fraud awareness
DESCRIPTION
Fraud awareness for companies and their employees covering legal aspects of securing confidential information, social engineering techniques and what to look for in suspect emails.
TRANSCRIPT
![Page 1: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/1.jpg)
A Global Reach with a Local Perspective
www.decosimo.com
Fraud Awareness-What You and Your Employees Really Need to Know
![Page 2: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/2.jpg)
Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA
Senior Manager [email protected] 423-756-7100
The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
![Page 3: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/3.jpg)
Operational Security
Military term meaning
• Analytic process used to deny an adversary information
• Risk assessment tool
• Examines day-to-day activities
• Controls information
Universal concepts
• Equally applicable to individuals and businesses in general
• Identifies security risks
Applied in any environment
![Page 4: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/4.jpg)
A strict set of rules and procedures
An expensive and time-consuming process
Used only by the government or military
![Page 5: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/5.jpg)
Loss of customer trust and business
Possible lawsuits
Legal issues
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Federal Trade Commission Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act
• Drivers Privacy Protection Act
• Privacy Laws
• State Laws
![Page 6: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/6.jpg)
“Consumer report information”
• Personal and credit characteristics
• Character
• General reputation
• Must be prepared by a consumer reporting agency
Examples
• Consumer reports in background checks of employees
• Customer credit histories
![Page 7: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/7.jpg)
• Requires businesses that hold information covered by the FCRA to take reasonable measures when disposing of that information
• Businesses that collect consumer credit information, credit reports, or employee background histories should ensure compliance
![Page 8: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/8.jpg)
Fair and Accurate Credit Transactions Amendment
• Free credit report once every 12 months
• Limitation on printing credit card numbers
• Red Flag Rule
• Identity theft program
• Must respond to notices of discrepancies
• Assess validity of change of address on issuers of debit and credit cards
• Regulations apply to all businesses that have “covered accounts”
  • Defined as any account for which there is a foreseeable risk of identity theft
![Page 9: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/9.jpg)
• Fraud alerts required
• Summary of rights of identity theft victims
• Blocking of information resulting from identity theft
• Coordination of identity theft complaint investigations
![Page 10: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/10.jpg)
Applies to “financial institutions”
• Broadly defined as any business engaged in a wide range of financial activities
• Car dealers
• Tax preparers
• Courier services in some cases
• Financial institutions not regulated by other agencies
Requires businesses to have reasonable policies and procedures to ensure security and confidentiality of customer information
![Page 11: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/11.jpg)
Prohibits deceptive or unfair trade practices
Businesses must handle consumer information in a way that is consistent with their promises to their customers
Must avoid data security practices that create an unreasonable risk of harm to consumer data
![Page 12: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/12.jpg)
Regulates the use and disclosure of protected health information
Generally limits release of information to the minimum reasonably needed for the purpose of disclosure
Enables patients to find out how their information may be used and what disclosures have been made
Note: Medical record data is currently worth more on the black market compared to social security numbers, credit card information, etc.
![Page 13: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/13.jpg)
THE GOING RATE
• Medical records - $50
• Social Security Numbers - $3
• Credit card information - $1.50
• Date of birth - $3
• Mother’s maiden name - $6
• Bank account numbers - $100 - $500 (depending upon account balance)
From veriphyr.com
![Page 14: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/14.jpg)
Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information
![Page 15: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/15.jpg)
Know the threat
Know what to protect
Know how to protect
![Page 16: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/16.jpg)
Adversary – the Bad Guy
Terrorist groups
Criminals
Organized crime
Hackers/Crackers
Insider threats – generally more costly and often overlooked
![Page 17: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/17.jpg)
“Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?”
“Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don’t forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%.”
from Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT’s Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University’s Software Engineering Institute
![Page 18: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/18.jpg)
Possible economic gains
Possible political gains
Advantage in global markets
Self-Interest
Revenge
External pressure
![Page 19: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/19.jpg)
This is quite simple – sensitive information
• Personnel information
• Customer information
• Intellectual property
• Company-generated internal reports
• Financial information
• Medical information
• ...and the list goes on
If you are not sure – then be conservative – “loose lips sink ships”
![Page 20: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/20.jpg)
• Know what personal information you have in your files and on computers
• Keep only what you need for your business
• Protect the information that you want to keep
• Properly dispose of what you no longer need
• Create a plan to respond to security incidents
• Periodic employee awareness training
• If you don’t have time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
![Page 21: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/21.jpg)
Understand common social engineering techniques
Social engineering defined as the manipulation of the natural human tendency to trust
The art and science of getting people to do what you want them to do
“A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password.” – Karen J. Bannan, Internet World, January 1, 2001
![Page 22: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/22.jpg)
Information gathering
Developing a relationship
Execution
Exploitation
![Page 23: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/23.jpg)
Shoulder surfing
• Looking over one’s shoulder
Dumpster diving
• Checking out the trash
Mail-outs
• Surveys
![Page 24: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/24.jpg)
Baiting
• Curiosity
• Deliberately leaving an item for discovery and use
Phishing
• Convincing victims to supply sensitive information
• Fairly basic
• Very widely used
• Phisher often purchases a domain that is designed to imitate an official resource
![Page 25: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/25.jpg)
Vishing
• Direct call requesting “security verification”
• Email with instructions to call a telephone number to verify account information before granting access
• Fake interactive techniques such as “press 1”
• Call and try to convince the victim to purchase or install software
Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
![Page 26: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/26.jpg)
“Quid pro quo”
• Something for something
• Often used against office workers
• Attacker pretends to be a “tech support employee” returning a call until he or she finds someone in genuine need of support and extracts other information or requests software downloads
“Diversion theft”
• Common technique used to convince couriers into believing a delivery is to be received elsewhere
![Page 27: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/27.jpg)
Impersonation
Name dropping
Aggression
Conformity
Friendliness
![Page 28: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/28.jpg)
Impersonation
• Repairman
• Helpdesk tech
• Trusted third party
Name Dropping
• Using names of people from your company to make you believe they know you and gain your trust
Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide requested information
![Page 29: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/29.jpg)
Conformity
• “Everyone else has provided the information so it’s fine for you to provide the same.”
• Moves responsibility away from the target
• Avoids the feeling of guilt
Friendliness
• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.
• Communication on a personal level removes the realization of pressure being applied to supply information
![Page 30: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/30.jpg)
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings so victim will probably comply with a large request when having previously complied with a smaller one.
• Attacker is able to appeal to the victim’s senses thus building a better relationship by appearing to be “human” rather than a voice or an email message
• Attacker has a quick mind and is able to compromise
RECOGNIZE THE SIGNS
![Page 31: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/31.jpg)
![Page 32: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/32.jpg)
Unsolicited requests for sensitive information
Content appears genuine
Disguised hyperlinks and sender address
Consists of a clickable image
Generic greetings
Use various tricks to entice recipients to click
• Customer account details need to be updated due to a software or security upgrade
• Customer account may be terminated if account details are not provided within a specific time frame
• Suspect or fraudulent activity involving the user’s account has been detected and the user must provide information
• Routine or random security procedures requiring the user to verify his or her account by providing requested information
![Page 33: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/33.jpg)
Spelling and bad grammar
Links in emails
Threats
Spoofing popular websites or companies
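As an added illustration (not part of the original deck), the following Python checker tests a message against the signs listed above: a generic greeting, a sender display name or link text that shows one domain while the real address points elsewhere, threat or urgency wording, and a request for sensitive information. The phrase lists, the crude two-label domain comparison and both sample messages are constructed assumptions for the demo.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists mirror the signs the deck lists; constructed for this demo.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
THREAT_PHRASES = ("will be terminated", "suspended", "within 24 hours", "immediately")
SENSITIVE_PHRASES = ("password", "social security", "credit card", "verify your account")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def registered_domain(host: str) -> str:
    """Compare on the last two labels only: crude, but enough for a demo."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_email(sender: str, subject: str, body_html: str) -> list[str]:
    """Return the phishing signs found in one message (empty list = none)."""
    flags = []
    text = TAG_RE.sub(" ", body_html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # Display name shows one domain while the real address is elsewhere.
    display, addr = parseaddr(sender)
    shown, real = DOMAIN_RE.search(display), addr.rpartition("@")[2]
    if shown and registered_domain(shown.group(0)) != registered_domain(real):
        flags.append(f"disguised sender: shows {shown.group(0)}, sent from {real}")
    # Visible link text names one site while the href points somewhere else.
    for href, anchor in ANCHOR_RE.findall(body_html):
        visible = DOMAIN_RE.search(TAG_RE.sub("", anchor))
        target = urlparse(href).hostname or ""
        if visible and registered_domain(visible.group(0)) != registered_domain(target):
            flags.append(f"disguised link: shows {visible.group(0)}, goes to {target}")
    haystack = subject.lower() + " " + text
    if any(p in haystack for p in THREAT_PHRASES):
        flags.append("threat or urgency")
    if any(p in haystack for p in SENSITIVE_PHRASES):
        flags.append("request for sensitive information")
    return flags

# Constructed samples; domains use reserved example names and a TEST-NET address.
PHISH = dict(
    sender='"service@yourbank.example" <alerts@mail-update.example.net>',
    subject="Action required: your account will be suspended",
    body_html='<p>Dear Customer,</p><p>Suspicious activity was detected. Verify your '
              'account within 24 hours or it will be terminated. Confirm your password '
              'at <a href="http://203.0.113.5/verify">www.yourbank.example</a>.</p>',
)
LEGIT = dict(
    sender='"Pat Lee" <pat.lee@yourbank.example>',
    subject="Your monthly statement is ready",
    body_html="<p>Hello Pat,</p><p>Your statement is ready in online banking. Sign in "
              "from your own bookmark as usual; we never ask for credentials by email.</p>",
)
```

Calling `check_email(**PHISH)` returns five flags, one per sign the deck names, while `check_email(**LEGIT)` returns an empty list.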
![Page 34: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/34.jpg)
Why am I being asked for this information?
Is it usual to be asked for this sort of information in this format?
Is the request coming from a known source?
What consequences might come from misusing the information that I have been asked to provide?
Is there pressure to take action now?
![Page 42: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/42.jpg)
SOURCES
Federal Trade Commission, BCB Business Center www.ftc.gov
OSPA www.opsecprofessionals.org
Cornell University IT: Phish Bowl www.it.cornell.edu/security/safety/phishbowl.cfm
Protect your business by understanding common social engineering techniques, Small Business Blog http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
Microsoft www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
![Page 43: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/43.jpg)
Grammar, Spacing, Capitalization
Embedded link
Period, no space, no capitalization on start of new sentence
Capitalization
Threat – immediate action required
![Page 44: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/44.jpg)
Embedded link
Threat – immediate action required
Spelling
Violation of a company policy also a violation of law?
![Page 45: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/45.jpg)
Grammar – “Windows”
Embedded link
Grammar – “link below”
Grammar – Windows Defender. Yes, it is a legit software program.
Threat – immediate action required
![Page 46: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/46.jpg)
LinkedIn does not send reminders
Grammar
Embedded link
![Page 47: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/47.jpg)
Great job on website impersonation!
1) Imposed threat requiring immediate action
2) No Section 765 in bylaws
3) AICPA does not regulate CPA status
Grammar
Embedded link
![Page 48: Fraud Awareness](https://reader034.vdocuments.us/reader034/viewer/2022042602/5586376bd8b42acc138b48f7/html5/thumbnails/48.jpg)
Generic greeting
Zip file with embedded malware
Ticket number does not exist