Fraud awareness for companies and their employees, covering the legal aspects of securing confidential information, social engineering techniques, and what to look for in suspect emails.
1. A Global Reach with a Local Perspective
www.decosimo.com
Fraud Awareness - What You and Your Employees Really Need to Know
2. Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA
Senior Manager
pammantone@decosimo.com
423-756-7100
The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
3. Operational Security
• Military term meaning: an analytic process used to deny an adversary information
• Risk assessment tool
• Universal concepts: examines day-to-day activities; controls information; equally applicable to individuals and businesses in general
• Applied in any environment: identifies security risks
4. A strict set of rules and procedures
An expensive and time-consuming process
Used only by the government or military
5. Loss of customer trust and business
Possible lawsuits
Legal issues
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Federal Trade Commission Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act
• Drivers Privacy Protection Act
• Privacy laws
• State laws
6. Fair Credit Reporting Act (FCRA): "consumer report information"
• Personal and credit characteristics
• Character
• General reputation
• Must be prepared by a consumer reporting agency
Examples
• Consumer reports in background checks of employees
• Customer credit histories
7. • Requires businesses that have information covered by the FCRA to take reasonable measures when disposing of the information
• Businesses that collect consumer credit information, credit reports, or employee background histories should ensure compliance
8. Fair and Accurate Credit Transactions Act (FACTA) amendment to the FCRA
• Free credit report once every 12 months
• Limitation on printing credit card numbers
• Red Flag Rule
• Identity theft program
• Must respond to notices of discrepancies
• Assess validity of change of address on issuers of debit and credit cards
• Regulations apply to all businesses that have "covered accounts"
• Defined as any account for which there is a foreseeable risk of identity theft
9. • Fraud alerts required
• Summary of rights of identity theft victims
• Blocking of information resulting from identity theft
• Coordination of identity theft complaint investigations
10. Gramm-Leach-Bliley Act: applies to "financial institutions"
• Broadly defined as any business engaged in a wide range of financial activities
• Car dealers
• Tax preparers
• Courier services in some cases
• Financial institutions not regulated by other agencies
Requires businesses to have reasonable policies and procedures to ensure the security and confidentiality of customer information
11. Federal Trade Commission Act: prohibits deceptive or unfair trade practices
Businesses must handle consumer information in a way that is consistent with their promises to their customers
Must avoid data security practices that create an unreasonable risk of harm to consumer data
12. HIPAA: regulates the use and disclosure of protected health information
Generally limits release of information to the minimum reasonably needed for the purpose of disclosure
Enables patients to find out how their information may be used and what disclosures have been made
Note: Medical record data is currently worth more on the black market than Social Security numbers, credit card information, etc.
13. THE GOING RATE
• Medical records - $50
• Social Security numbers - $3
• Credit card information - $1.50
• Date of birth - $3
• Mother's maiden name - $6
• Bank account numbers - $100 - $500, depending upon account balance
From veriphyr.com
14. Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information
15. Know the threat
Know what to protect
Know how to protect
16. Adversary – the Bad Guy
• Terrorist groups
• Criminals
• Organized crime
• Hackers/crackers
• Insider threats – generally more costly and often overlooked
17. "Q: What is the percentage of insider vs. external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing, or is the evidence anecdotal?"
"Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don't forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%."
From Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT's Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University's Software Engineering Institute
19. This is quite simple – sensitive information
• Personnel information
• Customer information
• Intellectual property
• Company-generated internal reports
• Financial information
• Medical information
• ----and the list goes on--------
If you are not sure, then be conservative – "loose lips sink ships"
20. • Know what personal information you have in your files and on computers
• Keep only what you need for your business
• Protect the information that you want to keep
• Properly dispose of what you no longer need
• Create a plan to respond to security incidents
• Periodic employee awareness training
• If you don't have time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
21. Understand common social engineering techniques
Social engineering is defined as the manipulation of the natural human tendency to trust: the art and science of getting people to do what you want them to do.
"A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password." – Karen J. Bannan, Internet World, January 1, 2001
23. Shoulder surfing
• Looking over one's shoulder
Dumpster diving
• Checking out the trash
Mail-outs
• Surveys
24. Baiting
• Curiosity
• Deliberately leaving an item for discovery and use
Phishing
• Convincing victims to supply sensitive information
• Fairly basic
• Very widely used
• Phisher often purchases a domain that is designed to imitate an official resource
25. Vishing
• Direct call requesting "security verification"
• Email with instructions to call a telephone number to verify account information before granting access
• Fake interactive techniques such as "press 1"
• Call and try to convince the target to purchase or install software
Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
26. "Quid pro quo"
• Something for something
• Often used against office workers
• Attacker pretends to be a "tech support employee returning a call" until he or she finds someone in genuine need of support, then extracts other information or requests software downloads
"Diversion theft"
• Common technique used to convince couriers that a delivery is to be received elsewhere
28. Impersonation
• Repairman
• Helpdesk tech
• Trusted third party
Name dropping
• Using names of people from your company to make you believe they know you and gain your trust
Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide the requested information
29. Conformity
• "Everyone else has provided the information so it's fine for you to provide the same."
• Moves responsibility away from the target
• Avoids the feeling of guilt
Friendliness
• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.
• Communication on a personal level removes the realization of pressure being applied to supply information
30. RECOGNIZE THE SIGNS
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings, so the victim will probably comply with a large request after having previously complied with a smaller one
• Attacker is able to appeal to the victim's senses, thus building a better relationship by appearing to be "human" rather than a voice or an email message
• Attacker has a quick mind and is able to compromise
32. Unsolicited requests for sensitive information
Content appears genuine
Disguised hyperlinks and sender address
Consists of a clickable image
Generic greetings
Use of various tricks to entice recipients to click:
• Customer account details need to be updated due to a software or security upgrade
• Customer account may be terminated if account details are not provided within a specific time frame
• Suspect or fraudulent activity involving the user's account has been detected and the user must provide information
• Routine or random security procedures requiring the user to verify his or her account by providing the requested information
33. Spelling and bad grammar
Links in emails
Threats
Spoofing popular websites or companies
41. Why am I being asked for this information?
Is there pressure to take action now?
Is it usual to be asked for this sort of information in this format?
What consequences might come from misusing the information that I have been asked to provide?
Is the request coming from a known source?
42. SOURCES
Federal Trade Commission, BCP Business Center, www.ftc.gov
OSPA, www.opsecprofessionals.org
Cornell University IT: Phish Bowl, www.it.cornell.edu/security/safety/phishbowl.cfm
Protect your business by understanding common social engineering techniques, Small Business Blog, http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
Microsoft, www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
43. Callouts on an annotated sample email:
• Period, no space, no capitalization at the start of a new sentence
• Grammar, spacing, capitalization
• Embedded link
• Capitalization
• Threat: immediate action required
47. Callouts on an annotated sample email:
• Great job on website impersonation!
• 1) Imposed threat requiring immediate action
• 2) No Section 765 in bylaws
• 3) AICPA does not regulate CPA status
• Embedded link
• Grammar
48. Callouts on an annotated sample email:
• Zip file with embedded malware
• Generic greeting
• Ticket number does not exist
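The indicators the deck lists on slides 24, 32, 33 and 48 (a look-alike domain bought to imitate an official one, disguised hyperlinks and sender address, a clickable image, a generic greeting, urgency or threat language, and a zip attachment carrying an executable) can be checked mechanically before anyone clicks. The following Python script is an added example written for this page, not code from the Decosimo presentation. The trusted-domain list, both sample messages and the heuristics (two-label "registrable" domain, digit-for-letter swaps, the regexes) are assumptions made for the demo; production tooling would use a public-suffix list and a proper HTML parser.

```python
# Phishing e-mail triage applying the indicators from slides 24, 32, 33 and 48.
# Added example, not from the Decosimo deck; TRUSTED_DOMAINS and both sample messages are constructed.
from __future__ import annotations

import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"decosimo.com", "aicpa.org"}  # assumed: domains the firm legitimately deals with
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".jar")
URGENCY = re.compile(r"\b(immediately|within \d+ (hours|days)|suspended|terminated|unusual activity)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|valued\s+\w+)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # adequate for mail HTML
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
HOMOGLYPHS = str.maketrans("0135", "oles")  # digits commonly swapped in for look-alike letters


def registrable(host: str) -> str:
    """Last two labels of a host name (adequate here; real code would use a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_alike(host: str, trusted: set[str] = TRUSTED_DOMAINS) -> str | None:
    """Trusted domain that `host` imitates, or None when it is that domain or one of its subdomains."""
    host = host.lower()
    reg = registrable(host)
    if reg in trusted:
        return None
    name = reg.split(".")[0].translate(HOMOGLYPHS).replace("-", "")
    for t in trusted:
        # trusted name as leading labels (aicpa.org.evil.net) or inside the label (aicpa-org.net, paypa1.com)
        if t in host or t.split(".")[0] in name:
            return t
    return None


def triage(raw: bytes, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Sorted list of phishing indicators found in a raw RFC 822 message; empty when none fire."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags: set[str] = set()
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply and registrable(reply) != registrable(sender):
        flags.add(f"reply-to domain {reply} differs from sender domain {sender}")
    if t := looks_alike(sender, trusted):
        flags.add(f"sender domain {sender} imitates {t}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if GENERIC_GREETING.search(text):
        flags.add("generic greeting")
    if URGENCY.search(text):
        flags.add("urgency or threat language")
    if body is not None and body.get_content_subtype() == "html":
        for href, inner in ANCHOR.findall(text):
            host = urlparse(href).hostname or ""
            if "<img" in inner.lower():
                flags.add("clickable image")
            m = URL_IN_TEXT.search(re.sub(r"<[^>]+>", "", inner))  # visible text only
            if m and registrable(m.group(1)) != registrable(host):  # disguised hyperlink
                flags.add(f"link text shows {m.group(1)} but points to {host}")
            if t := looks_alike(host, trusted):
                flags.add(f"link host {host} imitates {t}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):  # list members; never extract
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as z:
                    bad = [n for n in z.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
            except zipfile.BadZipFile:
                bad = ["<not a valid zip>"]
            if bad:
                flags.add(f"zip attachment {name} contains executable(s): {', '.join(bad)}")
    return sorted(flags)


def sample_phish() -> bytes:
    """Constructed sample (not a real message) that trips every indicator above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_4471.pdf.exe", b"MZ (not a real program)")
    msg = EmailMessage()
    msg["From"] = "AICPA Membership <membership@aicpa-org.net>"
    msg["Reply-To"] = "support@mail-verify.ru"
    msg["Subject"] = "Action required: your CPA status will be terminated"
    msg.set_content("Dear Customer, see the attached notice.")
    msg.add_alternative(
        "<p>Dear Customer,</p><p>Under Section 765 of the bylaws you must "
        '<a href="http://aicpa.org.account-verify.net/login">https://www.aicpa.org/login</a> '
        "within 24 hours or your status will be terminated.</p>"
        '<a href="http://aicpa.org.account-verify.net/login"><img src="cid:button"></a>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_4471.zip")
    return msg.as_bytes()


def sample_legit() -> bytes:
    """Constructed benign message from a trusted domain; triage() should return []."""
    msg = EmailMessage()
    msg["From"] = "HR <hr@decosimo.com>"
    msg.set_content("Hi Pam, the Q3 report is attached to ticket 1182 as discussed.")
    return msg.as_bytes()
```

Running `triage(sample_phish())` returns eight indicators (reply-to mismatch, look-alike sender, generic greeting, urgency, clickable image, link text pointing elsewhere, look-alike link host, and the .pdf.exe inside the zip); `triage(sample_legit())` returns an empty list. The output is a triage aid, not a verdict: a legitimate message can trip one indicator, so hits should feed the questions on slide 41 rather than replace them, and a flagged attachment is only ever listed, never opened.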