Combatting Fraud & Social Engineering: Security Planning


This comprehensive security planning session dives into key elements of fraud, identifying fraud categories, legal considerations, red flags, and prevention techniques for social engineering. Learn about internal fraud, occupational fraud, phishing, and more, with insights on recovery from fraud incidents and combating organizational losses. Gain essential knowledge to safeguard assets, revenue, and opportunities from fraudulent activities.

  • Security
  • Fraud Prevention
  • Social Engineering
  • Occupational Fraud
  • Financial Security

Uploaded on Feb 28, 2025



Presentation Transcript


  1. Combatting Fraud & Social Engineering: Security Planning (Susan Lincke)

  2. Security Planning: An Applied Approach | 2/28/2025 | 2: Objectives
     The student shall be able to answer:
     • What are the key elements of fraud, and what techniques can be used to counteract these key elements?
     • What are the three categories of fraud, and what crimes do they include?
     • Define skimming, larceny, embezzlement, lapping, shell company, payroll manipulation, ghost employees.
     • What are the legal considerations of fraud?
     • Who commits fraud, and who commits the most expensive fraud?
     • What are some red flags of potential fraud?
     • How does social engineering occur, and how can it be prevented?
     • Define the four roles of segregation of duties.
     • Describe the purpose of the 3 stages of a fraud investigation.

  3. Fraud
     Two branches: Internal Fraud, and Social Engineering (phishing, etc.)
     • Internal Fraud = Occupational Fraud (primarily internal, by employees)
     • Social engineering: the criminal pretends to be someone who needs help, or who will help you get out of trouble
     • Artificial intelligence is primarily used to counter organizational fraud
     • Social engineers are generally not company employees
     • Social engineering includes phishing, business email compromise, smishing, and vishing
     • Two possible aims:
       - Main means for criminals to get a foot in the door: malware is planted
       - Establish an ongoing relationship to extract more money or information

  4. The Problem
     • Organizations lose 5% of revenue annually due to internal fraud
     • The average scheme lasts 12 months
     • Average fraud: $1,783,000; median fraud: $117,000
     • Smaller companies (< 100 employees) suffer higher losses due to inadequate controls: $150,000 vs. $100,000, and 16-month vs. 12-month fraud duration
     [Chart: Fraud Recovery. Amount recovered following an incident of fraud (recovered all losses, recovered nothing, partial recovery), by region: U.S., Europe, South Asia, Sub-Saharan Africa]
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  5. Internal or Occupational Fraud: Definition
     • Violates the employee's fiduciary responsibility to the employer
     • Is done secretly and is concealed
     • Is done to achieve a direct or indirect benefit
     • Costs the organization assets, revenue, or opportunity

  6. Fraud Categories (% of cases, $ average, examples)
     • Asset Misappropriation: 86% of cases, $100,000. Theft of checks, cash, money orders, inventory, equipment, supplies, information.
     • Bribery & Corruption: 50% of cases, $150,000. Bribe to accept a contractor bid, or kickback; bid rigging; extortion: threat of harm if a demand is not met; false billing: providing lower quality, overcharging; conflict of interest: purchasing or sales schemes; corporate espionage: selling secrets; illegal gratuities.
     • Financial Statement Fraud: 9% of cases, $593,000. Revenue over(under)statement: false sales; over(under)stating expenses and liabilities: delayed or capitalized expenses, not recording owed amounts; improper asset valuation: no write-down of uncollectable accounts or obsolete inventory; misapplication of accounting rules: improper disclosures, timing differences.

  7. Asset Misappropriation Vocabulary
     • Skimming: Taking funds before they are recorded in company records
     • Cash Larceny: Taking funds (e.g., a check) that the company recorded as going to someone else
     • Embezzlement: Abusing a business privilege for personal gain
     • Lapping: Theft is covered with another person's check (and so on)
     • Check Tampering: Forged or altered check for gain
     • Shell Company: Payments made to a fake company
     • Payroll Manipulation: Ghost employees, falsified hours, understated leave/vacation time
     • False Shipping Orders or Missing/Defective Receiving Records: Inventory theft

  8. Fraud is an International Problem
     [Chart: International Fraud. Fraud allocation by type (corruption, financial statement, non-cash, billing) and median fraud, by region: Asia-Pacific; Western Europe; North Africa and Mideast; Latin America; Eastern Europe and Russia; U.S. and Canada; South Asia; Sub-Saharan Africa]
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  9. Legal Considerations of Fraud
     • Intentionally false representation: not an error
     • Lying or concealing actions
     • Pattern of unethical behavior
     • Personal material benefit
     • Organizational or victim loss

  10. Key Elements of Fraud
     • Motivation: Need or perceived need
     • Opportunity: Access to assets, information, computers, people
     • Rationalization: Justification for the action
     [Diagram: the 3 Key Elements as a triangle of Motivation, Opportunity, Rationalization]

  11. How Internal Fraud is Discovered
     [Chart: percentage of cases by detection method]
     • Tips are provided by employees 55%, customers 18%, anonymous sources 16%, vendors 10%
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  12. Tip Hotlines are Highly Effective
     Tip statistics:
     • 42% of fraud is detected by tip
     • Most successful method: 3x higher than the next best method
     • More than half of tips are reported by employees
     [Chart: Tip source (phone tip, web tip, email tip), percent of tips]
     With hotline vs. without hotline:
     • Median loss: $100,000 vs. $200,000
     • Time to discovery: 12 months vs. 18 months
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  13. Collusion
     • Collusion: Two or more employees, or an employee and a vendor, defraud together
     • Average duration: 12 months
     [Chart: Median $ loss by number of perpetrators: 1 person, 2 persons, 3+ persons]
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  14. Who Does Fraud?
     • People in a position of power or with access steal larger amounts
     • A manager, owner, and/or executive is involved in 72% of incidents
     • Men: 73% of cases at median $125,000 vs. women: 27% at median $100,000 (varies by region: U.S. 62-38%; Europe 80-20%; South Asia 95-5%)
     • Long-term employees cause a larger median loss, are more likely to collude, and take longer to catch, but less likely
       - Median loss by tenure: <=5 years: $90,000; 6-10 years: $137,000; >10 years: $250,000
     • Median fraud and median duration by level: Executive $337K, 18 months; Manager $125K, 16 months; Line employee $50K, 8 months
     • 94% have no criminal convictions related to fraud
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  15. Where is Fraud Found?
     Select industries: top 3 fraud areas
     • Manufacturing: Corruption 59%, Billing 26%, Noncash 23%
     • Information: Corruption 58%, Noncash 33%, Billing 15%
     • Gov't, public admin: Corruption 57%, Billing 21%, Noncash and payroll 16%
     • Technology: Corruption 54%, Noncash 30%, Billing 21%
     • Food service/Hospitality: Corruption 54%, Noncash 29%, Cash on hand 21%
     • Healthcare: Corruption 50%, Billing 20%, Noncash 18%
     • Education: Corruption 49%, Billing 26%, Noncash 19%
     • Banking: Corruption 46%, Check/payment tampering and cash on hand 14%
     • Retail: Corruption 43%, Noncash 24%, Billing 19%
     Four departments account for 50% of fraud: Operations 15%, Accounting 12%, Sales 11%, Executive or upper management 11%
     Source: ACFE Occupational Fraud 2022: Report to the Nations

  16. Discussion Points
     • What types of fraud could computer programmers or system administrators commit?
     • For each type of fraud, what methods may help to prevent such fraud?

  17. Example 1: Financial Statement Fraud
     Executives and Wall Street have high expectations, and employees are needed to meet the standards. To meet these standards it may be necessary to "play the game", and financial statement fraud may be accepted. Methods of such fraud may include manual adjustments to accounts or improper accounting procedures.

  18. Example 2: Corruption
     The Director of a subsidiary always purchases goods from 2 large organizations, which provide rebates for large purchase quantities. The director negotiated the contracts and pocketed the rebates into an off-shore bank account. Local vendors are upset that their bids are ignored.

  19. Example 3: Asset Misappropriation
     A manager took money from one account and, when payment was due, paid via another account. When that was due, she paid via a third account, and so on. This lapping went on for years and was finally caught when a sickness resulted in her being absent from work for an extended period.

  20. Detecting & Preventing Fraud (section)
     • How to Recognize Fraud
     • How to Prevent Fraud
     • Info. Systems Applications

  21. Fraud & Audit
     • Audits are not designed to detect fraud. Their goal: determine whether the financial statement is free from material misstatements.
     • Auditors test only a small fraction of transactions
     • Auditors must: be aware of the potential for fraud; discuss how fraud could occur; delve into suspicious observations and report them

  22. Red Flags of Fraud
     • Living beyond means (2020: 42%)
     • Financial difficulties (2020: 26%)
     • Close association with vendors, customers
     • Control issues, no sharing of duties
     • Divorce, family problems
     • Wheeler-dealer attitude
     • Dissatisfaction with job: complaints of pay, no authority
     • Excessive pressure: organization or family
     • Addiction
     • Irritability, defensiveness
     [Chart: percent of cases showing each red flag: living beyond means, chummy association with vendors/customers, financial difficulties, wheeler-dealer attitude, excessive pressure]
     Source: Report to the Nations on Occupational Fraud and Abuse: 2018 Global Fraud Study, ACFE

  23. Work Habits of Fraudsters
     One or more of:
     • Justifying poor work habits
     • Desperately trying to meet performance goals
     • Over-protective of certain documents (poor sharing, or avoids documentation)
     • Refusal to swap job duties
     • Consistently at work in off-time (early or late), or never absent
     Source: Essentials of Corporate Fraud, T. L. Coenen, 2008, John Wiley & Sons

  24. Concealment Methods
     • Create fraudulent evidence
     • Alter evidence
     • Delete or destroy evidence
     [Chart: Concealed evidence (physical and/or electronic), percent of cases by concealment method; Duration of fraud until discovery (12 vs. 18 months) by scheme type: cash on hand, register disbursements, corruption, payroll, billing, expense reimbursements, financial statement fraud, check/payment tampering]

  25. Potential Transaction Red Flags
     • Unusual transactions: unusual timing, too frequent or infrequent
     • Unusual amount: too much or too little
     • Unusual participant: involves an unknown or closely-related party
     • Voided checks or receipts, with no explanation
     • Insufficient supervision
     • Pattern of adjustments to accounts
     • Different addresses for the same vendor, or vendors with similar names

  26. Fraud Control Types
     Time of fraud: before fraud (***BEST***) ... after fraud
     • Preventive Controls**: preventing fraud includes: Segregation of Duties; Ethical Culture & Policies; Internal controls: Mgmt review, Mgmt-signed documents; Fraud training; Audits: internal & external*; Fraud risk assessment; Employee Support Programs; Background checks
     • Detective Controls: finding fraud when it occurs includes: Anonymous hotline*; Surprise audits*; Proactive data monitoring*; Complaint or fraud investigation; Mandatory vacations; Rewards for whistleblowers
     • Corrective Controls: Punishment*; Amend controls; Fidelity Insurance; Employee Bonding
     * Also in another category

  27. Techniques to Discourage Fraud (by Key Element)
     • Motivation: Realistic job expectations; Employee support programs; Adequate pay; Training in job duties
     • Rationalization: Trained in fraud: mgmt. & employees; Mgmt. certifies financial statements; Policy enforcement; Code of conduct; Sr. Mgmt. models ethical behavior to customers, vendors, employees, shareholders
     • Opportunity: Segregation of duties; Proactive data analysis; Internal audit dept.; Mgmt. review; External audit; Job rotation/mandatory vacation; Physical security of assets; Background checks

  28. Fraud Controls
     • Preventive: Segregation of Duties; Fraud Policy; Fraud Training (mgmt., employee)
     • Detective: Hotline; Audit, Mgmt reports; Artificial Intelligence
     • Corrective: Termination or internal discipline; Criminal prosecution or civil case

  29. Segregation of Duties
     [Diagram: separated functions: Management, Distribution, Sales, Quality Assurance]

  30. Compensating Controls
     When Segregation of Duties is not possible, use:
     • Audit Trails
     • Transaction Logs: Record of all transactions in a batch
     • Reconciliation: Ensure transaction batches are not modified during processing
     • Exception reporting: Track rejected and/or exceptional (non-standard) transactions
     • Supervisory or Independent Reviews
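The compensating controls above (transaction log, batch reconciliation, exception reporting) and the four segregation-of-duties roles the deck names (origination, authorization, distribution, verification) can be enforced in the batch-processing code itself. The following is an added example, not part of the presentation; the batch layout, the control-total scheme and the names are all constructed for illustration.

```python
"""Added example (not from the presentation): batch controls that record a
transaction log, reconcile a batch against control totals taken at
origination, report rejected transactions, and check that the four
segregation-of-duties roles are held by four different people.
All transactions and person names are constructed."""
import hashlib
import json

ROLES = ("originator", "authorizer", "distributor", "verifier")

def sod_violations(batch):
    """Return the role groups held by a single person; an empty list means the
    four roles were filled by four different people."""
    holders = {}
    for role in ROLES:
        holders.setdefault(batch[role], []).append(role)
    return [roles for roles in holders.values() if len(roles) > 1]

def control_totals(transactions):
    """Batch control totals recorded at origination: count, sum of amounts and
    a hash of the serialized batch, so later modification can be detected."""
    payload = json.dumps(transactions, sort_keys=True).encode()
    return {
        "count": len(transactions),
        "total": round(sum(t["amount"] for t in transactions), 2),
        "digest": hashlib.sha256(payload).hexdigest(),
    }

def process_batch(batch, max_amount=5000.0):
    """Process a batch: reject transactions outside the allowed range into an
    exception report, keep an audit trail of every decision, and reconcile the
    batch against the control totals taken at origination."""
    log, exceptions, accepted = [], [], []
    for t in batch["transactions"]:
        if t["amount"] <= 0 or t["amount"] > max_amount:
            exceptions.append({"id": t["id"], "reason": "amount out of range"})
            log.append(("rejected", t["id"]))
        else:
            accepted.append(t)
            log.append(("accepted", t["id"]))
    reconciled = batch["control_totals"] == control_totals(batch["transactions"])
    log.append(("reconciled" if reconciled else "RECONCILIATION_FAILED", batch["id"]))
    return {"accepted": accepted, "exceptions": exceptions, "log": log,
            "reconciled": reconciled, "sod_violations": sod_violations(batch)}

# Constructed batch: three transactions, one of them over the limit.
TXNS = [
    {"id": "T1", "payee": "Vendor A", "amount": 1200.0},
    {"id": "T2", "payee": "Vendor B", "amount": 7200.0},
    {"id": "T3", "payee": "Vendor C", "amount": 300.0},
]
BATCH = {"id": "B42", "originator": "alice", "authorizer": "bob",
         "distributor": "carol", "verifier": "dave",
         "transactions": TXNS, "control_totals": control_totals(TXNS)}

if __name__ == "__main__":
    result = process_batch(BATCH)
    print(result["exceptions"], result["reconciled"], result["sod_violations"])
    # A transaction altered after origination: reconciliation now fails.
    tampered = dict(BATCH, transactions=[TXNS[0], dict(TXNS[1], amount=720.0), TXNS[2]])
    print(process_batch(tampered)["reconciled"])
```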

  31. Software to Detect Fraud: Data Monitoring and Analysis
     • Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs
     • Detect anomalies such as unusual amounts or patterns
     • Compare vendor addresses and phone numbers with employee data
     • Use Range or Limit Validation to detect fraudulent transactions
     • Log computer activity: login or password attempts, data access attempts, and geographical location of data access
     (The ACFE report shows % fraud by industry)

  32. Red Flags Software Can Detect
     • Out-of-sequence checks
     • Large number of voids or refunds made by an employee or customer
     • Manually prepared checks from a large company
     • Payments sent to a nonstandard (unofficial) address
     • Unexplained changes in vendor activity
     • Vendors with similar names or addresses
     • Unapproved vendor, or new vendor with high activity
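Several of the rules from slides 31 and 32 (vendor data matching employee data, similar vendor names, out-of-sequence checks, nonstandard payment addresses, unapproved vendors, limit validation, excessive voids) can be run as a batch job over the vendor master, employee file and check register. The block below is an added example, not part of the presentation; all records, names and thresholds are constructed, and the rule names are my own labels.

```python
"""Added example (not from the presentation): red-flag rules of the kind the
slides describe, run over small constructed vendor, employee and payment
records. A flag is a lead for an investigator to review, not proof of fraud."""
import re
from collections import Counter, defaultdict

# Constructed sample records (hypothetical). Vendor V1 shares an address with
# employee E1, V2 duplicates V1's name, and V3 is an unapproved vendor that was
# once paid at a PO Box that is not on file.
EMPLOYEES = [
    {"id": "E1", "name": "J. Smith", "address": "12 Elm St", "phone": "555-0101"},
    {"id": "E2", "name": "P. Jones", "address": "9 Oak Ave", "phone": "555-0102"},
]
VENDORS = [
    {"id": "V1", "name": "ACME Supply Co.", "address": "12 Elm St", "phone": "555-0199", "approved": True},
    {"id": "V2", "name": "Acme Supply, Inc", "address": "40 Pine Rd", "phone": "555-0150", "approved": True},
    {"id": "V3", "name": "Northwind Parts", "address": "7 Bay St", "phone": "555-0160", "approved": False},
]
# Payments in the order the checks were issued: check number, vendor, amount,
# address the check was mailed to, entering employee, voided flag.
PAYMENTS = [
    {"check": 1001, "vendor": "V1", "amount": 4800.0, "mailed_to": "12 Elm St", "by": "E1", "void": False},
    {"check": 1002, "vendor": "V2", "amount": 120.0, "mailed_to": "40 Pine Rd", "by": "E2", "void": True},
    {"check": 1003, "vendor": "V3", "amount": 9900.0, "mailed_to": "PO Box 77", "by": "E1", "void": False},
    {"check": 1005, "vendor": "V1", "amount": 15000.0, "mailed_to": "12 Elm St", "by": "E1", "void": True},
    {"check": 1006, "vendor": "V3", "amount": 9950.0, "mailed_to": "7 Bay St", "by": "E1", "void": True},
]
SUFFIXES = {"co", "inc", "llc", "ltd", "corp", "company"}

def normalize_name(name):
    """Lower-case, strip punctuation and corporate suffixes so that
    'ACME Supply Co.' and 'Acme Supply, Inc' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def find_red_flags(employees, vendors, payments, limit=10000.0, max_voids=1):
    """Apply the red-flag rules and return (rule, detail) pairs for review."""
    flags = []
    vendor = {v["id"]: v for v in vendors}
    # Vendor address or phone number matches employee data.
    for v in vendors:
        for e in employees:
            if v["address"] == e["address"] or v["phone"] == e["phone"]:
                flags.append(("vendor_matches_employee", f"{v['id']} ~ {e['id']}"))
    # Vendors whose names are the same after normalization.
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize_name(v["name"])].append(v["id"])
    flags += [("similar_vendor_names", ",".join(g)) for g in groups.values() if len(g) > 1]
    # Out-of-sequence check numbers (a gap or reversal in issue order).
    nums = [p["check"] for p in payments]
    flags += [("out_of_sequence_check", f"{a}->{b}") for a, b in zip(nums, nums[1:]) if b != a + 1]
    # Payment mailed to an address other than the vendor's address on file,
    # payment to an unapproved vendor, and amounts above the allowed limit.
    unapproved = set()
    for p in payments:
        if p["mailed_to"] != vendor[p["vendor"]]["address"]:
            flags.append(("nonstandard_payment_address", str(p["check"])))
        if not vendor[p["vendor"]]["approved"]:
            unapproved.add(p["vendor"])
        if p["amount"] > limit:
            flags.append(("over_limit", str(p["check"])))
    flags += [("unapproved_vendor_paid", v) for v in sorted(unapproved)]
    # Large number of voids entered by one employee.
    voids = Counter(p["by"] for p in payments if p["void"])
    flags += [("excessive_voids", who) for who, n in voids.items() if n > max_voids]
    return flags

if __name__ == "__main__":
    for rule, detail in find_red_flags(EMPLOYEES, VENDORS, PAYMENTS):
        print(f"{rule:28s} {detail}")
```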

  33. Encourage Security in IT Departments
     • Physical security
     • Segregation of duties
     • Employee monitoring
     • Surprise audits
     • Job rotation
     • Examination of documentation
     [Diagram: separated roles: Quality Assurance, Programmer Analyst, Business Analyst]

  34. Business Application Checks
     • Checks locked up; access restricted
     • Physical inventory of checks at least every quarter
     • New accounts payable vendors: existence and address double-checked by management
     • Returned checks sent to a PO Box and evaluated by someone independent of Accounts Payable

  35. Question: What is the MOST effective means of preventing fraud?
     1. Effective internal controls
     2. Fraud training program
     3. Fraud hotline
     4. Punishment when fraud is discovered

  36. Question: A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4M over 3 years. The auditor should have found that:
     1. The vendor was a phony company
     2. Purchases from the vendor did not result in inventory received
     3. The initials for the vendor matched an employee in the accounting dept.
     4. Management does not authorize new vendors with a separate web search and/or phone call

  37. Question: What is: Origination, Authorization, Distribution, Verification?
     1. Four stages of software release
     2. Recommended authority allocations for access control
     3. Stages for development of a Biometric Identity Management System (BIMS)
     4. Categories for Segregation of Duties

  38. External Fraud (section)
     • Social Engineering
     • Pretexting: Business Email Compromise
     • Check & Receipt Fraud
     • A Fraud Investigation

  39. Social Engineering
     • Pretexting: Dialogue to obtain information or influence; e.g., CEO impersonation, tax return fraud
     • Phishing: Gain a foothold; 4% of people take the phish
     Statistics: Used in 93% of breaches; Financial motive 95%; Email: 96% of SE cases; Malware >67%; Financial 59%, Spying 41%

  40. Common Phishing Attack Sequence
     Phish -> Downloader -> Ransomware
     • Phish: Email recipient clicks on an executable attachment or link, which causes the Downloader
     • Downloader: Downloads malware, potentially including backdoor or command and control malware, to open the door to hacking and further malware
     • Ransomware: Results in breach and an opportunity to

  41. Definitions
     • Pretexting:
       - Business Email Compromise: Scammed email requests that the organization wire a transfer payment to a business/supplier
       - Email Account Compromise: Scammed email requests that an individual send payment to a fraudulent organization
     • Phishing: Short-term relationship: fraudulent email requesting opening of an attachment or following a link; may request personal, financial, or login credentials
     • Vishing: Fraudulent voice message or phone call
     • Smishing: Fraudulent text message

  42. Business Email Compromise (BEC) - Scenario
     • Email Access: Get access to business email credentials, OR create an account with a similar name
     • Impersonate: Impersonate a person in power or a supplier; establish a video meeting (with picture)
     • Request Money: Ask for a money transfer to an account; the criminal forwards the money to a cryptocurrency wallet

  43. BEC Incident Response
     • Notify: Contact the victim business to request reversal, a Hold Harmless Letter, or a Letter of Indemnity
     • Report: File a complaint with the government (U.S.: www.ic3.gov). Recovery is possible (U.S.: IC3's Recovery Asset Team, 74% success)
     • Awareness: Monitor BEC trends (e.g., www.ic3.gov); verify email addresses and orders independently

  44. Social Engineering Scam Scenarios
     • Romance/Confidence Scam (in 2021: 24,300 victims, losses > $956 million): Quickly establish a romantic relationship, ask for money (emergency or investment), plan to meet but never do. Or: a niece or nephew is in trouble and needs help.
     • Sextortion: Will publish sensitive information if their demand is not met
     • Tech Support Fraud ($347.7 million): Criminal pretends to be customer service or tech support offering to help
     • Cryptocurrency (2021: $1.6 billion): Cryptocurrency ATMs are minimally regulated; cryptocurrency owners give up control of their account for "support" or "safeguarding"; investment scams use cryptocurrency

  45. Red Flags Rule (red flag category: example red flag cases)
     • Suspicious Documents: Identification or application looks forged or altered. Info is inconsistent between the ID, what the client says, and their records. Picture or signature differs.
     • Personal Identifying Information: Info matches other clients. Info looks suspicious: phone number is an answering service; SSN is on the Death Master File; info inconsistent with credit report. Incomplete application and client fails to submit additional info. Client cannot provide authenticating info beyond name, address, phone.
     • Account Activity: A major change in spending or payment habits. A change of address, followed by unusual requests (e.g., multiple credit cards). Initial use of a credit card shows unusual activity: first payment only; purchase of products easily converted to cash (electronics, jewelry). Inactive accounts suddenly become active. Mail is undeliverable but transactions continue.
     • Warnings from a Credit Agency: Changes to a credit report inconsistent with the client's history. Indication of fraud, credit freeze or other abuse. Changes in recent credit transactions: increase in inquiries or new accounts.
     • Other Sources: A tip indicates an account has been opened inappropriately or used fraudulently.

  46. Social Engineering I
     Email examples:
     • "The first 500 people to register at our Web site will win free tickets to"
     • "Please provide company email address and choose a password"
     • "You received a message from Facebook. Follow this link to log in."
     Social engineering: Getting people to do something they would not ordinarily do for a stranger
     Social engineering is nearly 100% effective

  47. Social Engineering II
     Telephone call from "IT":
     • "Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix"
     • "We need to test a new utility to change your password"

  48. Social Engineering III
     • Phone call 1: "I had a great experience at your store. Can you tell me the manager's name and address?"
     • Phone call 2: "This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can't read it; can you tell me? What is the code?" "You should be telling me the code." "That's ok, it can wait. I am leaving, but Alice won't get her information." "The code is"
     • Phone call or fax 3: "I need" "Code is"

  49. Social Engineering Techniques
     • Learns insider vocabulary and/or personnel names
     • Pretends to be a legitimate insider: "I am <VP, IT, other branch, other dept>. Can you ?"
     • Pretends a real transaction
     • Helping: "I am in trouble" <or> "you need help", because <my, your> computer is <virused, broken, busy, don't have one>. "Can you <do, tell me> ?"
     • Deception: Hides the real question among others
     • Establishes a relationship: Uses friendliness to gain trust for future tasks

  50. Combating Social Engineering
     Verification procedure:
     • Verify the requester is who they claim to be
     • Verify the requester is currently employed in the position claimed
     • Verify the role is authorized for the request
     • Record the transaction
     Organization security:
     • Data classification defines treatment
     • Policies define guidelines for employee behavior
     • Employees are trained in roles, need-to-know, and policies
