Tag Archives: Uber

How to Avoid High-Risk Hires with Background Checks

With fraud on the rise, we asked Candice Tal, a licensed private investigator and CEO of Infortal Worldwide, for permission to publish this excerpt of A Case of Mistaken Identity, Infortal’s comprehensive guide to investigating your potential hires more thoroughly.

Statistics regarding deep-dive background checks reveal disturbing facts: 20% of executives have serious no-hire issues (hidden & undisclosed information), and 35% of 3rd parties are found to have corruption related issues. Read on.

*

Executive background checks are standard but, if not done thoroughly, can lead to cases of mistaken identity. Routine background checks are important, but they are inadequate to detect all the critical information necessary to protect a company’s board of directors from fiduciary exposure and potential shareholder lawsuits if adverse information is discovered after the executive or key employee is hired.

There are many public records that can provide important information to help companies have improved options for their executive hiring decisions. Criminal records may yield false positive and false negative results, yet skilled investigators typically avoid these basic issues.

False positives in background checks occur when the background results turn up false information on an individual, such as a felony conviction. This may occur for a variety of reasons, including a database search with a return of information for someone with the same name and/or location.

False negatives occur when a criminal record that should have been found in an executive background check is not found.

The results of either of these can be detrimental or even devastating to a company. An ideal candidate may end up not being hired because of a poorly executed background check or an unsavory candidate might get the corner office.

Modern Imposters

Examples of what can happen are plentiful. These are a few major scandals as a result of simply not verifying education credentials:

Yahoo CEO Scott Thompson was fired in 2012 after 4 months when it was found that he lied on his resume. He claimed to have degrees in accounting and computer science from Stonehill College, but only had an accounting degree. He did not have the background qualifications that he alleged to have. His termination cost Yahoo over $7 million.

In 2014, Wal-Mart’s vice-president of communications and chief-spokesman David Tovar resigned after it was found that he never had the degree he claimed to have received from the University of Delaware.

A woman in China, Lee Lam, used fake credentials and references to land a CEO position which she held for 10 months and received approximately $11,000/month in compensation for her less than satisfactory job performance.

In 2018, ride-share companies Uber, Lyft, and Via, agreed to pay the city of Chicago a total of $10.4 million for their failure to properly do background checks on their employees. According to Forbes: “Uber’s Los Angeles-area drivers included people driving under false names and those convicted of sex offenses, kidnapping and murder, the prosecutors said…[while] prosecutors settled a similar suit in December against Lyft, an Uber rival, for $250,000.”

Were these mistakes made because an executive background check was not performed? Or were these failed hires made because a routine background check was performed poorly? In the case of Uber, Lyft, and Via, it appears their false negative hires were due to a less than effective background check. For the others, we don’t know if they performed a background check, but if so, it failed.

All Background Check Firms are Not Created Equal

The importance of choosing the right investigative firm cannot be overstated when you are doing routine employment background checks. In the case of Lyft, Chicago required the company to drop its investigative firm when it was found that the firm had failed to identify a convicted terrorist who had been hired as a driver for the ride-share company. Lyft was also required to do another background check on all its drivers and adhere to stricter background check measures in the future. The criminal hires, bad press, and financial cost could all have been avoided if the company had chosen a different background screening firm.

Routine background checks are commonly run on new executive hires. However, routine employment background checks do not look at enough public records data. So how can executive background checks lead to false positives and false negatives? Most routine background checks consist of very limited public record searches. While this may seem sound, there is no single database that holds all the information needed to do a thorough background investigation. These typical background checks are run through one or more multi-jurisdictional databases that contain an aggregated collection of criminal records data. Criminal record databases often include only felony convictions, rarely misdemeanor convictions. Therefore, most companies do not realize they are not receiving all misdemeanor convictions, many of which may be serious and may have started as felonies that were plea-bargained down to a misdemeanor.

Often Miss as Much as 75% of All Criminal Convictions

These background checks are often inexpensive and have a quick turnaround, and should not be used as the only background screening tool.

“Statewide” and “nationwide” criminal searches, done in routine background checks, often miss as much as 75% of all criminal convictions. There is no single database that contains all information needed to conduct a thorough executive background check.

Not only that, there are times that records still need to be accessed in person to safeguard that the correct information is reported about that specific person, not someone else of the same name, which may result in a case of mistaken identity.

Incorrect search terms can also lead to false positives and false negatives during executive background investigations. For example, since a person’s social security number does not usually appear in criminal files, criminal records must be searched using date of birth.

Other issues include varying quality and availability of data and information being returned on persons with the same or similar name being mistaken for the searched candidate. Furthermore, use of national databases as a standalone source for background checks may not follow the Fair Credit Reporting Act (FCRA).

Conducting Thorough Executive Background Checks

By contrast, a deep-dive executive background check, or executive due diligence, looks at over 30 components of public record data, takes an in-depth review of news sources, and conducts a deep internet search.

A thorough executive background check takes an in-depth look at: reputation, misrepresented education and overstated work history, undisclosed business involvement, conflicts of interest, civil litigation issues, federal and interstate criminal history, real estate holdings (which can show signs of money laundering), financial and legal issues, relationships with other companies and board advisory positions, behavioral history (for example litigiousness), and undisclosed or adverse issues, to name a few areas. Through detailed investigative analysis of numerous data points, it is often possible to identify con artists who are deliberately concealing past or present adverse behaviors.

These deep dive executive background checks are necessarily more costly than routine background checks. They also take more time involving extensive investigative analysis, but the information gathered is immensely valuable and can save a company substantially in the long run. A high-quality executive background check can uncover vital information which a routine background check would fail to find.

Possible Findings Include Serious Negative Issues

Possible findings include: IP theft, hidden aliases, signs of misconduct, significant numbers of name changes, murder, manslaughter, embezzlement, interstate bankruptcy, litigious behavior, signs of malfeasance misconduct (with or without criminal conviction), media negatives, social media negatives, undisclosed business and board level involvement, undisclosed business ownership, bribery and racketeering, financial pressures, money-laundering, con-artists, and other serious negative issues.

20% of executives have serious no-hire issues (hidden & undisclosed information). 35% of 3rd parties are found to have corruption-related issues.

A well-done executive background check will also include reference interviewing. These interviews are conducted with 6 to 8 individuals and typically take from 30 to 40 minutes each. In the hands of a highly trained interviewer, these interviews reveal a number of important pieces of information, including issues of malfeasance in prior roles, or persistent character and behavior patterns.

Times to conduct an Executive Background Check

· Hiring a new executive
· Selecting new board members
· Screening corporate board of directors
· Acquiring a new business subsidiary (Mergers & Acquisitions due diligence)
· Contracting with third-party business parties and agents globally
· As a routine check on executives and board members
· Regulatory compliance to meet requirements of the Foreign Corrupt Practices Act (FCPA)

And What About Investors?

Investors should perform executive due diligence on the executives and board members of a company they want to invest in. If you are willing to invest your money in a company’s future profitability, the additional investment needed to perform a deep-dive executive background check should be included to prevent potential negative ROI. There have been many instances where the investor does not have the stalwart background or wealth they may claim.

Examples of Bad Hires

The Enron scandal: The founder, CEO, and Chairman were found guilty of corporate abuse and accounting fraud. Other charges against executives included money laundering, securities fraud, wire fraud, mail fraud, conspiracy, and insider trading. Enron’s shareholders lost $74 billion during the four years leading up to the company’s bankruptcy. The employees lost billions in pensions.

Stanford Financial Group of Companies: Cost: $8 billion; owner and CEO; involved in major fraud and Ponzi scheme; violated US securities laws.

Fry’s Electronics: Cost: $65.6 million; Vice President of merchandising and operations; used vendor fraud and kickbacks in purchasing electronics inventory for store, including a dummy store he set up.

Clients of Bernie Madoff : Cost: Billions of dollars; Investment advisor; involved in widespread frauds that squandered the investments of thousands of investors.

Peregrine Financial: Cost: $200 million; CEO; embezzled and reported false income statements.

Tenens Corp., d.b.a. Essex Street Associates: Cost: $61 million; Chief Operating Officer; transferred funds from the trusts of heirs of industrialist Frederick Ayers, whose accounts he was managing, to his own personal accounts, and submitted false financial statements to not raise suspicions.

NYC Laborers Sandhogs Union Local 147: Cost: $42.6 million; Employee Benefits Manager; embezzled through employee benefits plan, mostly money laundering.

Pacific Seafood Group: Cost: $900 million estimated; Vice President of employee leadership and development; embezzlement, wire fraud, filing a false tax return. He used a company credit card and his authority to issue corporate checks to secretly divert company funds to make personal purchases, including electronics, jewelry, firearms, vacations, and prostitution services.

Koss Inc. : Cost: $30 million; Vice President of finance; devised plan to commit wire fraud in order to keep up with compulsive shopping disorder.

First Security Bank of Malta: Cost: $3.7 million; Vice President of operations, created fraudulent credit cards at bank to cover personal debts.

Dane Cook: Cost: Millions of dollars; business manager and brother, used positions to steal through larceny, forgery, and embezzlement.

Woodruff Arts Center: Cost: $1.48 million; Accounts Receivable employee, created fictitious company with an assigned vendor number, and turned in invoices for it regularly.

Ongoing and routine executive background checks could have caught any number of instances of malfeasance in these cases and saved the company in money, reputation, loss of profitability, and associated costs.

How to Choose the Right Background Check Firm

Executive background checks should always be performed by an expert, unbiased, external firm specializing in due diligence checks. The firm should have long-standing expertise in the investigative field, global reach and resources, the ability to conduct deep-dive Tier III executive due diligence checks, and use top-tier technology. They should also be knowledgeable of risk types in your industry, be able to rank risks according to your business, and have the ability to identify transaction risks for your company & industry.

Other areas of expertise should include: experience with M&A due-diligence investigations, skill in identifying transaction risks for your company and industry, an understanding of risk types prevalent in the target high-risk market, talent in stratagems to recognize and prevent likely issues, and the ability to conduct thorough and effective due diligence. Lastly, the selected investigative firm should be your partner in assuring lasting security to your company in knowledgeable hiring and employee retention. They should be effective at communicating strategy and risk to both your domestic and in-country teams, and give personalized ongoing support.

Make No Mistakes

There are no compromises to be made in protecting a company and its investments. Doing the best by your shareholders, employees, and profits means investing both the time and cost to thoroughly vet future hires and current employees with recurring and well-conducted executive due diligence. This should be done on board members as well. An effective executive background check can make the difference between hiring wisely and a case of mistaken identity. It also protects a company from losing out on a great new employee if a bad executive background check reveals a false positive and the candidate is passed over due to faulty information.

Candice Tal, CEO of Infortal Worldwide

Infortal Worldwide is a global security and risk management company that enables clients across all industries to mitigate their business risks, and protect employees and assets globally. It has conducted over 2,000,000 investigations for some of the largest corporations in the world using an international worldwide network of 800 professional investigators in over 160 countries fluent in local language, resident culture, and regional politics.

Joel Wallenstrom, Wickr CEO - Reputation Communications Interview

Like you, we hear a lot about hacking of private and organizational emails, texts and other privacy breaches, as well as foreign actors eavesdropping on the phones of major U.S. corporations. Jeff Bezos is just one example of a V.I.P who was recently in the news after his personal texts became an international news story. Experian’s infamous 2015 breach, in which millions of customers’ private data became public, is another. Government and political leaks are a whole other category. When these confidential personal or corporate communications become public, we wonder why they were not sent out on private channels.

We turned to Joel Wallenstrom, CEO of Wickr, which provides end-to-end encrypted platforms for individual, corporate, government and enterprise users. We asked him to help educate our readers about their options—and why they are at more risk of a breach than they realize.

Even supposedly “secure” platforms are actually not. Snapchat was recently in the news because employees spied on clients’ private messages. Gmail is reportedly exposed to many third parties. How does Wickr address this problem?

Many people don’t realize that providers of collaboration tools like email, text, videoconferencing and file management services underwrite the cost of delivery by getting access to your data, selling it, and/or monetizing it. This is their profit source and the basis for the huge valuations for companies like Slack, Uber and Zoom. Third-party developers of such apps often can access your messaging, location, preferences, habits, and more.  If you are conducting business on an app like WeChat, for instance, the Chinese government is able to read your messages. New popular collaboration tools like Slack are built to give the services provider access to all your communications.  This creates a path to your sensitive files, communications and data.

Many executives don’t realize that enterprise security, risk and compliance professionals often prefer non-encrypted email platforms because it allows them to identify bad actors within a company and to track potentially suspicious behavior. This is called telemetry, which essentially means they are collecting everything so that they can see everything. But this gives those who utilize it a great deal of power. In the recent case of Snapchat, their security team abused this power, appropriately named “God Mode,” to access customer data. So, when you use mainstream systems, realize you and your team are not the only ones with complete access to them. Your security team, the service provider, and adversaries smart enough to ride their coattails also have access.

Wickr is different. We are the only service provider that has no ability to see clients’ messages, files, calls, videoconferences, and other data. If Wickr is ever breached, the data sent on our system is safe. We provide “clean pipes” for data and enable clients to completely wipe their phones and systems in accordance with their retention and deletion policies.  Further, we provide the ability to store data in their secure archives for as long as clients need.  Because we don’t have access to users’ data and therefore cannot sell or monetize it, our revenue comes from a fee to our corporate customers. We maintain a free service for individuals and small groups.

Why do so many prominent people in business and elsewhere continue to feel confident about sending the most intimate information via text?

Because it’s easy—and because 98% of people in business don’t understand encryption or how it works.  The phone companies and big tech companies have distributed their technologies en masse, and encryption historically has not been a part of them.  We’ve seen small changes with Apple embracing privacy as a way to differentiate their products and services.  Slack and Zoom are new products that people love to use because they are easy—but they are not secure.  Data privacy is becoming something that people will pay for, or at least influence their purchase decision.  It’s now up to those of us in the privacy industry to make products that are easy to use like Slack and Zoom. It’s a big responsibility and one we take very seriously at Wickr.

Are there still major organizations that continue to use old platforms for internal and external emails? We hear there are plenty and that it is a cost-cutting decision.

The better question is whether there are major organizations not using old platforms. The biggest change I’ve seen has not been to the underlying technologies, but rather how those technologies are managed.  Email retention policies are a good example.  After the John Podesta incident, many Chief Information Security Officers (CISOs) instituted email retention policies so that emails didn’t simply stick around forever.  But even that commonsensical move proves to be difficult to implement in large organizations, and chief information security officers often feel burned.  Therefore, when the C-Suite asks the security team to adopt really secure and really private enterprise collaboration products like Wickr Pro, the CISO delays, looking for the support of legal and compliance and IT.  This delay simply pushes sensitive communications to consumer products on their own devices that are not managed by the enterprise.  Products like WeChat, WhatsApp and Telegram are dangerous venues for sensitive corporate communications. We are left with a mix of executives sending sensitive business communications on their phones on personal apps managed by China or Facebook, and then sending insecure emails and documents when they need to use a work issued machine like a laptop.  It’s the worst of both worlds.

What are the most common concerns you hear from CEOs and risk executives regarding adapting to secure communications?

There are three primary concerns: first, they worry that the technology will be too expensive; second, that it will not work at scale; and third, that encryption will somehow aggravate their regulators.  The last point is very important as there are industries that require retention of certain communications for compliance purposes.  There are strong and flexible end-to-end encryption products that conform to any data retention and data deletion policies.  On the contrary, when employees use consumer apps to conduct business, they are unable to conform to any rules or regulations set forth by their organization.  As I mentioned before, it’s up to the privacy industry to make things easy to use and manage.  This is not an easy task, which is why you see most apps simply being sold in app stores and providing no service or integrations with enterprise software management tools.  This is the challenge we took on with Wickr Pro.  We want organizations to have a point of view on data protection and give them powerful tools to protect and control their data.

Wickr offers highly secure, out-of-band communication channels that deploy to provide the necessary capabilities in times of crisis. When were these developed and what type of crises are they used for?

Wickr was originally deployed for very select uses for journalists and NGOs working overseas. The technology was configured for users whose communications were so sensitive that interception was a matter of life and death. That product still exists, but we have been more focused on building Wickr Pro atop this platform to create more flexible and general-purpose products. We think that small groups and large organizations can benefit from the same level of protection needed by warfighters and NGOs. We’ve simply given people more control over how the product is used. For example, rather than require that all messages are destroyed after 7 days, an organization might configure WickrPro to mimic their email retention policy and have messages delete after 90 days. Further, Wickr Pro does not require anonymity, so large organizations can easily deploy at scale using single sign-on (SSO). The strength of our cryptography remains—we’ve just made it easy to use.

Wickr’s ephemeral messaging feature allows administrators and users to set self-destruction timers for messages as short as a few seconds. What types of professional situations are those most used for?

The feature set goes far beyond setting a self-destruct timer for an individual message.  Teams can be set up in a security group that has its own settings.  The executive team, for example, can be its own group so that they can send messages to Wickr users outside their company, such as to their law firm or a business partner.  Another group can be set up for interns where nothing is stored for more than a week and they can only communicate internally. I’ve seen executives set self-destruction timers, which we call “Burn on Read” in WickrPro, for messages as short as a few hours when they are sending pictures of whiteboard notes from a Board of Directors (BOD) meeting.  That way, the pictures do not remain on their devices after the notes have been documented by their executive assistants.  I’ve also observed campaign staffers use settings as short as seconds in a group message during a candidate speech given in the 2018 elections. In those same elections, polling data and opposition research reports would be transmitted in secure Wickr Pro rooms that ensured the data was deleted from end user devices after a week when the next round of data was distributed.  With flexible controls, different use cases can be enforced and even orchestrated.  There is nothing exactly the same across all WickrPro customer deployments, except that Wickr cannot touch their data.

*

Joel Wallenstrom has led top white hat hacker teams responding to some of the most high-profile incidents in the past 20 years. Under his leadership, Wickr has pivoted the company from solely offering a free consumer product to a robust enterprise compliance ready, secure collaboration platform used by the Fortune 500 and top federal organizations. Prior to joining Wickr, Joel co-founded iSEC Partners, one of the world’s leading information security research teams, later acquired by the NCC Group. Joel also served as the Director for Strategic Alliances @stake, one of the very first computer security companies, which was acquired by L0pht Heavy Industries and was itself later purchased by Symantec.

*

This is part of our continuing series of interviews with experts whose work relates to online reputation management.