News &
Information

Ask Jack: Can An Image Deliver Malware?

Is it possible to deliver malware through an image? Jack provides the answer.

Ask Jack: What Is The Real Risk For Small- And Medium-Sized Businesses After A Cyber Attack?

Jack McCalmon, Esq. details the mindset small- and medium-sized employers should have when addressing cyber breach risk, and the end results of a breach.

Ask Jack: If I Purchase Macs, Do I Really Lower My Cyber Exposure?

An employer asks Jack McCalmon, Esq. if macOS will lower cyber exposures.

Emotet Malware Makes A Comeback: What is It And What Prevention Steps Can Employers Take?

Cybersecurity experts notice a significant increase in cybercriminals are using this malware to attack networks. What can you do to help prevent it?

Synthetic Identities And Ghost Employees

The 2020 arrest, indictment, and sentencing of a dozen criminals in New York on 108 counts of defrauding banks of more than one million dollars highlights the newest trick used by cybercriminals to steal money: synthetic identity fraud.

By combining real Social Security numbers with mismatched or phony names, the criminals created new identities which they used to borrow money from banks with no intent to repay the loans.

Later, the same criminals used synthetic identities to steal funds from the federal Paycheck Protection Program, designed to help people who had lost their businesses or employment because of the pandemic.

Synthetic identity fraud schemes have now become the biggest form of identity theft in the U.S., according to the Boston financial company FiVerity, which reported that fraud losses amounted to an estimated $20 billion in 2020. Five years earlier, the Federal Reserve estimated the losses that year were six billion dollars. Many states are now challenged by cybercriminals who have turned their focus to stealing state unemployment benefits.

Consumers may not know they are identity theft victims until years later when they apply for credit. Most of the synthetic identity schemes steal Social Security numbers from people who are not using credit, such as children, recent immigrants, or lower-income older adults who may not have credit cards. The theft may not be discovered until a person - perhaps a student applying for a college loan or their first credit card - is rejected because there is a record of a previous default. In the intervening years, the cybercriminal may have built a "person" with a real Social Security number and a fake name, address, and other identifying information. Often, cybercriminals will cultivate fake accounts for years, building credit and paying for small purchases regularly before suddenly maxing out the credit card and defaulting. "Thieves Hit on a New Scam: Synthetic Identity Fraud" www.pewtrusts.org (Apr. 21, 2022).

 

Commentary

Synthetic identity fraud is not limited to cyber thieves stealing money from banks or government assistance programs. Sometimes they target organizations in the form of “ghost employees.”

This is a type of fraud in which an organization is paying a person who does not actually work for the entity, but is nevertheless on the employer’s payroll. Sometimes, this is a fictitious employee who is created in the payroll records, but it could also be an actual ex-employee or just someone whose identity is being used to perpetuate the fraud.

Ways to reduce your risk of being a victim of an embezzlement scheme involving ghost employees include conducting random, but thorough, audits of your payroll records, including “eyes on” employees who are on the payroll. 

Compare payroll records to timecard reports and review employee personnel files to look for discrepancies such as fake employees, duplicate Social Security numbers, duplicate addresses, or duplicate bank accounts.

Finally, your opinion is important to us. Please complete the opinion survey: