Tag Archives: website

New Worry on ID Theft: Tax Fraud

Statistics on identity theft show that tax-related fraud causes billions of dollars of financial harm, but tax fraud assistance may or may not be included in identity theft protection products. For comprehensive coverage, an identity theft protection service must include tax fraud assistance.

What is tax fraud?

Instances of tax fraud could involve…

  • Phone scams where thieves pretend to be the IRS calling for money or information
  • Phishing scams where fraudsters send fake IRS emails or set up unsolicited websites to get money or information
  • Criminals using false information or a taxpayer’s stolen information to file fraudulent tax returns, thereby getting the victim’s refund
  • Dishonest tax preparers who defraud their clients with false deductions, inflated expenses or the like

How common is tax fraud?

Every tax season – and all the months in between – the U.S. Treasury Inspector General for Tax Administration (TIGTA) deals with dishonest tax-related schemes. The TIGTA has received well over 90,000 complaints about IRS phone scams and found that victims have lost approximately $5 million.

In 2013, the Federal Trade Commission (FTC) received 1,455,146 identity theft complaints – a third of which stemmed from tax-related fraud. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were also tax-related.

Fake tax returns cause problems, as well: $4 billion of tax refunds went to fraudsters after they sent in fake tax returns to the IRS.

How do identity theft protection plans address tax fraud?

Unfortunately, not many products provide services specifically geared toward preventing tax fraud. Common features, like credit monitoring, are less likely to catch these kinds of crimes because tax information is not connected to the main credit activity being monitored.

Another reason for lack of tax fraud assistance could be strict limitations on a third party’s ability to communicate with the IRS. The IRS requires that anyone communicating with it on a victim’s behalf must have IRS-approved credentials (e.g. enrolled agent, certified tax preparer or certified public accountant).

The upkeep of a tax fraud assistance division can get expensive, as well. A significant amount of time and money are needed for finding approved specialists, giving them the time to work through each case and maintaining the correct credentials. Some certifications involve continuing education, periodic renewal fees that can really add up and purchasing and maintaining a tax preparer bond in the thousands of dollars.

Despite limited capabilities to detect that a member is a victim of tax fraud or act on a victim’s behalf with the IRS, a specialist could still assist victims by guiding them on what to do next and giving them the necessary resources to carry out the steps themselves.

How can you avoid tax fraud?

First, whether it’s on your own or through an identity theft protection plan, tap into resources about how to avoid victimization. For example, learn how to pick a reliable tax preparer and how to handle tax documents with confidential information.

Second, make sure your protection plan includes Social Security number (SSN) monitoring because your SSN is a key piece of information that the IRS uses to confirm your tax return actually came from you. In some instances, if a taxpayer’s SSN is at risk, the IRS will issue a special PIN number that differentiates the taxpayer’s real tax return from the thief’s fake ones.

Third is tax fraud assistance, which provides access to professionals who will help victims report the crime and address the resulting issues. Victims of tax scams deal with the same burden of significant financial losses and rebuilding reputations that accompany any other kind of fraud. Support from people who are familiar with both the tax system and identity theft recovery will give victims direction and help them take action.

Taxes are already frustrating for many, so adding the problem of identity theft only aggravates the situation. The statistics prove that tax fraud is relevant and must be taken into account when building security against identity theft and fraudulent activity.

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.

Stay informed with a free subscription to SPWNR

The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.

spike

Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, :You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.

The Insurance Implications of Social Networking Websites, Part 3

This is the third part of a six part series of articles discussing insurance coverage for claims that can be brought against individuals or companies because of the use of Social Media websites. Earlier articles in this series can be found here: Part 1 and Part 2. This article discusses coverages potentially triggered under Coverage A – Bodily Injury.

Bodily Injury Coverage
Even if the policy contains a personal injury coverage part (as discussed in part 2 of this series), analysis should still be made whether the policy provides coverage under the bodily injury coverage part. Oftentimes, this is dependent on the policy’s definition of “bodily injury” and “occurrence.”

Does The Defamatory Comment/Posting Made On A Blog/Website Constitute An Occurrence?
In order to trigger coverage under the policy’s insuring agreement there must be a defined “occurrence” that results in defined “bodily injury” during the policy period. Policies typically define “occurrence” as an “accident, including continuous or repeated exposure to substantially the same general harmful conditions” which results in bodily injury. Most jurisdictions hold that it is the insured’s standpoint that controls in determining whether there has been an “occurrence” that triggers the duty to defend under the policy. A majority of jurisdictions have held that an accident is “an unexpected, unforeseen, or undesigned happening or consequence from either a known or an unknown cause.” A deliberate act, therefore, is not an accident.

If the defendant publishes an internet posting that referred to the plaintiff in a derogatory manner, e.g., accusing the person of being a pedophile, then this is a deliberate act which does not constitute an occurrence as defined by the policy. Stellar v. State Farm General Ins. Co., 157 Cal. App. 4th 1498, 69 Cal. Rptr.3d 350 (Cal. App. 2007). Some jurisdictions have held that the very nature of defamation precludes the conclusion that it can occur “accidentally.” See, e.g., Uhrich v. State Farm Fire & Cas. Co., 109 Cal.App.4th 598, 135 Cal.Rptr.2d 131 (Cal. App. 2003); Rogers v. Allstate Ins. Co., 938 So.2d 871, 876 (Miss. App. 2006); Iafallo v. Nationwide Mut. Fire Ins. Co., 299 A.D.2d 925, 926, 750 N.Y.S.2d 386, 388 (N.Y. App. Div. 2002). Some jurisdictions, however, recognize negligent defamation and, therefore, there may be an occurrence triggering coverage. Cincinnati Ins. Co. v. Eastern Atlantic Ins. Co., 260 F.3d 742 (7th Cir. 2001); cf., Baumann v. Elliott, 704 N.W.2d 361 (Wis. App. 2005) (finding no occurrence because complaint did not allege a negligent defamation); Farmers Ins. Exchange v. Hallaway, 564 F.Supp.2d 1047 (D. Minn. 2008) (reversing summary judgment and holding that there may be personal injury coverage because underlying lawsuit alleged negligent defamation and intent to injure had not been decided).

There are, obviously, certain factual situations that may at first blush appear to be intentional, but, upon further, investigation, may constitute an occurrence triggering coverage. For example, an individual intends on posting a defamatory comment on Facebook, spends time typing out the comment, but later decides against posting the comment, but accidentally hits “share” rather than “cancel” and so the item is accidentally posted on Facebook against the user’s wishes. Although the individual may have originally intended to post a defamatory comment, at the moment the comment was indeed posted, the individual did not have that intention. This may constitute an “occurrence” triggering coverage.

Similarly, an individual may have intended to respond to a message on Facebook with defamatory or libelous remarks, but rather than clicking the “reply” button, the individually mistakenly clicked the “reply all” button and, consequently, the message is sent to everyone on the list, rather than just the individual that the user originally intended.

Another example includes attaching a video or picture to a social media website. The individual may have intended to attach file A, but when selecting the file, the individual selected file B, which contained a picture/video of a person in a compromising position such that the individual’s privacy is invaded.

These are a few examples where the claim or complaint may allege conduct that may at first blush appear intentional, but the true facts may reveal that coverage is triggered. Further investigation may be needed to determine coverage.

Does The Emotional Distress Or Other Alleged Damages Resulting From The Defamation Constitute Bodily Injury?
“Bodily injury” is typically defined in a policy as “bodily injury, sickness or disease sustained by a person, including required care, loss of service and death that results.” Courts have held that “bodily injury” encompasses only physical injury and its consequences and does not include emotional distress in the absence of physical injury. Waller v. Truck Ins. Exchange, Inc., 11 Cal.4th 1, 44 Cal.Rptr.2d 370, 900 P.2d 619 (1995); Nguyen v. State Farm Lloyds, Inc., 947 S.W.2d 320, 323 (Tex. Ct. App. 1997); Wiard v. State Farm Mutual Auto Ins. Co., 132 N.M. 470, 50 P.3d 565 (N.M. Ct. App. 2000). Thus, pure emotional distress does not constitute “bodily injury” for purposes of a policy unless there is specific policy language providing coverage for pure emotional injuries.

Because most social media claims do not involve direct physical contact, there is generally no “bodily injury” triggering coverage in the traditional sense. However, physical manifestations of emotional distress may be covered by the policy even if there was no direct physical contact with the claimant. This may include loss of hair, loss of weight, exacerbation of existing illnesses like Crohn’s disease, etc. If the claimant alleges such physical manifestations resulting from social media torts, then there may be qualifying “bodily injury” as defined by the policy.

Hopefully, this article makes the reader aware that social media torts may not only trigger coverage under the typical personal and advertising injury provided under Coverage B of the policy, if available, but that such social media torts may also trigger “bodily injury” coverage under Coverage A, depending on the particular factual circumstances.