A Global Reach with a Local Perspective
www.decosimo.com

Fraud Awareness - What You and Your Employees Really Need to Know

Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA
Senior Manager
pammantone@decosimo.com
423-756-7100

The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
Operational Security
• Military term meaning: analytic process used to deny an adversary information
• Risk assessment tool

Universal concepts
• Examines day-to-day activities
• Controls information

Applied in any environment
• Equally applicable to individuals and businesses in general
• Identifies security risks
• An expensive and time-consuming process
• A strict set of rules and procedures
• Used only by the government or military
Loss of customer trust and business

Possible lawsuits

Legal issues
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Federal Trade Commission Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act
• Drivers Privacy Protection Act
• Privacy laws
• State laws
“Consumer report information”
• Personal and credit characteristics
• Character
• General reputation
• Must be prepared by a consumer reporting agency

Examples
• Consumer reports in background checks of employees
• Customer credit histories
• Requires businesses that have information covered by the FCRA to take reasonable measures when disposing of the information
• Businesses that collect consumer credit information, credit reports, or employee background histories should ensure compliance
Fair and Accurate Credit Transactions Amendment
• Free credit report once every 12 months
• Limitation on printing credit card numbers
• Red Flag Rule
  • Identity theft program
  • Must respond to notices of discrepancies
  • Assess validity of change of address on issuers of debit and credit cards
  • Regulations apply to all businesses that have “covered accounts”
    • Defined as any account for which there is a foreseeable risk of identity theft
• Fraud alerts required
• Summary of rights of identity theft victims
• Blocking of information resulting from identity theft
• Coordination of identity theft complaint investigations
Applies to “financial institutions”
• Broadly defined as any business engaged in a wide range of financial activities
  • Car dealers
  • Tax preparers
  • Courier services in some cases
  • Financial institutions not regulated by other agencies

Requires businesses to have reasonable policies and procedures to ensure security and confidentiality of customer information
Prohibits deceptive or unfair trade practices

Businesses must handle consumer information in a way that is consistent with their promises to their customers

Must avoid data security practices that create an unreasonable risk of harm to consumer data
Regulates the use and disclosure of protected health information

Generally limits release of information to the minimum reasonably needed for the purpose of disclosure

Enables patients to find out how their information may be used and what disclosures have been made

Note: Medical record data is currently worth more on the black market compared to social security numbers, credit card information, etc.
THE GOING RATE
Medical records - $50
Social Security Numbers - $3
Credit card information - $1.50
Date of birth - $3
Mother’s maiden name - $6
Bank account numbers (depending upon account balance) - $100 - $500
From veriphyr.com
Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information

Know the threat
Know what to protect
Know how to protect
Adversary – the Bad Guy
• Terrorist groups
• Criminals
• Organized crime
• Hackers/Crackers
• Insider threats – generally more costly and often overlooked
“Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?”

“Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don’t forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%.”

From Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT’s Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University’s Software Engineering Institute
• Possible economic gains
• Possible political gains
• Advantage in global markets
• Self-interest
• Revenge
• External pressure
This is quite simple – sensitive information
• Personnel information
• Customer information
• Intellectual property
• Company-generated internal reports
• Financial information
• Medical information
• ... and the list goes on

If you are not sure – then be conservative – “loose lips sink ships”
• Know what personal information you have in your files and on computers
• Keep only what you need for your business
• Protect the information that you want to keep
• Properly dispose of what you no longer need
• Create a plan to respond to security incidents
• Periodic employee awareness training
• If you don’t have time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
• Understand common social engineering techniques
• Social engineering is defined as the manipulation of the natural human tendency to trust
• The art and science of getting people to do what you want them to do
• “A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password.” – Karen J. Bannan, Internet World, January 1, 2001
1) Information gathering
2) Developing a relationship
3) Execution
4) Exploitation
Shoulder surfing

• Looking over one’s shoulder

Dumpster diving

• Checking out the trash

Mail-outs

• Surveys
Baiting
• Curiosity
• Deliberately leaving an item for discovery and use

Phishing
• Convincing victims to supply sensitive information
• Fairly basic
• Very widely used
• Phisher often purchases a domain that is designed to imitate an official resource
Vishing
• Direct call requesting “security verification”
• Email with instructions to call a telephone number to verify account information before granting access
• Fake interactive techniques such as “press 1”
• Call and try to convince the victim to purchase or install software

Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
“Quid pro quo”
• Something for something
• Often used against office workers
• Attacker pretends to be a “tech support employee returning a call” until he or she finds someone in genuine need of support and extracts other information or requests software downloads

“Diversion theft”
• Common technique used to convince couriers into believing a delivery is to be received elsewhere
• Impersonation
• Name dropping
• Aggression
• Conformity
• Friendliness

Impersonation
• Repairman
• Helpdesk tech
• Trusted third party

Name dropping
• Using names of people from your company to make you believe they know you and gain your trust

Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide requested information
Conformity
• “Everyone else has provided the information so it’s fine for you to provide the same.”
• Moves responsibility away from the target
• Avoids the feeling of guilt

Friendliness
• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.
• Communication on a personal level removes the realization of pressure being applied to supply information
RECOGNIZE THE SIGNS
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings, so the victim will probably comply with a large request when having previously complied with a smaller one.
• Attacker is able to appeal to the victim’s senses, thus building a better relationship by appearing to be “human” rather than a voice or an email message
• Attacker has a quick mind and is able to compromise
• Unsolicited requests for sensitive information
• Content appears genuine
• Disguised hyperlinks and sender address
• Consists of a clickable image
• Generic greetings
• Use various tricks to entice recipients to click
  • Customer account details need to be updated due to a software or security upgrade
  • Customer account may be terminated if account details are not provided within a specific time frame
  • Suspect or fraudulent activity involving the user’s account has been detected and the user must provide information
  • Routine or random security procedures requiring the user to verify his or her account by providing requested information
• Spelling and bad grammar
• Links in emails
• Threats
• Spoofing popular websites or companies
• Why am I being asked for this information?
• Is there pressure to take action now?
• Is it usual to be asked for this sort of information in this format?
• What consequences might come from misusing the information that I have been asked to provide?
• Is the request coming from a known source?
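The red flags on the preceding slides (unsolicited requests for sensitive information, disguised hyperlinks and sender address, a clickable image, generic greetings, threats demanding action now) written as a check a mail gateway or awareness tool could run. This is an added example, not code from the presentation; the sample message is constructed, and the keyword lists, the brand-word sender check and the two-label domain comparison are simplifying assumptions.

```python
"""Flag the phishing signs the slides list: sensitive-information requests,
disguised hyperlinks and sender address, clickable images, generic greetings,
and threats demanding immediate action."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are an assumption of this example, not from the slides.
SENSITIVE = ("password", "account details", "social security", "credit card",
             "verify your account", "confirm your identity")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear account holder", "dear valued")
THREATS = ("will be terminated", "will be suspended", "within 24 hours",
           "immediate action", "immediately", "failure to")


class _LinkParser(HTMLParser):
    """Collects (href, visible text, wraps_an_image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._cur = [attrs.get("href", ""), "", False]
        elif tag == "img" and self._cur is not None:
            self._cur[2] = True  # the link is a clickable image

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None


def registrable(host):
    """Last two labels of a host name (assumption: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def visible_domain(text):
    """The host name a reader sees in the link text, or '' if there is none."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1) if m else ""


def phishing_flags(raw_message):
    """Return {red flag: evidence} for each slide red flag that fires."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = {}
    # Disguised sender: the display name claims a brand absent from the domain.
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.partition("@")[2].lower()
    words = re.findall(r"[a-z]{3,}", name.lower())
    if words and not any(w in domain for w in words):
        flags["sender mismatch"] = f"{name!r} sent from {domain}"
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    body = " ".join(re.sub(r"<[^>]+>", " ", html).lower().split())
    text = str(msg["Subject"] or "").lower() + " " + body
    # Greeting is only checked near the top; the other lists over the whole text.
    for flag, needles, window in (("generic greeting", GENERIC_GREETINGS, 300),
                                  ("sensitive information requested", SENSITIVE, None),
                                  ("threat / pressure to act now", THREATS, None)):
        hit = next((n for n in needles if n in text[:window]), None)
        if hit:
            flags[flag] = hit
    # Disguised hyperlinks: shown domain and real target differ; image links.
    parser = _LinkParser()
    parser.feed(html)
    for href, shown, wraps_image in parser.links:
        target = urlparse(href).hostname or ""
        shown_host = visible_domain(shown)
        if shown_host and registrable(shown_host) != registrable(target):
            flags["disguised hyperlink"] = f"shows {shown_host}, goes to {target}"
        if wraps_image:
            flags["clickable image"] = href
    return flags


# Constructed sample message; the bank, domains and recipient are made up.
PHISH = """From: Acme Bank Security <alerts@secure-mailer.example>
Subject: Immediate action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Suspicious activity was detected. Your
account will be suspended unless you verify your account details within 24
hours.</p><p>Click <a href="http://acme-bank-verify.example/login">
https://www.acmebank.example/secure</a> to continue.</p>
<a href="http://acme-bank-verify.example/login"><img src="cid:button"></a>
</body></html>
"""
```

Running phishing_flags(PHISH) raises all six flags; a statement notice whose link text and sender match its real domain raises none.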
SOURCES
• Federal Trade Commission, BCB Business Center: www.ftc.gov
• OSPA: www.opsecprofessionals.org
• Cornell University IT: Phish Bowl: www.it.cornell.edu/security/safety/phishbowl.cfm
• Protect your business by understanding common social engineering techniques, Small Business Blog: http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
• Microsoft: www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
[Phishing email examples: the annotated screenshots are not included in this extraction. The callouts on each example read:]
• Period, no space, no capitalization on start of new sentence; grammar, spacing, capitalization
• Embedded link; capitalization; threat: immediate action required
• Threat: immediate action required; violation of a company policy also a violation of law?
• Spelling; embedded link
• Grammar (“Windows”, “link below”); threat: immediate action required
• Embedded link; grammar: Windows Defender (yes, it is a legit software program)
• LinkedIn does not send reminders; embedded link
• Grammar; great job on website impersonation!
• Embedded link; grammar; 1) imposed threat requiring immediate action, 2) no Section 765 in bylaws, 3) AICPA does not regulate CPA status
• Zip file with embedded malware; generic greeting; ticket number does not exist
Fraud Awareness

  • 1. A Global Reach with a Local Perspective www.decosimo.com Fraud Awareness-What You and Your Employees Really Need to Know
  • 2. Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA Senior Manager pammantone@decosimo.com 423-756-7100 The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
  • 3. Military term • Analytic process used to deny an meaning adversary information Operational Security • Risk assessment tool Universal • Examines day-to-day activities concepts • Controls information • Equally applicable to individuals Applied in any and businesses in general environment • Identifies security risks
  • 4. An expensive A strict set of and time- rules and consuming procedures process Used only by the government or military
  • 5. Loss of customer trust and business Possible law suits Legal issues • Gramm-Leach-Bliley Act • Fair Credit Reporting Act • Federal Trade Commission Act • Health Insurance Portability and Accountability Act (HIPPA) • Family Educational Rights and Privacy Act • Drivers Privacy Protection Act • Privacy Laws • State Laws
  • 6. • Personal and credit characteristics “Consumer • Character report • General reputation • Must be prepared by a information” consumer reporting agency • Consumer reports in background checks of Examples employees • Customer credit histories
  • 7. • Requires businesses who have information covered by the FCRA to take reasonable measures when disposing the information • Businesses that collect consumer credit information, credit reports, or background employee histories should ensure compliance
  • 8. Fair and Accurate Credit Transactions Amendment • Free credit report once every 12 months • Limitation on printing credit card numbers • Red Flag Rule • Identity theft program • Must respond to notices of discrepancies • Assess validity of change of address on issuers of debit and credit cards • Regulations apply to all businesses that have “covered accounts” • Defined as any account for which there is a foreseeable risk of identity theft
  • 9. • Fraud alerts required • Summary of rights of identity theft victims • Blocking of information resulting from identity theft • Coordination of identity theft complaint investigations
  • 10. Applies to “financial institutions” • Broadly defined as any business engaged in a wide range of financial activities • Car dealers • Tax preparers • Courier services in some cases • Financial institutions not regulated by other agencies Requires businesses to have reasonable policies and procedures to ensure security and confidentiality of customer information
  • 11. Prohibits deceptive or unfair trade practices Businesses must handle consumer information in a way that is consistent with their promises to their customers Must avoid data security practices that create an unreasonable risk of harm to consumer data
  • 12. Regulates the use and disclosure of protected health information Generally limits release of information to the minimum reasonably needed for the purpose of disclosure Enables patients to find out how their information may be used and what disclosures have been made Note: Medical record data is currently worth more on the black market compared to social security numbers, credit card information, etc.
  • 13. THE GOING RATE Medical records - $50 Social Security Numbers - $3 Credit card information - $1.50 Date of birth - $3 Mother’s maiden name - $6 Depending upon account balance – bank account numbers - $100 - $500 From veriphyr.com
  • 14. Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information
  • 15. Know the Know what threat to protect Know how to protect
  • 16. Adversary – the Bad Guy Terrorist groups Criminals Organized crime Hackers/Crackers Insider threats – generally more costly and often overlooked
  • 17.  “Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?”  “Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don’t forget, most (67%) say that insider attacks are more costly. This year the numbers actual changed for the first time. Insider attacks dropped down to approximately 27%.”  from Combat Insider Threat: Proven Strategies from CERT; Dawn Cappeli, Technical Manager of CERT’S Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University’s Software Engineering Institute
  • 18. Possible economic gains Possible political gains Advantage in global markets Self-Interest Revenge External pressure
  • 19. This is quite simple – sensitive information • Personnel information • Customer information • Intellectual property • Company-generated internal reports • Financial information • Medical information • ----and the list goes on-------- If you are not sure – then be conservative – “loose lips sink ships”
  • 20. • Know what personal information you have in your files and on computers • Keep only what you need for your business • Protect the information that you want to keep • Properly dispose of what you no longer need • Create a plan to respond to security incidents • Periodic employee awareness training • If you don’t have time or expertise in- house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
  • 21.  Understand common social engineering techniques  Social engineering defined as the manipulation of the natural human tendency to trust  The art and science of getting people to do what you want them to do  “ A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password.” – Karen J. Bannan, Internet World. January 1, 2001
• 22. The social engineering cycle
• Information gathering
• Developing a relationship
• Execution
• Exploitation
• 23. Information gathering techniques
• Shoulder surfing – looking over one’s shoulder
• Dumpster diving – checking out the trash
• Mail-outs – surveys
• 24. Baiting
• Relies on curiosity
• Deliberately leaving an item for discovery and use
Phishing
• Convincing victims to supply sensitive information
• Fairly basic
• Very widely used
• The phisher often purchases a domain that is designed to imitate an official resource
• 25. Vishing
• Direct call requesting “security verification”
• Email with instructions to call a telephone number to verify account information before granting access
• Fake interactive techniques such as “press 1”
• Call and try to convince the target to purchase or install software
Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
• 26. “Quid pro quo”
• Something for something
• Often used against office workers
• Attacker pretends to be a “tech support employee returning a call” until he or she finds someone in genuine need of support, then extracts other information or requests software downloads
“Diversion theft”
• Common technique used to convince couriers that a delivery is to be received elsewhere
• 27. Persuasion techniques
• Impersonation
• Name dropping
• Aggression
• Conformity
• Friendliness
• 28. Impersonation
• Repairman
• Helpdesk tech
• Trusted third party
Name dropping
• Using names of people from your company to make you believe they know you and gain your trust
Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide the requested information
• 29. Conformity
• “Everyone else has provided the information so it’s fine for you to provide the same.”
• Moves responsibility away from the target
• Avoids the feeling of guilt
Friendliness
• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.
• Communication on a personal level removes the realization of pressure being applied to supply information
• 30. RECOGNIZE THE SIGNS
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings, so the victim will probably comply with a large request when having previously complied with a smaller one
• Attacker is able to appeal to the victim’s senses, thus building a better relationship by appearing to be “human” rather than a voice or an email message
• Attacker has a quick mind and is able to compromise
• 32. Signs of a phishing email
• Unsolicited requests for sensitive information
• Content appears genuine
• Disguised hyperlinks and sender address
• Consists of a clickable image
• Generic greetings
• Uses various tricks to entice recipients to click:
• Customer account details need to be updated due to a software or security upgrade
• Customer account may be terminated if account details are not provided within a specific time frame
• Suspect or fraudulent activity involving the user’s account has been detected and the user must provide information
• Routine or random security procedures requiring the user to verify his or her account by providing the requested information
• 33. More signs of a phishing email
• Spelling and bad grammar
• Links in emails
• Threats
• Spoofing popular websites or companies
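As an added example (not from the original deck), a small Python checker that tests a constructed email against the red flags listed above: an untrusted sender domain, a generic greeting, threat or deadline wording, and a link whose visible text names a different host than its real target. The sample message, the phrase list and the trusted-domain set are assumptions made for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original deck); names and hosts are made up.
SAMPLE_EMAIL = """From: Account Security <alerts@secure-bank-login.example.net>
Content-Type: text/html

<p>Dear Customer,</p><p>Suspect activity has been detected on your account.
You must verify your account details within 24 hours or it will be terminated.
<a href="http://198.51.100.7/verify">www.examplebank.com/secure</a></p>
"""

# Pressure phrases the deck lists as lures (threats, deadlines, "upgrades").
URGENCY = ("within 24 hours", "immediately", "terminated", "suspended", "security upgrade")

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for each anchor plus the body's plain text.
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_flags(raw_email, trusted_domains):
    """Return the warning signs found in one RFC 822 message with an HTML body."""
    msg = message_from_string(raw_email)
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    body = " ".join(parser.text).lower()
    sender = msg.get("From", "").lower().rstrip(">")
    flags = []
    if not any(sender.endswith("@" + d) for d in trusted_domains):
        flags.append("sender domain not trusted")
    if re.search(r"\bdear\s+(customer|user|member|valued)", body):
        flags.append("generic greeting")
    if any(phrase in body for phrase in URGENCY):
        flags.append("threat or urgency")
    for href, text in parser.links:  # compare hosts only when the text looks like a URL
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/|$)", text.lower())
        if m and m.group(1) != (urlparse(href).hostname or ""):
            flags.append(f"disguised link: shows {m.group(1)}, goes to {href}")
    return flags
```

Running `phishing_flags(SAMPLE_EMAIL, {"examplebank.com"})` reports all four signs for the sample, while a plain internal note from a trusted sender with an honest link reports none.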
• 41. Questions to ask before responding
• Why am I being asked for this information?
• Is there pressure to take action now?
• Is it usual to be asked for this sort of information in this format?
• What consequences might come from misusing the information that I have been asked to provide?
• Is the request coming from a known source?
• 42. SOURCES
• Federal Trade Commission, BCB Business Center: www.ftc.gov
• OSPA: www.opsecprofessionals.org
• Cornell University IT: Phish Bowl: www.it.cornell.edu/security/safety/phishbowl.cfm
• Protect your business by understanding common social engineering techniques, Small Business Blog: http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
• Microsoft: www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
• 43. Phishing example 1 – what gives it away
• Period, no space, no capitalization at the start of a new sentence
• Grammar, spacing, capitalization
• Embedded link
• Capitalization
• Threat – immediate action required
• 44. Phishing example 2 – what gives it away
• Threat – immediate action required
• Violation of a company policy also a violation of law?
• Spelling
• Embedded link
• 45. Phishing example 3 – what gives it away
• Grammar – “Windows”
• Grammar – “link below”
• Threat – immediate action required
• Embedded link
• Grammar – Windows Defender. Yes, it is a legitimate software program.
• 46. Phishing example 4 – what gives it away
• LinkedIn does not send reminders
• Embedded link
• Grammar
• 47. Phishing example 5 – great job on website impersonation!
1) Imposed threat requiring immediate action
2) No Section 765 in the bylaws
3) The AICPA does not regulate CPA status
• Embedded link
• Grammar
• 48. Phishing example 6 – what gives it away
• Zip file with embedded malware
• Generic greeting
• Ticket number does not exist