Archive | February 2015

Employee Refund Scheme Leads To Embezzlement – Why Inside Jobs Are A Big Risk For Employers

A car dealership employee confessed to embezzling over $13,000 from her employer. The woman worked in the dealership’s service department as an appointment coordinator and had access to customers’ credit card information.

After a client’s service repairs were completed and paid, the employee would reverse the charges to her credit account, which was in the dealership’s system from car repairs she had paid for previously. Jennifer Soules “Mesa auto-dealer employee accused of embezzlement,” www.azcentral.com (Oct. 20, 2014).

Commentary

Inside threats are still an employer’s greatest risk from theft.

Limiting employee access to customer credit card information can reduce the possibility of theft. Employers can restrict employee access by utilizing payment machines that accept credit cards without assistance from a clerk and that do not print the entire credit card number on the receipt. Provide customers with adequate privacy when entering PINs. Direct security cameras so they cannot record a customer entering a PIN.

In addition to limiting access to financial information, regular audits of financial transactions can also uncover risks, while sending a strong message that can help prevent theft.

New Malware Targets Smart Phones – What Is It And What You Need To Do To Avoid Infection

Blue Coat Labs, a cybersecurity firm, recently investigated one of the most sophisticated malware attacks to date.

The new malware is designed to target the “smartphones of business, government, and embassy officials around the world.” Hackers first send a spearphishing email claiming to be a “What’s App” application update to select users in 37 countries. Then, if a user clicks the link, it downloads an Android, Blackberry, or iOS version of the app infected with the malware.

Once installed on a smartphone, the malware records calls made by the user and then drops them at various Internet addresses. The system is complex, involving encrypted instructions on hacked blog posts for the malware to deposit the data on compromised web pages.

The high-level malware is able to cover its tracks and hide the identity of the hackers. “If anything is wrong or the system is not configured just right, this malware detects it, quietly backs off, doesn’t make any errors, cleans itself up and is gone,” says the senior malware researcher. Mark Anderson “Cyber Espionage Malware Taps Smartphones, Sends Chills,” spectrum.ieee.org (Dec. 29, 2014).

Commentary and Checklist

Malware can go undetected for months, all the while stealing your most valuable and sensitive data and sending it to hackers thousands of miles away. A malware attack can cost an organization hundreds of thousands of dollars, as well as countless hours trying to repair the computer system and your reputation.

Educating all employees on the dangers of malware is essential.

Teach employees the following to help prevent a malware attack:

  • Respond quickly if you receive reports of spam coming from your account.
  • Install security software, including anti-virus and anti-spyware software, and pop-up blockers.
  • Maintain a firewall on all computers and devices.
  • Set your security software, Internet browser, and operating system to update automatically.
  • Back up your data regularly to prevent lost data if your computer becomes infected and crashes.
  • Set your browser’s security setting to detect unauthorized downloads.
  • Do not select links or open any attachments in emails unless you are familiar with the link or attachment.
  • Only download and install software from trusted websites.
  • Avoid downloading free online software.
  • Never select any links in a pop-up window.
  • Never download software in response to an unexpected pop-up, especially if it claims to have detected malware on your computer.
  • Remember that most legitimate organizations will never ask for personal or account information through email.
  • Never respond to spam.
  • Never reveal personal or financial information in response to an email request.
  • Use common sense. If an offer sounds too good to be true, it probably is.
  • Confirm requests for information by contacting the sender by phone, using the number on an invoice or legitimate email.

What’s My Risk for Earthquake Insurance?

Earthquakes are few and far between, but when they do occur they can be devastating. In fact, among natural disasters, earthquakes are the most costly to recover from. Despite the enormous financial impact that an earthquake poses to one’s home and belongings, many view earthquakes as an abstract risk—one that will likely never happen to them. However unlikely it may seem, it is important to get the facts and take prudent financial precautions, including opting for earthquake insurance to protect your assets.

Typically, we think of earthquake risk existing only in a small portion of the country: California, Oregon and Washington. However, recent experience tells us that the Midwest region of Illinois, Arkansas, Indiana, Kentucky, Mississippi, Missouri and Tennessee is also at a relatively high risk due to a fault line that runs through those states. And we know all too well locally that earthquakes ARE occurring.

  • Earthquakes have occurred in 39 states since 1900 and about 90 percent of Americans live in seismically active areas.
  • There is a 40 to 60 percent chance that a major earthquake will strike in the eastern U.S. in the next 20 years.
  • The Midwest region mentioned above has a 40 to 63 percent chance of suffering a major earthquake in the next 15 years.

Earthquake Insurance

Many people do not realize this, but most homeowner’s and commercial property policies do not include earthquake coverage. You will need to purchase either a supplemental policy to your current policy, or a separate earthquake insurance policy. (Automobile insurance policies generally cover vehicles for earthquake damage under the optional comprehensive portion of the policy.)

What Does Earthquake Insurance Cover?

Earthquake policies typically cover damage to your house or commercial property and your belongings, up to the insured amount. If possible, you’ll want to buy enough to cover the cost of rebuilding and replacing your belongings. While your standard property policy may cover fire damage that results from an earthquake, an earthquake policy is important to cover damage that results from shaking, such as structure collapse.

How Much Will it Cost?

Because of the massive potential risk associated with an earthquake, coverage tends to be expensive. Your premium amount will depend on your location, along with the age and structural composition of your property. In addition, earthquake policies include a percentage deductible, generally ranging from 2 to 20 percent of total damages, which means you’ll still have significant out-of-pocket costs in the event of an earthquake. However, you’ll want to weigh the cost against your perceived risk of experiencing an earthquake, and your ability to survive the financial aftermath of such a catastrophic event. In assessing your risk, it’s important to know that the government typically will not provide much financial aid for earthquake victims, and help may be limited to low-interest loans that you will need to repay.

Other Considerations

When buying a policy, you should read it closely to be sure you understand what is covered and what is not. Find out if it covers your house or property only or the garage as well, whether it will cover additional living expenses if necessary, and any other exclusions or limitations. You also should know how much time you have to file a claim following a quake, as damage is often not apparent immediately after the incident. Each policy is different. Tower Insurance Agency can offer you recommendations and help find the policy that best fits your needs.

Ransomware: The New Cyber Threat

Technology security experts have discovered a new threat to computer networks—a new variety of “ransomware” called VirRansom. This new malware is particularly troubling because once inside the network, it can clone itself and infect every file it finds. If infected, users are required to make a “ransom” payment (typically in bitcoin) before they can access a network or device.

The aggressive nature of the virus can make cleaning a system difficult. If every trace of the malware is not removed, it will easily replicate itself and re-infect the entire network.

Security experts stress the importance of keeping a full set of backups at an offsite location, and using asynchronous real-time backups that can be performed with a few simple steps. Organizations should also test their system’s restore function to make certain it works. Experts recommend replacing standard mapped drives with Universal Naming Convention (UNC) paths for shared folders, and running software that allows only pre-approved applications to run on the system, also called whitelisting.

The most crucial protective tactic, however, is continuous employee training on system security measures. Mitch Lipka “A new strain of “ransomware” is striking,” www.cbsnews.com (Dec. 8, 2014).

Commentary and Checklist

The U.S. Computer Emergency Readiness Team (US-CERT) recently released an alert to users of Microsoft Windows, detailing the emerging issue surrounding ransomware.

Like most malware, the infection occurs when a user unwittingly visits an infected website or opens an infected attachment in an email. The malware is then downloaded onto their computer and begins its work. The user will typically see a message that is meant to frighten them into clicking on a link or paying a ransom. Some examples of these messages are:

“Your computer has been infected with a virus. Click here to resolve the issue.”

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

The technology security firm, Symantec, looked at data from one command and control server with 5,700 compromised computers. They estimate nearly 2.9 percent of infected users choose to pay the ransom, which means one server could generate about $394,000 of revenue per month.

Unfortunately, there is no assurance the system will be restored if the ransom is paid, and in some instances, further viruses may be installed when the victim tries to make a payment.

Aside from the financial loss incurred by paying the ransom, business systems infected with malware can experience loss of corporate information and other sensitive data, interruption of daily operations, and damage to the organization’s reputation.

Employers must stay alert to new and growing threats to their information systems. Educating employees on security threats needs to be a continual effort.

US-CERT suggests taking the following steps to protect your organization’s computer networks from ransomware infection:

  • Conduct system backups on a regular basis, and store those backups on a separate device that is offline.
  • Make certain all computers are running anti-virus software that is up-to-date.
  • Maintain updated operating systems and software, installing the latest patches. Create a procedure for users to confirm that updates are being completed in a timely manner.
  • Perform regular employee training that includes safe web-browsing practices and safe handling of email attachments.
  • Keep employees informed on the latest phishing email scams.
  • Create a method in which employees can report instances of ransomware or other malware to the IT department.
  • Notify the FBI if computer fraud is discovered.

The Government’s Misclassification Initiative: Why Use of Independent Contractors Is A Target

Written exclusively for Hartford Help

ICon Professional Services, a leader in 1099 contractor compliance and payroll and benefits administration, released a report earlier this year exposing a significant gap between executives’ perceptions and reality about misclassification risk.

The survey methodology used a sampling of senior executives to provide insight on their worker misclassification experiences. Respondents came from a range of industries including energy, government, health care, and technology. Employers with fewer than 100 workers using only a few independent contractors a year were polled, as well as employers with more than 5,000 workers using hundreds of independent contractors.

According to ICon’s report:

  • Eighty-four percent of respondents plan to maintain or increase their investment in independent contractors in 2015.
  • Half of respondents use up to 20 independent contractors per year. Thirty percent use up to 100 independent contractors per year, and 15 percent utilize more than 500 contractors per year.
  • Thirty-seven percent retain their relationship with contractors for up to a year. Twenty-eight percent maintain relationships for up to three years.
  • Nearly seven-in-ten respondents use independent contractors because of their unique specialist skills.

The report also reveals that 77 percent of respondents think their total financial risk exposure to failing a worker misclassification audit is below $100,000. In reality, for 100 independent contractors paid an average $100K annually, an employer’s financial risk could exceed $4,500,000. Only 57 percent of respondents have “great confidence” in knowing the exact number of independent contractors they are currently using.

According to Dana Shaw, COO at ICon,

“The majority of Fortune 2000 employers are either ignoring or seriously underestimating the reach of the government mandates and therefore financial risk to which they are exposing themselves. With the contingent labor market on the rise, business leaders can’t afford to ignore the importance of properly classifying their employees.” Ann Warren for ClearEdge Marketing, “Companies Largely Unaware of Financial Risk of Independent Contractor Misclassification, Reveals ICon Survey Report,” www.marketwatch.com (Oct. 6, 2014).

Commentary and Checklist

The Internal Revenue Service (IRS) estimated that 3.4 million employees were misclassified as independent contractors back in 2011. The IRS estimated an annual revenue loss of $3.4 billion because of the misclassifications.

Independent contractors reduce labor costs because employers do not have to pay their unemployment taxes, workers’ compensation, overtime, health care, and other benefits. As revealed in the survey, many employers take advantage of specialized skills. Some employers use independent contractors to keep the number of employees down, which allows them to avoid regulations that apply to larger employers.

To crack down on misclassification, the U.S. Department of Labor (DOL) announced the Misclassification Initiative and teamed up with the IRS and state governments to rectify the problem. To fund the Initiative, the government issued $14 million to combat misclassification, including $10 million in grants to states to identify misclassification and recover unpaid taxes, and $4 million for DOL investigators. In 2012, the DOL’s Wage and Hour Division requested an additional $3.8 million and 35 full-time employees for increased enforcement related specifically to misclassifications.

Federal and state governments continue to focus time and money on detection and deterrence of misclassified workers.

In the event your organization is audited, the DOL will closely examine the relationship between the organization and your independent contractors. “Independent” is the key word in determining whether your relationships pass muster. True independence depends largely on how much the employer controls the contractor’s activities.

The Supreme Court has held that employee status is not determined by the timing or mode of pay. According to the DOL, “independent contractor agreements” also are not determinative, and neither is the fact that the individual is incorporated or licensed as a separate business entity.

There is no single rule or test for determining whether a person is an employee or independent contractor under the Fair Labor Standards Act and tests vary from state to state.

Here are some considerations for employers trying to keep their contractors independent:

  • Independent contractors should furnish their own equipment.
  • Consider the permanency or length of the independent contractor relationship. Longer relationships will draw more scrutiny.
  • Make sure no one in your organization exercises specific direction and control over the contractor’s employees.
  • Although labels are not determinative, contractors should have their own workers’ compensation insurance and be licensed and incorporated.
  • Similarly, even though “independent contractor agreements” are not decisive by themselves, have one anyway. Make certain that the workers are employees of the contractor and that the contractor is responsible for hiring, firing, payroll, paying workers’ compensation premiums, and managing workers.
  • Make sure contractors exercise managerial skills that influence their profits and losses.
  • Make sure independent contractors maintain their own initiative and judgment in open market competition. The contractor should have other clients and contracts.
  • Employers should consult with legal counsel and tax professionals before deciding an individual is an independent contractor.