Verify and Validate

We appear to be in a truth crisis.

We see it on Facebook every day – someone has shared a story that simply is not true. Or a news headline from years ago, shared as if it just happened. I received a lime green postcard in my mail that stated they were trying to arrange a delivery, with big bold letters proclaiming PACKAGE SHIPMENT. The stamp was not cancelled, it had no return address, and when I “Googled” the card description, it was a scam.  Our local news station carried the warning that night.

Good grief.  The scams and schemes are flourishing and becoming ever-so deceiving.

The phone call was from a doctor I had not heard from in years.  I had set up his QuickBooks, he had heard me speak a few times and he was cruising right along until something was wrong with his payroll.  He had updated to the 2017 version but the payroll checks did not appear to be auto-calculating, stating his payroll subscription had expired, even after he knew he had paid it.

So, he did what many others do – he Googled “QuickBooks support” and called the first number in the list. He called someone in the “Philippines,” whose accent, he laughingly said, sounded different than 
he thought it should. He allowed the “customer support representative” (CSR) to remote access his computer to determine the problem, believing they were with Intuit.

The CSR moved aptly between screens for approximately 10 minutes before declaring the file was corrupt. The doctor was told he needed to send the file to be fixed but it would cost $4000. That’s when he hung up and called me. With great remorse, he admitted he should have called me first.

I remoted in to his computer and created a portable file. If his QuickBooks was corrupt, I would not have been able to create a portable file.  Now I was highly mistrustful of whom he had actually called.

I opened his file on my computer (different QuickBooks version) and began searching for the problem.  After reviewing, I concluded it was a simple payment conflict and called my Intuit payroll contact to verify his subscription.

The actual problem was fixed relatively quickly and much less costly! 

The doctor did not call Intuit support as he was led to believe, even trusting them to remote into his practice’s computer to view his QuickBooks.  He called the first number listed, which is paid advertisement, targeting countless victims.

Telephone calls, emails and mail – it seems we are being held hostage by deception for whatever we naively believe without verifying and validating!

Because of all the telephone scams, I do not buy anything or donate to anyone on the phone. I typically do not answer the phone if I do not recognize the phone number. If I can tell within a few seconds a phone call is a recording or sales call, I hang up. I do not need to offer an explanation. Hanging up is my polite form of rejection. It appears they are not enforcing The Do Not Call Registry and solicitors change their phone numbers often anyway.

Microsoft will never call to tell you your computer has a virus infecting the internet. The IRS will never call you to accept a payment for delinquent taxes. The County Jail will not call to say there is a warrant for your arrest for failure to appear as a juror but if you purchase and send a prepaid gift card to this address, the warrant will be dropped. If you ever get a notice that I am in trouble in a foreign country and need funds, don’t send it.  If I was in trouble, you have my permission to not bail me out! And, I’m pretty sure that no one in a foreign country needs help with a deceased person’s estate. 

Beware of getting emails to update your information with your bank, or Paypal or your credit card. While writing this article, I checked my spam folder to see how many such emails I had received – one from “American Express™” and another from “Paypal™.”  These phishing emails bank on the recipients being emotionally compelled to click on the link to take care of the request immediately, without thought.  Yet, if you hover your mouse over the email address and the link, it will not be from the company.  If in doubt, simply go directly to the financial institution’s site to see if you are required to update your information.  Verify and Validate.

Ransomware is a threat on a more  costly scale. Spread via email that has  an 
innocent looking link, that when clicked on, the computer is locked down for a ransom, encrypting files and spreading through the network, until you pay. Growing at an alarming speed, ransomware is becoming more sophisticated, often targeting their victims. Update all your software, ensure anti-virus and malware protection software is installed and updated.  Buy the full versions of both to maximize protection. 
Call the email’s sender to verify any links 
that are sent before clicking on them.  

In the past two weeks, I received two  emails with "document" links to review files, one from a dentist and one from a meeting planner. The email context was looked convincing enough. After reviewing the url the links would open to if clicked, I determined them both to be scams. The link in the meeting planner email was for a file embedded on an Australian real estate site. I thought it would be interesting to reply to the dentist's email, curious if I would get a reply. I did. 

"i sent u documant open and revew"  No punctuation with a poorly constructed sentence full of misspelled words. The dentist's personal email was Yahoo, which had recently, again, been hacked.

I called both offices to alert them to the problems, recommending they immediately call their IT expert. 

If you are hit by ransomware, unplug all the computers from the network immediately and call your technology advisor.  Also disconnect all other devices connected to the Wi-Fi, such as cell phones and laptops.

If it sounds too good to be true, it is neither true nor good.  We must protect our online accounts by enhancing our passwords to be exceptionally complicated.   PC Magazine’s recommended LastPass is a password generating program that complicates and remembers passwords.  It works in whatever browser or device you use.   And, you only need to remember LastPass’ password – it remembers all the rest. 

If you have a Yahoo email address, I suggest changing your password at least quarterly and that the password be a minimum combination of ten upper and lower case letters, numbers and symbols. 

A strong complicated password for every internet account is a sturdy line of defense BUT remain aware of the potential threats required to live in our social media world.  Have this conversation with everyone in your practice and your family, including your elderly.

Do not ever give any personal information via phone or email. Be suspicious of all incoming calls of whom you do not know. Sounds paranoid, right? Maybe. But, the calls and email scams continue because the behavior is reinforced by recipients not being cautious.

Be diligent to verify and validate. 

Twenty years!

Pulling into the garage after a long weekend at a client’s practice, I still can’t believe that I love my career even more than I did when I started 20 years ago today.

I moved home to care for my parents and step-grandmother, needing a flexible job that allowed me to schedule work around their appointments, hospital stays, rehab, etc.  Little did I know then how important that flexibility was needed.  And yet, I had absolutely no idea it would be such an amazing career.

After enjoying the corporate life, it was strange to be self-employed, yet I found colleagues that make great “co-workers,” on the same team, all with the same goal, through my three professional organizations!   We became a community of tight knit, like-minded hard working speakers, consultants, and fraud examiners, who also became friends.  The healthcare industry (primarily dental) has been a great home to my business.  

I love the relationship that is cultivated with my clients.  

I had a call last month from a doctor who told me he had read my book 5 times and was now ready to use QuickBooks in his practice.  I gave him a hard time and asked him if he didn’t want to read something a little more entertaining or was it night-time snooze material.  I suggested a series of David Baldacci’s that I had just completed to which he said he would check out.

I got a message last week that he called back only to tell me thanks on two fronts – for the QuickBooks help and the Baldacci recommendation!

Or another time when BJ & I were at the ballgame, and a dentist’s spouse stood up at the beginning of the 2^nd inning and proclaimed loudly for the whole section to hear, “Oh my gosh!  I know who you are.  I have your books.  I’ve taken your class.  I cannot believe you are sitting next to us!”

The feedback has served as affirmation that I am where I am to be.  It is my niche. 

Or the many times I’ve walked down a hard road with a client who has been embezzled by someone they trusted, and I am heartbroken with them.  Then, long after the investigation, after the embezzler was sentenced, to get a thank you note with a gift card, expressing their appreciation for the care they received.

Or the countless emails I receive from one of my newsletters or blog posts, like the one sent regarding what to do regarding the Equifax breach.  From a doctor:  “Thank you so much for helping us deal with this mess. You are such a great resource for us.  I am one of your students, having attended your courses.”

There were times I almost quit.  Like after September 11^th when the phone didn’t ring for five months.  Or after Mom passed away and I realized I could return to a “corporate-type” position.

But, I realized I truly love what I do.  

Very rarely do I take the time to attend conferences, being the one that is usually presenting in one.  But yesterday, I attended a workshop hosted by one of my professional organizations, the Association of Certified Fraud Examiners.

I sat by a gentleman who has a high level position with a very well-known corporation.  He has been thinking about starting his own consulting business after he retires in a couple of years.  During lunch, he asked, “Now that you’ve been in business for 20 years, what advice would you give me starting out?”

Without skipping a beat, I answered, “Find a niche that aligns with your passion.  Become the expert in that niche and stay in your lane.  Don’t try to be all things to all people because that never serves your clients or you very well.  Take the slow times to repurpose your offerings, and redesign them to meet client’s pain points. Keep your marketing fresh. Never pass up an opportunity to help someone else struggling in their business without charging them.  Be open and available.  And never stop learning.”

I was surprised at how quickly I answered.  Midway through my first sentence, he rapidly began taking notes.  We even talked about what that would look like for him.  I guess I’ve learned a few things along that 20 year path.

But, wow.  Who would have thunk it?

8 employees, over 1700 clients, 37 books written with over 4000 sold, spoken at over 100 venues.  Speaking has taken me all over the US and, at the conventions, I often meet clients face to face for the first time, after having talked to them for months only by phone! 

My mission statement has been “to serve clients in providing solutions that enable the practice owners to understand the business of their practice and to protect their practice.”  More simply put, I absolutely love being a positive change catalyst.  It is a rewarding career.

Thank you to every single one of you who have made this past twenty years so fulfilling and even a possibility!  I never imagined the scope or range of possibilities.  

Wow.  Twenty years.   

Hang on - I am certainly not finished yet!  I do love what I do.  And there’s a few more books to write!

Want to know more about what I do?  Check out my website:  www.SusanGunnSolutions.com.

Equifax Breach Part Two - Updated Information

After the Equifax post this past week, many of you had further questions.  Allow me to address them now.

Equifax's Trusted ID program validation email took a few days to arrive in my Inbox.  Be patient.  Free to those who have been breached or not, I do believe you should take advantage of this offer regardless.  Locking the credit does require a few more steps, including adding your social security number.  They need the number to know whose credit to lock down.  If you still need to check and see if your information was compromised, click here.  [Depending on your computer or browser security, you may or may not be able to click on the link.  Copy and paste this in your browser:  www.equifaxsecurity2017.com.]

TransUnion's True Identity program is free and allows you to lock your credit instantly.  It was very easy to sign in and instantly lock.  Take advantage of this offer.

Experian is offering a free service that allows you to see if any of your personal information has been compromised on the dark web.  However, until their recent website update, it appeared they only offered a monthly monitoring service, that included freezing your credit.  I searched their website for over an hour for other options but only came up with the monthly service.  I was very disappointed in them.  Now, with their website update, the average user can locate the information but they are still the only one that charges for the service, if the state allows them to do so.  The fee varies by state but Texas was $10.83 to freeze my credit.
[Update:  See links below to freeze your credit - thank you Malwarebytes!]

Yes, I know there is a fourth very small credit bureau, Innovis.  It was founded in 1970 but has never grown to the capacity of the other three major bureaus.  For instance, Innovis receives some information from lenders but not all of them report their information to Innovis, nor seek their information.  However...

Should you discount them?  As the scope of this breach has become greater, no.  I completed a Security Freeze Request Online with Innovis.   Always better to be safe, than very very very sorry.  I recommend you do the same.  Innovis.

Yes, if you will not be needing credit any time soon, lock your credit.  Assume your information has been compromised.  But again, that only pertains to new credit.  

• Equifax: (800) 685-1111 or https://www.freeze.equifax.com/
• Experian: (888) 397-3742 or https://www.experian.com/ncaconline/freeze
• TransUnion: (888) 909-8872 or https://freeze.transunion.com/
  • Note: their phone prompts move quickly, so have your newly thought-up PIN and credit card information readily available.
• Innovis: (800) 540-2505 or https://www.innovis.com/securityFreeze

Monitor your credit card transactions.  That is a great habit I teach to business owners anyway.  Download those credit card transactions to an accounting software. Now, it is even more vitally important that you do so. 
I use QuickBooks to download my business credit card transactions and Quicken to download my personal credit cards.  I recommend downloading them weekly to stay on top of the transactions.

Lifelock has several plans.  The premier plan is $29.95 a month.  I have the standard $9.95 a month membership. They will monitor the black market for any personal information, as well as give an opportunity to review what personal information is available online within a few keystrokes.  Remember, if you own a business that you use your own personal social security number to gain credit or loan approval, you could be affected.  Choosing a service like Lifelock could help protect your personal information.

Today I reviewed all the private details that Lifelock found on the internet, and all family members were listed in various degrees and even a couple of friends.  Some were high privacy threats that would include my birthdate, email, phone numbers and even court records, which there are none.  Though I have searched some of these same websites hoping to gain information on embezzlement subjects, it is a little disconcerting when it is your own information. 

Privacy Monitoring is one of the aspects of preventing identity theft.  With so much "private" information online, it truly is only one more small step to stealing your identity.  I have actually opted out in the past but it has been many years, and I had become complacent.  Life Lock’s Privacy Monitoring makes it easy to perform this check and stay on top of it.  By the way, the word "private" and the internet are not congruent.

Again, assume your personal information was compromised.  Similar to hurricanes, you need to be prepared.  Take an hour (or two) to do these four tangible tasks to protect your credit:

1. Assume your personal information has been compromised and there will be attempts to obtain credit based on your personal information that would greatly damage your credit. [sometimes people need a worse case scenario....]
2. Lock your credit if you will not be in search of credit or a loan in the near future.  You can always unlock your credit in case of an emergency.  At the least, place a Fraud Alert on your credit.
3. Monitor all your credit card transactions to ensure their validity.  I keep receipts until I see the transaction on the download in my accounting software.  That makes it easier to validate those small $$ amount transactions at out of the norm places.  Understand too, other vulnerabilities exist due to this breach, such as tax returns, insurance, benefits, etc.  Long term monitoring is required - do not become complacent.
4. Do a privacy monitoring check either through Lifelock, who makes that an easy task, or by searching your name.  Fill out and opt out when you find yourself listed online.  This will need to be done monthly, so if you do it manually, bookmark the website addresses.

Please feel free to share the blog links or follow any of the future blogs that will be forth coming.  Later this week, if there is one thing we can take away from the Equifax Breach, it is Why Updating Your Software IS Vital...

Equifax Data Breach - What you need to know and what you need to do

"Equifax. Wow," I muttered to no one in particular as I listened to the news. The headlines were dampened by a couple of catastrophic hurricanes and an earthquake, but now the severity of the Equifax breach is soaking in.

Since my corporate background included working for a major competitor of Equifax, I felt I should address this to my current industry, both from the stand-point of business but also personal.

Who is Equifax?

Based in Atlanta, Equifax is one of three major consumer data information bureaus (Equifax, Experian and TransUnion). They are the access point for which creditors look to on whether to give you credit, whether the credit is for a home, car, revolving credit, line of credit, etc. Anything and everything lending-wise depends on your information residing at the bureaus.

It is nothing that you can simply stop or un-enroll. You don't pay for it and never signed up for it but when you gained credit, your personal information, credit lenders and credit history was enlisted in their data files. Your credit rating itself depends on the bureau's accuracy.

What happened?

This breach is significant and should be taken every bit as serious as Hurricane Harvey and Hurricane Irma. It is estimated that at least half the population of the United States is at risk, with estimates greater than 143 million Americans. But the breach was not limited to Americans, by the way. Some limited information was obtained of UK and Canadian residents.

A weakness in Equifax's server security was hacked from mid-May through July, exposing names, addresses, social security numbers, birth dates and some driver's license numbers. PLUS credit card numbers for over 209,000.

Who did it?  No clue and if they knew, they aren't going to tell us.  But, I believe we can assume that whoever did this hack did it to use the information they gained not to our benefit. 

Are you affected?

Equifax has created an online registry to check. But, you should proceed as if you were hacked. It is safe to assume that if you have credit, you were breached.

Will it affect my businesses credit rating?

Since most of my clients are small business owners, allow me to address from that perspective. If you gain credit (loans, credit cards, LOC, etc) based on your own personal credit rating, then yes, it will affect you. This includes most small businesses.

If you were me, what would you do?

Exactly what I have done.

I checked Equifax online and, yes, they believe my information is one of the millions hacked. There is nothing like seeing that on the screen to cause a little angst. Being passive about this information will cause greater issues in the future, so here is my plan.

First, I enrolled in the credit monitoring program provided by Equifax for a year free after determining I am at risk. This monitors all bureaus, allows me to lock my Equifax credit report and gives me a copy of my existing report to review. In addition, should my identity be stolen, they provide up to $1m in insurance.

Because I travel extensively, I also use LifeLock and have for a number of years. I recommend this product, even when there are no breaches. Understand please - this breach will not suddenly go away within a year. The repercussions and your information will be sold way beyond into the future. At this time, the monitoring by Equifax is only a year.

Second, I downloaded all my business credit card accounts into QuickBooks and personal credit card accounts into Quicken. I will continue to do so weekly for this next year. One of my business cards does not have a chip so I requested a replacement card that has a chip. 

One of my credit card information was recently stolen locally. The card company called immediately due to the number of transactions used at non-chip reading machines. Chips matter. Basic credit information can be replicated on magnetic strips, as in this case, but chips cannot be reproduced. My credit card numbers and security code were probably stolen at a restaurant. They could reproduce a fake card with a magnetic strip but they could not reproduce the chip.

I have begun requesting retail outlets I shop at to have chip machines - it truly does prevent retail theft. Those businesses the thieves used my card at were not paid for their products. The theme I have heard in businesses that are not utilizing chip reading machines is that they don't want to pay to replace.

Seriously? The thieves were able to steal over $900 of products from 4 different stores and mine was just one card. I think the front end is not paying attention to the back end financially.

Third, I am in the process of locking down my credit at the bureaus. It is worth whatever few dollars it cost because the cost is incrementally less than identity theft. Freezing your credit with each of the bureaus blocks anyone from opening any kind of account with your credit. However, if you are in the market for a new home or new car or apply for a new credit card, you will need to then unfreeze your credit PRIOR to purchasing. Yes, it may cost $0 to $15 to freeze your credit at the bureau(s). In this case, it's worth it.

One of my mom's doctors had his identity stolen and the thieves were purchasing a home in Chicago. He lives here in Texas.  The only reason it was caught was that the underwriter called to verify he would be at the closing of the home. He did not make it to the closing but the police did!  He froze his accounts immediately.

If you do not want to freeze your accounts, put a fraud alert on your accounts. This will alert creditors to validate the identity of the one attempting to gain credit with your information. Typically, they will call the phone number to verify it is truly you. You can even get an extended fraud alert which is good for seven years.

It is less effective because there is no guarantee of follow-through with the creditor but it is still an option.

How to freeze?   Notify each of the bureaus you want to place a freeze:  Equifax, Experian and TransUnion. They will issue you a pin in the event you wish to unfreeze your account. Be sure you keep the pin secure. And, it may cost to unfreeze the account then refreeze again. Sounds like trouble but if you have ever experienced identity theft, you know this is no trouble at all.

Remember - if your information was stolen, a credit freeze only prevents new credit lines from being opened. Your existing account information may have already been stolen. You must attentively monitor these accounts for years or get new credit card numbers AND freeze your accounts.

Fourth, file next year's tax return as soon as allowed. Though this is a few months away, since they have your social security numbers, consider filing your tax return sooner than later. Start preparing now and then the end of year will not be nearly as chaotic. If you are not using accounting software, now is the time to consider it. I love the convenience and quickness of available reports. Downloading all my bank and credit card information is a breeze! 

Lastly, be aware of potential phishing emails that will arise out of this breach. They will want to you click on a link to verify a credit card or a transaction or did you ask for new credit or blah blah blah.  NEVER EVER click on a link in an email.  NEVER EVER. The link may lead you to what looks like a valid site but it is not. ALWAYS validate the source and if you do not know, do not do anything. Call the creditor's telephone number on the back of your credit card or on your statement if you are concerned. Consider all those types of emails invalid. Again, particularly vulnerable are our senior citizens. Have a conversation with yours about this breach and online security as well.

Truth be known, some of these steps we should have been doing all along.  This was a wake up call as we have become complacent in protecting our credit information. If you have any questions, please feel free to email.