Fraud Awareness


Fraud awareness for companies and their employees, covering the legal aspects of securing confidential information, social engineering techniques, and what to look for in suspect e-mails.


  1. Fraud Awareness: What You and Your Employees Really Need to Know. A Global Reach with a Local Perspective, www.decosimo.com
  2. Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA, Senior Manager, 423-756-7100. The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
  3. Operational security
     • Military term meaning an analytic process used to deny an adversary information
     • Risk assessment tool
     • Examines day-to-day activities
     • Controls information
     • Identifies security risks
     Universal concepts
     • Equally applicable to individuals and to businesses in general
     • Applied in any environment
  4. What operational security is not
     • An expensive and time-consuming process
     • A strict set of rules and procedures
     • Used only by the government or military
  5. Consequences of failing to protect information
     • Loss of customer trust and business
     • Possible lawsuits
     • Legal issues: Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Federal Trade Commission Act; Health Insurance Portability and Accountability Act (HIPAA); Family Educational Rights and Privacy Act; Drivers Privacy Protection Act; privacy laws; state laws
  6. Fair Credit Reporting Act (FCRA): "consumer report information"
     • Covers personal and credit characteristics, character and general reputation
     • Must be prepared by a consumer reporting agency
     • Examples: consumer reports used in background checks of employees; customer credit histories
  7. Disposal of FCRA-covered information
     • Businesses that hold information covered by the FCRA must take reasonable measures when disposing of it
     • Businesses that collect consumer credit information, credit reports or employee background histories should ensure compliance
  8. Fair and Accurate Credit Transactions Act amendment to the FCRA
     • Free credit report once every 12 months
     • Limitation on printing credit card numbers
     • Red Flags Rule: requires an identity theft program; notices of discrepancies must be responded to; issuers of debit and credit cards must assess the validity of a change of address; the regulations apply to all businesses that have "covered accounts", defined as any account for which there is a foreseeable risk of identity theft
  9. Fair and Accurate Credit Transactions Act amendment (continued)
     • Fraud alerts required
     • Summary of the rights of identity theft victims
     • Blocking of information resulting from identity theft
     • Coordination of identity theft complaint investigations
  10. Gramm-Leach-Bliley Act
     • Applies to "financial institutions", broadly defined as any business engaged in a wide range of financial activities: car dealers; tax preparers; courier services in some cases; financial institutions not regulated by other agencies
     • Requires businesses to have reasonable policies and procedures to ensure the security and confidentiality of customer information
  11. Federal Trade Commission Act
     • Prohibits deceptive or unfair trade practices
     • Businesses must handle consumer information in a way that is consistent with their promises to their customers
     • Businesses must avoid data security practices that create an unreasonable risk of harm to consumer data
  12. Health Insurance Portability and Accountability Act (HIPAA)
     • Regulates the use and disclosure of protected health information
     • Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
     • Enables patients to find out how their information may be used and what disclosures have been made
     • Note: medical record data is currently worth more on the black market than social security numbers, credit card information, etc.
  13. The going rate
     • Medical records: $50
     • Social security numbers: $3
     • Credit card information: $1.50
     • Date of birth: $3
     • Mother's maiden name: $6
     • Bank account numbers: $100 to $500, depending upon account balance
     From
  14. Bottom line: companies must develop and maintain reasonable procedures to protect sensitive information
  15. Know the threat. Know what to protect. Know how to protect it.
  16. Adversary (the bad guy)
     • Terrorist groups
     • Criminals
     • Organized crime
     • Hackers/crackers
     • Insider threats (generally more costly and often overlooked)
  17. "Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?" "Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don't forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%." From Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT's Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University's Software Engineering Institute.
  18. Adversary motives
     • Possible economic gains
     • Possible political gains
     • Advantage in global markets
     • Self-interest
     • Revenge
     • External pressure
  19. What to protect: this is quite simple, sensitive information
     • Personnel information
     • Customer information
     • Intellectual property
     • Company-generated internal reports
     • Financial information
     • Medical information
     • ... and the list goes on
     If you are not sure, be conservative: "loose lips sink ships"
  20. How to protect it
     • Know what personal information you have in your files and on your computers
     • Keep only what you need for your business
     • Protect the information that you want to keep
     • Properly dispose of what you no longer need
     • Create a plan to respond to security incidents
     • Run periodic employee awareness training
     • If you don't have the time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
  21. Understand common social engineering techniques
     • Social engineering is defined as the manipulation of the natural human tendency to trust
     • The art and science of getting people to do what you want them to do
     "A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password." (Karen J. Bannan, Internet World, January 1, 2001)
  22. The social engineering cycle: information gathering; developing a relationship; execution; exploitation
  23. Shoulder surfing: looking over one's shoulder. Dumpster diving: checking out the trash. Mail-outs: surveys.
  24. Baiting
     • Exploits curiosity
     • Deliberately leaving an item for discovery and use
     Phishing
     • Convincing victims to supply sensitive information
     • Fairly basic
     • Very widely used
     • The phisher often purchases a domain that is designed to imitate an official resource
  25. Vishing
     • Direct call requesting "security verification"
     • E-mail with instructions to call a telephone number to verify account information before access is granted
     • Fake interactive techniques such as "press 1"
     • Call attempting to convince the target to purchase or install software
     Tailgating
     • Gaining access to a restricted area by following someone in
     • Preys on common courtesy
  26. "Quid pro quo"
     • Something for something
     • Often used against office workers
     • The attacker pretends to be a tech support employee returning a call until he or she finds someone in genuine need of support, then extracts other information or requests software downloads
     "Diversion theft"
     • Common technique used to convince couriers that a delivery is to be received elsewhere
  27. Persuasion techniques: impersonation; name dropping; aggression; conformity; friendliness
  28. Impersonation
     • Repairman
     • Helpdesk tech
     • Trusted third party
     Name dropping
     • Using the names of people from your company to make you believe they know you and to gain your trust
     Aggression
     • Intimidation by threatening to escalate to a manager or executive if you do not provide the requested information
  29. Conformity
     • "Everyone else has provided the information so it's fine for you to provide the same."
     • Moves responsibility away from the target
     • Avoids the feeling of guilt
     Friendliness
     • Contacts over a period of time with the intent of building up a rapport, so that when the attacker asks for sensitive information, trust has already been developed
     • Communication on a personal level removes the realization that pressure is being applied to supply information
  30. Recognize the signs. Compliance increases if:
     • The attacker avoids conflict by using a consultative approach
     • The attacker develops and builds a relationship through previous dealings, so the victim will probably comply with a large request after having previously complied with a smaller one
     • The attacker is able to appeal to the victim's senses, building a better relationship by appearing "human" rather than a voice or an e-mail message
     • The attacker has a quick mind and is able to compromise
  31. Signs of a suspect e-mail
     • Unsolicited requests for sensitive information
     • Content appears genuine
     • Disguised hyperlinks and sender address
     • Consists of a clickable image
     • Generic greetings
     • Uses various tricks to entice recipients to click:
       • Customer account details need to be updated due to a software or security upgrade
       • Customer account may be terminated if account details are not provided within a specific time frame
       • Suspect or fraudulent activity involving the user's account has been detected and the user must provide information
       • Routine or random security procedures require the user to verify his or her account by providing the requested information
  32. Spelling and bad grammar; links in e-mails; threats; spoofing of popular websites or companies
  33. Questions to ask before responding
     • Why am I being asked for this information?
     • Is there pressure to take action now?
     • Is it usual to be asked for this sort of information in this format?
     • What consequences might come from misuse of the information that I have been asked to provide?
     • Is the request coming from a known source?
  34. Sources: Federal Trade Commission, BCP Business Center; OSPA; Cornell University IT: Phish Bowl; "Protect your business by understanding common social engineering techniques", Small Business Blog (business-by-understanding.html); Microsoft (symptoms.aspx)
  35. Annotated sample phishing e-mail (image not included): grammar, spacing and capitalization errors (a period with no space and no capital letter at the start of the next sentence); embedded link; threat of immediate action required
  36. Annotated sample phishing e-mail (image not included): threat of immediate action required; claims a violation of company policy is also a violation of law; spelling errors; embedded link
  37. Annotated sample phishing e-mail (image not included): grammar errors (" Windows", "link below", "Windows Defender"); threat of immediate action required; embedded link. Note: Windows Defender itself is a legitimate software program
  38. Annotated sample phishing e-mail (image not included): LinkedIn does not send reminders; embedded link; grammar errors
  39. Annotated sample phishing e-mail (image not included): great job on the website impersonation; 1) imposed threat requiring immediate action; 2) there is no Section 765 in the bylaws; 3) the AICPA does not regulate CPA status; embedded link; grammar errors
  40. Annotated sample phishing e-mail (image not included): zip file with embedded malware; generic greeting; the ticket number does not exist
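The indicators listed on slides 31 and 32 and marked up in the annotated samples on slides 35 to 40 (disguised hyperlinks and sender addresses, generic greetings, threats of immediate action, zip attachments) can be checked mechanically before an e-mail ever reaches a user's judgement. The Python below is an added example, not code from the presentation or from Decosimo; it uses only the standard library. The phrase lists are assumptions chosen to match the slide examples rather than a vetted corpus, registrable_domain is a crude two-label approximation (no public-suffix list), and the two sample messages are constructed to mirror the LinkedIn reminder and helpdesk-ticket slides, using reserved .example domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = (  # assumption: wordlists chosen to match the slide examples, not a vetted corpus
    "immediately", "within 24 hours", "will be terminated",
    "will be suspended", "verify your account", "action required")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host (assumption: no public-suffix list, so co.uk-style suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(text):
    """Host named by a URL or bare domain in text, or '' if there is none (e.g. 'Click here')."""
    candidate = text.strip() if "://" in text else "http://" + text.strip()
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:  # e.g. unbalanced brackets in the visible text
        return ""
    return host if "." in host else ""

def phishing_indicators(raw_message):
    """Return the indicator strings found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(f"reply-to domain differs from sender domain {sender_domain}")
    plain, html, attachments = [], [], []
    for part in msg.walk():  # multipart containers match neither branch
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            (html if part.get_content_type() == "text/html" else plain).append(body)
    collector = LinkCollector()
    for body in html:
        collector.feed(body)
    for href, shown in collector.links:
        link_host, shown_host = host_of(href), host_of(shown)
        # Disguised hyperlink: the visible text names one domain, the href goes to another.
        if link_host and shown_host and registrable_domain(link_host) != registrable_domain(shown_host):
            findings.append(f"disguised hyperlink: shows {shown_host}, goes to {link_host}")
        if link_host and registrable_domain(link_host) != sender_domain:
            findings.append(f"link to {link_host} is off the sender domain {sender_domain}")
    text = " ".join([msg.get("Subject", "")] + plain + [re.sub(r"<[^>]+>", " ", b) for b in html])
    text = re.sub(r"\s+", " ", text).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting")
    urgent = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if urgent:
        findings.append("urgency or threat language: " + ", ".join(urgent))
    findings += [f"risky attachment: {n}" for n in attachments if n.lower().endswith(RISKY_EXTENSIONS)]
    return findings

# Constructed samples modelled on the annotated slides; every domain is a reserved .example name.
PHISH = """\
From: LinkedIn Reminders <notify@linkedin-mail-alerts.example>
Reply-To: collect@notice-desk.example
Subject: Action required: pending messages
Content-Type: text/html; charset=utf-8

<p>Dear user,</p><p>Your account will be suspended unless you verify your account within 24 hours.</p>
<p><a href="http://login.secure-linkedin.example/verify">www.linkedin.com/inbox</a></p>
"""

ZIP_PHISH = """\
From: Helpdesk <helpdesk@company.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Dear customer, your ticket has been closed. The report is attached.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("ZIP_PHISH", ZIP_PHISH)):
        print(label, phishing_indicators(sample))
```

Each finding maps to one sign on the slides; the link checks are the ones a reader cannot reproduce by eye, since a mail client shows the visible text and hides the href. The registrable_domain shortcut is deliberately simple: in production, replace it with a public-suffix-list lookup so that hosts under co.uk or com.au are compared correctly.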