Pondera FraudCast

Welcome to the Pondera FraudCast, a weekly blog where we post information on fraud trends, lessons learned from client engagements, and observations from our investigators in the field. We hope you’ll check back often to stay current with our efforts to combat fraud, waste, and abuse in large government programs.

How Fraudsters Stole Money from Venmo Users

In yet another example of the creativity of fraudsters exploiting security flaws in commonly used services, the Federal Trade Commission recently announced a settlement with Venmo, the popular peer-to-peer payment service. The charges, filed in 2016, include some surprisingly basic security flaws in Venmo, which boasts of “bank-grade security”.

One major problem was found in Venmo’s cash reconciliation process. It would notify users that money had been deposited in their accounts when, in reality, many of the transactions were still under review and could still be reversed. This allowed fraudsters to “purchase” and receive products before their payments were validated. Sellers, assuming that cash had been received, would ship the product and then find themselves without an actual payment. One scammer used this technique over several years to steal over $125,000 before being discovered.
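To make the flaw concrete, here is an added illustration written for this post; it is not Venmo’s code, and the account model, transaction states and function names are assumptions made for the example. The “flawed” balance treats every transfer that has not yet been reversed as money in hand, which is the behavior the FTC described; the hardened version only counts transfers that have cleared review. The scenario runs the same sale through both and shows who absorbs the loss when the review later fails.

```python
"""Added example (not Venmo's code): pending transfers displayed as received funds.
Account, Transfer, the State enum and the balance functions are assumptions for
this illustration. Amounts are integer cents."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"      # transfer accepted but still under review
    SETTLED = "settled"      # review passed, funds are final
    REVERSED = "reversed"    # review failed, transfer undone


@dataclass
class Transfer:
    amount: int
    state: State = State.PENDING


@dataclass
class Account:
    transfers: list = field(default_factory=list)

    def receive(self, amount: int) -> Transfer:
        """Record an incoming transfer; every transfer starts out under review."""
        t = Transfer(amount)
        self.transfers.append(t)
        return t


def displayed_balance_flawed(acct: Account) -> int:
    """The flaw described in the post: anything not (yet) reversed is shown as received."""
    return sum(t.amount for t in acct.transfers if t.state is not State.REVERSED)


def available_balance(acct: Account) -> int:
    """Hardened version: only transfers that cleared review count as received."""
    return sum(t.amount for t in acct.transfers if t.state is State.SETTLED)


def seller_should_ship(acct: Account, price: int, balance_fn) -> bool:
    """The seller's decision rule: ship when the app says the money is there."""
    return balance_fn(acct) >= price


def run_scenario(balance_fn) -> dict:
    """Constructed scenario: a buyer 'pays' $120.00, the seller decides whether to
    ship based on balance_fn, and the transfer is then reversed by the review."""
    seller = Account()
    payment = seller.receive(12_000)
    shipped = seller_should_ship(seller, 12_000, balance_fn)
    payment.state = State.REVERSED          # review fails after the seller acted
    return {
        "shipped": shipped,
        "final_balance": balance_fn(seller),
        "seller_loss": 12_000 if shipped else 0,
    }


def run_settled_scenario(balance_fn) -> bool:
    """Same sale, but the transfer clears review before the seller decides."""
    seller = Account()
    payment = seller.receive(12_000)
    payment.state = State.SETTLED
    return seller_should_ship(seller, 12_000, balance_fn)


if __name__ == "__main__":
    for name, fn in (("flawed display", displayed_balance_flawed),
                     ("settled-only", available_balance)):
        print(f"{name:>15}: {run_scenario(fn)}")
```

The point is not the arithmetic but the ordering: the flawed balance lets an irreversible real-world action (shipping) happen before the reversible transfer becomes final. Any system that surfaces a pending state to the user as if it were final has the same problem, whether the funds are card authorizations, ACH pulls or app-to-app transfers.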

In addition to this security flaw, federal regulators also noted that Venmo neglected to notify users of username and password changes or when new devices were added to their accounts. This allowed hackers to hijack accounts without any warning to the actual account owners.

While the FTC’s settlement does not include any cash damages, it is likely that Venmo will face a slew of upcoming lawsuits. Beyond this, Venmo’s issues are particularly concerning to consumers. We often assume a certain level of security and common-sense practices when we use well-known applications and services. Clearly, we should all be concerned about trusting our money and identities with any company—regardless of how safe it appears to be.

City of Atlanta Victimized by Ransomware

Imagine walking into work and being handed a printed note instructing you not to turn on your computer because of a ransomware attack. Then imagine that you are instructed to monitor your personal bank accounts because your employer is unsure exactly what information has been compromised. City employees in Atlanta don’t have to imagine. They are living this nightmare after the city was hit last week by SamSam ransomware.

The city is working with federal law enforcement after the hackers demanded a $51,000 payment to turn control of the computers back to the city. And Hartsfield-Jackson Airport, one of the busiest airports in the world, turned off their WiFi out of “an abundance of caution”.

Ransomware is malicious code that encrypts your files and renders your data unusable until you pay a ransom for the key. It often enters networks after users click on a link in a phishing email, although SamSam in particular has typically been planted by attackers who first broke in through exposed remote desktop logins or unpatched internet-facing servers. It is currently among the most “popular” forms of malware. According to Kaspersky’s 2016 year-end report, by late 2016 a business was being attacked every 40 seconds and an individual every 10 seconds. An IBM study found that 70% of businesses hit by ransomware paid the ransom, and half of those paid more than $10,000 to regain their data.

Despite recent prosecutions (for example, a Russian judge sentenced the criminals behind the Blackhole malware to up to eight years in prison), it is still extremely difficult to locate and prosecute the hackers because many of them operate from overseas. And now, even novice computer users can get in on the scam via Ransomware as a Service sites on the dark web. These sites allow you to configure and run your own ransomware campaigns without having to be an expert coder.

This combination of high success rates, easy access to ransomware code, and difficulty with prosecutions means that ransomware attacks are only going to increase. As employers and as individuals, it’s critical that we remain vigilant or we’re all going to end up victims.

Ambulette Fraud

“Ambulette” is a term to describe the vans and cars that transport Medicaid patients to non-emergency appointments. Despite the presence of ambulettes, millions of Americans continue to miss medical appointments each year because of transportation problems. One possible answer to this problem? Rideshare companies like Uber and Lyft who sign agreements with hospitals and medical groups.

In my opinion, however, rideshare companies should proceed with caution. Fraud is rampant in Non-Emergency Medical Transportation (NEMT) and the under-the-table cash temptations may prove too strong for some drivers to ignore. Kickback schemes, billing for rides never actually given, illegal referrals, and providing rides to deceased patients are common NEMT fraud schemes.

The Centers for Medicare and Medicaid Services (CMS) recently gave a presentation on NEMT compliance and reporting requirements (which are the responsibility of the rideshare companies) and common fraud schemes. In one, a Medicare beneficiary drove patients to dialysis appointments but also provided the medical IDs to an ambulance company so they could bill as well. In another, a parent was jailed 30 days for billing Medicaid for trips for her child’s treatments. Although the parent was authorized to transport her child, the trips never actually took place.

It’s not easy for ridesharing companies to monitor their drivers’ behavior, especially because of the flexible driver contracts and work hours. Combine this with NEMT fraud fines that often run into the hundreds of thousands of dollars and it is clear that rideshare companies may be opening themselves up to some serious problems.

An “Amazing” Contributor to the Nation’s Opioid Crisis

The Sacramento Bee, my local newspaper, reported this week on an area doctor, a seemingly successful cardiologist and graduate of Northwestern’s medical school, who pleaded guilty and was sentenced to 52 months for illegally prescribing opioids.

After reading about Doctor Capos’s crimes, 52 months seems grossly inadequate. The sentencing judge agreed, despite acknowledging the doctor’s cooperation, stating that "It's probably giving you a break more than you deserve at this time."

The sheer volume of Capos’s crimes is alarming. In one case, he prescribed 2,640 hydrocodone pills to a single patient in 28 days. That works out to about 94 pills per day. Of course, what likely happened is that the pills were sold on the street to addicts and future addicts—some undoubtedly to our young people.

The judge called his actions an “amazing” contribution to the opioid crisis. Yet a quick look at average sentences for drug dealers reveals that convicted methamphetamine dealers average 87 months in prison. Heroin dealers average 63 months. While this “amazing” opioid dealer only received 52 months.

It seems to me that the time for talking about the opioid crisis has passed. It’s time for action and one place to start would be tougher sentencing laws on the greedy fraudsters who push these drugs into our neighborhoods.

A New Way to Rip Off the Taxpayer

I often mention how “impressed” I am by the ingenuity of fraudsters and their ability to find new and creative ways to steal money. And now, with the country starting to pay attention to the opioid crisis, comes word of one of these fraud innovations. This time, fraud (and to be fair, often just massive waste) is found in the escalating number of urine tests being performed to detect opioids and other drugs in patients.

Kaiser Health News, with help from the Mayo Clinic, found that billing for urine screens and related tests quadrupled from 2011 to 2014, to $8.5 billion a year. The federal government paid providers more for drug urine screens than it paid for the four most common types of cancer screens combined. $8.5 billion is more than the annual budget of the Environmental Protection Agency!

It’s easy to see how this could happen. In the case of 50 less-than-scrupulous doctors who operate their own labs, Medicare paid over $1 million for drug tests at their pain management practices. 31 of these received over 80 percent of their Medicare payments from urine tests; in other words, less than 20 percent was for actual patient care!

Other labs have hired sales teams that use high-pressure tactics, telling doctors to order more tests to lower patients’ risks and to protect their practices against law enforcement or medical licensing board investigations. One lab’s sales manager earned $700,000 in salary and commissions, and the company later had to pay $256 million to settle claims with the Justice Department.

While some of the data in this blog post is over two years old, opioid prescriptions (and deaths) continue to climb—the latter at about 20 percent per year. Despite the government’s enforcement efforts, I assume that the urine test cash grab is also accelerating. It’s also safe to assume that when this scheme is shut down, the fraudsters will find another way to rip us off.

Jackpotting Comes to the U.S.

We’ve written several times about skimmers, devices that thieves place in gas pumps, ATMs, and other machines to steal card and personal data from unsuspecting patrons. Now a different kind of ATM attack, called “jackpotting”, is making its way from Europe and Asia to the states. Unlike skimming, it doesn’t go after the customer’s card data at all; it goes after the cash inside the machine.

The aptly named jackpotting requires getting inside the ATM. The thieves often dress as ATM technicians, open the cabinet, and use an endoscope to locate the internal connections they need. They then either load their own malware onto the ATM’s computer or attach a device of their own to it, and use that to control the machine remotely and order the cash dispenser to empty itself, as many as 120 bills per minute, into the hands of “jackpotting mules” who collect the money.

The Secret Service is now issuing warnings about the spread of jackpotting, and organized criminal gangs are targeting stand-alone ATMs in pharmacies, big box retailers and drive-thru ATMs. And, of course, thanks to the anonymity of the dark web, criminals can easily purchase the software and equipment necessary to pull off the schemes.

While still in its infancy here in the states (in a recent week there were six attacks that stole just over $1 million), jackpotting is quickly establishing itself as one more fraud tactic that businesses and citizens will have to watch out for. The good news in this case is that a hacked ATM appears out of order to consumers. At least we won’t insert our cards and we won’t lose our data. The bad news is that institutional losses often get passed to us in the form of higher fees and more complex processes. As usual, we all pay in the end.

How Startups Benefit Government

What a delight it was to read a commentary in Government Technology magazine by Rebecca Woodbury, a Senior Management Analyst with the city of San Rafael, California. In the article, Rebecca recounts her experiences working with technology startups and the benefits to the city of moving beyond a small set of traditional providers.

Rebecca argues that startups offer “simple and intuitive interfaces, don’t require costly implementation fees or long-term contracts, embody the spirit of continuous improvement, and have their eyes keenly on the future.” She goes on to state that these benefits are far more important than “the number of years a company has existed or the number of clients they have.” And she even provides ways to mitigate the risks associated with startups such as avoiding long term contracts.

Right on, Rebecca! While Pondera is no longer considered a startup and we can meet the stringent financial and customer qualification requirements in public sector bids, we work hard to hold on to the EXACT list of benefits Rebecca articulated. And when Pondera was a startup, we counted on people recognizing those benefits. That’s why we would get so frustrated when we would read RFPs that asked for “innovative solutions” but required that they be implemented for at least five years! In the age of cloud computing and Agile development, the gap between business needs and archaic procurement policies has grown into a gaping canyon.

So, at the risk of inviting competitors into our market, I applaud Rebecca’s efforts and those of similar public servants who recognize that nimble, innovative startups offer compelling alternatives to large, established IT companies. I also know that competition makes all companies better. In the end, isn’t that what government wants in its partners?

Nigerian Email Fraud

In December, a 67-year-old Louisiana man was charged with 269 counts of money laundering for serving as a middle man in a Nigerian Internet scam. These scams, which everyone with an email account has encountered, promise large sums of money from an inheritance or from a “prince” trying to leave the country in exchange for your financial information. Typically, they then require you to send money to release the funds, and the operation keeps running into new obstacles for which more money is required.

When I receive these emails, I’m always struck by just how ridiculous the stories are. They are so obviously fake that only the most naïve would lend them any credence. Given the sophistication of some of the fraudsters we combat at Pondera, I’ve always wondered why these clearly unsophisticated scammers can’t put out more believable emails.

After a bit of research on the subject, it turns out I’m the unsophisticated one. In fact, Microsoft Researcher Cormac Herley wrote a thought-provoking paper on the Nigerian Scams that concludes in part “By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.” So, like any good salesperson would do, the scammers are essentially feeding only the best leads into their pipeline and eliminating the poor leads early in the process so they don’t waste time pursuing them.

Pretty brilliant actually, if you’re into despicable crimes. And the results show it. The FBI’s Internet Crime Complaint Center (IC3) says that over the past five years it has received an average of 280,000 complaints per year and, more importantly, it estimates that victims have lost over $4.6 billion in that time (those figures cover every category of internet crime the IC3 tracks, not just advance-fee scams). In the most extreme cases, victims were lured to Nigeria, held against their will, and extorted for additional money.

If you’re interested in reading more about this, check out Mr. Herley’s paper at the link below:

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WhyFromNigeria.pdf
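Herley’s self-selection argument is easier to see with numbers, so here is an added model written for this post. It is not code from Herley’s paper or from anyone else; the population sizes, reply rates, payout and per-reply cost are constructed figures chosen only to illustrate the mechanism. The pitch is treated as a classifier: every reply is a “positive”, the people who will eventually pay are the true positives, and everyone else who answers is a false positive the scammer still has to spend time on.

```python
"""Added model of Herley's self-selection argument (constructed numbers, not
data from the paper). A pitch is scored like a classifier: replies cost effort,
only replies from viable marks ever pay out."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pitch:
    name: str
    viable_reply_rate: float     # share of would-be payers who answer this pitch
    nonviable_reply_rate: float  # share of everyone else who answers it


@dataclass(frozen=True)
class Campaign:
    recipients: int        # emails sent
    viable_marks: int      # recipients who would actually pay if worked to the end
    payout: float          # what one viable mark eventually pays
    cost_per_reply: float  # scammer's effort to work one reply, viable or not


def evaluate(pitch: Pitch, c: Campaign) -> dict:
    """Replies are 'positives'; only viable replies are true positives that pay."""
    nonviable = c.recipients - c.viable_marks
    tp = c.viable_marks * pitch.viable_reply_rate   # replies worth the effort
    fp = nonviable * pitch.nonviable_reply_rate     # replies that only burn effort
    replies = tp + fp
    precision = tp / replies if replies else 0.0    # Herley's true/false positive balance
    profit = tp * c.payout - replies * c.cost_per_reply
    return {"pitch": pitch.name, "replies": replies,
            "precision": precision, "profit": profit}


def best_pitch(pitches, c: Campaign) -> str:
    """The pitch a profit-maximizing scammer would send."""
    return max(pitches, key=lambda p: evaluate(p, c)["profit"]).name


# Constructed inputs: one believable pitch that nearly everyone answers, one
# absurd pitch that repels almost everyone except the most gullible.
CAMPAIGN = Campaign(recipients=1_000_000, viable_marks=500,
                    payout=3_000.0, cost_per_reply=100.0)
BELIEVABLE = Pitch("believable", viable_reply_rate=0.9, nonviable_reply_rate=0.02)
ABSURD = Pitch("absurd", viable_reply_rate=0.6, nonviable_reply_rate=0.001)

if __name__ == "__main__":
    for p in (BELIEVABLE, ABSURD):
        r = evaluate(p, CAMPAIGN)
        print(f"{r['pitch']:>10}: {r['replies']:>8.0f} replies, "
              f"precision {r['precision']:.3f}, profit {r['profit']:>12,.0f}")
    print("scammer prefers:", best_pitch([BELIEVABLE, ABSURD], CAMPAIGN))
```

With these inputs the believable pitch pulls in over twenty thousand replies but loses money, because the scammer pays to work every one of them and only a few hundred ever pay. The absurd pitch gets far fewer replies, gives up a third of the viable marks, and still comes out well ahead, because the false positives it sheds cost more than the true positives it loses. That is the trade Herley describes: when each false positive is expensive, a worse recall can be a much better business.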

Skimmer Fraud

I read with great interest a recent article about card skimmers that were found at “The Stop and Shop” gas station where I often fill up my tank. While they were discovered relatively quickly, more than a dozen customers were scammed. Several of them had their entire bank accounts wiped out.

Skimmers, for those of you that are not aware, are malicious card readers that capture the data from your credit or debit card’s magnetic stripe. Older skimmers store that data on the device itself, so the fraudsters have to come back to pick it up; newer ones transmit it wirelessly, over Bluetooth for instance, so they never have to return. Either way, they can then clone your card or just steal directly from your accounts. What makes them so effective is that the skimmer passes your card through to the real reader and doesn’t interfere with the actual transaction, so you think you’re just filling up your tank like you have hundreds of times before.
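It helps to know exactly what a skimmer walks away with. The example below is added for this post (it is not code from the article or from any skimmer) and decodes the “track 2” data on a card’s magnetic stripe: start sentinel, account number, field separator, expiry, three-digit service code, discretionary data and end sentinel. The track layout and the service-code meaning are general knowledge about magnetic-stripe cards, not something the post states; the sample tracks are constructed test data using the standard Visa test number 4111111111111111, not real cards.

```python
"""Added example: decode what a skimmer captures from magnetic-stripe track 2.
Sample tracks are constructed test data (standard test PAN), not real cards."""
import re
from dataclasses import dataclass

# ;PAN=YYMM SSS discretionary?   (start sentinel, separator, end sentinel)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_card(self) -> bool:
        """Service code 2xx or 6xx: the card has an EMV chip, so a stripe swipe of
        this data is 'fallback' the issuer can treat with suspicion."""
        return self.service_code[0] in "26"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check digit; a skimmer's haul with failing PANs is likely garbage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_valid(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def mask_pan(pan: str) -> str:
    """First six and last four only, the usual form for logs and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed samples: a stripe-only card, then a chip card swiped at a pump.
SAMPLE_TRACKS = [
    ";4111111111111111=25121011234567890?",
    ";4111111111111111=26072011234567890?",
]


def triage(raw_tracks):
    """What an investigator can read off skimmed data without touching an account."""
    rows = []
    for raw in raw_tracks:
        t = parse_track2(raw)
        rows.append({"pan": mask_pan(t.pan), "expiry": t.expiry_yymm,
                     "service_code": t.service_code, "chip": t.chip_card})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_TRACKS):
        print(row)
```

Two things stand out once the data is decoded. Everything needed to write a working clone is in those few dozen characters, which is why a swipe at a compromised pump can drain an account days later. And the service code tells the issuer whether a chip should have been used; a stripe transaction on a 2xx card is exactly the signal that lets chip-card issuers decline or step up fallback swipes, which is part of why skimmers concentrate on terminals, like gas pumps, that were slow to adopt chip readers.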

Turns out that skimmers are growing both in popularity and sophistication. Through the first half of last year alone, skimmer use grew 21% which was on top of high growth rates the year before. In Florida, authorities found 315 skimmers during this time period, triple the number found in the same period the previous year. Considering that 29 million people use credit or debit cards to pay for gas every day, this is certainly a rich target market for fraudsters.

To take advantage of this opportunity, fraudsters continue to improve the skimming devices. They are now almost undetectable by the average citizen. So what do we do to keep our information safe? Authorities suggest visually scanning the card readers for anything unusual, tugging on the reader to see if it is loose, and checking for forced entry into the pump itself. There are even smartphone applications that scan for the Bluetooth radios some skimmers use to offload their data. Of course, you can also simply pay the attendant for your gas.

This is just one more case of honest people being inconvenienced, at best, or ripped off, at worst, by tech-savvy fraudsters. And because the use of skimmers is sure to increase over the next several years, we all may want to think twice about “paying at the pump”.

Social Security Fraudster Captured in Honduras

Several months ago, we wrote a post about the self-proclaimed “Mr. Social Security”, Kentucky attorney Eric Conn, who fled prosecutors before sentencing and was then sentenced in absentia to 12 years in prison. Conn had concocted a scheme where he bribed a judge and a psychologist to defraud the Social Security Administration out of $550 million. The colorful Mr. Conn made flamboyant claims in television ads and attended events with “Conn’s Hotties” (his words, not mine) to drum up business.

After cutting off his electronic monitoring ankle device in June, Mr. Conn had been spotted in various locations around the western United States. Now, it appears his days on the lam have come to an end as Honduran authorities arrested him outside a Pizza Hut restaurant. U.S. authorities are now working to extradite him back to this country.

While Mr. Conn’s experience certainly contains elements of humor, Social Security fraud is a serious subject. Recent estimates peg the losses at around $10 billion per year. About half of this is in Mr. Conn’s “specialty” area of retirement, survivors’ benefits, and disability insurance.

About Our Company

Pondera leverages advanced prediction algorithms and the power of cloud computing to combat fraud, waste, and abuse in government programs.



Get in touch

  • Sacramento Address: 80 Blue Ravine Road, Suite 250, Folsom, CA 95630

  • Phone: (916) 389-7800

  • Email: info@ponderasolutions.com