Fraud Protections, Cyber-Theft and Controls
By: David T. Schwindt, CPA RS PRA
David T. Schwindt

David T. Schwindt, CPA, a native Oregonian, has over twenty-five years' experience in public and private accounting, including employment with the Portland, Oregon and Denver, Colorado offices of KPMG Peat Marwick. Mr. Schwindt's tenure was spent primarily in the Private Business Advisory Services Department, providing auditing, accounting, tax, and management consulting services for businesses as well as tax compliance and planning for individuals.
Mr. Schwindt is a graduate of Western Oregon University where he received a Bachelor of Science Degree. He is a Certified Public Accountant in the State of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist – RS, licensed by Community Associations Institute and a Professional Reserve Analyst – PRA, licensed by the Association of Professional Reserve Analysts. He is a past director for Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado and member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council.
Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.
Cyber-theft
Are we at risk?
YES!!
Who Should be Concerned?
• Board Members
• Management Companies
• Affiliates
– CPAs
– Bookkeepers
– Insurance Agents
– Bankers
– Attorneys
• Treasurers who have control over reserve funds
Understanding the Adversary
• Known fraud rings are mostly Eastern European (Ukrainian, Russian, Romanian, Estonian) as well as Asian
• Complete service-based economy with specialists in
– ATMs
– ACH and wire payment systems
– Check processing
– Credit card processing
• Online libraries, education, marketplace and recruitment
– Malware kits sell for as little as $5,000
– Some kits even come with tech support
• Attacks involve social engineering and technical aspects
The Goal of Criminals
• Steal cash
• Steal information that can be converted to cash
Dissecting a Zeus Attack
Account Take Over

Dissecting an Attack
1. Target Victims: Criminals target victims by way of phishing or social engineering techniques.
2. Install Malware: The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. Online Banking: The victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data: The malware collects and transmits data back to the criminals through a back door connection.
5. Initiate Funds Transfer: The criminals leverage the victim's online banking credentials to initiate a funds transfer from the victim's account.
Phishing
• Criminals “phish” for victims using emails, pop-ups and social engineering
• Unsolicited phishing emails may
– Ask for personal or account information
– Direct the employee to click on a malicious link
– Contain attachments that are infected with malware
– Contain publicly available information to look legitimate
• Phishing emails can be very convincing
– From UPS: “There is a problem with your shipment.”
– From your bank: “There is a problem with your bank account.”
– From the Better Business Bureau: “A complaint has been filed against you.”
– From a Court: “You’ve been served a subpoena/selected for jury duty.”
– From NACHA or the Federal Reserve: “Your ACH or wire transaction has been rejected.”
– From a job applicant: “My resume is attached.”
Sample Phishing Email
NACHA Phishing Alert (01/19/2010) – Email Claiming to be from NACHA
= = = = = Sample Email = = = = =
Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Please Find Attached Transaction Report
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Paul Arnold
Electronic Payments Association Manager
= = = = = = = = = = = = = = = = = = = =
Malicious Software (Malware)
• Downloaded to PC after employee opens infected attachments in an email or visits a nefarious website
• Newer malware can be acquired simply by viewing HTML emails
• Allows criminals to “see” and track employee’s activities internally and on the Internet, including visits to online banking sites
• Criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate
If you are hacked and your money is gone, who will reimburse you?
• Bank?
• Management Company?
• Insurance Company?
– Fidelity Insurance?
– Computer Fraud Insurance?
Safeguards
• Passwords
– Complex
– Change passwords regularly
– Do not share
– Do not store on computer
• Stand Alone Computer
– No web browsing
– No emails
– Password
• Dual Authorizations; online transactions should be coordinated with the Bank
• Financial/IT Audits
– Implement recommendations
– Yearly
– Audits vs Reviews
• Education
– Board Members
– Management Company Personnel
• Written Protocols
– Controls
– Ongoing Education
– In the event of an attack
• Contingency Plans
• Daily reviews of all online transactions
– Banks require immediate notification
• Firewalls, Anti-virus, IT Security Software, and Protocols
Who is ultimately responsible for ensuring that strong controls are in place to prevent cyber-theft?
A. Association management company
B. Independent Auditor
C. Insurance Agent
D. Board of Directors
E. Banker
Answer: D. Board of Directors
How does the Board of Directors fulfill this responsibility?
• Engaging professionals
– CPA
– Management Company
– Insurance Agent
– Banker
– IT Consultant
• Documenting protocols
Summary
• Conduct periodic risk assessments
• Educate Board, management company, and committee members as to the threat, defenses and risks
• Use a stand-alone PC for online banking; prohibit email, web surfing, etc.
• Use dual control, dual authorization, activity limits, and receive alerts
• Review accounts and transactions regularly
• Recognize the signs of malware on the PC
• Suspect malware? Stop, unplug the PC and contact your FI immediately.
• Comply with the PCI Data Security Standards
• Computer fraud and Fidelity Insurance
A Classic Risk Management Quote
“When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident…of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”
-Edward J. Smith, 1907
(Captain, RMS Titanic, 1912)
Cyber Theft
Presented by Kris Gjylameti
Cyber Crime – Growing Trend
• Cyber thieves have cost US companies more than $15bn in the past five years, the FDIC found in a recent study.
• Cyber-crime in 2009: 336,655 complaints received; $560M lost (not including unreported incidents)
• Cyber-crime in 2008: 275,284 complaints received; $265M lost (not including unreported incidents)
Sample Corporate Account Takeovers and Losses
• Pennsylvania School District - $450,000
• New York School District - $500,000
• Experi-Metal - $550,000
• PATCO - $358,000
• Hillary Machinery - $229,000
• Illinois Town - $70,000
• Marian College - $189,000
• Sand Springs School - $80,000
• Sycamore County Schools - $300,000
• Village View Escrow - $465,000
• Catholic Diocese of Des Moines - $600,000
• Town of Pittsford, NY - $139,000
• Steuben Arcs - $158,000
• St. Isidore’s Catholic Church - $87,000
• Two Trucking Companies - $115,000
• MECA - $217,000
FDIC - Trivia
Do you think that the FDIC will insure your money from a cyber theft event?
• YES
• NO
Primary Targets – Companies
• Cyber criminals are no longer attacking banks; they are targeting businesses
• Primary banking products are ACH and wire transfers, Online Bill Pay, and E-payments
• Management Companies are the perfect target – Associations with large deposit amounts!!!
Is this you?
Awareness
Accept that these threats are real and it could happen to you!
• The key is awareness and action on that awareness
• If you notice behavior by your system, staff, affiliates or other personnel that just doesn’t seem right, question it
Prevention Methods
• Do not open attachments or enter links where the sender is not known to you or the information was not solicited/initiated by you
• Security information WILL NEVER be solicited by email
• Only browse the internet for business-related needs
Questions to ask your Banker
• Does your bank give board members online banking transaction capabilities?
• Do they ask if the board has proper internal controls?
• Dual Controls in online banking
• Multiple user approval features and approval levels
Questions to ask your Banker
• User level functionality that allows you to set access and limits per the needs of the user along with managing what the user can see.
• Email notifications – Have your balances changed?
Questions to ask your Banker
• Out of Band verification for ACH and Wire transactions when funds are leaving your account.
• Does your bank provide layered security?
Control: Out-of-Band Authentication
Enhanced Multi-Factor Authentication
1. User logs in with their Username and Password
• Something you know
2. User is prompted to select channel for delivery of One Time Password (OTP)
• Something you have *
Because of multi-factor authentication, a fraudster cannot independently log into a user account.
• Fraudster would need to know username/password AND have the user’s phone. *
![Page 32: Fraud Protections, Cyber-Theft and Controls](https://reader035.vdocuments.us/reader035/viewer/2022062217/56812a9b550346895d8e5690/html5/thumbnails/32.jpg)
• Require secondary approval of transactionsor key changes with OTP
Control: Transaction Verification
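The two controls above (out-of-band OTP at login and OTP-backed secondary approval of transfers), together with the dual control and activity limits from the Summary slide, are easier to reason about when modelled end to end. The following is an added example, not code from the presentation or from any bank; the `Bank`, `User` and `Transfer` classes, the users, phone numbers and payee are constructed for illustration, and the "SMS channel" is a plain dictionary standing in for a real out-of-band delivery.

```python
# Toy model of out-of-band MFA login plus dual-control transfer approval with OTP.
# Example code added here, not from the slides; all names and accounts are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    phone: str   # out-of-band channel: "something you have"
    limit: int   # per-transfer activity limit in dollars


@dataclass
class Transfer:
    initiator: str
    amount: int
    payee: str
    approved_by: Optional[str] = None


class Bank:
    """Hypothetical online-banking back end implementing the controls discussed."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sms_outbox: Dict[str, str] = {}   # phone -> last OTP delivered (simulated SMS)
        self.pending_otp: Dict[Tuple[str, str], str] = {}
        self.sessions: Dict[str, str] = {}     # session token -> user name
        self.transfers: Dict[int, Transfer] = {}
        self.alerts: List[str] = []            # notifications the customer would receive

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name: str, password: str, phone: str, limit: int) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, self._hash(password, salt), phone, limit)

    def _send_otp(self, name: str, purpose: str) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[(name, purpose)] = otp
        self.sms_outbox[self.users[name].phone] = otp   # leaves over the separate channel

    def _check_otp(self, name: str, purpose: str, otp: str) -> bool:
        expected = self.pending_otp.pop((name, purpose), None)   # single use
        return expected is not None and hmac.compare_digest(expected, otp)

    # Step 1, something you know: a correct password only triggers OTP delivery.
    def login_password(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.pw_hash, self._hash(password, user.salt)):
            return False
        self._send_otp(name, "login")
        return True

    # Step 2, something you have: a session exists only after the OTP is proven.
    def login_otp(self, name: str, otp: str) -> Optional[str]:
        if not self._check_otp(name, "login", otp):
            self.alerts.append(f"failed OTP for {name}")
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token

    def request_transfer(self, token: str, amount: int, payee: str) -> Optional[int]:
        name = self.sessions.get(token)
        if name is None:
            return None
        if amount > self.users[name].limit:   # activity limit
            self.alerts.append(f"{name} exceeded limit with ${amount}")
            return None
        tid = len(self.transfers) + 1
        self.transfers[tid] = Transfer(name, amount, payee)
        self.alerts.append(f"transfer {tid} for ${amount} awaiting second approval")
        return tid

    # Dual control: a different user approves, and must prove the OTP sent to their phone.
    def begin_approval(self, token: str, tid: int) -> bool:
        approver, t = self.sessions.get(token), self.transfers.get(tid)
        if approver is None or t is None or approver == t.initiator or t.approved_by:
            return False
        self._send_otp(approver, f"approve:{tid}")
        return True

    def approve_transfer(self, token: str, tid: int, otp: str) -> bool:
        approver, t = self.sessions.get(token), self.transfers.get(tid)
        if approver is None or t is None or approver == t.initiator or t.approved_by:
            return False
        if not self._check_otp(approver, f"approve:{tid}", otp):
            return False
        t.approved_by = approver
        return True


def full_login(bank: Bank, name: str, password: str) -> Optional[str]:
    # Legitimate user reads the OTP from their own phone (the simulated outbox).
    if not bank.login_password(name, password):
        return None
    return bank.login_otp(name, bank.sms_outbox[bank.users[name].phone])


def demo_stolen_credentials() -> bool:
    # Keylogged password alone: step 1 passes, but the OTP went to the treasurer's phone.
    bank = Bank()
    bank.register("treasurer", "correct horse", "+1-555-0100", limit=10_000)
    bank.login_password("treasurer", "correct horse")
    real_otp = bank.sms_outbox["+1-555-0100"]
    guess = "000000" if real_otp != "000000" else "111111"   # attacker never sees the phone
    return bank.login_otp("treasurer", guess) is None and bool(bank.alerts)


def demo_dual_control() -> Tuple[bool, bool, bool]:
    # Initiator cannot self-approve; a second user approves with OTP; the limit is enforced.
    bank = Bank()
    bank.register("treasurer", "correct horse", "+1-555-0100", limit=10_000)
    bank.register("president", "battery staple", "+1-555-0101", limit=10_000)
    t_tok = full_login(bank, "treasurer", "correct horse")
    tid = bank.request_transfer(t_tok, 5_000, "Roofing Co (constructed payee)")
    self_approval_blocked = not bank.begin_approval(t_tok, tid)
    p_tok = full_login(bank, "president", "battery staple")
    bank.begin_approval(p_tok, tid)
    approved = bank.approve_transfer(p_tok, tid, bank.sms_outbox["+1-555-0101"])
    over_limit_blocked = bank.request_transfer(t_tok, 50_000, "Anywhere") is None
    return self_approval_blocked, approved, over_limit_blocked
```

Running `demo_stolen_credentials()` returns `True`: the captured password gets the attacker through step 1 only, and the failed OTP leaves an alert for the account holder to act on. `demo_dual_control()` returns `(True, True, True)`: the treasurer cannot approve their own transfer, the president's approval succeeds only with the OTP delivered to the president's phone, and a transfer over the activity limit is refused and alerted. The OTP is single use and compared with `hmac.compare_digest`, and a session is never created from the password alone, which is the property the slide's "fraudster would need the user's phone" statement relies on.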
Consumer vs. Commercial Banking fraud
• Immediate fraud identification, reporting and escalation is required.
• Commercial Clients have a duty to secure their information.
• Losses due to commercial client negligence can possibly result in a loss to the client.
Control: Callbacks
• Bank should call to verify whether a transaction is authentic:
– The call should go to someone other than the person who initiated the transaction
– Call should be confirmed by a “PIN”
Consumer vs. Commercial Banking fraud
• Reporting periods are based on the method of fraud and other circumstances. Check with your bank and ask for their specific reporting criteria.
• Millions can be lost in minutes, so don’t delay! Contact your bank and make them aware of the cyber theft.
• Immediate reporting is critical to the success of recovering and mitigating losses when fraud occurs, due to the timeframes set by the Federal Reserve, UCC or NACHA.
Consumer Protection
• Reg E – Provides Consumer Protection.
• Consumers enjoy much more protection from cyber theft or banking fraud.
• There is less of a burden for consumers and more on Commercial Businesses.
Commercial Clients
• Monitor your account and audit your NACHA files for fraudulent activity.
• Collectively participate in your own Information Security.
• There is varying case law with commercial client breaches – each situation is unique.
Prevention Methods continued
MOST IMPORTANTLY, if you think you have clicked on, opened or downloaded a virus or malicious software program, notify your supervisor and/or IT staff immediately.
The longer you wait, the more damage can occur!!!
Additional Resources
• FDIC website (www.fdic.gov) offers a wealth of information on this and related topics
• FDIC has produced an excellent video, “Don’t be an Online Victim”, which can be found on YouTube
“The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeroes, little bits of data.”
– Sneakers (1992)
Kris Gjylameti