
Fraud in Social Media: Facing the Growing Threat


Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud in a High Crime Climate. Recordings of these webinars are available for purchase from our website.
This webinar focused on the subject in the title.
FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web.
FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet® LLC and White-Collar Crime 101 LLC/FraudAware.

Published in: Economy & Finance, Business
  1. Fraud in Social Media: Facing the Growing Threat. September 25, 2013. Special Guest Presenters: Peter Goldmann, FraudResourceNet - White-Collar Crime 101 LLC - FraudAware. Copyright © 2013 FraudResourceNet™ LLC
     About Peter Goldmann, MSc., CFE
     • President and Founder of White Collar Crime 101
     • Publisher of White-Collar Crime Fighter
     • Developer of FraudAware® Anti-Fraud Training
     • Monthly Columnist, The Fraud Examiner, ACFE Newsletter
     • Member of Editorial Advisory Board, ACFE
     • Author of “Fraud in the Markets”, which explains how fraud fueled the financial crisis
  2. About Jim Kaplan, MSc, CIA, CFE
     • President and Founder of AuditNet®, the global resource for auditors
     • Auditor, Web Site Guru, Internet for Auditors Pioneer
     • Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award
     • Author of “The Auditor’s Guide to Internet Resources”, 2nd Edition
     Webinar Housekeeping
     • This webinar and its material are the property of AuditNet® and FraudAware®. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
     • We are recording the webinar and you will be provided access to that recording within 5 business days after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
     • Please complete the evaluation questionnaire to help us continuously improve our Webinars.
     • You must answer the polling questions to qualify for CPE per NASBA.
     • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
     • If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
  3. Disclaimers
     • The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations.
     • These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
     • While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website.
     • Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC.
     Today’s Agenda
     • Introduction
     • Fraud Statistics
     • Auditors Role – Risk Control and Audit
     • Social media fraud against individuals
     • Social media fraud against organizations
     • How E-fraudsters exploit Facebook and other social media sites to commit fraud
     • How to monitor social media sites for signs of criminal actions against your Organization
     • How to reduce your risk of fraud victimization via social media
     • Your Questions
  4. Fraud: The Big Picture
     According to major accounting firms, professional fraud examiners and law enforcement:
     • Fraud costs the world $3.5 TRILLION per year (5%) (ACFE)
     • Average cost for each incident of fraud is $160K (ACFE)
     • People who have been victims of ID theft are just as likely to be lax in securing their personal information online. Study results from identity theft victims and nonvictims are identical. (Ponemon)
     • 91% of online adults use Social Media regularly
     • Social Media use has increased 356% in the US since 2006 (Source: 216 Social Media and Internet Statistics, September 2012)
     Internal Audit’s Role
     • Understand how social media is being used within the organization
     • Review social media policies
     • Conduct a social media risk assessment
     • Ensure that controls are in place to address social media risks
     • Records retention issue
     Audit Reports
     • Social Media Review by Multnomah County, August 2011
     • GAO: SOCIAL MEDIA - Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate
     “Social media is now embedded in our personal and business culture and auditors need to know what the risks and controls are, how to audit this new communication tool and also how to adapt it for use within the audit environment.” Jim Kaplan, AuditNet®
  5. Guidance and Publications
     Social Media Risk Control and Audit. Here are a few examples of more books, tools and resources for auditors:
     • IIA Auditing Social Media
     • AuditNet Social Media Risk Assessment Workbook
     • AuditNet® Guide to Social Networking Security
     • Identity Theft Audit Program
  6. Social Media Risks
     The Biggest Social Media Risk: Not Paying Attention to Social Media, according to major corporate executives (March 20, 2012).
     Social Media and Cloud Computing Top Internal Auditors' Technology Hot List, According to New Protiviti Research: Social media and cloud computing are top concerns – Internal audit executives and professionals recognize they must have superior knowledge and understanding of these areas and their inherent risks, and how their organizations are leveraging as well as controlling them, in order to perform their jobs at a high level and add value to the organizations they serve. (Protiviti 2012 Internal Audit Capabilities and Needs Survey)
     Social Media Risks
     As the use of social media continues to grow, so too does the risk of fraud involving social media.
     Social Media and its associated risk – Grant Thornton and FERF. Prioritized concerns from a survey conducted by Grant Thornton and FERF:
     1. Disclosure of proprietary information
     2. Negative comments about the company
     3. Exposure of personally identifiable information
     4. Fraud
     5. Out of date information
  7. Social Media Risks
     Risks:
     • Employees or non-employees creating a social media page representing your company without management/IT consent or approval
     • Trade secrets or other business secrets being inadvertently or even deliberately shared
     • Dissatisfied customers or disgruntled employees voicing their opinions freely
     • Viruses, spyware and network vulnerabilities occurring due to the interactivity and open nature of social media architecture
     Social Media Controls
     Controls:
     • The extent to which social media will be officially sanctioned by the organization
     • Who is allowed to use the social media sites
     • How users gain approval to use the social media sites
     • Standards/policy of social media use inside and outside of the workplace
     • Brand monitoring and legal involvement
     • How to report false pages
  8. Social Media Audit Objectives and Scope
     • Objective—The objective of a social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies and processes.
     • Scope—The review will focus on governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:
       • Strategy and governance—policies and frameworks
       • People—training and awareness
       • Processes
       • Technology
     • Selection of the social media projects and initiatives will be based on risks introduced to the enterprise by these systems.
     Social Media Audit Program Sample Steps
     • Social Media Audit Program — Should be a comprehensively written program to detect, implement, and monitor compliance with the laws and regulations that impact the various components of social media. It should provide written procedures to ensure compliance.
     • Identification of inappropriateness with social media channels and non-compliance with the Social Media Policy — The company should clearly identify what is acceptable and what is not acceptable, based on a risk assessment and the outlined rules and specifications of the Social Media Audit Program.
     Continued…
  9. Social Media Audit Program Sample Steps
     • Prior examination/audit findings — If weaknesses were previously cited in the company’s social media examination or audit that may impact the company’s social media program, has management taken appropriate steps to institute corrective actions?
     • Training program(s) — Training should be tailored to address all employees.
     • Incident response — A formal review should be made of all alleged and/or actual incidents and how the company handled the incident.
     • Internal audit and annual reports — Management should regularly report on its responsiveness to cited weaknesses in the social media program.
     Social Media: The Fraud Threat
     • Social media is based on Web 2.0 and fosters the notion that people who consume media, access the Internet, and use the Web no longer passively absorb the flow of content from provider to viewer; rather, they are active contributors, helping customize media and technology for their own purposes.
     • One of social media’s greatest threats comes from employees who put work-related information onto social media sites—intentionally or unintentionally.
     • It’s all about ID theft, ID fraud, social engineering, espionage, cyber-crime and financial fraud against INDIVIDUALS and ORGANIZATIONS.
  10. Fraud Against Individuals
     • The wife of Sir John Sawers, Head of MI6 (the UK equivalent of the CIA), posted sensitive information to her Facebook page, including the address of the couple’s London apartment and the locations of their children and Sir John’s parents. Problem: Potential national security & blackmail risk.
     • “John Doe” received a message from a Facebook friend which had a link to a funny video. He clicked on it. The link did not bring up a video. The friend’s profile had been hacked, and now malicious software was being downloaded onto John’s computer as a result of him clicking on the link. This software was designed to open a way for an identity thief to take personal information from John’s system. It also sent a similar E-mail to everybody he was connected with on his profile, asking them to “view the video”.
     Financial Identity Theft Against Individuals
     • ID theft against individuals. Fraudsters use Facebook to EASILY crack your password. Most online accounts use “qualifying questions” or Knowledge Based Authentication questions and answers to verify your identity if you “forget” your password. These questions usually involve personal information, such as your kids’, other relatives’, or pets’ names or birthdays.
     • When fraudsters find this information on your Facebook page, they can reset your passwords and steal your identity.
     • Key message: Limit what you post, and lock down your privacy settings.
  11. ID Theft Weapon: Social Engineering
     • Social engineering: Techniques used to manipulate people into performing actions or divulging confidential information.
     • Uses various forms of psychological trickery via numerous channels (now increasingly social media) to get the victim to provide sensitive information or computer system access…
     ID Theft Weapon: Pretexting
     • Pretexting: Using personal information acquired under false pretenses to commit fraud.
     • How it’s done: Creating and using an invented scenario (the pretext) to persuade a social media target to release information or perform an action… usually done over the telephone.
     • More than a lie, as it most often involves some prior research or set-up and the use of pieces of known information from a social media site (DOB, Social Security Number, last bill amount, etc.) to establish legitimacy in the mind of the target…
  12. ID Theft Weapon: Pretexting
     Pretexters/fraudsters may pose as an employee from the victim’s:
     • Bank
     • Utility
     • Merchant/Organization
     • Employer (co-worker)
     • Government agency
     • Landlord
     Key objective: Pretexters sell your information to people who use it to get credit in your name, steal your assets, or to investigate, blackmail or sue you.
     Polling Question 1: Social media fraud is ________________ risky for individuals than it is for organizations.
     A. Less
     B. More
     C. Equally
  13. Social Media Phishing & Hijacking
     More Social Media Phishing & Hijacking
     • Account hijacking. Phishers imitate the Facebook Email template, tricking victims into believing they have received a legitimate Facebook message or notification. Once you enter your username and password into the fake Facebook web site, criminals can take over your account, pose as you, post unwanted ads, ask your friends for money, information, etc.
     • Self defense: Always log into your Facebook account manually, rather than going through a link in an E-mail.
  14. Social Media Identity Fraud
     • Brand-Jacking IKEA: Scams. Set up a phony Facebook page and market it to a few people, who then send it to their friends, who send it to their friends, to become FB “fans” in exchange for a $1,000 gift card that never came. 40,000 victims sent their personal information and became potential ID theft/fraud victims. As they say: If it sounds too good to be true, it probably is.
     Fraud Against Organizations: It’s All About Trust
     A survey of 500 managers and employees with access to sensitive customer information found the following:
     • 66% said co-workers, not hackers, pose the greatest risk to consumer privacy; only 10% said hackers are the greatest threat.
     • 62% reported incidents at work that put customer data at risk for identity theft.
     • 46% said it would be “easy,” “very easy” or “extremely easy” for employees to steal sensitive data from the corporate database.
     SOCIAL MEDIA SITES ARE BEING USED INCREASINGLY TO COMMIT THESE CRIMES
  15. Polling Question 2: Pretexting is (Choose the best answer)
     a) Gaining unauthorized access to secure computer networks
     b) Acquiring personal information under false pretenses
     c) Impersonating you to gain financial benefit illegally
     d) Stealing sensitive data from secured networks
     e) All of the above
     How To Hack A Company With Facebook-1
     • Pose as an employee, setting up a Facebook group, and inviting or “friending” other employees to join. Membership will grow exponentially each day.
     • Gather intelligence from “co-workers” about the organization.
     • Monitor all social networking sites for employees of the target company -- MySpace, LinkedIn, Plaxo, and others.
     • Find those who openly discuss what they do for a living.
     • Key: By creating a group, you have access to profiles of fellow employees who have no reason to distrust you. Gathering sensitive information is easy.
     Source: Steve Stasiukonis of Secure Network Technologies
  16. How To Hack A Company With Facebook-2
     • Use the identity of a Facebook-friended employee to gain access to a company building:
     • Create a fake identity of an employee who is not known to the office to be breached, but is still in the company’s system.
     • With a little creativity, a fake business card and a fake company ID card built from info gathered from our Facebook group, the fraudster was “in”. Given an office and full access.
     • Once inside, can plug into the company network, create a wireless hub to access from the outside and/or plant keyloggers or other malware onto office PCs.
     Source: Steve Stasiukonis of Secure Network Technologies
     Social Media and Corporate Espionage
     “The gadgets and gizmos of the spy movies have not gone away. But today's corporate spies are more likely to trawl through Facebook pages and Twitter feeds for snippets of information they can build into valuable intelligence on a target organization.” The Wall Street Journal, Oct. 18, 2011
     Example: Social engineering/espionage: Through social networks it was learned that a financial executive was a divorcee. Perpetrators created a dummy female profile on Facebook, “friended” him and cultivated an online relationship that ended in him sharing confidential information about the company with "her".
  17. Why Impersonate?
     • Steal clients or potential clients by posing as a vendor and claiming to be going out of business
     • Conduct phishing attacks
     • Intentionally pose as someone (usually a senior manager) of your organization, to bad-mouth the competition. Creates the risk of your employer becoming the target of litigation
     • Use your identity to harass someone you know
     • Pose as a government entity to steal data and commit new account fraud
     • Pose as a rival C-level executive on Facebook, LinkedIn, or Twitter, to gather marketing intelligence. Once they are “linked” or “friended,” they have access to those individuals’ contacts and inner circle
     • Disgruntled employees use social media to create pseudonyms to vent frustration about their boss or company. Can result in a PR nightmare
     • Create a blog or link to a tongue-in-cheek Web site that might be funny, but will not be funny to you
     How to Prevent Impersonation
     • Set up accounts with your full name and those of your company, officers, spouse and kids on the most trafficked social media sites, blogs, domains or Web based E-mail accounts. If your name is already taken, include your middle initial, a period or a hyphen. Decide whether or not to plug in your picture and basic bio, but leave out your age or birthday.
     • Set up free Google Alerts for your name/company to get an E-mail every time your name pops up online.
  18. How to Prevent Impersonation
     • Broaden your company’s online reputation. Blogging is best. Objective: Try to get Google to bring your given/company/officers’ names to the top of search in the best possible light. This is a combination of online reputation management and search engine optimization (SEO) for your brand.
     • If you identify someone using your photo or bio in the social media, be very persistent in contacting the site’s administrators. THIS IS FRAUD! They too have reputations to manage and if they see someone using your photo or likeness they will often delete stolen profiles.
     • Enlist services such as Mark Monitor or other brand protection and trademark management firms.
     Polling Question #3: To hack into a company using Facebook, you need the usernames and passwords of its secure networks…
     a) True
     b) False
  19. Manage Employee Use: Banning
     • Consider NOT outright banning employee use of Social Media at work. This often creates resentment and an incentive to find ways around the rules (via use of unprohibited sites, etc.).
     • Example: The Marines recently banned soldiers from using social media sites such as MySpace, Facebook and Twitter. Reasons: 1) Fear that these sites’ lack of security may allow malware to infiltrate government computers. 2) Concern about leaked military data.
     • Problem: Soldiers used online dating sites that weren’t prohibited. Hackers exposed personal information on military subscribers of an online dating site. This forced the DOD to command military personnel not to use their military information on commercial social media sites.
     • Lesson: A smart usage policy works better than prohibition.
     Manage Employee Use: Policies
     • Essential: A policy that regulates employee access and gives guidelines for appropriate behavior. Audit and IT are often best positioned to develop (and monitor) the policy.
     • Teach effective use: Provide training on proper use and especially on what not to do.
     • Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
     • Limit social network use: There are hundreds of social networks serving numerous uses from music to movies, from friending to “hooking up”. Some are appropriate and others even less secure. Screen and enforce “off-limit” rules. Include them in company policy (including privacy).
     • Review Social Media Guidelines from other companies.
  20. Manage Employee Use: Policies
     • Train IT personnel: Effective policies begin from the top down. IT must be up to speed. May need to coordinate with Internal Audit to monitor social media use. Critical: Managers and employees are never to post work-related information without authorization, nor to post work-related information on personal pages.
     • Maintain updated security: Whether hardware or software, A-V or critical security patches, make sure you are up-to-date.
     • Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings are often invitations to hackers.
     Social Media As An Investigative Tool
     • Fraud investigators increasingly use social networks to gather public evidence of misconduct (see below).
     • Illinois and Maryland prohibit employers from requiring employees to provide social media account passwords. But loopholes may still enable employer access to employee accounts.
     • Caution: Conduct a social media investigation only after consulting a qualified attorney. Some laws also forbid “friending” if you are doing it for investigative purposes. The law is in flux and can be tricky. Example: Courts have ruled that lawyers or investigators working for them cannot “friend” a suspect already represented by counsel.
  21. Polling Question #4: Which of the following are potentially serious social media-related threats to most organizations?
     a) Spreading false information about a product
     b) Gaining unauthorized access to an executive’s inner circle
     c) Posing as your company for phishing attacks to steal money
     d) All of the above
     Polling Question 3: Outright banning of social media sites by employees is the most effective way to minimize the many SM risks threatening your organization.
     A. True
     B. False
  22. Questions? Any Questions? Don’t be Shy!
     Coming Up Next Month
     • An Expert’s Advice on Establishing an Organization Wide Fraud Policy, October 8
     • Using Data Analytics to Detect and Deter Procure-to-Pay Fraud, October 30
  23. Thank You!
     Website:
     Jim Kaplan, FraudResourceNet™, 800-385-1625
     Peter Goldmann, FraudResourceNet™, 800-440-2261
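The "Encourage URL decoding" advice on the policies slide (expand a shortened link before anyone clicks it) can be done in-house instead of pasting links into a third-party service. The following is an added example, not code from the webinar or from FraudResourceNet: it walks the redirect chain one HEAD request at a time so the final page is never loaded, and reports every host touched on the way. The shortener hostnames and redirect table in `DEMO_REDIRECTS` are constructed for the offline demo.

```python
"""Expand a shortened URL hop by hop using HEAD requests only, so the final
page body is never fetched. `head` is pluggable so the logic runs against an
in-memory redirect table (demo()) as well as a live server (live_head)."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def live_head(url, timeout=5):
    """Send one HEAD request; return (status, Location header) without following."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand_short_url(url, head=live_head, max_hops=10):
    """Return the redirect chain starting at url (final destination last).
    Raises RuntimeError past max_hops: redirect loops are themselves a warning sign."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("more than %d redirects from %s" % (max_hops, url))

def hosts_in_chain(chain):
    """Distinct hostnames touched along the chain, in order of first appearance."""
    seen = []
    for u in chain:
        host = urlsplit(u).hostname
        if host and host not in seen:
            seen.append(host)
    return seen

# Constructed redirect table standing in for a shortener; hostnames are invented.
DEMO_REDIRECTS = {
    "http://short.example/abc123": (302, "/promo"),
    "http://short.example/promo": (301, "http://tracker.example/r?x=1"),
    "http://tracker.example/r?x=1": (307, "https://landing.example/login"),
    "https://landing.example/login": (200, None),
}

def demo_head(url):
    """In-memory stand-in for live_head; unknown URLs answer 404."""
    return DEMO_REDIRECTS.get(url, (404, None))

def demo():
    """Expand the constructed short link offline and return its chain."""
    return expand_short_url("http://short.example/abc123", head=demo_head)

if __name__ == "__main__":
    for i, hop in enumerate(demo()):
        print("hop %d: %s" % (i, hop))
    print("hosts touched:", ", ".join(hosts_in_chain(demo())))
```

With `live_head` the intermediate shortener and tracker hosts still see the request, so run it from an analysis machine rather than the recipient's workstation; a chain that ends on a login page under an unfamiliar host is exactly the case the policy wants caught before the click.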