Posts Tagged ‘Fraud’
Last Updated on Sunday, 17 June 2012 08:46 Written by Celframe Security Team Sunday, 14 October 2012 09:41
Identity fraud training is one of the main requirements of the Red Flags Rule and there is a good reason for this Federal requirement because once red flags which lead to fraud have been identified through risk assessments and procedures are developed to detect and mitigate such fraud red flags, employees must be provided appropriate training to properly follow established identity theft prevention policies and procedures.
Front line staff are often the ones who face identity thieves as they commit their planned fraud using someone else’s identity. Depending on how transactions are initiated, these front line employees must be aware of how identity fraud occurs, how to detect fraud, and what to do when they detect or even suspect fraud. Internet transactions processors also face online identity fraud as increasingly transactions and communications occur online without physical interaction while certain related processes might occur off line to complete the requests. Depending on whether transactions are initiated offline or online, defined procedures and requirements for identity theft prevention might vary and must be addressed in fraud training materials.
As we discuss the need to provide fraud training to front line employees, we must step back for a moment and note that individuals who track and analyze fraud trends, assess identity theft risks, draft policies and procedures, train employees, and oversee the identity theft prevention program also need to receive fraud training in order to effectively perform their job duties in support of the identity theft program.
Many laws have already laid out private data safeguard and breach management requirements however identity fraud prevention is just beginning to be addressed through the Federal Red Flags Rule. As we start to acknowledge that loss of private information and subsequently identity fraud are inevitable and on the rise, we have arrived at a junction where similar to the Sarbanes-Oxley Act, we have Federal requirements to proactively address identity theft prevention thorough specific steps and one such requirement is fraud training for all employees who are in a position to support any and all aspects of the identity theft prevention program to detect and mitigate fraud.
Fraud training can be administered by qualified internal or external staff through a variety of means. Although the law requires employee training, it does not specify the format and length of the training however as fraud occurs, employee knowledge as well as effectiveness and adequacy of provided training will be assessed by regulators or attorneys to identify whether lack of employee knowledge regarding policies and procedures has led to the recurring identity fraud cases and determine any regulatory violations.
The penalties for violating any aspect of the Red Flags Rule as stated on the FTC website is as follows:
“The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.”
One specific conclusion that can be drawn from the above statement is that the government regulators will continue to audit the organization which was found to be non-compliant to make sure that they have implemented all identified deficiencies. Therefore it is necessary for management to ensure that their identity theft prevention program is fully in place and operating effectively before the regulators do.
The Certified Red Flag Specialist (CRFS) designation is the identity fraud certification developed to provide the necessary fraud training for preventing identity theft, reducing fraud costs, and complying with the Red Flags Rule. The CRFS identity fraud certification not only provides the required training for identity theft management and compliance but it also includes an examination to assess and certify the knowledge of candidates regarding identity fraud prevention requirements.
For any fraud training or certification questions, please visit Identity Management Institute.
Address Change Fraud
Last Updated on Sunday, 17 June 2012 08:47 Written by Celframe Security Team Saturday, 29 September 2012 02:06
Address change fraud is one of the easiest, oldest, cheapest and non technical tricks to steal personal information and take over someone’s identity for a variety of reasons including fraud. The scheme by which a company’s employee with system and information access is fooled to share customer’s information with thieves and complete their requests to change customer information or take specific actions is called social engineering. Social engineered scams know that all employees are not well educated regarding company policies and procedures for protecting customer information and validating requestor identity and assume from the very beginning that upon multiple attempts, an unsuspecting employee will be found who can help complete the scam. The scam is so low tech that anyone can succeed on their first try which is why employees are the weakest link in fraud prevention efforts and the risk must be addressed through employee education and monitoring. All it takes for such scams to be executed successfully is one employee. The scammer just needs to find one employee who is able and willing to unknowingly follow orders and go above and beyond his or her ability to provide the best possible customer service to the wrong customer.
An address change fraud occurs much too often and its victims include celebrities, company executives as well as millions of regular customers. Identity fraud does not discriminate unless of course the scam can provide the most bang for the buck which is why high credit worthy and high credit balance consumers are often the best targets. Sometimes, an unauthorized address change is detected after the fact when the customer information is stolen through address diversion. Here’s one example; an identity thief calls the bank to request and address change which is eventually executed by an uneducated and unsuspecting employee leading to address change fraud. A few days later, the fraudster calls to report a lost or stolen credit or debit card which prompts the bank to issue a new one by sending it to the identity thief’s address. Once the card is received, the fraudster goes shopping or takes money out of the bank for as long as the cards remain active. Usually the banks have fraud detection systems which are configured to detect a variety of common fraud red flags. Depending on how well a bank’s fraud detection system is configured and managed, the address change fraud may be detected early on or much later. For example, the system might not recognize the address change as a suspicious account activity although the address change occurred only a few days before the card was reported as lost or stolen, however, the system might detect the fraudulent transaction as the thief continues with his shopping spree.
Address change fraud is one of the identity fraud red flags which is addressed by the Federal Red Flags Rule for preventing fraud. This type of scheme also knows as social engineering is meant to easily bypass system security controls and take advantage of an employee’s lack of risk awareness and education regarding company procedures and their applications in their daily work. Address change fraud scams can be detected if banks properly identify it as part of their red flag management during the identity theft risk assessment process, configures their fraud systems to report suspicious activities according to the results of the risks assessment, follow up with reported events, update their identity theft prevention policies and procedures, and educate their employees especially regarding customer identity verification.
Customers can also help banks prevent and detect identity theft early on. For example, a couple of the most important things that consumers can do are to observe the frequency of their bank or credit account statements and notify the bank when they do not receive one on the scheduled date and also review their account statements to detect any unrecognized transactions and notify the banks even if they do not expect any activities on the account.
For address change fraud prevention and education, consider the Certified Red Flag Specialist (CRFS) program.
Last Updated on Monday, 26 March 2012 05:41 Written by Celframe Security Team Thursday, 20 September 2012 04:04
Placing fraud alerts or fraud warnings on your credit reports is a good identity theft prevention control. You need to place them on your credit reports as soon as you discover or even suspect possible identity theft. There are currently two types of alerts that you can place on your credit reports; initial alert and extended alert.
The purpose of the alerts placed on your credit reports is to alert the businesses which do business with you regarding your possible identity theft and fraud case and encourage them to contact you and confirm your identity if a transaction is initiated under your name. This is to make sure someone else is not getting loans or opening new credit accounts under your name for example. Although this may not be effective in stopping your identity theft if businesses do not contact you to validate your identity, you may have legal options in case of an identity theft if it occurs after you placed the alerts. Plus, it's better than having no control at all. To validate your identity, businesses will call you at home or your business number available on your credit files. That’s why it’s a good idea to have your current phone number properly listed and validated with the credit reporting agencies to help businesses find you as quickly as possible.
You may place a fraud warning by contacting the credit reporting agencies and it may take them 24 hours to activate the alert on your credit files and send you the confirmation.
An initial alert placed with any of the 3 credit reporting agencies stays on your credit report for 90 days and you should typically place an initial alert when you suspect you are a victim of identity theft or are even about to become one. It’s a very good idea to place an initial alert if and when you lose your identity cards, passport, wallet or any other identity component, which cannot be readily found. Although, the credit agency where you placed your fraud alert is required to share the information with the other 2 agencies, it’s always a good idea to contact the other ones as well and place separate alerts just in case there is a failure in the process which I’m sure is extremely rare, right? I mentioned placing an initial alert on your credit report is a good idea when you suspect someone is either using or even considers using your financial identity, and I also suggested placing fraud alerts when you lose your personal information like a credit card to prevent potential identity theft. What I would also add to my statements is to place a fraud alert on your credit reports at all 3 agencies regardless of your suspicions of someone using your identity or whether you have lost your personal information because I just think that businesses should validate an identity before completing transactions anyway and they need to be reminded if they forget to do so. You should consider placing a fraud alert and then renewing that alert every 90 days. This way, you know for sure creditors are warned to contact and validate your identity before granting credit by opening new accounts. If you're worried about remembering when to renew, don't worry, many companies now provide automated services to place and renew the alerts. This is the latest control and most effective in preventing identity theft other than credit or security freeze implemented in some states and being considered in others which will require your involvement to lift the freeze before agencies can release your credit reports to creditors.
Placing fraud warning or alerts on your credit files is a great way to prevent credit identity theft if businesses take them seriously and some identity theft prevention services sold in the market these days can place the alerts for you and automatically renew the alert every 90 days for a fee. So, if you have tendency to forget or have little time for placing and renewing fraud alerts, consider subscribing to such services which according to recent statistics greatly reduce the risk of identity theft by asking creditors to contact you in order to open new accounts or extend existing credit limits. The only problem with fraud alerts in my opinion is that businesses may not take the alerts seriously enough to validate identities before granting credit as more people routinely place them these days, although I think it makes a of business sense to do so. However, the Red Flags Rule clearly requires businesses to take them seriously and verify identities before granting a new line of credit.
You can place your free initial fraud alert at either or both links below:
Equifax Fraud Website
TransUnion Fraud Website
You can also place an extended alert on your credit reports when in fact you have become an identity theft victim. To place an extended fraud alert, you will need an identity theft report. The extended alert will stay on your report for 7 years, but don't worry; you can remove the alerts at any time by contacting the agencies. An extended report also entitles you to 2 free credit reports from each one of the 3 agencies.
Learn why credit freeze may be a better option than fraud alerts for some people.