-related considerations to influence research priorities and norms, and proactively reaching out to relevant actors when harmful applications are foreseeable.

3. Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and imported where applicable to the case of AI.

4. Actively seek to expand the range of stakeholders and domain experts involved in discussions of these challenges."

Download the 101-page report titled, "The Malicious Use Of Artificial Intelligence: Forecasting, Prevention, And Mitigation." A copy of the report is also available here (Adobe PDF; 1,400 k bytes).

To prepare, both corporate and government executives would be wise to both harden their computer networks and (re)train their employees to recognize and guard against cyber attacks. What do you think?


Do Social Media Pose Threats To Democracies?

The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general counsel Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions would fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallowing bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society."

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Security Experts: Massive Botnet Forming. A 'Botnet Storm' Coming

Online security experts have detected a massive botnet (a network of hijacked, remotely controlled internet-connected devices) forming. Its operator and purpose are both unknown. Check Point Software Technologies, a cyber security firm, warned in a blog post that its researchers:

"... had discovered a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016... Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others..."

Reportedly, the botnet has been named either "Reaper" or "IoTroop." The McClatchy news wire reported:

"A Chinese cybersecurity firm, Qihoo 360, says the botnet is swelling by 10,000 devices a day..."

Criminals use malware to recruit weakly protected or insecure Internet-connected devices (commonly referred to as the internet of things, or IoT) in homes and businesses into the botnet; Mirai, for example, got in by trying factory-default usernames and passwords over the network. Then, criminals use the botnet to overwhelm a targeted website with traffic. This type of attack, called a Distributed Denial of Service (DDoS), prevents valid users from accessing the targeted site, knocking it offline. If the attack is large enough, it can disable large portions of the Internet, as the 2016 attack on the DNS provider Dyn did.

A version of the attack could also include a ransom demand, where the criminals will stop the attack only after a large cash payment by the targeted company or website. With multiple sites targeted, either version of cyber attack could have huge, negative impacts upon businesses and users.

How bad was the Mirai botnet? According to the US-CERT unit within the U.S. Department of Homeland Security:

"On September 20, 2016, Brian Krebs’ security blog was targeted by a massive DDoS attack, one of the largest on record... The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices... The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack..."

Wired reported last year that after the attack on Krebs' blog, the Mirai botnet:

"... managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone... Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover..."

The Wired report also explained the difficulty with identifying and cleaning infected devices:

"One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam—or more likely, a small business's—is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product."

If this seems scary, it is. The coming botnet storm has the potential to do lots of damage.
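The US-CERT description above gives defenders something concrete to look for: Mirai-style bots log in to telnet with a short list of factory-default credentials, many attempts per second, and move on. Below is an added example (not code from the page, from Check Point, or from US-CERT) that runs that detection logic over a few constructed login-log lines in Python. The log format is invented for the example, the credential list is a small illustrative subset of the well-known pairs from the leaked Mirai source (not the full 62), and the thresholds are assumptions; all three are labelled in the code.

```python
"""Flag Mirai-style default-credential scanning in login logs.

Added example; not from the original page, Check Point or US-CERT.
Assumptions (labelled): the log line format is constructed for this example,
MIRAI_DEFAULTS is an illustrative subset, and the burst thresholds are guesses.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Assumption: a handful of the (user, password) pairs from the leaked Mirai
# source, chosen for illustration. A real deployment would carry the full list.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "root"),
    ("support", "support"), ("admin", "password"), ("user", "user"), ("guest", "guest"),
}

# Assumption: constructed syslog-like format; real telnetd/honeypot lines differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"user='(?P<user>[^']*)' pass='(?P<pw>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample: one scanner (203.0.113.5) hammering defaults and getting in,
# one legitimate admin (192.0.2.10) with a typo followed by a good login.
SAMPLE_LOG = """\
2017-10-20T03:14:01 cam01 telnetd[412]: login failed user='root' pass='xc3511' from 203.0.113.5
2017-10-20T03:14:02 cam01 telnetd[412]: login failed user='root' pass='vizxv' from 203.0.113.5
2017-10-20T03:14:02 cam01 telnetd[412]: login failed user='admin' pass='admin' from 203.0.113.5
2017-10-20T03:14:03 cam01 telnetd[412]: login failed user='root' pass='888888' from 203.0.113.5
2017-10-20T03:14:04 cam01 telnetd[412]: login failed user='support' pass='support' from 203.0.113.5
2017-10-20T03:14:05 cam01 telnetd[412]: login ok user='root' pass='default' from 203.0.113.5
2017-10-20T03:20:11 cam01 telnetd[413]: login failed user='admin' pass='Wr0ng-Typ0' from 192.0.2.10
2017-10-20T03:20:19 cam01 telnetd[413]: login ok user='admin' pass='c0rrect-H0rse' from 192.0.2.10
"""


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(log: str, attempts_threshold: int = 5, window_s: int = 60) -> dict[str, dict]:
    """Per source IP: count attempts, default-credential hits and successes.

    A source is flagged if any default credential succeeded (the device is
    now owned) or if it tried default credentials inside a burst of at least
    attempts_threshold logins within window_s seconds (a scanner at work).
    """
    by_src: dict[str, list[dict]] = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    report: dict[str, dict] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        defaults = [r for r in recs if (r["user"], r["pw"]) in MIRAI_DEFAULTS]
        default_success = any(r["result"] == "ok" for r in defaults)
        # Largest number of attempts inside any sliding window of window_s seconds.
        burst, j = 0, 0
        for i, r in enumerate(recs):
            while (r["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        report[src] = {
            "attempts": len(recs),
            "default_cred_attempts": len(defaults),
            "default_cred_success": default_success,
            "max_burst": burst,
            "flag": default_success or (bool(defaults) and burst >= attempts_threshold),
        }
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

Two caveats for anyone adapting this. Logging submitted passwords in the clear, as the constructed format does, is something only a honeypot should do; on a production device match on usernames, result and rate instead. And a flagged success means the device needs its credentials changed before it goes back online, not just a reboot, since the next scan will find the same default password.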

So, a word to the wise. Experts advise consumers to: a) disconnect the device from your network and reboot it before re-connecting it to the internet (Mirai-style malware lives only in memory, so a reboot clears it, but a device still using its factory password will be found again by the next scan, so change the password first); b) buy internet-connected devices that support security software updates; c) change the passwords on your devices from the defaults to strong, unique passwords; d) update the operating system (OS) software on your devices with security patches as soon as they are available; e) keep the anti-virus software on your devices current; and f) regularly back up the data on your devices.

US-CERT also advised consumers to:

"Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. Purchase IoT devices from companies with a reputation for providing secure devices... Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected."


Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic; plus inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.
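To see why a reinstalled key is so damaging, here is an added example (not code from the page, from ZDNet, or from the KRACK researchers) that models the client side of the handshake in Python. It assumes a SHA-256 counter-mode keystream as a stand-in for the AES-CTR core of WPA2's CCMP, an HMAC stand-in for the key derivation, and a handshake reduced to message 3; these simplifications are assumptions and are labelled in the code. The property being exercised holds for any counter-mode cipher: the same key with the same packet number yields the same keystream, so XORing two such ciphertexts cancels the keystream and one known plaintext reveals the other.

```python
"""Nonce reuse after a replayed handshake message, modelled on KRACK.

Added example; not from the original page or from the KRACK researchers.
Assumptions (labelled): SHA-256 in counter mode stands in for AES-CTR/CCMP,
HMAC stands in for WPA2's PRF, and only message 3 of the handshake is modelled.
"""
from __future__ import annotations

import hashlib
import hmac


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA256(ptk || pn || i).

    Assumption: a stand-in for AES-CTR. What matters is shared with CCMP:
    same key + same packet number (nonce) => identical keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            ptk + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the four-way handshake, reduced to what matters here."""

    def __init__(self, pmk: bytes, anonce: bytes, snonce: bytes, patched: bool):
        self.pmk, self.anonce, self.snonce = pmk, anonce, snonce
        self.patched = patched
        self.ptk: bytes | None = None
        self.pn = 0  # CCMP packet number, used as the per-packet nonce

    def receive_msg3(self) -> None:
        """On message 3 the client installs the PTK and zeroes the packet number.

        Unpatched clients do this again for a retransmitted message 3, which
        is the key reinstallation. The fix is to refuse to reinstall a key
        that is already in use.
        """
        if self.patched and self.ptk is not None:
            return
        # Assumption: HMAC stands in for WPA2's PRF over PMK and both nonces.
        self.ptk = hmac.new(self.pmk, self.anonce + self.snonce, hashlib.sha256).digest()
        self.pn = 0

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        pn, self.pn = self.pn, self.pn + 1
        return pn, xor_bytes(plaintext, keystream(self.ptk, pn, len(plaintext)))


def run_krack_scenario(patched: bool) -> dict:
    """Replay message 3 and report what a passive eavesdropper can recover."""
    client = Supplicant(pmk=b"\x11" * 32, anonce=b"\x22" * 32, snonce=b"\x33" * 32,
                        patched=patched)
    # Constructed traffic: one frame the attacker can guess, one they want.
    known = b"GET /index.html HTTP/1.1\r\n"
    secret = b"Cookie: session=s3cr3t-value\r\n"

    client.receive_msg3()          # normal handshake completes
    pn1, ct1 = client.send(known)  # first data frame, packet number 0
    client.receive_msg3()          # attacker replays message 3 to the client
    pn2, ct2 = client.send(secret) # unpatched client: packet number 0 again

    n = min(len(ct1), len(ct2))
    # ct1 ^ ct2 == known ^ secret only when the keystream was reused.
    recovered = xor_bytes(xor_bytes(ct1[:n], ct2[:n]), known[:n])
    return {"nonce_reused": pn1 == pn2, "recovered": recovered, "secret_prefix": secret[:n]}


if __name__ == "__main__":
    for patched in (False, True):
        r = run_krack_scenario(patched)
        print("patched" if patched else "unpatched", r["nonce_reused"], r["recovered"])
```

The patched branch is the behaviour vendors shipped: refuse to reinstall a key that is already in use, so a replayed message 3 no longer resets the packet number. Note also what the attack does not do: the PMK is never recovered, so changing the Wi-Fi password is no defence; only updating the client software is.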

What should consumers do? The flaw is in how the client side of the handshake handles a retransmitted message, so the devices that most need patching are the ones that join the network: phones, laptops, tablets, and the internet-connected gadgets discussed below. Routers need updates too, mainly where they act as a client themselves (repeaters, mesh nodes) or support fast roaming (802.11r), so contact the maker of your home wireless router, or your Internet Service Provider (ISP), for firmware patches as well. Changing your Wi-Fi password does not help, since the attack never recovers it; updating software does.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to a better device for security. Comments?