The tale of a scary nine-page background check

I wasn’t too long out of college and at my first “real job” (no background check required) when I stumbled into my very first fraud. I’d been assigned to do some job costing reports because my boss could not find out why the company was losing so much money on a job. After some digging, I found checks that should have been destroyed (and were voided in the accounting system) but had been cashed at the bank. Turns out there was fraud in the accounting department. Not only were “voided” checks being cashed but the payroll person was issuing two checks per payroll for herself and her accounting buddy (including the double 401K contributions for the company AND double vacation hours). The employee had been there for more than eight years – and had been committing fraud for seven and a half of them.

I can remember sitting in the hot warehouse of the company, in the summer, on a box, looking through bankers boxes of check stubs when I found the duplicate stubs. My disbelief that someone would actually DO that. And my fear about who I was going to have to tell and how bad the ramifications would be to me. These were senior people. And I had all the proof in my hands, but still I knew it would be bad, and to be honest, when it all came down, it was. I think since that day I have had a nose for fraud. That whole experience changed how I looked at a lot of things. It honed my detail skills. It made me more suspicious of people who were “too nice”. These women I’d worked side by side with for four years were not what they appeared to be. They weren’t my friends, they were thieves.

Since that day I seem to have walked into a number of cases of fraud, at other companies and with clients in my business. I’ve counseled my clients when they’ve had an employee rob them blind. Fake checks, fake vendors, missing deposits – nothing takes the anguish away when they realize someone they trusted has stolen from them.

It has also made me hyper-vigilant about The Wren Group, Inc. and how to keep us as safe as possible from fraud and theft. I have been studying to be a Certified Fraud Examiner (CFE). And one of the things I’ve learned is how important a background check and a reference check are in the hiring process.

One of the very best ways to prevent fraud in the workplace is to have a sound hiring process including reference checks and most importantly, background checks.

The thought here is that rarely do people all of a sudden start stealing. There have been issues at past employers and potentially even with law enforcement. And for what a background check tells you (and potentially saves you), they’re really inexpensive, between $17 and $50 depending on the number of states and what you’re checking.

Before you run a background check on a potential employee, you have to have a policy that tells the potential candidate what you will do with the information, especially if it’s negative. Definitely check with an attorney or your background check company for the right language. Basically my policy says that I will give the potential candidate the opportunity to explain any incidents found, and that if what is found influences the hiring decision, they will be informed of what the information was and why.

A couple of years ago I was hiring for a bookkeeper in my office, and found a delightful candidate that checked all the boxes for the position. Great at QuickBooks. Strong Accounting knowledge. Bright. A college graduate. Super personality. Lots of volunteer work. Sounded too good to be true, and I offered her a position contingent on a background check. It’s the first (and only) time I’ve offered a position before I got the results back but I felt so good about this person that I just knew the background check was a formality.

Ha. Nine scary pages of check fraud (about 30 offenses). Two incidents of forgery. Theft by taking. I was aghast. How could my people-meter have been so off? This was a delightful person, great background, perfect candidate. And a thief, forger, and potential company-ending hire. I dutifully sent the required e-mail asking for clarification and explanation and I never heard back from the candidate. I’m pretty sure she’s probably working in an accounting office somewhere and I hope to God she’s not skimming, stealing, or forging there because they didn’t do their due diligence.

Another candidate had a clear background check, but the reference check was a little off. The litigious society we live in has made former employers reticent to give feedback freely. Nobody wants to be honest lest they prevent someone from getting a job and are sued for their honesty. This means that as the potential employer, you have to ask a few questions and listen for the long pauses. Not sure what to ask? Look here: http://tinyurl.com/cz7rgl5 There have been a couple of times when I’ve said to the reference, “I know that you are reluctant to be honest, but I hear something in your voice that worries me. I have a business too. What aren’t you telling me? This is a confidential phone call.” And that has usually worked. Ask tough questions, expect straight answers.

There’s been a couple of times recently where a client has told me they’re hiring and asked me if I’d do a background check – or worse, if they tell me they don’t want to do them. There seems to be a stigma that if an employer does a background check, they don’t trust their employees. But it’s not about trust; it’s about taking care of the business you built and maintain every day. It’s about protecting your income, your business, your clients, and employees.

For information on finding a background check company, you can check the web or contact your attorney. We’re happy to share the local company that we use (and have been extremely happy with), just give us a call at our office.

Create complex passwords you know & hackers won’t

I don’t know about you but it’s gotten to the point that I wonder how in the world someone else can hack my password when I have trouble remembering it myself.

When a scare like the Heartbleed Bug happens, websites respond by increasing password complexity requirements, making it even more difficult to remember which password goes where – and which one is the one that has the capital letter, and the special character, or the set of numbers. How many of you have paper notes in your desks, wallets, notebooks, wherever, to keep your passwords “safe”?

PC Magazine recently published a list of the worst passwords of 2013. You can read the full article here but here’s the short list:

123456, password, 12345678, qwerty, abc123, adobe123, 111111, 1234567

Anything look familiar? The list was skewed a little bit because of the Adobe breach (and those who used adobe123 as their password) but the simplicity of the passwords above makes them easy to steal. The reason that people use simple passwords is pretty obvious – because they’re easy to remember, and I think all of us realize we should be using more complex passwords. At the end of the day we’re still left with the same problem: How to remember multiple passwords across multiple platforms without having to resort to writing them all down.

So about six months ago, I tried to figure out what might be a better solution for me to create complex passwords. I didn’t want to use the same password at each site, because if one is compromised, they all are compromised. How could I devise a method to meet all the weird complexity requirements, make it something not easily guessed, but would work across all platforms, yet STILL be unique at each site? Here’s what I’ve come up with, and honestly it works pretty well.

First what you need is a number, two, three or four digits, that means something to you but wouldn’t be trackable back to you. It shouldn’t be your address, birthday, or zip code – nothing current, and really nothing in your past since in this digital age almost every address you’ve ever lived at as an adult is searchable online. Some ideas are: your grandparent’s street address, your basketball jersey number, your PO box in college, the last four of your phone number when you were in grade school or even the model year of your first car. For this blog, I am going to use the example of a football jersey number, 54.

Then you need to decide what characters you’ll replace in your new passwords. If I’d headlined this post with H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd? would you have known what I meant? H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd? means How easy is it to guess your password?

Here’s how that works:

  • a=@ The “at” sign on your keyboard, above the number 2.
  • i=! The letter i, regardless of capitalization, is an exclamation mark, above the number 1.
  • o=0 The letter o is a zero
  • e=3 The letter e is a number 3
  • s=$ The letter s is a dollar sign

Now you need to figure out how you want to create your passwords using the web address for the website. I usually use what’s between the www and the .com or .net as long as it’s not too long. For Facebook.com I use facebook. Wellsfargo.com – wells. Merrilllynch.com – merrill.

Once you’ve decided how you’re going to abbreviate your website, you’re ready to start putting the passwords together. You need the number you chose, the character replacement, and the website abbreviation.

Here’s how it works using this system and adding the number I chose, 54, listed above. I added the number to the end, but you can add to the beginning if you want.

  • My Facebook.com password becomes F@ceb00k54
  • Wellsfargo.com becomes W3ll$54
  • Merrilllynch.com becomes M3rrill54

Here’s why this works so well: The passwords have complexity requirements – a capital letter, a number AND a special character. The passwords are unique at each site – so if your Facebook password gets compromised, no databot is going to figure out your Wells Fargo password. Best of all, once you come up with your own personal naming convention, you never have to write anything down. It’s in your head and you can pretty much remember every password you need to remember, because it’s all right in front of you.

This may seem a little “techie” at first, but I promise you once you figure out the basics, you’ll have it down pat. Print out the character replacements if you need to – no one is going to know what they’re for, and give it a try. Would love your feedback – is it working for you?

Anne
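
Added example, not part of the original post: a password-policy check, as a site or an internal audit might run it, that recognizes passwords built with the scheme above by reversing the five character replacements and looking for the site's own name. The function names, the four-letter minimum and the sample list are assumptions made for this example.

```python
from typing import Optional

# The post's replacement table, reversed (symbol -> letter).
UNLEET = str.maketrans({"@": "a", "!": "i", "0": "o", "3": "e", "$": "s"})

MIN_STEM = 4  # assumption: shortest site-name prefix worth flagging


def site_label(hostname: str) -> str:
    """Part between 'www.' and the first dot, e.g. 'Wellsfargo.com' -> 'wellsfargo'."""
    host = hostname.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".", 1)[0]


def normalize(password: str) -> str:
    """Lowercase the password and undo the character replacements."""
    return password.lower().translate(UNLEET)


def derived_stem(password: str, hostname: str) -> Optional[str]:
    """Longest prefix of the site's name found in the password, or None.

    Prefixes are tried because the post abbreviates long names
    (wellsfargo -> wells). The match is a substring search, so the
    added number is ignored whether it sits at the start or the end.
    """
    label = site_label(hostname)
    plain = normalize(password)
    for end in range(len(label), MIN_STEM - 1, -1):
        if label[:end] in plain:
            return label[:end]
    return None


# Constructed sample: the three passwords from the post plus one unrelated one.
SAMPLES = [
    ("Facebook.com", "F@ceb00k54"),
    ("Wellsfargo.com", "W3ll$54"),
    ("Merrilllynch.com", "M3rrill54"),
    ("Facebook.com", "tulip-Harbor-92-quartz"),
]


def audit(samples):
    """Return (hostname, matched stem or None) for each sample."""
    return [(host, derived_stem(pw, host)) for host, pw in samples]


if __name__ == "__main__":
    for host, stem in audit(SAMPLES):
        print(f"{host}: {'reject, contains ' + repr(stem) if stem else 'ok'}")
```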

And for security purposes, your mother’s maiden name is……?

In last month’s blog, I shared some of the interesting ways that businesses can be subjected to fraud with their business checks, using simple household things like scotch tape.

Lately I’ve been thinking about passwords and how to keep personal information safe and secure. Now all of us are pretty careful about our social security numbers, our credit card numbers, EINs, those obvious chunks of data that could compromise us. It’s sometimes not obvious how small pieces of information could be out in the mainstream internet and available to thieves.

So let’s start with what is seemingly a difficult piece of information to obtain, but is a potential key to unlock a whole host of personal data – your mother’s maiden name. Within the past few years, your mother’s maiden name has become one of the top two security questions needed for bank passwords, mortgage accounts, credit card accounts, and other areas where a password reset is needed. So how hard is it to find? On first thought, pretty hard. It’s on your birth certificate, and on your parents’ marriage license, but neither of those documents are ones we carry around. So how does the maiden name get out?

Facebook.

I enjoy Facebook as much as anybody. I keep up with friends and colleagues, and get to participate in groups and hobbies I enjoy. I share pictures of where I am, my children, my hilarious pets, and articles I find interesting. And as much as Facebook can be fun and interesting, it can be a treasure trove of personal data ripe for the picking.

If you’re a female with a Facebook account, then your maiden name is probably listed right on your profile. If you’re a dude, and your mom is on Facebook, it’s probable that her maiden name is right there for anyone to see. It’s listed for an innocent enough purpose – so those from your past, who you may not know now but you knew before you got married – can find you. Go check – is your Facebook (for the women out there) first name maiden name last name? While I’m penning this blog, I’m thinking of a number of my lady friends, and I think almost all of them use their maiden name. I did a quick count and 70% of my women Facebook friends (including my mom) list their current first name, maiden name, and last name up front on top of their profile.

How about your hometown? How many of you were born in your hometown? If it’s listed on your profile, then you’ve given a potential identity thief a second key piece of information in a quest to steal the data they need. Further, if you’ve listed all the places you’ve lived, you’ve put even more personal information out there for someone to steal.

Isn’t it nice to get birthday wishes on Facebook? Is it nice enough to give that information out to the whole world? ‘Cause if your birthday is on your profile, you’ve done just that.

Last is the lovely “family” part of the FB page – you know, where you list who is in your family. It’s in the about section of your profile.

With these four seemingly innocent pieces of data, you connect many dots for an identity thief. Your full name, your birthday, your family, your mother (and probably her maiden name) as well as your hometown and a list of where you’ve lived.

How to tighten your security and the information you share:

First fix. On Facebook you can list your maiden name in your profile (thus making it easy for people to search for you who KNOW your maiden name already) but not show it.

Go to the little settings gear on the top right, click settings, and then next to your name, click edit. When the window opens, you can put in your name as it is now, then under your Alternate Names, list your maiden name. Uncheck Include this on your timeline and then your maiden name is searchable for those who knew you, but not available to those who didn’t.

Your hometown is nice to list on your profile, but don’t make it too specific. If it happens to be the town you’re born in, you might want to go a bit broader to the nearest metropolitan area.

Next Fix: It’s easy to hide your birthday from your profile. Go to your profile, about, then basic information. You can list your birthday, but click the lock, and “only me”. Now your birthday is there, but it’s secure.

Last Fix: Click “About” on your page, then family, then edit. You can make your family members visible only to those who need to see it.

It goes without saying that you should also lock down your profile so that only friends can see what you post, about you, and most all of your profile. This is handled under the settings gear as well, but click Privacy on the left side. This is where you control who sees what and who can find you on Facebook.

For more information about Facebook and privacy, click here.

Look for next month’s article about an easy way to learn different passwords for the web – and never have to write them down.

How Scotch Tape could cost you $100K

I was recently at a conference in San Francisco for Intuit Premier Resellers. Since it’s a reseller channel, we are regularly updated with business trends and how they relate to items we can sell, and this specific presentation was about checks.

As part of the presentation, I received a book called The Art of the Steal by Frank W. Abagnale. You may know the name – he is the author of Catch Me If You Can – which was made into a movie starring Leonardo DiCaprio.

The Art of the Steal was written to protect people and their businesses from fraud. In the book, Frank details some of the ways that businesses can be hit with fraud, and I was really blown away by how easy it is to do what’s called “washing a check”.

First I need to explain how the process starts. Most all the printers we use today are laser printers. These differ from dot matrix, ink jet, and even typewriters in how they lay ink down on any type of paper. Laser printers “lay” the ink on top using heat to attach the ink to the paper. The other three methods actually inject ink or impact ink onto the paper.

A thief who wants to defraud you via a check can use scotch tape to do it. This process is called washing, in part because sometimes both scotch tape AND acetone (nail polish remover) are used. They’ll take a check and a piece of Scotch tape, the gray cloudy kind that doesn’t pull up paper when you use it, and place the tape carefully on top of the payee, then the date, dollar amount and amount line. Then they scratch, using a fingernail or a coin, over top of the laser print. It’s kind of like a lottery ticket in reverse. The tape pulls the laser printing right off the check. If there’s any residue of toner left over, all they have to do is use a dental pick, toothpick, small x-acto knife, or even an eraser to pull it up. The signature line is left alone. Now, Voilà! Here is a signed, blank check for someone to fill in at their discretion.

And if they fill it in for $100,000, then that $2.69 roll of scotch tape just cost you $100K.

So what do you do? The first and most efficient way to stop these types of thieves is to have checks that are chemically treated to withstand these sorts of fraud attacks. The plain paper checks you receive from the bank or even order from a check printer are not devised to thwart the thief. They are basic checks.

If you have checks that look like this – in purple, green, yellow, red, or pink, where there is soft color and no markings – then you have basic checks like the ones on the clip on the right.

Premier checks are made to withstand many types of fraud, including our scotch tape example with a technology called toner adhesion, which makes pulling up the toner with tape nearly impossible. They also have features like chemically reactive paper, invisible fluorescent fibers, microprinting, and a prismatic color background.

Back to the reseller conference I started with above. In addition to the software and hardware I can sell, Intuit has extended the product offering to include checks, deposit slips, and deposit stamps. I was previously able to extend a 30% discount on the orders, but now am able to increase that discount to 35%. For a custom quote, just call our office at 770-554-5414. We’ll need a blank check copy faxed over and then the new secure checks are sent directly to your office.

So what areas can you improve in your business besides checks to help decrease your chance for fraud? Find out in our next article.