Fraud awareness for companies and their employees, covering legal aspects of securing confidential information, social engineering techniques, and what to look for in suspect emails.
1. Fraud Awareness - What You and Your Employees Really Need to Know
A Global Reach with a Local Perspective
www.decosimo.com
2. Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA
Senior Manager
pammantone@decosimo.com
423-756-7100
The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
3. Operational Security
Military term meaning; universal concepts; applied in any environment
• Analytic process used to deny an adversary information
• Risk assessment tool
• Examines day-to-day activities
• Controls information
• Equally applicable to individuals and businesses in general
• Identifies security risks
4. An expensive and time-consuming process
A strict set of rules and procedures
Used only by the government or military
5. Loss of customer trust and business
Possible lawsuits
Legal issues
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Federal Trade Commission Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act
• Drivers Privacy Protection Act
• Privacy Laws
• State Laws
6. “Consumer report information”
• Personal and credit characteristics
• Character
• General reputation
• Must be prepared by a consumer reporting agency
Examples
• Consumer reports in background checks of employees
• Customer credit histories
7. • Requires businesses that have information covered by the FCRA to take reasonable measures when disposing of the information
• Businesses that collect consumer credit information, credit reports, or employee background histories should ensure compliance
8. Fair and Accurate Credit Transactions Amendment
• Free credit report once every 12 months
• Limitation on printing credit card numbers
• Red Flag Rule
• Identity theft program
• Must respond to notices of discrepancies
• Assess validity of change of address on issuers of debit and credit cards
• Regulations apply to all businesses that have “covered accounts”
• Defined as any account for which there is a foreseeable risk of identity theft
9. • Fraud alerts required
• Summary of rights of identity theft victims
• Blocking of information resulting from identity theft
• Coordination of identity theft complaint investigations
10. Applies to “financial institutions”
• Broadly defined as any business engaged in a wide range of financial activities
• Car dealers
• Tax preparers
• Courier services in some cases
• Financial institutions not regulated by other agencies
Requires businesses to have reasonable policies and procedures to ensure security and confidentiality of customer information
11. Prohibits deceptive or unfair trade practices
Businesses must handle consumer information in a way that is consistent with their promises to their customers
Must avoid data security practices that create an unreasonable risk of harm to consumer data
12. Regulates the use and disclosure of protected health information
Generally limits release of information to the minimum reasonably needed for the purpose of disclosure
Enables patients to find out how their information may be used and what disclosures have been made
Note: Medical record data is currently worth more on the black market compared to social security numbers, credit card information, etc.
13. THE GOING RATE
Medical records - $50
Social Security Numbers - $3
Credit card information - $1.50
Date of birth - $3
Mother’s maiden name - $6
Bank account numbers (depending upon account balance) - $100 - $500
From veriphyr.com
14. Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information
15. Know the threat
Know what to protect
Know how to protect
16. Adversary – the Bad Guy
Terrorist groups
Criminals
Organized crime
Hackers/Crackers
Insider threats – generally more costly and often overlooked
17. “Q: What is the percentage of insider vs external attacks?
Can Dawn share empirical evidence that the number of
security incidents related to insiders is increasing or is the
evidence anecdotal?”
“Dawn: We ask those questions in our survey every year.
We have been doing our survey for seven years and every
year consistently it has shown insiders to outsiders at
around 1/3 insiders and 2/3 outsiders, but don’t forget,
most (67%) say that insider attacks are more costly. This
year the numbers actually changed for the first time. Insider
attacks dropped down to approximately 27%.”
from Combat Insider Threat: Proven Strategies from CERT;
Dawn Cappelli, Technical Manager of CERT’s Enterprise
Threat and Vulnerability Management Team at Carnegie
Mellon University’s Software Engineering Institute
19. This is quite simple – sensitive information
• Personnel information
• Customer information
• Intellectual property
• Company-generated internal reports
• Financial information
• Medical information
• ... and the list goes on
If you are not sure – then be conservative – “loose lips sink ships”
20. • Know what personal information you have in your files and on computers
• Keep only what you need for your business
• Protect the information that you want to keep
• Properly dispose of what you no longer need
• Create a plan to respond to security incidents
• Periodic employee awareness training
• If you don’t have time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
21. Understand common social engineering techniques
Social engineering is defined as the manipulation of the natural human tendency to trust
The art and science of getting people to do what you want them to do
“A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password.” – Karen J. Bannan, Internet World. January 1, 2001
23. Shoulder surfing
• Looking over one’s shoulder
Dumpster diving
• Checking out the trash
Mail-outs
• Surveys
24. Baiting
• Curiosity
• Deliberately leaving item for discovery and use
Phishing
• Convincing victims to supply sensitive information
• Fairly basic
• Very widely used
• Phisher often purchases a domain that is designed to imitate an official resource
25. Vishing
• Direct call requesting “security verification”
• Email with instructions to call a telephone number to verify account information before granting access
• Fake interactive techniques such as “press 1”
• Call and try to convince purchase or install of software
Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
26. “Quid pro quo”
• Something for something
• Often used against office workers
• Attacker pretends to be a “tech support employee returning a call” until he or she finds someone in genuine need of support and extracts other information or requests software downloads
“Diversion theft”
• Common technique used to convince couriers into believing a delivery is to be received elsewhere
28. Impersonation
• Repairman
• Helpdesk tech
• Trusted third party
Name Dropping
• Using names of people from your company to make you believe they know you and gain your trust
Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide requested information
29. Conformity
• “Everyone else has provided the information so it’s fine for you to provide the same.”
• Moves responsibility away from the target
• Avoids the feeling of guilt
Friendliness
• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.
• Communication on a personal level removes the realization of pressure being applied to supply information
30. RECOGNIZE THE SIGNS
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings so the victim will probably comply with a large request when having previously complied with a smaller one.
• Attacker is able to appeal to the victim’s senses, thus building a better relationship by appearing to be “human” rather than a voice or an email message
• Attacker has a quick mind and is able to compromise
32. Unsolicited requests for sensitive information
Content appears genuine
Disguised hyperlinks and sender address
Consists of a clickable image
Generic greetings
Use various tricks to entice recipients to click
• Customer account details need to be updated due to a software or security upgrade
• Customer account may be terminated if account details are not provided within a specific time frame
• Suspect or fraudulent activity involving the user’s account has been detected and the user must provide information
• Routine or random security procedures requiring the user to verify his or her account by providing requested information
33. Spelling and bad grammar
Links in emails
Threats
Spoofing popular websites or companies
41. Why am I being asked for this information?
Is there pressure to take action now?
Is it usual to be asked for this sort of information in this format?
What consequences might come from misusing the information that I have been asked to provide?
Is the request coming from a known source?
42. SOURCES
Federal Trade Commission, BCP Business Center
www.ftc.gov
OSPA
www.opsecprofessionals.org
Cornell University IT: Phish Bowl
www.it.cornell.edu/security/safety/phishbowl.cfm
Protect your business by understanding common social engineering techniques, Small Business Blog
http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
Microsoft
www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
43. Period, no space, no capitalization on start of new sentence
Grammar, spacing, capitalization
Embedded link
Capitalization
Threat – immediate action required
47. Great job on website impersonation!
1) Imposed threat requiring immediate action
2) No Section 765 in bylaws
3) AICPA does not regulate CPA status
Embedded link
Grammar
48. Zip file with embedded malware
Generic greeting
Ticket number does not exist
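The signs listed on slides 32 and 33 and called out on the annotated samples on slides 43, 47 and 48 can be checked mechanically before a message reaches a reader. The script below is an added example for this deck, not the presenter's or Decosimo's code: it parses one raw email with Python's standard library and reports a generic greeting, urgency or threat wording, a "period, no space, no capital" run-on, a hyperlink whose visible text names a different site than the address it really opens, a sender domain with digits mixed into letters, and an archive attachment (inspected by file name only, never opened). The sample message, the *.test domains, the attachment name and the keyword lists are all constructed for the demonstration and are not a vetted ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the deck): a mock "verify your account" message built to show the listed signs.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>suspicious activity was detected.your account will be terminated unless you
verify your details immediately.</p>
<p><a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/secure</a></p>
</body></html>
--b1
Content-Type: application/zip; name="ticket_4711.zip"
Content-Disposition: attachment; filename="ticket_4711.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Heuristic patterns; the word lists are illustrative assumptions, not a vetted ruleset.
GENERIC_GREETING = re.compile(r"\bdear\s+(?:valued\s+)?(?:customer|user|member|client|account\s+holder|sir/madam)\b", re.I)
URGENCY = re.compile(r"\b(?:urgent|immediately|within\s+\d+\s+hours|suspended|terminated|verify)\b", re.I)
RUN_ON_SENTENCE = re.compile(r"\b[a-z]{3,}\.[a-z]{3,}\b")  # "detected.your": period, no space, no capital
RISKY_ATTACHMENT = re.compile(r"\.(?:zip|rar|7z|exe|scr|js|iso|vbs)$", re.I)
URL_LIKE_TEXT = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _LinkParser(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _site(url):
    """Last two DNS labels of a URL's host: a rough stand-in for the registered domain."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def disguised_links(html):
    """(visible text, href) pairs where the text looks like a URL for one site but the link goes to another."""
    parser = _LinkParser()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if URL_LIKE_TEXT.fullmatch(text) and _site(text) != _site(href)]

def analyze(raw_message):
    """Return a list of (indicator, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    # Sender address: digits mixed into letters ("examp1e") is a common look-alike trick.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if re.search(r"[a-z]\d|\d[a-z]", from_domain):
        findings.append(("lookalike-sender-domain", from_domain))
    text, html = [msg.get("Subject", "")], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # attachment: only the name is inspected, it is never opened
            if RISKY_ATTACHMENT.search(filename):
                findings.append(("risky-attachment", filename))
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html.append(body)
            body = re.sub(r"<[^>]+>", " ", body)  # keep only what the reader sees
        text.append(body)
    corpus = "\n".join(text)
    prose = re.sub(r"\S*(?:://|www\.)\S*", " ", corpus)  # URLs would otherwise look like run-on words
    for name, pattern, haystack in (("generic-greeting", GENERIC_GREETING, corpus),
                                    ("urgency-language", URGENCY, corpus),
                                    ("missing-space-after-period", RUN_ON_SENTENCE, prose)):
        hits = sorted({m.lower() for m in pattern.findall(haystack)})
        if hits:
            findings.append((name, ", ".join(hits)))
    for shown, real in disguised_links("\n".join(html)):
        findings.append(("disguised-link", f"shows {shown!r}, goes to {real!r}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL):
        print(f"{indicator:28} {detail}")
```

Run against the constructed sample, every indicator fires; a plain one-line message from a colleague produces no findings. Each finding maps back to a slide (generic greeting and ticket-style attachment on slide 48, run-on punctuation on slide 43, imposed deadline and embedded link on slide 47), so the output doubles as the checklist from slide 41 for a reader deciding whether to act on a request. Treat the result as a triage aid that routes a suspicious message to a person, not as a verdict: a legitimate notice can trip a keyword, and a well-written phish can trip none.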