It’s the Most Fraudulent Time of the Year

Seeing an increase in financial crimes and fraud during the holidays is par for the course in this industry. But as with nearly everything we’ve experienced this year, we can expect a “new normal” in seasonal fraud and scams. The coronavirus isn’t the only thing hitting record numbers as it surges across the country and the world.

The Federal Trade Commission (FTC) reports that more than 200,000 complaints of scams and fraud have been filed this year and Americans have lost more than $190 million to fraud related to the coronavirus. The FTC’s Sentinel Network tracked about 206,000 reports of fraud, identity theft, spam telephone calls, and other potential COVID-related scams from January 1 through September 22.

Fraud is going even more viral on social media channels. According to the FTC’s latest Consumer Protection Data Spotlight, the number of complaints about scams that started on social media more than tripled in the last year. People reported losing more than $117 million to this type of scam in just the first six months of 2020, compared to $134 million for all of 2019. Online shopping topped the list of complaints from consumers who reported a scam to the FTC that originated on social media when they responded to an ad. Facebook and Instagram were the top two social media platforms identified in complaints by 94 percent of consumers. The surge in fraud is not just happening in the U.S. UK Finance reports over £27 million was lost to fraud at online marketplaces and auction websites in the first half of 2020.

While Black Friday has traditionally been the busiest shopping day of the year for big box stores and malls, people are playing it safe during the pandemic and doing their shopping online. A recent survey led by Pitney Bowes found that 57 percent of consumers plan to shop online more this year, with 45 percent reporting they already do more than half of their current shopping online – that’s nearly three times the number prepandemic. Online shoppers are projected to spend a record $13 billion this year.

The pandemic has impacted how consumers live, work, play, and shop – and their financial safety. As transactions and distractions increase during the holiday, consumers become prime targets for seasonal scams and holiday hoaxes. These can lead to account takeovers, fraudulent activity, and identity fraud. According to an Experian survey, more than half (57%) of consumers feel the risk of identity theft is greater this year due to the pandemic. reported that over 60 percent of banks say fraud volumes are rising, with over 40 percent reporting that average fraud hit value is going up and that 22 percent of Americans have been targeted by pandemic-related fraud attempts since April.

Cybercriminals know that consumers are shopping online more and paying less attention to their bank and credit card statements during the pandemic, especially during the holidays. They also know that higher transaction volumes and a demand for faster processing times leave merchants vulnerable to attacks. With the increase in real-time payments, account push payment (APP) attacks have risen dramatically.

Fraudsters take advantage of the spending frenzy to hide their illicit transactions. Con artists prey on consumers who are looking for that too-good-to-pass-up bargain. It’s not just online fraud and scams that become more prevalent this time of year. Other common holiday threats include phishing email scams, skimming devices at ATMs, retailer, and fuel stations, and gift card fraud. Counterfeit cases also rise as innovative new color printers that come out just before Christmas make it easier for creative crooks to create counterfeit checks or a passable IDs. Thieves will target ATMs under the assumption that banks keep more money in them for late night holiday shoppers.

During this most fraudulent time of the year, staff training and consumer education should be at the top of your holiday checklist. Train your frontline staff on how to detect fraudulent checks or fake IDs. Make sure they know the red flags that a consumer, particularly a senior customer, may be the victim of a scam. Have procedures and technology in place to identify unusual transaction activity on accounts. Increase robbery training and review opening and closing procedures. Be alert for mortgage and lending fraud that has substantially increased during the pandemic.

Give the Gift of Education
While you’re spreading holiday cheer on social media or your website, include the following tips to ensure your customers have a merry and bright holiday – and protect themselves from those nefarious cyber Grinches!

Think before you click: Never follow links in unsolicited emails. Check that any emails you receive are from a known or verified email address.

Authenticate and update: Use authentication methods offered by apps and websites, such as one-time passcodes sent via text or email or biometrics, particularly for banking and financial apps. Update passwords frequently and never reuse passwords.

Use trusted payment methods: New payment apps may be cool but they can also be bogus. Only use those you have verified are legitimate, such as PayPal or Zelle. If sending cash from your online or mobile banking app to a new recipient, do a small test transaction and confirm they got it.

Don’t send anything via wire transfer or prepaid cards to someone you don’t know. Use a credit card, single-use debit card, or prepaid reloadable card for online purchases.

When in doubt, hang up. Never provide credit card info as part of an unsolicited phone call. If it sounds too good to be true, it probably is.

‘Tis the season for safe giving. To protect yourself from charity fraud, make sure the donation website is legitimate or an online request to support a person or family is someone you know or can be verified. Monitor your accounts. Frequently check your financial accounts for any activity you do not recognize.

Monitor your credit report: Not just during the holidays. Periodically monitor your credit report for strange or unexpected activity for potential signs of identity theft.

The most wonderful time of the year is also the most vulnerable time of year for consumers struggling to make ends meet during a pandemic.

Written for and originally appeared in Bankers’ Hotline Vol. 30, No. 11, 11/30/20

Stranger Danger: Kids and Risky IoT Devices

It’s the most wonderful time of the year – for holiday shopping and getting the best deals on the latest tech gadgets and gear.   According to the 2020 U.S. Retail Holiday Trends Guide, the holiday shopping season will begin earlier this year. Brick-and-mortar sales will be down due to COVID and online retail sales will experience unprecedented growth.  

Two of the biggest shopping days of the season – Black Friday and Cyber Monday – are just around the corner. Moms and dads will be searching for the hottest items on those letters kids send to Ole St Nick and their family’s wish lists.  Gone are the days when kids asked for barbie dolls, stuffed animals, toy trucks, and bicycles. Phones, tablets, game consoles, and interactive toys have replaced the traditional items that used to entertain young minds. Instead of elves hammering away at wooden cars, modern-day toy makers are integrating technology into their products to appeal to today’s tech-savvy kids with augmented reality, Bluetooth capabilities, and internet connectivity.

Creepy covert IoT devices for kids

A University of Iowa study found that 90 percent of kids under the age of two had a moderate ability to use a tablet. While tablets and other interactive, connected devices can help kids learn, there are also heightened privacy risk factors to consider with any device that connects to the internet – especially those designed to appeal to kids.  Any device or toy that contains cameras or microphones, has GPS, connects to the internet, or requests and stores data can potentially expose your kids or their information to trackers and hackers.

It’s a parent’s job to protect their kids –  online and off. Even the founders of big tech take that job seriously.  Apple founder Steve Jobs didn’t let his kids use the iPad or any product their dad invented.  In a 2104 article published by The New York Times, Jobs said “We limit how much technology our kids use at home.” Other tech-savvy families that were interviewed for the Times piece also reported wanting to protect their children from the dangers of technology.  

In 2017, Microsoft founder Bill Gates told a British newspaper that he didn’t give his kids cell phones until they were 14, saying “smartphones and related devices were useful for homework and staying in touch with friends, but had the potential for excess.”

Rich Stokes, CEO/Founder of Winston Privacy and a parent, left his former position in advertising after realizing it ceased to be about consumers and became more about finding novel ways to extract their personal data from computers, phones, and smart homes – and toys.  He started Winston Privacy because he didn’t want Big Tech following your kids around, profiling them, pushing their buttons from cradle to grave…and collecting their personal data.

I didn’t want my kids – or anyone else’s – growing up in a surveillance state.” ~ Richard Stokes

Following are some tips you can take to protect your kids from the risks of data exposure when using IoT devices so they can have a merry but safe holiday season:

  • Talk to your kids, young and old, about online risks, limiting use of technology, and not sharing personal information.
  • Review and adjust the device’s privacy settings, only enabling features that won’t compromise your kid’s privacy.
  • For GPS-enabled devices, check the device’s location settings. The safest measure is to turn off geolocation tracking or at the very least make sure they it’s set to show just a general area and not an exact address.
  • If the device includes a camera, make sure the child is old enough to understand the dangers of sharing photos or videos with other people. For younger kids, turn the camera off.  For older children, make sure its set to manually turn on only when in use and supervise when the camera is used.
  • For devices with audio-recording features, disable default recording of audio. If there’s a microphone on your kid’s smart device, make sure that the mute button is turned on so the device is not listening in on conversations. Review and/or delete audio files that are unnecessary to be stored in the device.
  • Make use of parental controls and safe-search filters to help manage what content your kids can see or access. 

Even if you follow all of the above tips, limiting use of these devices and parental supervision are the most effective measures you can take to keep your child safe when using any connected devices. 

Why You Need to Watch the Great Hack

Four years ago, Americans across the country were preparing to cast their ballots for the 45th President of the United States.  The 2016 election not only spawned unconventional and divisive campaigns that led to a stunning upset but also features the kind of cloak-and-dagger stuff that movies are made of.  In fact, a movie was produced that highlights how social media sites and data firms harvest and use data to influence and sell people things — including political candidates and agendas.

If you haven’t seen it yet, the 2019 Netflix documentary The Great Hack should be on your pre-election reading list.  The 2-hour documentary explores how Russian-linked data analytics firm Cambridge Analytica exploited the personal data of 50 million US Facebook users and used their information, without their knowledge or consent, to target vulnerable and impressionable Americans with political propaganda.

The Great Hack

Cambridge Analytica’s former Director of Business Development Brittany Kaiser blew the whistle on the data firm after they showed their employees how much data they collected, how they modeled it, how they identified those individuals that were vulnerable, and the types of disinformation they sent to those people to sway their votes.  “It was the most horrific two days of my life,” said Kaiser.  Cambridge Analytica claimed to have 5,000 data points on every single American voter.

Who provides big tech and data firms with thousands of data points? You do.  Those Facebook quizzes that determine what Disney villain you are, or what celebrity you look like, or other seemingly innocent questions you answer and then share with your friends are harvesting data.  This and other information they gather from Facebook posts and the friends you associate with are extracted with data analysis tools that use artificial intelligence and evaluations to create a startlingly accurate profile of you.  It’s not just social media.  Nearly every digital interaction – credit card swipes, online searches, and location tracking– is collected in real-time and attached to your identity, giving any buyer direct access to your emotional pulse.  

Great Hack data points

Data is the most valuable asset on earth.” ~ Brittany Kaiser

After watching this modern-day horror story, you’ll have a much better understanding of the reality of data tracking, harvesting, and selling, and how so many things you do today leave a trail of digital psychological clues that just about anyone can – and often will – use to their advantage. It may, and should, cause you to stop and consider the digital footprints you leave behind on the world wide web.  The internet isn’t just where you socialize and buy things – it’s where you and everything about you are up for sale.

“In today’s surveillance economy, you are the product. Now more than ever, it’s critical that consumers take action to protect themselves from unwanted third-party tracking.” ~ Richard Stokes, CEO/Founder, Winston Privacy

In today’s digitally connected society, there is no silver bullet that will offer 100% protection of your data.  Winston Privacy was founded to give you back control of your personal data and limit the amount of data that you are leaking all over the place.

Whether you watch “The Great Hack” or not (we hope you do!), keep these three things in mind:

  1. If you put any personal information on social media – Facebook, Instagram, Twitter, LinkedIn – you can expect it to be gathered and used.
  2. No matter how fun or interesting a social media quiz seems, if it requires you to gain access using your Facebook account, don’t do it.  The only purpose of these quizzes is to gather your personal data.
  3. Check to see what apps already have access to your data.  Many sites and apps use Facebook Connect logins as their logins. There are likely apps that you may not be using or that you may not even be aware are accessing down your data. Delete these. 

The Social Dilemma

On September 9, Netflix aired a documentary-drama that provides insight into the impact social media has had and continues to have on society.  “The Social Dilemma,” directed by Jeff Orlowski, is designed to provoke thoughts, questions – and hopefully actions – that every member of society should be pausing to consider when they use social media. The film explores the dangerous human impact of social networking, with tech experts sounding the alarm on their own creations.

At Winston, we believe – and Winston was founded on the principle – that “If you aren’t paying for the product, you are the product.” That reality is brought to life in this dramatic film that includes interviews with some of the very masterminds who designed the networks and platforms that nearly every one of us uses every single day.  These tech wizards from Silicon Valley are effectively shaping the way we think, act, and live with manipulative algorithms and addictive features woven into the fabric of Facebook and other social media platforms. Think about it. When you search for something on Google, the results are rendered based on where you live and what Google knows about you.  Do you ever give any thought to how Google knows all about you? It’s not by accident. It’s by design. Everything you do online is being watched and tracked, with every action carefully monitored and recorded.  Facebook and Instagram is much more than just a place you go to see what your family and friends are up to.  Your likes, your emotions, your shares, your clicks are all collected and filtered into Facebook’s algorithms. 

How often have you pledged to spend less time interacting on social media and more time interacting directly with your family and friends? How many times has that resolution failed? That’s no accident. “The Social Dilemma” explores how addiction – and it is an addiction – and privacy breaches are features, not bugs, of social media platforms.  It also covers such topics as the spread of conspiracy theories and misinformation, extreme polarization in politics, surveillance capitalism (the commodification of personal data), and data mining.  The film suggests that with the right changes, we can salvage the good of social media without the bad.

Following are some simple and practical tips from the experts to help loosen the grasp social media giants have on your lives:

#1 Recognize The Problem

The first step to taking back control of your privacy is to recognize that there is a problem.

#2 Create Massive Public Pressure

Generate conversations and put public pressure on the tech companies and governments to take control of the situation. Voice your opinion, even if it’s through the very same technologies that need to take action.

#3 Uninstall Apps and Turn Off Notifications. 

Uninstall needless social media, news, and other apps from your phone, and turn off notifications that prompt you to look at your phone every time it pings or vibrates.

#4 Use Search Engines That Don’t Store Search History

Use search engines such as DuckDuckGo which offers search privacy, browser extensions that help stop tracking, and more. Winston provides browser extensions for Chrome and Firefox.

#5 Don’t Go For Recommendations, Always Choose

Never go for YouTube or other site recommendations. Instead make your own decision as to what to watch, buy, or what site to visit.

#6 Research it First!

Always fact-check anything before you share it and consider the source it came from.  Search (using Qwant) for legitimate sources, especially if the topic is supposed to push your emotional buttons. If you got it from a social media feed, it probably is.

#7 Avoid Clickbait

Clickbait websites and stories with compelling headlines are designed to provoke your interaction. When you click on clickbait, you’re creating a financial incentive that perpetuates this existing system.

#8 Follow People With Opinions Different From YouAnother way to avoid getting influenced by fake news and your own echo chamber is to follow people on social media who have a different opinion than you.

#9 Keep Kids Away From Social Media

If you want to shield your kids and teenagers from the negative impact of social media, don’t give them access at all. The Social Dilemma highlights the adverse effects that social media can have on kids self-worth. Experts report that kids’ immersion in a virtual world delays their emotional and social development. In the film’s ending credits, it is noted that many tech executives don’t allow their kids to use social media apps.

#10 Get Out of the System!

The most effective way to keep your life away from digital surveillance is to delete all the social media apps and get it out of your system. There is a beautiful world waiting for you outside!

We believe internet companies have fundamentally turned against us, using our personal data to turn us into products, and, now more than ever, it’s critical, that consumers take action to protect themselves from unwanted third-party tracking and advertising.” ~ Rich Stokes, CEO/Founder, Winston Privacy

Written for and published on

BEC: What’s In Your Inbox?

We’re all familiar with the ubiquitous Capital One ad campaign featuring celebrities asking the now cliché’ question “What’s In Your Wallet?” Leveraging a misconfigured web application firewall on a cloud server used by one of the largest credit card issuers in the U.S., the investigation continues into the massive Capital One breach that exposed the personal information of nearly 106 million of the bank’s customers and applicants. The New York Attorney General’s office is looking into the breach and the company’s failure to have appropriate safeguards in place to prevent the incident. The chairman of the Senate Banking, Housing and Urban Affairs Committee also said the committee will look into the matter. Sen. Mike Crapo (Idaho) plans legislation that would establish new data safeguards for consumers. While Capital One asserts that no credit card account numbers or log-in credentials were compromised, a treasure trove of consumer data was compromised that can be used to open new accounts and perpetrate targeted phishing scams. Capital One victims are likely to be phished for years to come – long after the complimentary 12 month credit monitoring service runs out.

In the wake of the Capital One breach and other high-profile hacking incidents that have exposed consumers’ PII (personal identifiable information), the question consumers, businesses and banks should consider is “What’s in Your Inbox?

In July, following a meeting held in New York City with industry players that focused on identifying and combating BEC (Business Email Compromise) scams, FinCEN issued an update to its “Advisory to Financial Institutions on E-mail Compromise Fraud Schemes,” first published in 2016. Since FinCEN’s 2016 BEC Advisory, the agency has received over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes affecting U.S. financial institutions and their customers. A Financial Trend Analysis of Bank Secrecy Act data released by the agency revealed that the total value of attempted BEC thefts reported in SARs climbed to an average of $301 million per month in 2018 (up from $110 million per month in 2016). The advisory highlights the potential for institutions to share BEC schemes they encounter to help identify risks of fraudulent transactions and money laundering, including convertible virtual currency payments. It alerts financial institutions to risks associated with the targeting of vulnerable business processes and provides updated operational definitions for email compromise fraud, information on the targeting of non-business entities and data by BEC schemes, highlights general trends in BEC schemes targeting the financial and other sectors and jurisdictions, and alerts financial institutions to risks associated with the targeting of vulnerable business processes by BEC criminals.

According to reports published by the FBI’s Internet Crime Complaint Center (IC3) earlier this year, the number and sophistication of BEC scams have been on the rise over the past several years. Losses associated with BEC scams in the U.S. reached $1.3 billion last year alone, according to the FBI, who also reports that the number of BEC complaints were up as well. Between October 2013 and May 2018, this type of fraud caused potential losses of more than $12 billion globally.

In November 2018, cyber thieves siphoned $2.5 million in an elaborate BEC scheme that started with phishing emails targeting Cabarrus County, North Carolina. Employees of Cabarrus County Schools and Cabarrus County Government received emails purporting to be from Branch and Associates, a general contracting firm who was hired for construction of a new high school.

The cyber conspirators posed as representatives from the contracting firm in a series of emails requesting updated bank account information, which county employees unwittingly provided to the attackers. When the county started making vendor payments, the scammers diverted the payments through multiple different accounts. The scam was discovered when the contracting firm notified the county about a missed payment. SunTrust, the bank from which the funds were transferred, and Bank of America, the bank to which funds were transferred, were notified. While $776,518.40 of the funds remained in traceable accounts and were recovered, more than $1,700,000 remains missing.

Earlier this year, email security firm Agari released details about a new type of BEC fraud targeting HR or payroll departments where scammers attempt to divert funds by adding fictional accounts to company payrolls. The attackers masquerade as existing employees asking to update their bank accounts. Allowing the attackers to siphon off smaller, but continuous, amounts of money. Depending on how often the employee checks their bank account, this scheme can continue for weeks, or even months, before the scheme is even discovered.

Financial institutions play an important role in identifying and reporting fraud schemes. While most BEC scams are carried out via wire transfer, FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through other methods of payment, to include convertible virtual currency payments, automated clearing house transfers, and purchases of gift cards. The agency stresses the importance of communication and collaboration among internal AML divisions, compliance, business, fraud prevention, legal and cybersecurity departments as well as with other institutions across the financial sector.

A new “2019 Phishing by Industry Benchmarking Study” released by security awareness training and simulated phishing platform KnowBe4 revealed that security awareness training can dramatically decrease the chances of employees falling prey to phishing scams. The study showed that after training, far fewer phishing emails were clicked on by employees. Any industry can be targeted by phishing scams. Companies and financial firms need to protect themselves by ensuring that employees are security aware. Turn your weakest links into one of your strongest defenses.

Written for and originally appeared in Bankers’ Hotline Vol. 29, No. 8, 8/27/19