Tag Archives: ftc

Aggressive Regulation on Data Breaches

Below is an excerpt from John Farley’s new book: “Online and Under Attack: What Every Business Needs To Do Now To Manage Cyber Risk and Win Its Cyber War.”

The Internet of Things

Every one of us lives in a brave new connected world. For most of us, our first foray into the online world occurred at work, as businesses discovered that the internet provided a means to efficiencies that made them more competitive. The convenience of the internet has spilled over in dramatic fashion into our personal lives. The average home contains 13 internet-connected devices, and that number is growing fast. It has given birth to the term we know today as the Internet of Things (IoT). According to the FTC’s 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World,” the number of internet-connected devices surpassed the number of people living on the earth several years ago. As of 2015, there were an estimated 25 billion internet-connected devices. The FTC estimates that this number will double to 50 billion by 2020.

Consumers love the convenience that these products bring, and manufacturers recognize this. There has been a tremendous rush to the market, as everything from security cameras, DVRs, routers, TVs, cars and thermostats to children’s toys is being designed to connect to the internet. The list grows daily. Unfortunately, recent history has shown that as manufacturers hurry to capture their share of the market for these devices, many have ignored the concept of security at the design stage. Instead, the focus has been to get products manufactured quickly and economically. Extra steps in the product design stage, such as addressing security, would likely increase design time, make products more difficult for the consumer to set up and ultimately increase cost. As a result, many products in our homes lack basic cybersecurity controls and are subject to online threats, as demonstrated earlier in this book in the Dynamic Network Systems attack in October 2016. Many products come with easily guessed passwords or none at all. When security flaws are recognized by manufacturers, they are often not easily patchable.


The FTC has taken notice and made its concerns heard in January 2017 by filing a lawsuit against Taiwan-based D-Link and its U.S. subsidiary, D-Link Systems. In the complaint, the FTC alleges the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. D-Link sells networking equipment that integrates consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to do things like monitor their homes and children in real time. Consumers simply access the live feeds from their home cameras using their mobile devices or any computer.

The crux of the lawsuit is the allegation that D-Link failed to protect consumers from “widely known and reasonably foreseeable risks of unauthorized access.” Specifically, the FTC alleges that D-Link failed to do the following:

  • Take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws that would potentially allow remote attackers to gain control of consumers’ devices.
  • Take reasonable steps to maintain the confidentiality of the “signature” key that D-Link used, which resulted in the exposure of the private key on a public website for approximately six months.
  • Use free software, available since at least 2008, to secure users’ mobile app login credentials, instead storing those credentials in clear, readable text on users’ mobile devices.

The case is especially noteworthy because it does not allege a known breach of security in D-Link devices. Instead, the FTC appears to be taking measures against the company without waiting for a successful cyberattack to occur before acting. For guidance on what the FTC expects, we may refer back to its 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World.” In that report, the FTC makes the following recommendations:

  • Build security measures into devices from the outset and at every stage of development—don’t wait to implement retroactive security measures after the devices have already been produced and sold.
  • Consistently maintain up-to-date software to secure consumer personal information, and ensure regular software testing. Any identified vulnerabilities should be remediated promptly; connected devices should be monitored throughout their life cycles; and security patches should be issued to cover known risks.
  • Take steps to implement reasonable access-control measures for IoT devices, including making sure proprietary device signatures remain confidential.
  • Accurately describe the products’ safety and security features in marketing and promotional materials.


The Key to Survival in the Wild West of Cyber

Today, the question is not whether my organization will experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, as well as government entities, are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third-parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation, PCI assessments; business interruption costs and system failure; legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, it is not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.


Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even while companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets, with approximately 51% of PP&E assets covered by insurance to only 12% of information assets covered on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle with accurately assessing and quantifying cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year only totaled around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, well-resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber-resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, to the balance sheet and to corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from sophisticated penetration testing and social engineering techniques to employing ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.


News of an attack is never scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: the company identifies the breach itself, finding that a malicious actor has been in the network for weeks, or even months; the company receives a call from law enforcement, often with limited information, as part of a larger compromise that has occurred; or, in the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have additional internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering who to retain, it is key to look at the firm’s experience: the number of cases a firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can launch lawsuits against organizations if it suspects them of failing to properly safeguard customer information. Such cases have the potential to span several years and can result in companies’ drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect from such costs, it is critical that companies quantify the intangible damages that will occur in the event of a breach and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to effectively assess risk, evaluate preparedness and write policies, the policies still vary greatly. At its base, companies want a policy that covers “first party” types of losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover the third-party traditional liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover costs to defend against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This will confirm that the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceeding, negligence is by far the most common reason an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a number that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs was Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk for identity theft and was the result of the hospital’s inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions, with claimants eligible for cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, this pendulum could swing. When it swings, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.


Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

The Destructive Search for an Elixir of Life

For 3,500 or more years, mankind has been searching for the mythological elixir of life, the Fountain of Youth, the philosopher’s stone, pool of nectar, etc. that will defeat aging and extend life, if not achieve immortality.

According to Wikipedia, “The elixir of life, also known as the elixir of immortality and sometimes equated with the philosopher’s stone, is a mythical potion that, when drunk from a certain cup at a certain time, supposedly grants the drinker eternal life and/or eternal youth.”

All around the globe from 400 BC on, alchemists from India to China to Europe were seeking the elixir of life. Many thought gold was an essential ingredient.

The Fountain of Youth, also known as the water of life, was part of the search for the elixir of life. That search was in full throttle during the crusades and was carried to the New World by Spanish explorers, the most famous of whom was Ponce de Leon in the 1500s. Even the Mayans had legends about waters of eternal youth.

The search for the elixir of life didn’t end there.

In the 19th century in the U.S., many believed that bathing in special springs had healing powers. During that era, people flocked to Eureka Springs, Hot Springs, Healing Springs and many, many more. So-called healing spas are still very popular today.

“Snake oil” salesmen were peddling various cure-alls into the 20th century. A search on the Internet will reveal a large number of “promising” balms and salves, some of which actually worked for minor scrapes and burns.

If you’re over 60 or so, you may recall Carter’s Little Liver Pills. They were advertised to treat biliousness and other ailments. The FTC made the company drop the word “liver” from the name. Carter’s Little Pills are still sold, but as a laxative.

If you watched the Lawrence Welk show, you saw ads for Serutan, which is “natures” spelled backward. It’s a “vegetable hydrogel.”

Today, the search for an elixir of life, by various names, is still in high gear, and salesmen abound.

People still pursue the same goal of longer and healthier lives through a mix of vitamins, supplements, wellness, incentives, education, exams, tests, etc. that will push the time of their death out a few years.

But, alas, the human body and its organs simply wear out over time. No insurance plan, wellness plan, patient education program or prevention combination can defeat the inevitable. As we age, our bodies just wear out. For example, the reason brain aneurysms and strokes occur in the elderly is that blood vessels get thinner and more fragile with age. The same applies to other vascular diseases. Joint diseases are common as we age. Why? Joints just wear out over time. Dementia is usually related to aging. The list goes on and on.

According to NIH data, all cancer rates begin to skyrocket at about age 65. That is partially the effect of age-related diminishing immune systems. Our immune systems wear out as we age.

Companies are paying huge dollars to elixir-of-life promoters today, when all the facts show the elixirs just don’t work as advertised. Such companies’ intentions are good, even noble, but doomed to fail. Lesson: Whatever you seek, someone will find a way to sell it to you.

We are all going to have a mortal illness someday unless we die sooner from something like an auto accident. My grandfather died at age 99. Every organ in his body was failing. His kidneys were failing, as were his vascular system, his brain and his liver. Why? He simply outlived his body. I’ve known a number of good people who died a miserable death after years in nursing homes. I wouldn’t wish that on my worst enemy.

Another factor driving up costs in the U.S. has been the creation of the emergency phone number system — dialing 911 and having a life-saving trained team show up at your door in a few minutes. The 911 system saves lives, no doubt, but there have been unintended health cost consequences.

If one survives a heart attack, the average cost is about $250,000. Because of the 911 phone system, some 80-year-olds are surviving three heart attacks in nine months just to die from the fourth one, adding $750,000 of cost to their last 12 months. Now, healthcare providers are even putting ventricular assist devices in people like that to keep them alive for one more day. The cost for that procedure alone is $900,000.

I’m not making a comment on the morality of deferring an elderly person’s death for nine months at a cost of $750,000 to $2 million. But we need to have an adult conversation in America about how we are going to pay for all this. By any measurement, Medicare and Social Security are both totally unsustainable unless huge changes are made that will affect everyone. Beware of proposed changes that promote intergenerational rivalries.

The first chart shows death rates by age. When people hit about age 50, the death and sickness rates begin to skyrocket.

The second chart shows leading causes of death. See the strong correlation between aging and heart disease. People are simply outliving their hearts and blood vessels. In 1900, people rarely died of heart disease because they didn’t live long enough to develop chronic conditions. Most of the chronic diseases we worry about are simply a consequence of aging. They are irreversible. As with the Hydra of Greek mythology, if you defeat one chronic condition, three others will pop up.

The third chart shows health spending by age; again, disease correlates to aging. That will always be the case until someone comes up with a way to prevent aging or finds an “elixir of life.” That chart also illustrates the massive, wasteful spending on end-of-life care in the U.S. compared with peer countries.

People born in the U.S. today can expect to die along a bell curve centering on age 80. If we all do everything we can possibly do to be healthier for all of our lives, there will be slightly fewer deaths around ages 78 or 79. (A great source of information on this topic is Nortin Hadler’s The Last Well Person: How to Stay Well Despite the Health-Care System.)

In any case, if you are able to add a year to your life it will, obviously, be added to the end. For most people, that will mean another year in a nursing home, in assisted living or as an invalid at home. (A Washington Post article describes just how nasty nursing homes can be. Again, I would not wish that on my worst enemy.) People sometimes tell me about someone who was more or less healthy and independent at age 90. For every person like that there are a hundred in nursing homes or dementia units.

Most people retiring today don’t have enough in savings to support themselves for more than a few years, let alone enough to pay for assisted living or nursing homes when they are elderly and frail. Medicaid nursing home budgets are likewise unsustainable. Don’t count on that. For many people, living a year or two longer will simply mean being a burden to your children for another year or two, both financially and emotionally.

What about your children’s lives? Do you really want them to have to look after you well into their 60s? At that age, they should be concentrating on their own welfare.

As people age into their 80s and 90s, many become demanding in an irrational way. Some people aged 55 and up are relieved when their elderly parents pass away, but often with feelings of guilt. Most people have witnessed this in their own families.

Someday, researchers may discover a way to delay the effects of aging. Personally, I believe such is the province of science fiction. If aging is ever reversed, God help us. That would be very destructive to mankind.

Imagine our world populated by a billion or more centenarians. Imagine a nation with an average age of 65. Imagine yourself at age 90 with a 120-year-old parent or two. Who will look after whom? Will 70-year-old children or their 45-year-old children be able to look after and support such parents, grandparents and great-grandparents? The news from Asia is that many young people are no longer willing to support their centenarian parents or grandparents today, let alone great-grandparents.

What should we all do then? Simple. Spend less time wringing your hands over which illness will get you in the end; rather, make the most of the time you have. Worry will never add a day to your life.

The Romans had a blessing: May you live well and die suddenly.

New Worry on ID Theft: Tax Fraud

Statistics on identity theft show that tax-related fraud causes billions of dollars of financial harm, but tax fraud assistance may or may not be included in identity theft protection products. For comprehensive coverage, an identity theft protection service must include tax fraud assistance.

What is tax fraud?

Instances of tax fraud could involve…

  • Phone scams where thieves pretend to be the IRS calling for money or information
  • Phishing scams where fraudsters send fake IRS emails or set up unsolicited websites to get money or information
  • Criminals using false information or a taxpayer’s stolen information to file fraudulent tax returns, thereby getting the victim’s refund
  • Dishonest tax preparers who defraud their clients with false deductions, inflated expenses or the like

How common is tax fraud?

Every tax season – and all the months in between – the U.S. Treasury Inspector General for Tax Administration (TIGTA) deals with dishonest tax-related schemes. TIGTA has received well over 90,000 complaints about IRS phone scams and found that victims have lost approximately $5 million.

In 2013, the Federal Trade Commission (FTC) received 1,455,146 identity theft complaints – a third of which stemmed from tax-related fraud. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were also tax-related.

Fake tax returns cause problems, as well: $4 billion of tax refunds went to fraudsters after they sent in fake tax returns to the IRS.

How do identity theft protection plans address tax fraud?

Unfortunately, not many products provide services specifically geared toward preventing tax fraud. Common features, like credit monitoring, are less likely to catch these kinds of crimes because tax information is not connected to the main credit activity being monitored.

Another reason for lack of tax fraud assistance could be strict limitations on a third party’s ability to communicate with the IRS. The IRS requires that anyone communicating with it on a victim’s behalf must have IRS-approved credentials (e.g. enrolled agent, certified tax preparer or certified public accountant).

The upkeep of a tax fraud assistance division can get expensive, as well. A significant amount of time and money are needed for finding approved specialists, giving them the time to work through each case and maintaining the correct credentials. Some certifications involve continuing education, periodic renewal fees that can really add up and purchasing and maintaining a tax preparer bond in the thousands of dollars.

Despite limited capabilities to detect that a member is a victim of tax fraud or act on a victim’s behalf with the IRS, a specialist could still assist victims by guiding them on what to do next and giving them the necessary resources to carry out the steps themselves.

How can you avoid tax fraud?

First, whether it’s on your own or through an identity theft protection plan, tap into resources about how to avoid victimization. For example, learn how to pick a reliable tax preparer and how to handle tax documents with confidential information.

Second, make sure your protection plan includes Social Security number (SSN) monitoring because your SSN is a key piece of information that the IRS uses to confirm your tax return actually came from you. In some instances, if a taxpayer’s SSN is at risk, the IRS will issue a special PIN that differentiates the taxpayer’s real tax return from the thief’s fake ones.

Third is tax fraud assistance, which provides access to professionals who will help victims report the crime and address the resulting issues. Victims of tax scams deal with the same burden of significant financial losses and rebuilding reputations that accompany any other kind of fraud. Support from people who are familiar with both the tax system and identity theft recovery will give victims direction and help them take action.

Taxes are already frustrating for many, so adding the problem of identity theft only aggravates the situation. The statistics prove that tax fraud is relevant and must be taken into account when building security against identity theft and fraudulent activity.

‘Phone Spoofing’ – Yes, It Can Happen to You

Not so long ago, a senior executive at Insurance Thought Leadership received a phone call on his smartphone in which the caller claimed to be returning a call. The ITL executive politely let the caller know that he hadn’t called. Then came another “returned” call… and another. Each caller said he had received a call from the ITL executive’s mobile number and that the caller hadn’t left a message. All told, the ITL executive received about a call a day for about a week.

Naturally, he called his mobile provider to find out what was going on. The provider said it sounded like “phone spoofing.”

How It Works

Spoofing is effectively falsifying a piece of identifying information, like a return email address. “Phone spoofing” relates to the number that shows up on caller ID — someone appears to be calling from that number but doesn’t own that number and is really calling from somewhere else. Spoofing is used to trick people into picking up calls they otherwise wouldn’t (and get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, attorneys general in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically challenged telemarketers, debt collectors or scammers. And, as with most sketchy callers, they don’t leave a message if the target doesn’t answer. If the recipients are curious about who called, all they have to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim — though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the U.S. from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value….” The act also includes penalties of as much as $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the U.S., it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: The FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses on actions taken against the recipient of the call (as opposed to the real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s fairly difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you have to. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do if It Does Happen to You?

For starters, you can file a complaint with the FCC.

But, although it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

Happy Ending

In the case of the spoofing against the ITL executive, the system worked as well as possible. The authorities, working with the carrier, tracked the spoofing back to a scam artist in Germany, and an arrest was made.