Travel — and travel scams — are back

Although COVID-19 remains a concern, many people have started traveling again — both for business and pleasure. Unfortunately, as travel demand has increased, so has travel-related fraud.

For example, some fraud perpetrators posing as airline employees call would-be victims to try to elicit credit card numbers. Other scam artists send phishing emails that appear to offer cheap seats or rooms. And there are plenty of fake websites masquerading as legitimate travel companies.

Don’t fall for fraud

As you plan your next trip, take these steps to help reduce fraud risk:

Ignore unsolicited communications. Whether you receive an email, text, flyer or telemarketing call regarding travel bargains, it’s probably smart to ignore it. Afraid of missing out on a legitimate deal? Directly contact the airline, hotel or rental car company featured in the promotion.

Book with established companies. Whether traveling for business or pleasure, make reservations with companies with names you know. If you’re booking with a new service provider, read online reviews by fellow travelers. Some review platforms allow you to search using keywords, others identify keywords frequently used by reviewers and allow you to filter for those reviews. Also perform an online search with the name of the company and words such as “fraud” or “scam.”

Watch out for lodging scams. Many travelers use online property marketplaces to find lodging. But you need to scrutinize listings. Some fraud perpetrators post ads for nonexistent properties with enticing, below-market rates. If a “property owner” asks you to move the conversation off the site to avoid fees, refuse the request. Reputable platforms provide certain protections, such as insurance in the event the transaction results in fraud. They also keep your credit card information confidential.

Work with trusted services. If you travel frequently for business or pleasure or don’t have time to research trips, consider engaging a travel advisor or travel agent. These professionals maintain close working relationships with legitimate companies, know about the latest deals, may be able to provide insider tips about your destination and can, of course, make reservations for you.

Go with your gut

Before booking your vacation or business trip, scrutinize it for signs of fraud. If you doubt the legitimacy of a service provider or are suspicious of individuals involved in a transaction, go with your gut and look elsewhere. Safe travel requires due diligence that starts long before your journey begins.

© 2021 Covenant CPA

Be careful. There might be a “visher” on the line

“Vishing” may sound familiar, but unless you’re a fraud investigator, you probably haven’t encountered it. Unfortunately, that could change … soon. To foil a scam that increasingly takes advantage of remote workers, learn what vishing is and how your business can prevent it from infiltrating your network.

Clarifying terms

Vishing isn’t the same as “phishing.” The latter is a type of social engineering fraud that involves email or text messages designed to trick someone into revealing sensitive personal information. Or it may target employees to gain access to worker and customer data, as well as intellectual property.

Voice phishing (or vishing) scams, on the other hand, involve phones — rather than email or text messages. Vishing schemes often are more aggressive, elaborate and personalized than traditional phishing scams. Therefore, they can be harder to detect.

A look behind the scam

Vishing scams attacking businesses have grown as more employees have started working from home. Typically, fraudsters begin by researching employees online. Armed with such information as an employee’s name, position and duration of employment, the perpetrator poses as a member of the employer’s IT department, claiming he or she needs to install security updates on the employee’s laptop.

Believing they’re giving remote access to a coworker, victims enter their login information into a virtual private network (VPN) set up by the perpetrator. This includes any two-factor authentication or one-time passwords. It’s an honest mistake by the employee that gives the visher real-time access to the company’s actual VPN — and its proprietary information.

Turn a weakness into a strength

Most vishing schemes exploit VPN weaknesses. So if your remote workers access your network through a VPN, be sure to:

  • Restrict VPN connections to managed devices only,
  • Limit VPN access hours, if possible, to mitigate after-hours access,
  • Use domain monitoring to track changes to the company’s domains,
  • Actively scan and monitor Web applications for unauthorized access and modification, and
  • Employ the principle of least privilege (which restricts access to only those privileges needed to perform essential job functions).
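As an added illustration (not part of the original article), the first two controls in the list above can be audited after the fact by reviewing VPN session records against the managed-device inventory and the permitted access window. The log format, device names and weekday 07:00 to 19:00 window are constructed assumptions.

```python
from datetime import datetime, time

# Assumed policy values; replace with your own inventory and access window.
MANAGED_DEVICES = {"LT-0042", "LT-0107"}              # constructed device inventory
ALLOWED_START, ALLOWED_END = time(7, 0), time(19, 0)  # assumed access hours
ALLOWED_WEEKDAYS = {0, 1, 2, 3, 4}                    # Monday through Friday

# Constructed sample records: "<ISO timestamp> <user> <device id>"
SESSION_LOG = """\
2021-06-14T09:12:00 jdoe LT-0042
2021-06-14T23:41:00 jdoe LT-0042
2021-06-15T10:05:00 asmith UNKNOWN-7F3A
2021-06-19T14:30:00 asmith LT-0107
truncated-record
"""


def review_sessions(log_text):
    """Return one finding per session that breaks the device or hours policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            stamp, user, device = line.split()
            when = datetime.fromisoformat(stamp)
        except ValueError:
            # Keep malformed records visible instead of silently dropping them.
            findings.append({"record": line, "reasons": ["unparsed_record"]})
            continue
        reasons = []
        if device not in MANAGED_DEVICES:
            reasons.append("unmanaged_device")
        in_hours = (when.weekday() in ALLOWED_WEEKDAYS
                    and ALLOWED_START <= when.time() < ALLOWED_END)
        if not in_hours:
            reasons.append("outside_access_hours")
        if reasons:
            findings.append({"record": line, "user": user,
                             "device": device, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_sessions(SESSION_LOG):
        print(finding["reasons"], finding["record"])
```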

Consider implementing a formalized authentication process for employee-to-employee phone communications. For example, you might require a second factor to authenticate the phone call before discussing sensitive information.

Training your employees 

Knowledgeable employees can also help you identify suspicious activity. So be sure to add vishing to your fraud training handbook. Contact us for help if you suspect fraud has attacked your business.

© 2021 Covenant CPA

Cash talks — and fraud experts are listening

Fraud perpetrators take whatever they can get their hands on. But they generally prefer cash because it’s virtually untraceable. Fortunately, fraud experts have the expertise and tools to trace even cash-based theft.

Multiple opportunities

According to the Association of Certified Fraud Examiners, there are three main categories of cash fraud, which includes checks because they’re easily converted to cash: 1) theft of cash on hand, 2) theft of cash receipts and 3) fraudulent disbursements. Fraudulent disbursements comprise many of the most frequently executed schemes, such as overbilling and “ghost” employee schemes.

Overbilling vendors usually submit inflated invoices by overstating the price per unit or the quantity delivered. A dishonest vendor also might submit a legitimate invoice several times. Overbilling may involve collusion with employees of the victim organization, who typically receive kickbacks for their assistance.

Employees also can conduct billing fraud on their own, submitting bogus invoices payable to a fictitious vendor and diverting the payments to themselves. Similarly, an employee might set up payroll disbursements to nonexistent employees.

Suspicious signs

Cash can be difficult to trace once it’s in the hands of a thief. But forensic experts usually are able to trace the path that stolen cash took before the fraudster pocketed it. This includes who “touched” the cash and what prompted its flow out of the organization.

Inflated invoices, for example, often leave a trail of red flags. Experts look for invoices that bill for “extra” or “special” charges with no explanation. Other suspicious signs may include:

  • Round dollar amounts
  • Amounts just below the threshold that requires management’s sign-off, and
  • Discrepancies between invoice amounts and purchase orders, contracts or inventory counts.

If forensic experts suspect that fictitious billing has occurred, they often investigate accounts with no tangible deliverables — such as those for consulting, commissions and advertising — and check vendor addresses against employee addresses. Invoices with consecutive numbers or payable to post office boxes receive extra scrutiny.
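The red flags described above can be screened for automatically before a human review. The following is an added example, not code from the article: the invoices, addresses, the 5,000 approval threshold, the 5% "just below" band and the definition of "round" as a multiple of 100 are all constructed assumptions.

```python
import re
from collections import defaultdict
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")  # assumed management sign-off limit
NEAR_BAND = Decimal("0.05")           # assumed: "just below" = within 5% under it
EMPLOYEE_ADDRESSES = ["12 Oak St, Springfield"]  # constructed HR extract

# Constructed invoices: (vendor, number, amount, purchase-order amount or None, address)
INVOICES = [
    ("Acme Supply", "A-1041", "1287.43", "1287.43", "400 Industrial Pkwy, Springfield"),
    ("Brightline Consulting", "0007", "4950.00", None, "P.O. Box 77, Springfield"),
    ("Brightline Consulting", "0008", "4900.00", None, "P.O. Box 77, Springfield"),
    ("Delta Freight", "D-220", "3150.75", "2650.75", "12 oak st., springfield"),
]


def normalize(address):
    """Lower-case, drop periods and collapse whitespace so addresses compare."""
    return " ".join(address.lower().replace(".", "").split())


def consecutive_pairs(invoices):
    """Return (vendor, number) keys whose numeric suffix is adjacent to
    another invoice number from the same vendor."""
    by_vendor = defaultdict(list)
    for vendor, number, *_ in invoices:
        match = re.search(r"(\d+)$", number)
        if match:
            by_vendor[vendor].append((int(match.group(1)), number))
    flagged = set()
    for vendor, numbered in by_vendor.items():
        numbered.sort()
        for (a, num_a), (b, num_b) in zip(numbered, numbered[1:]):
            if b - a == 1:
                flagged.update({(vendor, num_a), (vendor, num_b)})
    return flagged


def audit(invoices=INVOICES, threshold=APPROVAL_THRESHOLD):
    """Map each (vendor, invoice number) to the list of red flags it raises."""
    staff = {normalize(a) for a in EMPLOYEE_ADDRESSES}
    sequential = consecutive_pairs(invoices)
    report = {}
    for vendor, number, amount, po_amount, address in invoices:
        amount = Decimal(amount)
        addr = normalize(address)
        flags = []
        if amount % 100 == 0:
            flags.append("round_amount")
        if threshold * (1 - NEAR_BAND) <= amount < threshold:
            flags.append("just_below_threshold")
        if po_amount is not None and Decimal(po_amount) != amount:
            flags.append("po_mismatch")
        if addr in staff:
            flags.append("employee_address")
        if re.search(r"\bp ?o box\b", addr):
            flags.append("po_box")
        if (vendor, number) in sequential:
            flags.append("consecutive_numbers")
        report[(vendor, number)] = flags
    return report


if __name__ == "__main__":
    for key, flags in audit().items():
        print(key, flags or "no flags")
```

A flag is a reason to pull the supporting documents, not proof of fraud; legitimate vendors also use post office boxes and bill round amounts.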

Other avenues to explore

Returned checks can supply useful information, too. Fraud perpetrators are more likely to cash checks, whereas legitimate businesses typically deposit them and rarely endorse checks to third parties.

To trace ghost employee schemes, experts examine payroll lists, withholding forms, employment applications, personnel files and other documents. The information collected from these sources may provide vital links between actual and ghost employees that wouldn’t otherwise be apparent.

Don’t waste time

If you suspect that any of these fraud schemes are underway in your business, contact us immediately. The best way to prevent significant losses is to catch the thief as quickly as possible. We can also help you implement internal controls to help prevent such fraud in the future.

© 2021 Covenant CPA

Some online sellers burnish their reputations at the expense of yours

Reports started trickling into state agricultural agencies in July: Consumers were worried about strange seed packets they had received in the mail. The unsolicited goods weren’t labeled and appeared to be sent from China. In a year already fraught with anxiety and paranoia, the story quickly made headlines.

Perhaps this was the first you’d heard of a scam known as “brushing,” in which some third-party e-commerce sellers set up fake buyer accounts and ship unordered goods (in this case, seeds) to “customers.” Why would they do this? Read on. 

A growing fraud 

Brushing scammers set up fake accounts with Amazon, eBay and other online platforms so that they can order their own merchandise, ship it to a real address and then post glowing reviews that bolster their ratings. The ultimate objective, of course, is to attract more buyers for their goods.

According to the U.S. Department of Agriculture (USDA), the seeds people received this summer seem to be part of a brushing scheme. (The USDA is continuing to investigate, but at this time, the seeds don’t appear to be dangerous or capable of producing invasive plants.) However, this isn’t the first time Americans have received unordered merchandise from unknown companies. Over the past couple of years, consumers have been surprised by gifts of everything from flashlights to hand warmers to Bluetooth speakers.

Considering that you aren’t obliged to pay for or send back merchandise you didn’t order, this may not seem like a big deal. However, it suggests that personal information has been disclosed or compromised. So if you receive one of their packages, brushers have — at the very least — your name and home address and may also have your phone number and email address. And, as the Federal Trade Commission (FTC) warns, these fraudsters may have set up fake accounts in your name on multiple websites — or even hacked your legitimate accounts.

Nip it in the bud

How can you prevent dishonest businesses from burnishing their own reputations at the possible expense of yours?

  • Report a suspicious package to the online retailer or platform (if you know what it is).
  • Check your accounts for suspicious activity and change your passwords.
  • If it appears accounts have been compromised, review your bank and credit card statements and credit reports. Consider freezing them to prevent fraud perpetrators from opening new accounts in your name.
  • File a report with the FTC at ftc.gov/complaint. 

Remember that it’s always possible a seller simply sent you something by mistake. Or a friend may have ordered a gift and forgotten to enclose a message to you. So do a little snooping before jumping to conclusions. But if it still seems your mystery package is part of a brushing scam, don’t just brush it off. Report the “gift” and make sure your accounts are secure.

© 2020 Covenant CPA

How COVID-19 poses new fraud threats to vulnerable businesses

Scam artists know how anxious business owners are during the current coronavirus (COVID-19) crisis. They know that as you struggle to meet customer demands, pay employees and stay solvent, you’re more likely to drop your guard and fall for a fraud scheme. The last thing your business needs right now is to suffer additional financial losses. So keep an eye out for the following scams:

Fake suppliers. Whether you’re a manufacturer seeking raw materials or a grocer desperate to keep shelves stocked, you may have trouble getting your usual supplies. If a regular supplier is temporarily — or permanently — shut down, be careful about doing business with unknown vendors. Many authentic-looking websites are, in fact, fronts for criminal operations, and if you place an order with them, you may never receive the goods. Also be wary of cold callers promising to source hard-to-get items. If it sounds too good to be true, it probably is.

Defective goods. Even if you do receive your supply order, there’s a chance its contents will be defective. In early March, an international team of law-enforcement agents arrested 121 criminals around the world who were selling counterfeit surgical masks, hand sanitizer and other in-demand products. Depending on your business, buying defective goods could be an expensive mistake — or a public health emergency.

Payment fraud. Online payment fraud was already growing aggressively. But COVID-19 is expected to throw fuel on the fire as more people turn to home services apps, such as those for food delivery and online learning. Consumers usually don’t pay when their stolen credit cards are used to make purchases. But businesses generally do. You’re likely to be held responsible for fraudulent transactions, as well as possible chargeback fees. So be vigilant about maintaining IT security. Retailers might consider adding an Address Verification Service, which confirms a cardholder’s billing address with the card company.

Google scam. Fake robocalls claiming to come from Google have circulated for several years. Now there’s a COVID-19 twist. The recorded message tells businesses “affected by the coronavirus” that they need to ensure their Google listing is correct so that customers can locate them during the pandemic. If you speak to someone, he or she may ask for payment to list your business or try to gain confidential information. Know that Google never makes unsolicited sales calls. If someone tries to convince you otherwise, hang up.

Unfortunately, these schemes represent only the tip of the iceberg. For the latest on COVID-19-related fraud, visit the Federal Trade Commission’s “Business Center” at ftc.gov/tips-advice/business-center. Or contact us.

© 2020 Covenant CPA

Fraud du jour: Social Security phone scams

Despite the National Do Not Call registry and features such as caller ID, phone fraud is thriving in the mobile phone era. Using spoofed numbers — which appear to be connected to legitimate government offices and businesses or that resemble your own number — fraud perpetrators say anything and everything to try to steal your money.

Recently, scammers have posed as Social Security officials to steal from unsuspecting consumers. Since January 2018, the Federal Trade Commission has received more than 63,000 reports about this scam. Only 3% of reporting call recipients lost money, but the losses total $16.6 million.

Anatomy of a crime

Here’s how the Social Security scheme works: Criminals call from spoofed phone numbers and tell consumers that their Social Security number has been linked to a crime and has been “suspended.” The callers claim that the consumer’s bank accounts will be seized by the government unless they withdraw money and transfer the amount to gift cards. While the thief remains on the line, the consumer purchases the gift cards. Then the caller asks for the gift card numbers and PINs, supposedly for “safekeeping.” With that information, the fraudster uses the cards or sells them on the black market.

The same callers also usually ask consumers for their Social Security number for confirmation purposes. With this critical piece of personal information, crooks can steal someone’s identity.

Truth of the matter

The truth is that the Social Security Administration doesn’t suspend Social Security numbers, nor does it ask people for their numbers over the phone. And no government entity would ask for payment in gift cards. Criminals hope that you aren’t aware of these facts. They also use fear — of arrest, loss of savings and, in some cases, deportation — and a sense of urgency to get what they want.

Fortunately, you can avoid becoming snared in a Social Security phone scam by following some simple guidelines:

  • If you don’t recognize the number appearing on your caller ID, don’t answer the phone.
  • Install a spam call blocker (available in mobile app stores) and use it for any calls that seem suspicious.
  • If you inadvertently answer a spam call, hang up immediately.
  • Never provide personal information, including bank account or Social Security numbers, to anyone over the phone.
  • Report suspicious calls to ftccomplaintassistant.gov.

Businesses beware, too

Note that it’s not just consumers who might fall victim to phone fraud schemes. Fraudsters also target businesses to secure sensitive information such as bank account numbers, routing numbers and passwords. If you’re a business owner, educate employees about phone scams and implement fraud controls. Contact us for more information at 205-345-9898.

© 2019 Covenant CPA

Ticket scams: When the price of admission is too high

Concert, sporting and other event tickets can go for astronomical prices — when they’re even available. Hoping to find reasonably priced tickets (or to find tickets at all), many consumers turn to the online resale market. But while most resale transactions are legitimate, some involve ticket scammers. Buy from one of these sellers and you may end up with stolen or counterfeit tickets.

Playing defense

Ticket scams generally succeed because they exploit a common desire to bag a bargain or gain access to something that isn’t easily obtainable. But you can avoid getting tricked. Here’s how:

Buy direct. Whenever possible, buy first-release or secondary market tickets from the event’s official ticketing agent. The ticket may cost more, but buying from a reputable agent comes with peace of mind.

Look out for crooks. Ticket scammers often use spam email and fake websites to impersonate legitimate ticketing agents. Don’t click on links contained in unsolicited emails and don’t buy tickets from sites until you’ve researched their authenticity. Plug the ticket agent’s name into search engines and look at the agent’s social media accounts. Pay close attention to how the agent interacts with customers and handles disputes.

Ask questions. When buying from individuals, ask them to disclose how they received the tickets and why they want to sell them. If their story sounds suspicious, look elsewhere.

Verifying and reporting

It’s only when they’re turned away on game or concert day that many ticket scam victims learn they’ve been conned. So if you have any doubts about your tickets’ legitimacy, call or present them at the venue’s box office for confirmation as early as possible.

And if you’ve indeed been sold stolen or counterfeit tickets, notify law enforcement and report the incident to the Federal Trade Commission. You may not get your money back, but you’ll help prevent criminals from fleecing other unsuspecting ticket buyers. You can protect yourself from losing money on ticket scams by buying tickets only from agents that accept credit cards. In the event of fraud, most credit card issuers will refund the cost of your tickets and pursue collection with the seller. Contact us at 205-345-9898.

© 2019 Covenant CPA

Slam the door on home energy scams

Deregulation of the energy industry was intended to give consumers a choice of electricity and natural gas providers — and an opportunity to save money. But many homeowners in deregulated states are receiving higher energy bills thanks to deceptive, and even fraudulent, door-to-door sales practices.

Deception and fraud

Not all states have deregulated. If yours has, you probably know it because you’ve received mailings, phone calls and sales rep visits from companies asking you to switch from your current provider. In most cases, traditional utilities continue to transmit the energy; the new providers, offering discounts and other incentives, deliver it to customers.

Many such offers are legitimate and can potentially save you money. But others are deceptive, designed to get you to agree to switching without a full understanding of the terms. For example, a company may offer an attractive introductory rate that becomes outrageously high after the introductory period ends. These companies usually ask you to sign a long-term contract, and getting out of one is likely to involve cancellation fees and a lot of hassle.

Then there are the cases of outright fraud. In the most common scam, slamming, a salesperson claims to represent your current utility company and tells you that there’s a problem with your account. The rep asks to see a current bill to “straighten out” the issue. Instead, the crooked rep copies down your account number and uses it to change your provider, claiming that you requested the switch. You may not even notice you’ve been conned until your bills suddenly skyrocket.

Prevention starts with knowledge

As with all consumer choices, a little knowledge can go a long way. First, find out what company currently delivers and provides energy to your home. Then learn which providers operate in your city by visiting the American Coalition of Competitive Energy Suppliers site at http://competitiveenergy.org or by contacting your state’s utility regulatory commission.

If someone comes to your door purporting to represent one of these companies, ask to see a business card and personal ID. Before inviting the rep into your home, call his or her office to confirm the individual’s identity.

Even if an offer seems above-board, never provide a door-to-door rep with:

  • A utility bill containing your account number,
  • Payment information such as credit card numbers, or
  • Personal information such as your Social Security number.

A legitimate alternative energy salesperson should be willing to leave materials so you can review them at your leisure and research your options. Be particularly suspicious of any high-pressure tactics such as special rates if you “sign today.” And, of course, if a rep makes threats or simply makes you uncomfortable, shut the door and call the police. Call us for more at 205-345-9898.

© 2019 Covenant CPA

How gift card scammers target companies — and what you can do

Gift cards offer businesses a convenient way to reward employees and thank customers. However, as the FBI recently warned, gift card scams specifically targeting companies are on the rise. Since January 2017, losses from such fraud schemes have surpassed $1 million. Here’s what you need to know to avoid being cheated.

Anatomy of a scam

Fraudsters use classic “spoofing” strategies to execute what law enforcement terms Business Internet Compromise (BIC) scams. They email or text an employee, claiming to be someone who can authorize gift card expenditures, such as the company’s CEO or HR director.

Messages typically instruct the employee to purchase gift cards for the executive to give as gifts or to use for office expenses, such as holiday party supplies. The employee is told to send the gift card information, including card numbers and PINs, back to the “executive” (in reality, the scammer) who then cashes out the cards’ value. By the time the business catches on, it’s already too late to recover the stolen funds.

All companies are vulnerable to this type of fraud. But certain sectors seem to be at increased risk, including real estate, legal, medical, and distribution and supply businesses, as well as nonprofit organizations.

Simple steps

Prevention starts with education. Inform employees about the scam and ask them to be on the lookout for emails or texts that ask them to buy multiple gift cards on someone else’s behalf. They should be particularly suspicious if the email urges them to act quickly or to reply with the gift card numbers and PINs.

To be on the safe side, require employees to follow up on any electronically delivered purchasing request with a phone call to the requesting party. And to reduce the chance that employees will receive spoofed emails, ensure that your network security is robust and up to date.

Report and control

The FBI asks businesses to report BIC gift card incidents to its Internet Crime Complaint Center at www.ic3.gov. Also, contact us at 205-345-9898. We can help you implement strong internal controls to prevent fraudsters from taking advantage of unsuspecting employees.

© 2018 Covenant CPA