Combatting Fraud
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 3/12/2016 | 2

Slide 2: Objectives
The student shall be able to:
• What are the key elements of fraud, and what techniques can be used to counteract these key elements?
• What are the three categories of fraud, and what crimes do they include?
• Define skimming, larceny, embezzlement, lapping, shell company, payroll manipulation, ghost employees.
• What are the legal considerations of fraud?
• Who commits fraud, and who commits the most expensive fraud?
• What are some red flags of potential fraud?
• How does social engineering occur, and how can it be prevented?
• Define the four roles of segregation of duties.
• Describe the purpose of the 3 stages of a fraud investigation.

Slide 3: The Problem
[Chart: Amount recovered following an incident of fraud]
• Organizations lose 5% of revenue annually due to internal fraud
• The average scheme lasts 18 months and costs $140,000
• 20% of cases cost more than $1M
• Smaller companies suffer greater average dollar losses due to inadequate controls
Source: ACFE 2012, 2014 “Report to the Nations on Occupational Fraud and Abuse”

Slide 4: Internal or Occupational Fraud
Definition: internal fraud
• Violates the employee’s fiduciary responsibility to the employer
• Is done secretly and is concealed
• Is done to achieve a direct or indirect benefit
• Costs the organization assets, revenue, or opportunity

Slide 5: Fraud Categories
Category (% of cases, average loss): examples
• Asset Misappropriation (85%, $130,000): Theft of checks, cash, money orders, inventory, equipment, supplies, information
• Bribery & Corruption (37%, $200,000): Bribe to accept a contractor bid, or kickback; collusion; bid rigging. Extortion: threat of harm if demand not met. False billing: providing lower quality, overcharging. Conflict of interest in a power decision. Corporate espionage: selling secrets.
• Financial Statement Fraud (9%, $1 million; $4 million in 2010): Revenue overstatement: false sales. Understating expenses: delayed or capitalized expenses. Overstating assets: no write-down of uncollectable accounts, obsolete inventory, … Understating liabilities: not recording owed amounts. Misapplication of accounting rules, etc.

Slide 6: Legal Considerations of Fraud
• Intentionally false representation
• Not an error
• Lying or concealing actions
• Pattern of unethical behavior
• Personal material benefit
• Organizational or victim loss

Slide 7: Key Elements of Fraud
The 3 key elements:
• Motivation: need or perceived need
• Opportunity: access to assets, information, computers, people
• Rationalization: justification for the action

Slide 8: How Fraud is Discovered
• Tips: provided by employees 49%, customers 21.6%, anonymous 14.6%, vendors 9.6%
Source: ACFE “2014 Report to the Nations on Occupational Fraud and Abuse”

Slide 9: Collusion
• Collusion: two or more employees, or an employee and a vendor, defraud together
Source: 2012 Global Fraud Study, Assoc. of Fraud Examiners

Slide 10: Who Does Fraud?
• The most expensive internal frauds are committed by longer-tenured, older, and more educated staff
• Executives commit the most expensive fraud: $500K
  • Median manager fraud: $130K
  • Median line-employee fraud: $75K
• Most-hit industries: banks/financial 16.7%; government/public administration 10.3%; manufacturing 10.1%
• 95% have no criminal convictions related to fraud
• To steal a lot of money, you must have a position of power and access:
  • highly degreed > HS grad
  • older > younger people
Source: 2012, 2014 Global Fraud Study, Assoc. of Fraud Examiners

Slide 11: Discussion Points
• What types of fraud could computer programmers or system administrators commit?
• For each type of fraud, what methods may help to prevent such fraud?

Slide 12: Example 1: Financial Statement Fraud
Executives and Wall Street have high expectations; employees are needed to meet the standards. To meet these standards it may be necessary to play the game, and financial statement fraud may be accepted. Methods of such fraud may include manual adjustments to accounts or improper accounting procedures.

Slide 13: Example 2: Corruption
The director of a subsidiary always purchases goods from two large organizations, which provide rebates for large purchase quantities. The director negotiated the contracts and pocketed the rebates into an off-shore bank account. Local vendors are upset that their bids are ignored.

Slide 14: Example 3: Asset Misappropriation
A manager took money from one account and, when payment was due, paid it via another account. When that was due, she paid via a third account, and so on. This lapping went on for years and was finally caught when an illness kept her absent from work for an extended period.

Slide 15: Asset Misappropriation Vocabulary
• Skimming: taking funds before they are recorded in company records
• Cash larceny: taking funds (e.g., a check) that the company recorded as going to someone else
• Embezzlement: abusing a business privilege for personal gain
• Lapping: a theft is covered with another person’s check (and so on)
• Check tampering: a forged or altered check for gain
• Shell company: payments made to a fake company
• Payroll manipulation: ghost employees, falsified hours, understated leave/vacation time
• False shipping orders or missing/defective receiving records: inventory theft

Slide 16: Detecting & Preventing Fraud
• How to recognize fraud
• How to prevent fraud
• Information systems applications

Slide 17: Fraud & Audit
• Audits are not designed to detect fraud
• Goal: determine whether the financial statement is free from material misstatements
• Auditors test only a small fraction of transactions
• Auditors must:
  • Be aware of the potential for fraud
  • Discuss how fraud could occur
  • Delve into suspicious observations and report them

Slide 18: Red Flags
• Significant change in lifestyle: new wealth
• Addiction: gambling, drug addiction, infidelity
• Criminal background
• Chronic legal problems
• Dishonest behavior in general
• “Beat the system”: commonly breaks rules
• Dissatisfaction with job
Source: Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study. ACFE.

Slide 19: Work Habits of Fraudsters
One or more of:
• Justifying poor work habits
• Desperately trying to meet performance goals
• Over-protective of certain documents (poor sharing, or avoids documentation)
• Refusal to swap job duties
• Consistently at work in off-time (early or late), or never absent
Source: Essentials of Corporate Fraud, T. L. Coenen, 2008, John Wiley & Sons

Slide 20: Potential Transaction Red Flags
• Unusual transactions: unusual timing, too frequent or too infrequent
• Unusual amount: too much or too little
• Unusual participant: involves an unknown or closely related party
• Voided checks or receipts with no explanation
• Insufficient supervision
• Pattern of adjustments to accounts
• Different addresses for the same vendor, or vendors with similar names

Slide 21: Fraud Control Types
After fraud, corrective controls:
• Punishment -> amend controls
• Fidelity insurance
• Employee bonding
At the time of fraud, detective controls (finding fraud when it occurs) include:
• Anonymous hotline* -> surprise audits* -> monitoring activities -> complaint or fraud investigation
• Mandatory vacations
Before fraud, preventive controls (***BEST***) include:
• Segregation of duties
• Ethical culture
• Internal controls: physical & data security, authorization (passwords, etc.), signed documents
• Fraud education
• Employee support programs
• Background checks

Slide 22: Techniques to Discourage Fraud
Key element: techniques
• Motivation: realistic job expectations; adequate pay; training in job duties
• Opportunity: segregation of duties; checks and balances; job rotation; physical security of assets; background checks; mandatory vacations; examination of required documentation
• Rationalization: trained in policies and procedures; policy enforcement; senior management models ethical behavior to customers, vendors, employees, shareholders

Slide 23: Segregation of Duties
The four roles (diagram):
• Origination
• Authorization: approves
• Distribution: acts on
• Verification: double-checks

Slide 24: Compensating Controls
When segregation of duties is not possible, use:
• Audit trails
• Transaction logs: a record of all transactions in a batch
• Reconciliation: ensure transaction batches are not modified during processing
• Exception reporting: track rejected and/or exceptional (non-standard) transactions
• Supervisory or independent reviews
• Separation of duties: authorization, distribution, verification

Slide 25: Software to Detect Fraud
• Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs
• Detect anomalies such as unusual amounts or patterns
• Compare vendor addresses and phone numbers with employee data
• Use range or limit validation to detect fraudulent transactions
• Log computer activity: login or password attempts, data access attempts, and the geographical location of data access
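The detection rules from the software slides (vendor contact data compared with employee data, vendors with similar names or addresses, out-of-sequence checks, excessive voids or refunds per employee, and range/limit validation) are simple enough to implement as batch checks over the accounts-payable and point-of-sale records. The Python below is an added example, not code from the deck or from any product it mentions; it also covers the data-mining step of an investigation that matches employee and accounts-payable contact information. All vendor, employee, check and transaction records are constructed sample data, and the thresholds (two voids, a $10,000 limit) are assumed values a reviewer would tune to the business.

```python
"""Batch fraud-detection checks over constructed AP and point-of-sale data.

Each function implements one red flag from the slides. Records and
thresholds are constructed for the example; real systems would read
them from the accounting database.
"""
import re
from collections import Counter
from itertools import combinations

# Tokens dropped when comparing vendor names, so "Acme Supply Inc." == "ACME SUPPLY"
CORP_SUFFIXES = {"inc", "llc", "corp", "co", "ltd", "company", "corporation"}
# Address words folded to a canonical abbreviation before comparison
ADDR_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}


def normalize_name(name):
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)


def normalize_phone(phone):
    return re.sub(r"\D", "", phone)  # keep digits only


def normalize_address(addr):
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ADDR_ABBREV.get(t, t) for t in tokens)


def vendor_employee_matches(vendors, employees):
    """Vendors whose address or phone equals an employee's: shell-company red flag."""
    hits = []
    for v in vendors:
        for e in employees:
            if normalize_address(v["address"]) == normalize_address(e["address"]):
                hits.append((v["id"], e["id"], "address"))
            if normalize_phone(v["phone"]) == normalize_phone(e["phone"]):
                hits.append((v["id"], e["id"], "phone"))
    return hits


def similar_vendors(vendors):
    """Distinct vendor records that collapse to the same name or the same address."""
    pairs = []
    for a, b in combinations(vendors, 2):
        if normalize_name(a["name"]) == normalize_name(b["name"]):
            pairs.append((a["id"], b["id"], "name"))
        elif normalize_address(a["address"]) == normalize_address(b["address"]):
            pairs.append((a["id"], b["id"], "address"))
    return pairs


def out_of_sequence_checks(checks):
    """Check numbers that are not strictly increasing in issue-date order."""
    flagged, high = [], 0
    for c in sorted(checks, key=lambda c: c["issued"]):
        if c["number"] <= high:
            flagged.append(c["number"])
        else:
            high = c["number"]
    return flagged


def excessive_voids(transactions, limit):
    """Employees with more voids/refunds than the allowed limit."""
    counts = Counter(t["employee"] for t in transactions if t["type"] in ("void", "refund"))
    return {emp: n for emp, n in counts.items() if n > limit}


def limit_violations(transactions, max_amount):
    """Range/limit validation: amounts outside (0, max_amount]."""
    return [t["id"] for t in transactions if not 0 < t["amount"] <= max_amount]


# Constructed sample data: V101 duplicates V100, V103 shares E7's contact details
VENDORS = [
    {"id": "V100", "name": "Acme Supply Inc.", "address": "12 Main Street, Suite 4", "phone": "(555) 010-2000"},
    {"id": "V101", "name": "ACME SUPPLY", "address": "12 Main St Ste 4", "phone": "555-010-2000"},
    {"id": "V102", "name": "Northwind Traders LLC", "address": "9 Harbor Road", "phone": "555-010-3000"},
    {"id": "V103", "name": "JMS Consulting", "address": "44 Elm Avenue", "phone": "555-010-4000"},
]
EMPLOYEES = [
    {"id": "E7", "name": "J. M. Smith", "address": "44 Elm Ave", "phone": "555-010-4000"},
    {"id": "E8", "name": "R. Jones", "address": "1 Oak Lane", "phone": "555-010-5000"},
]
CHECKS = [
    {"number": 1001, "issued": "2016-03-01"},
    {"number": 1002, "issued": "2016-03-02"},
    {"number": 998, "issued": "2016-03-03"},  # older number issued after newer ones
    {"number": 1003, "issued": "2016-03-04"},
]
TRANSACTIONS = [
    {"id": "T1", "employee": "E8", "type": "sale", "amount": 120.0},
    {"id": "T2", "employee": "E8", "type": "void", "amount": 120.0},
    {"id": "T3", "employee": "E8", "type": "refund", "amount": 80.0},
    {"id": "T4", "employee": "E8", "type": "void", "amount": 45.0},
    {"id": "T5", "employee": "E7", "type": "sale", "amount": 25000.0},  # over limit
    {"id": "T6", "employee": "E7", "type": "sale", "amount": -10.0},  # negative amount
]


def run_all():
    """Run every check and return the findings keyed by rule name."""
    return {
        "vendor_employee": vendor_employee_matches(VENDORS, EMPLOYEES),
        "similar_vendors": similar_vendors(VENDORS),
        "out_of_sequence": out_of_sequence_checks(CHECKS),
        "excessive_voids": excessive_voids(TRANSACTIONS, limit=2),
        "limit_violations": limit_violations(TRANSACTIONS, max_amount=10000.0),
    }


if __name__ == "__main__":
    for rule, result in run_all().items():
        print(f"{rule}: {result}")
```

Each rule only produces a lead for a reviewer: a vendor sharing an employee's phone number is a red flag to be double-checked by management (as the business application checks slide recommends), not proof of a shell company, and the normalization deliberately errs toward more matches so that a fraudster's small spelling changes do not hide a duplicate vendor.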
Slide 26: Red Flags Software Can Detect
• Out-of-sequence checks
• Large number of voids or refunds made by an employee or customer
• Manually prepared checks from a large company
• Payments sent to a nonstandard (unofficial) address
• Unexplained changes in vendor activity
• Vendors with similar names or addresses
• Unapproved vendor, or new vendor with high activity

Slide 27: Encourage Security in IT Departments
• Physical security
• Segregation of duties
• Employee monitoring
• Surprise audits
• Job rotation
• Examination of documentation
Segregated roles (diagram): Quality Assurance, Programmer Analyst, Business Analyst

Slide 28: Business Application Checks
• Checks locked up; access restricted
• Physical inventory of checks at least every quarter
• New accounts-payable vendors’ existence and address double-checked by management
• Returned checks sent to a PO Box and evaluated by someone independent of Accounts Payable

Slide 29: Question
What is the MOST effective means of preventing fraud?
1. Effective internal controls
2. Fraud training program
3. Fraud hotline
4. Punishment when fraud is discovered

Slide 30: Question
A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4M over 3 years. The auditor should have found that:
1. The vendor was a phony company
2. Purchases from the vendor did not result in inventory received
3. The initials for the vendor matched an employee in the accounting department
4. Management did not authorize new vendors with a separate phone call

Slide 31: Question
What are Origination, Authorization, Distribution, Verification?
1. Four stages of software release
2. Recommended authority allocations for access control
3. Stages for development of a Biometric Identity Management System (BIMS)
4. Categories for segregation of duties

Slide 32: External Fraud
• Social engineering
• Check & receipt fraud
• A fraud investigation

Slide 33: Red Flags Rule
Red flag category: example red flag cases
• Suspicious documents: Identification or application looks forged or altered. Information is inconsistent between the ID, what the client says, and their records. Picture or signature differs. Information matches other clients.
• Personal identifying information: Information looks suspicious: phone number is an answering service; SSN is on the Death Master File; information is inconsistent with the credit report. Incomplete application, and the client fails to submit additional information. Client cannot provide authenticating information beyond name, address, phone.
• Account activity: A major change in spending or payment habits. A change of address followed by unusual requests, e.g., multiple credit cards. Initial use of a credit card shows unusual activity: first payment only; purchase of products easily converted to cash (electronics, jewelry). Inactive accounts suddenly become active. Mail is undeliverable but transactions continue.
• Warnings from a credit agency: Changes to a credit report inconsistent with the client’s history. Indication of fraud, credit freeze or other abuse. Changes in recent credit transactions: increase in inquiries or new accounts.
• Other sources: A tip indicates an account has been opened inappropriately or used fraudulently.

Slide 34: Social Engineering I
Email examples:
• “The first 500 people to register at our Web site will win free tickets to … Please provide company email address and choose a password”
• “You received a message from Facebook. Follow this link … log in.”
• Social engineering: getting people to do something they would not ordinarily do for a stranger
• Social engineering is nearly 100% effective

Slide 35: Social Engineering II
Telephone call from ‘IT’:
• “Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix…”
• “We need to test a new utility to change your password…”

Slide 36: Social Engineering III
• Phone call 1: “I had a great experience at your store. Can you tell me the manager’s name and address?”
• Phone call 2: “This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can’t read it; can you tell me? What is the code?”
  “You should be telling me the code…”
  “That’s ok, it can wait. I am leaving, but Alice won’t get her information…”
  “The code is … ”
• Phone call or fax 3: “I need … Code is …”

Slide 37: Social Engineering Techniques
• Learns insider vocabulary and/or personnel names
• Pretends to be a legitimate insider: “I am <VP, IT, other branch, other dept>. Can you …?”
• Pretends a real transaction
• Helping: “I am in trouble” or “you need help due to …”
  • “<My, Your> computer is <virused, broken, busy, don’t have one>. Can you <do, tell me> …?”
• Deception: hides the real question among others
• Establishes a relationship: uses friendliness to gain trust for future tasks

Slide 38: Combating Social Engineering
Verification procedure:
• Verify the requester is who they claim to be
• Verify the requester is currently employed in the position claimed
• Verify the role is authorized for the request
• Record the transaction
Organization security:
• Data classification defines treatment
• Policies define guidelines for employee behavior
• Employees are trained in roles, need-to-know, and policies

Slide 39: Fraud Scams
• Get a receipt from the trash, then ‘return’ a product
• Copy a gift certificate and cash it in at multiple locations
• Markdown sale prices reimbursed with a receipt; the receipt is copied and collected at multiple locations
• Fake UPC numbers to pay low prices, then return at the higher price. If the receipt total is sufficient, the scam may work.

Slide 40: Preventing Scams
• Receipts must have security marks on them (e.g., two-colored ink on special paper, or better, thermochromatic ink)
• Line-item detail on receipts and sales records in the company database
• Garbage bins that may receive receipts should be protected from access (e.g., bank garbage bins)
• Register gift certificates with unique numbers
• Shredders should be used for any sensitive information
• Protect against shoulder surfing or device attachment on card readers

Slide 41: Check Fraud Examples
• Altered checks: chemicals are used to erase the payee or amount, which is then reprinted; or the check is appended to.
  • An Argentinian modified a ticket-overpayment refund check from Miami, changing a $2 check to $1.45 million
• Counterfeit checks or identity assumption:
  • Someone in your checkout line views your check, or does yard work for you
  • Fishes in a business’s in-mailbox or a home’s out-mail for a check
  • Checks can be purchased online or by mail order
• Telemarketing fraud: “You’ve won a prize” or “Would you like to open a VISA?” “Now give me your account information.”
• Hot check (“insufficient funds”): 90% of ‘insufficient funds’ checks are numbered between 101 and 200; the account opening year may be printed on the check

Slide 42: Be Careful Printing Checks!
• Paychecks & accounts payable should not be printed on blank check paper
• A laser printer is non-impact (ink does not go into the paper but sits on top)
  • Easy to remove the printing
  • ‘Laser Lock’ or ‘Toner Lock’ seals laser printing
• A matrix printer puts ink into the paper
  • Chemical ‘washing’ removes the print
• Good practices:
  • Use larger printing: 12-point font
  • Reverse toner in software: white on black
  • Control check stock and guard checks
  • Check your bank statements; you have 30 days

Slide 43: Check Security Features
• Watermark: subtle design viewable at a 45-degree angle toward the light; cannot be photocopied
• Void pantograph: background pattern of checks; when photocopied, the background pattern disappears or prints ‘VOID’
• Chemical voids: when the check is treated with an eradicator chemical, the word VOID appears
• Microprinting: when magnified, the signature or check border appears to be written words; the resolution is too fine for a photocopier
• 3-D reflective holostripe: a metallic stripe contains at least one hologram, similar to a credit card
• Security ink: reacts to eradication chemicals, distorting the check
• Thermochromic ink: reacts to heat and moisture by fading and reappearing

Slide 44: Processing Money Orders
• Money order information provides information on a ready checking account
• A non-negotiable incoming wire account prevents outgoing checks
Cartoon: “I would like to send you a money order. What is your account number?” “THANK YOU SO MUCH!!!”

Slide 45: A Fraud Investigation
Step 1: Initial Inquiry. Investigate what is happening:
• What is happening from a financial and/or operational aspect?
• Do security controls exist, and are they always practiced?
• Does the employee show any of the red flags of fraud?
Data mining analyzes financial transactions to find suspicious patterns or transactions
• e.g., match employee and accounts-payable contact information
The three stages (diagram):
• Initial inquiry: investigate processes, suspicious transactions
• Develop & confirm hypothesis: determine methods & personnel involved
• Collect evidence: prepare for trial; answer all questions

Slide 46: A Fraud Investigation (Cont’d)
Step 2: Develop and confirm hypothesis
• Analyze the evidence. Hypothesize on possible methods of fraud and who is involved. The goal is to develop an accurate story of what happened. Develop:
  • a timeline of what happened when,
  • pictures of evidence,
  • a diagram showing evidence relationships: which evidence is associated with which people and other evidence
Step 3: Collect evidence
• Collect evidence for trial. Prove the three requirements of fraud: evidence of organizational loss, personal gain, and deception.
• Establish answers to the full set of questions:
  • Who decided to make the unethical or illicit changes?
  • Did affected personnel know the correct methods?
  • How far up the management chain did this knowledge go, and could auditors have been complicit?

Slide 47: Forensic Tools for Fraud
• Computer forensic tools can:
  • uncover secret files
  • decode encrypted files
  • investigate external media and deleted and retained email
  • e.g., find images of checks in computer or printer memory
• Look at different versions of documents, transactions or emails:
  • Analyze emails from both the sender and receiver side; is there a difference in which emails were purged?
  • Fraudsters change dates, amounts and/or names of transactions or checks; when were the changes introduced?
• These tools may also be used during earlier stages of the investigation.

Slide 48: Summary
• Fraud on average takes 5% of all income but can bankrupt organizations
• 3 key elements: motivation, opportunity, rationalization
• Internal fraud = employee fraud
  • Asset misappropriation, corruption, financial statement fraud
  • Controls: preventive, detective, corrective
  • Key: segregation of duties
• External fraud = outsider fraud
  • The Red Flags Rule applies to any organization that provides credit; it specifies suspicious transactions to be wary of
  • Social engineering fraud: the fraudster pretends to be an insider; multiple calls build information
  • Other frauds: receipt scams, checks, money orders, etc.