Taking Back the ID

Scammers rip off desperate school-loan debtors, plus analyzing sensitive data leakage

Date: July 1, 2024

If you’re struggling with college debt, imagine receiving this phone call. The friendly person on the other end of the line (we’ll call him Bart) says he works for “The Student Loan Forgiveness Center,” which he claims is affiliated with the U.S. federal government. Bart tells you that he’s reviewed your loan profile, and he can help reduce your balance by $20,000 under “Biden Loan Forgiveness.” All you must do, Bart says, is pay a “processing fee” of $375 and begin a new loan repayment plan starting with six monthly payments of $250. Of course, all that money will end up in the fraudsters’ pockets and won’t be applied to your loan write-off.

That’s some of the scammer language that phone representatives working for Express Enrollment LLC (also doing business as SLFD Processing) used to steal $8.8 million in junk fees from school debtors in exchange for nonexistent student loan services. In March, a U.S. federal district court permanently banned the ringleaders of the firm from the debt-relief industry and required them to turn over assets as part of a settlement with the Federal Trade Commission (FTC). (See “Federal Trade Commission v. Intercontinental Solutions LLC,” U.S. District Court Central District of California, March 15, 2024 and Aug. 14, 2023; and “FTC Action Leads to Permanent Ban for Scammers Who Charged Students Seeking Debt Relief with Junk Fees,” FTC, Feb. 6, 2024.)

Panic-button pushing

Thousands of U.S. citizens are burdened with enormous college loan debts that many will be paying off for the rest of their lives. Fraudsters, of course, see opportunities to target their cash and personally identifiable information (PII).

The FTC warns about scammers calling to pressure you into signing up for supposed student-loan forgiveness programs by saying they’re from Federal Student Aid (FSA) or the U.S. Department of Education. They’ll push your panic button by saying the program is available for a short time, so you’ll need to act fast. And if you’re already enrolled at the FSA, they might know your balance or account number. They’ll probably charge you an upfront fee, which you’ll never get back, and ask for monthly payments to reduce your loan obligations.

According to the FTC, the only place to get help managing your federal student loans is StudentAid.gov. FSA (and your federal loan servicer) won’t ever pressure you to sign up for anything. The FTC provides this advice:

  • Don’t rely on government seals or logos. Scammers use official-looking names, seals and logos to make themselves look legit.
  • Don’t buy promises of special access. There’s no special access to repayment plans or loan forgiveness programs. No one can get you into loan forgiveness programs that you don’t qualify for or wipe out your loans. Use your FSA account dashboard to see which programs you might be eligible for.
  • Never pay an upfront fee. It’s illegal for companies to charge you before they help you reduce or get rid of your student-loan debt. And if you must pay upfront, you might not get any help — or your money back. Get free help managing your federal loans at StudentAid.gov/repay. If your loans are private, go straight to your loan servicer for help.
  • Never share your FSA ID login information. Only scammers say they need it to help you. If a scammer gets your FSA ID, they could cut you off from your loan servicer — or even steal your identity. (See “Scammers follow the news about student loan forgiveness,” by Terri Miller, FTC, April 16, 2024.)

Check out FSA’s resources for avoiding student loan scams. And if you spot a student loan scam, tell the FTC at ReportFraud.ftc.gov.

Dangers of sharing sensitive data internally

Metomic, a data security software firm, raised concerns in its recent research report about how financial service institutions manage important sensitive data, especially when they share it with others. The report emphasizes the importance of keeping data safe from malicious intruders and of complying with restrictions set by financial industries, such as the Payment Card Industry (PCI). The report also analyzes Metomic’s proprietary data to understand how financial service companies navigate “data sprawl,” the risks of “stale data” and the importance of regulatory compliance. (See “The State of Data Security in Financial Services.”)

According to the report, these are the most important data types for financial service companies:

  • Files containing PII.
  • Publicly shared files with PCI and banking data.
  • Financial statements, investment portfolios, market data, etc.
  • Employees’ salaries, wages, bonuses and compensation-related details.
  • Special request rules pertaining to the management of risky data.

Risk audits conducted by Metomic showed that certain departments are more likely to share sensitive data rich in PII and PCI data:

  • Accounting: Handles company bank details, addresses and purchase invoices that could contain PCI and payment data.
  • Legal: Manages sensitive contracts and legal documents, which are often loaded with PII.
  • Human resources: Deals with employee personal and salary data, a type of PII.
  • Procurement: Responsible for vendor and payment information, another potential source of PCI and payment data.
  • Customer success: Works with client data and service records, which may include PII and PCI.

Sharing documents and other information, whether internally with other departments or externally with other parties, risks data leaks. To mitigate interdepartmental risks, Metomic recommends that companies pinpoint “where data vulnerabilities lie and (implement) department-specific security training. By focusing on how to handle sensitive data securely, financial services firms can strengthen their defense against data mishandling and maintain compliance with relevant data protection regulations.”

Metomic says the data that departments, such as accounting, legal, human resources, procurement and customer success, often need to share is sensitive. “Take, for instance, the legal department sharing a contract with another department. It is important to have a system to manage who has access to that document, for how long they have access and where that document is stored. Failure to have such measures in place potentially threatens data breaches — the consequences of which can have a catastrophic impact on a firm’s reputation.”

In risk audits conducted across multiple industries, Metomic found that “2% of files were publicly shared, 18% were available domain-wide, 22% were shared with external domains, and 88% were stored in private user drives.” Having such a wide range of accessibility increases the risk of data loss, especially for publicly shared files. To help mitigate the risk of unauthorized data access and the potential of a data breach, Metomic recommends that companies devise stringent access controls.

In its analysis of data sprawl (an organization’s growing volumes of data and the difficulties this growth creates in managing and monitoring data), Metomic found a 1.3% monthly growth of sensitive data across all platforms for all industries. If organizations don’t securely manage this data sprawl, they’ll raise the likelihood of data loss to malicious intruders and of regulatory violations that can lead to fines.

Metomic says “it’s important to consider how, where, and by whom this data is managed. Moreover, keeping up with rules set by regulations such as PCI Data Security Standards becomes a greater challenge as the amount of stored sensitive data grows.” To manage these risks, organizations need to have in place relevant data security strategies.

Metomic’s analysis of stale data, which it defines as data that hasn’t been updated in the past 90 days, indicated that “on average, 86% of data has not been updated in over 90 days, 70% in over a year, and 48% in over two years.” This inactivity compounds security and compliance risks and raises the possibility of major data losses. To help mitigate such risks, companies should continually update their file inventories to keep them current.

Although the focus of the Metomic report was on financial service companies, the findings are relevant to other industries. Protection of data is paramount to all organizations. Identity theft and data breaches are running at record levels with no end in sight. With the advent of AI, fraudsters are creating new scams and refining old ones, which will exacerbate fraudulent trends.

Individuals, of course, are the weakest links in systems. It’s extremely important for organizations to have adequate controls to help prevent internal and external threats to sensitive information and other resources. Also, organizations should provide relevant ongoing training programs to keep employees educated about current trends in fraudulent activities. Employees can share what they learn with their family and friends.

I’m here to help.

Please use this information in your outreach programs and among your family members, friends and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at Central Washington University. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and a member of the White Collar Crime Research Consortium Advisory Council. He’s also the vice president of the ACFE’s Pacific Northwest Chapter and serves on the ACFE Advisory Council and the Editorial Advisory Committee, and he serves on the ACFE’s inaugural CFE Exam Content Development Committee. He received the ACFE’s “Outstanding Contribution to Accounting” award in 2005 and the “Instructor of the Year” award in 2006. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.
