SCAM WARNING

I recently received an email warning about a new credit card scam. Read below so you don’t get stung.

 

The following is a recounting of the incident from the victim:

Wednesday a week ago, I had a phone call from someone saying that he was from some outfit called “Express Couriers” (the name could be any courier company). He asked if I was going to be home because there was a package for me that required a signature.

The caller said that the delivery would arrive at my home in roughly an hour. Sure enough, about an hour later, a uniformed delivery man turned up with a beautiful basket of flowers and a bottle of wine. I was very surprised since there was no special occasion or holiday, and I certainly didn’t expect anything like it. Intrigued, I inquired as to who the sender was.

The courier replied, “I don’t know, I’m only delivering the package.”

Apparently, a card was being sent separately… (the card has never arrived!) There was also a consignment note with the gift.

He then went on to explain that because the gift contained alcohol, there was a $3.50 “delivery/ verification charge,” providing proof that he had actually delivered the package to an adult (of legal drinking age), and not just left it on the doorstep where it could be stolen or taken by anyone, especially a minor.

This sounded logical and I offered to pay him cash. He then said that the delivery company required payment to be by credit or debit card only, so that everything is properly accounted for, and this would help in keeping a legal record of the transaction.

He added that couriers don’t carry cash, to avoid loss and so as not to be likely targets for robbery.

My husband, who by this time was standing beside me, pulled out his credit card, and ‘John,’ the “delivery man,” asked him to swipe the card on a small mobile card machine with a small screen and keypad. Frank, my husband, was asked to enter his PIN number and a receipt was printed out. He was given a copy of the transaction.

The guy said everything was in order, and wished us good day.

To our horrible surprise, between Thursday and the following Monday, $4,000 had been charged/withdrawn from our credit/debit account at various ATM machines.

Apparently the “mobile credit card machine” which the deliveryman carried now had all the info necessary to create a “dummy” card with all our card details, including the PIN number.

Upon finding out about the illegal transactions on our card, we immediately notified the bank, which issued us a new card, and our credit/debit account was closed.

We also personally went to the Police, where it was confirmed that it is definitely a scam because several households had been similarly hit.

WARNING: Be wary of accepting any “surprise gift or package” which you neither expected nor personally ordered, especially if it involves any kind of payment as a condition of receiving the gift or package. Also, never accept anything if you do not personally know the sender or there is no proper identification of who the sender is.

Above all, the only time you should give out any personal credit/debit card information is when you yourself initiated the purchase or transaction!


2 words of warning regarding motor vehicle claims

On one of the television channels’ special report shows, they had a segment last week criticising the insurance industry, including a broker, over damage to a vehicle that had been insured for only third party property damage.

This form of cover is risky in itself as there is no cover for damage to the vehicle when the driver themselves is at fault and/or if it is damaged whilst parked and the person that hit the vehicle does not leave an honest note. Further, there is no cover for weather perils or if the car catches fire or is stolen.

Having said this there are fire, theft and third party property damage covers available, but they are still not as good as comprehensive.

I do not know the circumstances of the matter and cannot comment as to why the other vehicle’s insurer is not coming to the party. There may be an exclusion such as drink driving, unregistered vehicle, or the vehicle may have been un-roadworthy. It is possible that the insurance may have expired. These are all risks you take when you do not have full comprehensive insurance.

In addition, to remind people of this issue I also want to again warn that there are a lot of unscrupulous firms preying on unsuspecting people. They typically focus on people in the lower socioeconomic community. This group of course can least afford to be caught up in the scam financially and often do not have the training or experience to know how to fight the fraud.

What we have seen is such a person end up with a repair bill of say $10,000, plus a hire car bill of over $25,000, kindly provided by the scammer, when the damaged car has a net value after salvage of say $5,000.

This is becoming a major problem in Australia, along with staged accidents and dodgy repairs. It was great to see arrests reported a little while back on fake injury claims and I know the insurance industry is throwing a lot of resources on building the case against many others as well.

The sooner the better, as it sickens me that anyone is caught by scammers, but particularly those who are already victims and can least afford it.

Any journalists out there please be careful of the companies you inadvertently promote in your programs and please go back after a few months and ensure that the whole thing has had a good ending for the innocent party.

 

 


Scam watch

I could just about start a separate blog for scam alerts; there are so many different forms of email and phone scams of late. Here is just one to be wary of.


Crime does not pay

On the back of my post yesterday, I do not want anyone to think that I am in any way in favour of insurance fraud. I have in fact spent my entire working life fighting insurance fraud.

It was therefore with great interest that I read the article [link removed] from the Boxing Day edition (26 December 2016) of The Age following the case against two men, [name suppressed by County Court order] who was engaged to set fire to a pizza shop owned by [name suppressed by court order] in 2013. Unlike yesterday’s article, on this one I do have more information than what was reported.

What was not reported from the court case was that [name suppressed by County Court order] had instructed his paid arsonist to turn on the gas jets despite the fact that 4 people were residing in a flat above the shop. View full post…


“Watch out for this scam!” – Guest Post by Adam Courtenay from INTHEBLACK

Author: Adam Courtenay

Scammers are using social media sites to research you and your company, but there are ways to fight back.

Melbourne-based insurance claims expert Allan Manning was out of town recently when his wife received an unexpected email that appeared to come from him. A project needed to be funded and “could she please process a payment urgently?”

As financial controller of Manning’s company LMI Group, his wife, Helen, promptly replied that she would arrange payment as soon as he sent her the details.

A second email purportedly from Manning followed, seeking a payment of A$42,947 and saying a tax invoice would follow shortly. The instruction was to transfer the money directly to a bank account in Cranbourne, Victoria. Helen duly complied.

Just before 5pm when Manning returned to the office, his wife casually mentioned she had processed the remittance.

“What remittance?” When they realised what had happened Manning says they were both in shock.

LMI’s chief executive officer and financial controller had been hit by what some call “business email compromise” – also known as a whaling or spear-phishing scam.  The fraudster had successfully impersonated Manning and the money had been sent six hours earlier.

“At the time we were doing renovations in the Melbourne office, as well as renovations on our home and an upgrade of one of our web-based products,” Manning explains.

“The ‘project’ could have been payment for any number of things and the email looked like it came directly from me.”

By sheer luck, the fraudster had made an error in his own bank account number and the payment was stopped at Cranbourne. Manning then tried to lure the fraudster. Why not come to the office and pick up a cheque, he asked, writing as Helen.

The fraudster was having none of it. In the end, three fraudulent bank accounts were uncovered and details provided to the authorities.

Fraud experts say Manning’s situation is almost commonplace these days. He was a victim of social engineering fraud.

“It’s not about exploiting technology, but exploiting the person,” says Warren Dunn, partner in the fraud investigations and dispute services practice at Ernst & Young. Dunn rates this kind of fraud as among the top three scams globally.

Dunn says the “engineering” comes in three forms, each more sophisticated than the last. The first, like Manning’s, is an email seeking a quick funds transfer. The second asks the victim to telephone external lawyers, citing the remittance as confidential; and the third form is a fake vendor emailing or phoning someone in accounts payable and asking to change a real vendor’s address and bank details. In the last case, scammers have even been known to request updates on monies coming due.

Fraudsters are researching you and your company

All this relies on the fraudster building a picture of company personnel and processes. The fraudster may start with a corporate website, but Dunn says most often they are studying social media such as LinkedIn.

“He’ll know the potential victim is the finance manager, who he or she is linked to, who clicked on that person and who these people clicked on,” Dunn says.

“Then he’ll use Facebook to find out that the person is out of the country or at a conference. That’s when he’ll strike.”

Will a cyber insurance policy cover the loss? One insurance expert, who asked not to be named, says there is confusion on this issue.

“Victims think that since the email system was compromised it’s a network attack – but that’s not always the case. The fraudster has worked on relationships rather than the system. It’s a straight crime and if someone willingly paid the bogus bill there may be a problem on the claim.”

How to combat the fraudsters

Matthew Green, a partner and technology adviser at Grant Thornton, says the solution entails combining people, processes and technology. Not only do people need to be regularly trained to be aware of these frauds, but companies must review their processes so that enough controls are in place and working.

“If in doubt, ring the CEO back on the number you have for them – not the one offered to you in the bogus email,” says Green. He also suggests ensuring “there are multiple authorisations over a certain payment threshold”.

Employees must be trained to be suspicious of requests for secrecy or pressure for immediate action. If a request to transfer funds wouldn’t normally arrive via email, it should be treated with suspicion.

Green also recommends firms subscribe to a cloud-based email filtering service such as Mimecast or SpamTitan, even if some bogus mails will get through.

“You need to train staff to look behind an email and see that it comes from a verifiable source.”

Sometimes the best way to train someone is to show them what phishing emails look like and how convincing they can be. Consider running a phishing simulator such as PhishMe or a similar product.

PhishMe launches a company-wide, fake phishing email campaign, allowing you and your staff to see how many people open the message and click the embedded link or file. When clicked, the link or attachment displays a message explaining that the user has fallen for a fake phishing attack. It shows employees the red flags that were built into the email that can help them identify future attacks.

Extra controls for banking and finance systems

Companies can introduce additional controls for accessing and monitoring critical systems, including bank systems, accounts payable cheque runs and sensitive financial records.

Manning has changed his email system to ensure any emails from outside LMI Group are sent to one inbox, and internal “correct” emails are sent to another. Any payment over A$5000 must also receive a second pair of eyes and verbal confirmation that the request is legitimate.

Segregate responsibilities

Another tip is for companies to segregate approval responsibilities from requesting responsibilities and ensure role changes are reviewed against system permissions. For example, an employee with the ability to set up vendors should never have responsibility for disbursements added to their role.

Dunn advises to always check social media.

“Where you work, who you work for, what your role is – all this information can be exploited,” he says. “I would look carefully at controls on LinkedIn and make sure you know who can see your information.

“Be ever vigilant with all incoming persons. Don’t just click onto anyone who wants to be your friend or colleague. This is the easy pathway in for the smart hoaxer.”

 

This article was kindly given to us by Adam Courtenay from INTHEBLACK. Please view the original article here.


Scams, scams, scams and more scams..

They have always been around in many forms; however, the influx of scams via all communication methods lately has been overwhelming. I reported not long ago, shortly after an aggravated burglary at our Melbourne office, on an email scam directed at our financial controller. Since then we have also had other employees targeted with similar email scams, as well as bank account skimming affecting another few employees.

Unfortunately, I am here again reporting on a phone scam suffered by one of our employees, whereby they received a phone call from a person claiming to be from Telstra, who informed them that their IP address had been hacked, that they had been monitoring the computer until now, and that it would be shut down because of this threat. Full details of the scam can be found on the Scam Watch website and, while posted back in 2014, the scam is still occurring due to lack of knowledge and understanding. I encourage you all to read through the latest scams and consistently be up to date with the possibilities so you are not caught out.

It is important that if you are at all in doubt of the legitimacy of an email or a scam from a company that you either go in store and question them in person or call them yourself on a number that you know belongs to their company and seek clarification of the email or phone call.


The dangers of gift cards

Recently, LMI have been involved in a number of claims involving theft by trickery and what we have found is that people have skimmed credit cards and then used them to purchase gift cards, which at the end leaves the retailer of those gift cards with the loss when the bank has reversed the transaction and the thief has the equivalent of cash in the form of gift cards. Consumers are also being caught with gift cards in a number of different ways.

One of the things that I’ve felt was extremely unfair leading up to Christmas is that the Dick Smith stores were encouraging consumers to purchase gift cards and then went into liquidation shortly thereafter leaving all the consumers with the unused proportion of the gift card as an unsecured creditor with little to no hope of them getting anything back. Dick Smith are not the only ones, there are a number of examples in recent times of day spas and beauty salons selling these gift vouchers, taking the cash and then shutting doors. A member of staff recently purchased a voucher as a mother’s day gift where the shop has now closed up. However, a new store has now opened in the same place, with the same staff, same uniforms, however a different business name therefore leaving the vouchers unusable and the store turns around to say “that isn’t them, it’s a different business”.

Another member of our team, purchased a substantial gift card for their daughter before Christmas. The daughter’s purse was stolen and so the staff member went to the retail store, in this case David Jones, where they showed proof of purchase of the gift card and asked that it be stopped and a fresh card reissued. The retailer refused to do this saying that the loss was at the risk of the consumer.

A more common issue is the fact that most gift cards have an expiry date which is said to be there to protect the consumer, but of course, the retailer has a win every time the consumer fails to use the gift card within the stipulated period. Therefore, anyone with a busy life is likely to get caught out with this issue.

Having said this, I will say that my wife was given a gift card for Village Cinemas and when she realised it was about to expire, she rang up the company and they were happy to extend it for another month to be used at no extra cost, which was both surprising and pleasing. I congratulate them on their approach which enhances a good customer experience, in contrast to the earlier examples cited.

I will conclude with three points.

  • I think that the Government should legislate that any monies received by a retailer for the sale of gift cards, should be immediately placed into a trust account so that the consumer knows the funds will be available when called upon.
  • The whole concept of the gift card, while originally had good intentions, particularly if you are looking to purchase a gift for someone who is hard to pick for, I really think the risks of the cards far outweighs the benefits. It may be better to leave a note in the card saying “Please spend $___” and then reimbursing up to the agreed amount for the individual when they find something they wish to buy. This is not as classy; however, it does offer greater protection.
  • If you do purchase a gift card to minimise your risk, choose a store that is long standing and a reputable brand, however in the David Jones example it does demonstrate you are never fully guaranteed your purchase from particular circumstances.

It will never happen to me – again

The first business day after our robbery, which I reported on last week, we dodged a very near bullet with an email scam attack.

The circumstances were that I was out of the office travelling to film an episode for our YouTube channel when our financial controller received an email from an email account set with the name ‘Allan Manning’, reportedly me, asking if they had time to process an urgent electronic transfer.

The staff member was stressed because her office had been ransacked from the robbery just days prior, another staff member had emailed to resign and another in the department was on leave. All of this on top of business as usual with urgent requests for invoices to be raised etc. The controller did not carefully read the email but thought that the recipient of the funds was to be a lawyer and that the email was from me.

In hindsight there were three things that were wrong. First, the Australian resident had LLC after their name which stands for Limited Liability Corporation, a UK term meaning the same as Pty Ltd in Australia. The email, while saying it was from Allan Manning, was actually from a gmail account and it did not have my usual footer. Having said this, the wording could easily have been from me as it was a polite business style.

The staff member wrote back and said ‘yes’ they could do that and then an email came back giving details of where the money was to be sent and I would bring in the invoice when I returned. Believing it to be genuine, the controller processed the payment. Fortunately, I returned from the trip just a short while later and in passing the member mentioned that she had processed the payment that I had requested. I then said ‘what payment?’ followed by her ‘Well you have written me two emails about it’. I then explained that I had been out and what I had been doing, I had not sent any emails at any time during the day. We then went to her computer to immediately discover it was fraudulent and were able with the help of both our bank and the receiving bank to stop the payment.

I can say without reservation that the staff member would not have been caught but for the stressful conditions we were all working under at the time. The person is well educated and dedicated, with a very high IQ. What this shows is that anyone can be caught and no matter how busy you are, you need to be on your ‘A game’ when it comes to cyber security.

Still feeling ill over the near miss and the effect it would have had on the business, the staff member was in the bank and in the time that they were there 5 people came in distressed that they had been scammed by either email or through LinkedIn, Facebook or text messages. Five people in under forty minutes at just one branch of one bank is a terrifying statistic.

The human mind sees what it expects to see.

For example, if you read the next sentence:

 

spring time

in the

the park

 

Most people will read this as ‘spring time in the park’; they completely miss the second ‘the’. The mind does not pick up every single word, but only picks up what it expects to see. So when the email came in from Allan Manning, they did not pick up the wrong suffix or the missing usual footer.

Further, this is not a usual request; it is only because we are doing some renovations in the building that they thought it was legitimate. Normally they would ring me to check it was legitimate and get the second check before authorising payment.

During this whole process, I found that our own bank, the Commonwealth Bank were a bit ordinary whereas the Cranbourne Branch of Westpac were fantastic as were Victoria Police.

My final comment is that we can all have the very best procedures in place but the biggest risk is people risk when it comes to cyber security. I’m just so thankful that we dodged a second bullet only two days apart.
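The red flags in this post (an executive's display name on an outside address, the usual footer missing) and the controls described in the guest article above (separating outside mail from internal mail, a second approver plus verbal confirmation over A$5000) can be expressed as a simple mail and payment check. This is an added example, not code used by LMI or taken from the article; the domain, footer text, word lists, function names and sample messages are constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (placeholders, not any real company's configuration):
INTERNAL_DOMAIN = "example.com"           # the company's own mail domain
EXECUTIVES = {"allan manning"}            # display names staff would pay on
USUAL_FOOTER = "example group pty ltd"    # text of the sender's normal footer
PAYMENT_WORDS = ("payment", "transfer", "remittance", "invoice")
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "secret")
SECOND_APPROVAL_OVER_AUD = 5000           # threshold quoted in the article


def review(raw):
    """Route a message as internal/external and list impersonation red flags.

    The From header alone is forgeable. Treating the internal domain as
    trustworthy assumes the mail gateway already rejects outside mail that
    forges it (for example through SPF/DKIM/DMARC enforcement).
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    display = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    external = domain != INTERNAL_DOMAIN

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()

    flags = []
    if external and display in EXECUTIVES:
        flags.append("executive display name on external address")
    if external and any(w in text for w in PAYMENT_WORDS):
        flags.append("payment request from outside the company")
    if any(w in text for w in PRESSURE_WORDS):
        flags.append("pressure or secrecy wording")
    if display in EXECUTIVES and USUAL_FOOTER not in text:
        flags.append("usual footer missing")
    return {"route": "external" if external else "internal", "flags": flags}


def payment_may_proceed(amount_aud, requester, approvers, verbally_confirmed):
    """Above the threshold, require an approver other than the requester
    and a call-back on a known number before releasing funds."""
    if amount_aud <= SECOND_APPROVAL_OVER_AUD:
        return True
    independent = set(approvers) - {requester}
    return bool(independent) and verbally_confirmed


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Allan Manning <allan.manning@freemail.example>
To: Financial Controller <accounts@example.com>
Subject: Quick request

Do you have time to process an urgent electronic transfer today?
I will bring in the invoice when I return.
"""

GENUINE = """\
From: Allan Manning <allan.manning@example.com>
To: Financial Controller <accounts@example.com>
Subject: Lunch

Back in the office at 1pm.

Example Group Pty Ltd
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, review(raw))
    print(payment_may_proceed(42947, "controller", ["controller"], False))
```
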


Keeping yourself safe

As I reported yesterday, LMI Group was the subject of a violent robbery on Saturday 9th July 2016.

The police asked if we had anyone unusual come to our building in the last week or so before the robbery and our receptionist recalled that someone claiming to be from Google wanted to do a 360 walk through of our office. She and two other staff who went to her aid when he would not take the initial no as an answer, all explained that it was a security breach and we would not allow it.

Since the robbery, we have contacted Google to see if the person is legitimate and they advised that they do have people out doing this sort of thing but cannot advise where they operate from, whether they have identification or the type of buildings they are to do.

While I can see the advantage of this in museums and shopping centres, I do not see any advantage in having this information publicly available in private businesses other than it being a great tool for dishonest acts of all types, whether this be burglary, armed hold ups, terrorism, kidnap or arson.

From a security point of view, I would not allow anyone to come through my building and I would strongly urge that Google provide some form of identification to these contractors to ensure that they are legitimate.

If anyone else comes to our building, I have instructed our staff to take a photocopy of their identification.

I urge all my readers, and in the case of insurance brokers, to discuss this security issue with your Insureds. It is one thing to do a walk through with a camera or video camera to record your premises for Risk Management and Insurance purposes, but it is another to make it publicly available.


Reflecting on an earlier claim

Couple accused of deliberately burning down their own home. The fire allegedly began in the back craft room.

The recent reported case of a Tasmanian couple who successfully won a case in the courts to have the denial of their house claim for their destroyed home overturned, see here for link to the article, takes me back to the first claim that I was involved in where I genuinely believed that the Insured had set fire to the home.

In this case, dating back to February 1982, while as a loss adjuster I proved that the Insured had a strong financial motive and had in fact received death threats for non-payment of moneys owed.

At the time of the fire, I determined that for the first night in any of the neighbour’s memory, their family pet had been removed from the home.

In this house fire, the fire, which started early in the morning, was discovered relatively early by a neighbour who worked as a chef in a restaurant. As a result of this early discovery, I was able to carry out a detailed inspection of the home and found that all the jewellery and family photographs had been removed. In the case of the lounge room, the empty frames were still sitting on the wall with the portraits of the family.

My enquiries also proved that it was possible for the Insured to have lit the fire, although he claims to have been an hour away at the time of the fire (opportunity).

What I was not able to prove was exactly how the fire started. I brought in the best forensic chemists available to me, in fact flew them in from Melbourne to Brisbane, but the exact cause of the fire could not be established. What I was able to eliminate was an electrical fault or the other usual accidental causes of a house fire.

In my early training, it was drummed into me that we had to prove three things to successfully win a case of arson /fraud. First, a motive, second opportunity, and third, a deliberate fire. While I could not prove all three in this old case, I felt that the evidence accumulated on the first two points was more than sufficient to persuade a judge that the claim should not be paid. The insurer and their legal team agreed.

After a trial, that ran for, from memory, well over a week, the judge handed down a decision that was in favour of the Insured. In his summing up, he stated that he felt in such a case, it was better to see 9 dishonest people receive payment than 1 honest person miss out on having a valid claim indemnified. The fact that the cause of the fire could not be established was the stumbling block in his mind.

At the time, I was completely shattered and thought that it was an impossible task to win such a case, but the very next case where we had evidence on all three of these points, we won.

In the second case, we did not allege arson but fraud even though we had evidence pointing to the Insured on all 3 points. The case was based on the fact the Insured grossly exaggerated the amount of their loss. The work I did, which I hate to say was pre-computers and spreadsheets, required heaps of forensic accounting work by hand, and was able to prove that the client, a business owner, was claiming more stock than the business had ever purchased. In other words, the claim was for much more than they had on the premises even if the Insured had never made a sale while they were in business. In this second case, the judge recommended the matter be referred to the police as he felt arson was involved.

It still rankled me at the time that the first case had not gone the way I believed it should have, but now all these years later, whilst I still think that particular claim should not have been paid, the words of the judge about the effect on an honest person who has had their claim wrongfully denied ring true.

I have seen at least two cases where I genuinely believe that a claim has been wrongfully denied and where the Insured has not had the funds to defend the matter. It is not only the financial loss at the time, but it is the fact that the Insured is not able to obtain Insurance into the future that is just as devastating.

As a result of this, after all my years in claims, I take the approach that the Insured is innocent until proven guilty and secondly, that before I act as judge, jury and executioner and recommend a claim be denied, I ensure that there is enough evidence and that some alternative explanation for the loss etc is not realistic.
