Welcome to the November 2005 issue of the Credential Check Corporation Examiner! This issue explores "phishing" attacks, employees' music in the workplace, using Benford's Law to catch fraudulent checks, and many more issues to keep you, your family, and your business safe.

Keep the comments and suggestions coming.... we love to hear from our subscribers!

Todd Krost
Business Development Coordinator
Credential Check Corporation
"Don't just background check...CREDENTIAL CHECK!"

Phishing, or the art of scamming compromising information through Internet means, has once again mutated. We have all been warned to be wary of giving personal information to bad guys posing as credit card companies, banks, eBay, or PayPal, but it is now necessary to be concerned about online job offers and background check forms.

"The biggest red flag to watch for is the request for one's date of birth," said Timothy Whiting, Applicant Screening Director for Credential Check Corporation. "In a legitimate online application process, giving out one's Social Security number is necessary at some point, but if the online form is sufficiently encrypted, your information is protected."

Many identity-theft con artists are contacting job hunters who have posted resumes online. The phishers respond to the resume by making a job offer and then ask for a Social Security number and/or birth date, with the understanding that the victim will be filling out an online job application. This practice can also occur for those who are asked to complete a form for a background check.

The reality is that few companies actually ask job candidates to complete an online job application, as there is a high cost to set up and maintain such a system. The exception would be large companies that can handle such a cost and receive a high volume of applicants.

top

According to a new report by the Internal Revenue Service, high income earners appear to be paying more for our national security than anyone else. An analysis of 2003 returns (the most recent year available) reveals that the top 1% of filers paid 34.3% of all federal income tax collected. While their adjusted gross income (AGI) was more than $295,000, they made just 16.8% of all AGI. The top 5% paid 54% of the total income tax collected and made 31% of total AGI. They had incomes of $130,000 or more. The top 10% of all filers, those with an AGI of at least $94,900, bore 66% of the income tax burden, while contributing a little more than 42% of the total AGI. The bottom 50% of filers paid just 3.5% of the total income tax. The lowest earners actually had a negative income tax rate and received "refunds" while paying no taxes at all.

The report however does not tell the entire story. While our gross domestic product exceeds $11.7 trillion, our national debt is now more than $8 trillion, or approximately $26,963 for every man, woman, and child in the country. The day President Bush took office in 2001, the debt was $5.7 trillion and the federal budget had projected a surplus of more than $10 trillion over the next ten years. September 11th, the global war on terrorism and more than our share of natural disasters have since gobbled up that surplus. Today instead, the U.S. is operating on a deficit of approximately $1.6 billion a day. No, it is not high income earners who are paying to keep our country safe, it is our children and our grandchildren. Unless our lawmakers get control of our spending, today's security will be dearly paid with our children's money tomorrow.

Eugene F. Ferraro, CPP, CFE, PCI

Source: The Kiplinger Tax Letter (in part)

top

The Federal Deposit Insurance Corporation (FDIC) has recently issued new guidance on the implementation of fraud hotlines for financial institutions. The FDIC took notice of findings from the Association of Certified Fraud Examiners (ACFE) in its 2004 "Report to the Nation," which indicated that organizations without mechanisms in place to report fraud suffered losses that were more than twice as high as organizations with anonymous incident fraud-reporting systems.

The new FDIC guidelines instruct organizations on the implementation of a hotline and the characteristics that should be inherent within the hotline. The hotline should be anonymous and adhere to privacy and whistleblower protections, specifically allowing an employee who wishes to report fraud to do so in a fashion that their identity remains anonymous. Ideally, a third party should provide the hotline, therefore increasing the confidence the complainants will have in reporting misconduct. Furthermore, organizations are directed to have a tracking system in place so that reports are followed up and investigated if necessary, so that reporters and management can learn the disposition and the final closure of the complaint.

"Employees need to be able to report misconduct in a way that they won't fear retaliation from their employer," says Eugene Ferraro, CEO of Business Controls, Inc., provider of the anonymous incident reporting system MySafeWorkplace, "and the organization benefits by receiving better information about all types of incidents so that appropriate actions can be taken."

Here are some good questions to ask when selecting an anonymous incident reporting system:

• Do the calls go to a 24/7 call center?
• Can reports be made via the internet?
• Are the call takers trained to receive all types of reports?
• What is the report dissemination and retention system?
• How easy is the roll-out?
• Is the user interface easy to use?
• What level of consulting and support is there for significant incidents?

top

With the proliferation of high capacity portable music players entering the workplace, the question has arrived as to whether employees should be allowed to use these devices while working or if they hurt productivity, communication, and security.

As many offices have adopted the space-efficient cubicle to house its' employees, those same employees have responded by listening to personal, portable music players to compensate for the workplace distractions of keyboards, copiers, and loud co-workers.

Some companies encourage employees to listen to music, but they have ulterior motives: Yahoo!, for example, just launched a beta version of its Yahoo! Music product and is using its employees to test the product.

"Allowing workers to listen to their own music gives them more personal freedom and control over their work environment which can improve employee morale," said Todd N. Krost, Business Development Coordinator of Credential Check Corporation. "Some studies even suggest that music is associated with increased productivity, especially classical music."

Other workplace experts assert that workers who are plugged into their own music interact, talk, and socialize less with their colleagues, which can mean more stress and undermine teamwork in the long run.

Some companies recognize the security issues associated with having portable music players in the workplace and have made policy changes to compensate. Portable music players can be used to bypass firewalls, download and store sensitive information, and even introduce viruses, and, if connected to a company network when performing these functions, can compromise the security of that network.

top

There are several methods employed by fraud examiners to find instances of fraud, but one of the most useful tools is also one of the oldest and most fascinating to boot.

In the 1920's, a General Physicist at General Motors named Frank Benford observed that the pages of his logarithm table book with an initial digit of "1" were far more worn out than the pages for "2," which were more worn out than the pages for "3," and so on through "9" (the modern equivalent would be to notice that the "1" and "2" buttons on a calculator were the most worn out). Seeking to understand why logarithm tables, which were used to multiply or divide large numbers, behaved this way, Benford underwent years of exhaustive research. Benford's Law, as it came to be known, determined that the first digits of real-world numbers, such as populations, street addresses, numbers from a ledger, or any other numbers with a quantitative relationship, fall into a predictable distribution. In Benford's Law, a set of numbers will have within it about 30.1% of its numbers starting with "1," about 17.6% starting with "2," about 12.4% starting with "3," and in descending order all the way down to 4.5% starting with "9." The distribution of the second, third, and fourth digits in a number set can be similarly predicted.

What does Benford's Law mean for fraud detection? Well, fraudsters typically cook the books with fictitious numbers, or what Benford called anomalous numbers, like writing a check to a dummy account for $9,987.23. In a large data set, one can look at the distribution of the first, second, third, and fourth digits and find individual numbers which are anomalous and don't conform to Benford's Law. In a large data set, a number like 9,987 doesn't occur very often (it occurs quite rarely compared to four-digit numbers that start with "1") and, while the fraudster thinks they are being clever and not arousing suspicion by staying just below the 10,000 dollar mark, the check will be suspect.

There have been many advances in Benford's Law since the 1920's, and many other fascinating applications of the theory. To learn more about Benford's Law, visit http://www.nigrini.com/Benford's_law.htm.

top

Quote of the Month: "Better be despised for too anxious apprehensions, than ruined by too confident security."

- Edmund Burke (1729 - 1797)

Although no one could have predicted the terrible impact and far-reaching scope of this season's hurricanes in the Gulf Coast, particularly Katrina, many lessons have been learned in the aftermath. Businesses, like citizens, have a civic duty to properly prepare for any disaster, hurricane or otherwise, in an effort to allow resources to be most effectively utilized. Communities rely on their businesses to provide jobs and stability. Rather than scratch our heads and look at each other for direction, businesses must be proactive in assessing and improving, where necessary, their existing disaster protocols.

George M. Patak, Risk Management Consultant for Credential Check Corporation, offers these critical Issues for consideration:

• Be a bit pessimistic and plan for the worst. Just because a disaster has not necessarily ever occurred does not guarantee that it won't.
• Small, upfront investments of time and money can save you and your organization more in the long run. Spend time identifying the potential hazards you face in your area and prepare the appropriate evacuation and/or management procedures.
• Understand your insurance coverage. Is it adequate? What is covered and what isn't? How long can your organization survive if shut down? Annually review your coverage and your needs, making appropriate adjustments when necessary.
• Don't forget to protect your property. Consider upgrading/reinforcing facilities, equipment, and back up systems to include the back up of computerized data.
• Strategies in place to mitigate the aftermath of a disaster can also serve as passive crime prevention measures in the absence of disaster.

top

top