A Global Reach with a Local Perspective www.decosimo.com Fraud Awareness-What You and Your Employees Really Need to Know

Fraud Awareness


DESCRIPTION

Fraud awareness for companies and their employees, covering legal aspects of securing confidential information, social engineering techniques and what to look for in suspect emails.


Page 1: Fraud Awareness

A Global Reach with a Local Perspective

www.decosimo.com

Fraud Awareness-What You and Your Employees Really Need to Know

Page 2: Fraud Awareness

Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA

Senior Manager [email protected] 423-756-7100

The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.

Page 3: Fraud Awareness

Operational Security

Military term meaning:

• Analytic process used to deny an adversary information

• Risk assessment tool

• Examines day-to-day activities

• Controls information

Universal concepts:

• Equally applicable to individuals and businesses in general

• Identifies security risks

• Applied in any environment

Page 4: Fraud Awareness

A strict set of rules and procedures

An expensive and time-consuming process

Used only by the government or military

Page 5: Fraud Awareness

Loss of customer trust and business

Possible lawsuits

Legal issues

• Gramm-Leach-Bliley Act

• Fair Credit Reporting Act

• Federal Trade Commission Act

• Health Insurance Portability and Accountability Act (HIPAA)

• Family Educational Rights and Privacy Act

• Drivers Privacy Protection Act

• Privacy Laws

• State Laws

Page 6: Fraud Awareness

“Consumer report information”

• Personal and credit characteristics

• Character

• General reputation

• Must be prepared by a consumer reporting agency

Examples

• Consumer reports in background checks of employees

• Customer credit histories

Page 7: Fraud Awareness

• Requires businesses that have information covered by the FCRA to take reasonable measures when disposing of the information

• Businesses that collect consumer credit information, credit reports, or background employee histories should ensure compliance

Page 8: Fraud Awareness

Fair and Accurate Credit Transactions Amendment

• Free credit report once every 12 months

• Limitation on printing credit card numbers

• Red Flag Rule

• Identity theft program

• Must respond to notices of discrepancies

• Assess validity of change of address on issuers of debit and credit cards

• Regulations apply to all businesses that have “covered accounts”

• Defined as any account for which there is a foreseeable risk of identity theft

Page 9: Fraud Awareness

• Fraud alerts required

• Summary of rights of identity theft victims

• Blocking of information resulting from identity theft

• Coordination of identity theft complaint investigations

Page 10: Fraud Awareness

Applies to “financial institutions”

• Broadly defined as any business engaged in a wide range of financial activities

• Car dealers

• Tax preparers

• Courier services in some cases

• Financial institutions not regulated by other agencies

Requires businesses to have reasonable policies and procedures to ensure security and confidentiality of customer information

Page 11: Fraud Awareness

Prohibits deceptive or unfair trade practices

Businesses must handle consumer information in a way that is consistent with their promises to their customers

Must avoid data security practices that create an unreasonable risk of harm to consumer data

Page 12: Fraud Awareness

Regulates the use and disclosure of protected health information

Generally limits release of information to the minimum reasonably needed for the purpose of disclosure

Enables patients to find out how their information may be used and what disclosures have been made

Note: Medical record data is currently worth more on the black market compared to social security numbers, credit card information, etc.

Page 13: Fraud Awareness

THE GOING RATE

Medical records - $50

Social Security Numbers - $3

Credit card information - $1.50

Date of birth - $3

Mother’s maiden name - $6

Bank account numbers - $100 - $500, depending upon account balance

From veriphyr.com

Page 14: Fraud Awareness

Bottom Line – Companies must develop and maintain reasonable procedures to protect sensitive information

Page 15: Fraud Awareness

Know the threat

Know what to protect

Know how to protect

Page 16: Fraud Awareness

Adversary – the Bad Guy

Terrorist groups

Criminals

Organized crime

Hackers/Crackers

Insider threats – generally more costly and often overlooked

Page 17: Fraud Awareness

“Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?”

“Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don’t forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%.”

from Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT’s Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University’s Software Engineering Institute

Page 18: Fraud Awareness

Possible economic gains

Possible political gains

Advantage in global markets

Self-Interest

Revenge

External pressure

Page 19: Fraud Awareness

This is quite simple – sensitive information

• Personnel information

• Customer information

• Intellectual property

• Company-generated internal reports

• Financial information

• Medical information

• ...and the list goes on

If you are not sure – then be conservative – “loose lips sink ships”

Page 20: Fraud Awareness

• Know what personal information you have in your files and on computers

• Keep only what you need for your business

• Protect the information that you want to keep

• Properly dispose of what you no longer need

• Create a plan to respond to security incidents

• Periodic employee awareness training

• If you don’t have time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan

Page 21: Fraud Awareness

Understand common social engineering techniques

Social engineering is defined as the manipulation of the natural human tendency to trust: the art and science of getting people to do what you want them to do.

“A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password.” – Karen J. Bannan, Internet World, January 1, 2001

Page 22: Fraud Awareness

Information gathering

Developing a relationship

Execution

Exploitation

Page 23: Fraud Awareness

Shoulder surfing

• Looking over one’s shoulder

Dumpster diving

• Checking out the trash

Mail-outs

• Surveys

Page 24: Fraud Awareness

Baiting

• Curiosity

• Deliberately leaving an item for discovery and use

Phishing

• Convincing victims to supply sensitive information

• Fairly basic

• Very widely used

• Phisher often purchases a domain that is designed to imitate an official resource

Page 25: Fraud Awareness

Vishing

• Direct call requesting “security verification”

• Email with instructions to call a telephone number to verify account information before granting access

• Fake interactive techniques such as “press 1”

• Call and try to convince the victim to purchase or install software

Tailgating

• Gaining access to a restricted area by following someone

• Preys on common courtesy

Page 26: Fraud Awareness

“Quid pro quo”

• Something for something

• Often used against office workers

• Attacker pretends to be a “tech support employee returning a call” until he or she finds someone in genuine need of support and extracts other information or requests software downloads

“Diversion theft”

• Common technique used to convince couriers into believing a delivery is to be received elsewhere

Page 27: Fraud Awareness

Impersonation

Name dropping

Aggression

Conformity

Friendliness

Page 28: Fraud Awareness

Impersonation

• Repairman

• Helpdesk tech

• Trusted third party

Name Dropping

• Using names of people from your company to make you believe they know you and gain your trust

Aggression

• Intimidation by threatening to escalate to a manager or executive if you do not provide requested information

Page 29: Fraud Awareness

Conformity

• “Everyone else has provided the information so it’s fine for you to provide the same.”

• Moves responsibility away from the target

• Avoids the feeling of guilt

Friendliness

• Contacts over a period of time with the intent of building up a rapport so that when the attacker asks for sensitive information, trust has already been developed.

• Communication on a personal level removes the realization of pressure being applied to supply information

Page 30: Fraud Awareness

Increased compliance if:

• Attacker avoids conflict by using a consultative approach

• Attacker develops and builds a relationship through previous dealings so victim will probably comply with a large request when having previously complied with a smaller one.

• Attacker is able to appeal to the victim’s senses thus building a better relationship by appearing to be “human” rather than a voice or an email message

• Attacker has a quick mind and is able to compromise

RECOGNIZE THE SIGNS

Page 31: Fraud Awareness
Page 32: Fraud Awareness

Unsolicited requests for sensitive information

Content appears genuine

Disguised hyperlinks and sender address

Consists of a clickable image

Generic greetings

Use various tricks to entice recipients to click

• Customer account details need to be updated due to a software or security upgrade

• Customer account may be terminated if account details are not provided within a specific time frame

• Suspect or fraudulent activity involving the user’s account has been detected and the user must provide information

• Routine or random security procedures requiring the user to verify his or her account by providing requested information

Page 33: Fraud Awareness

Spelling and bad grammar

Links in emails

Threats

Spoofing popular websites or companies

Page 34: Fraud Awareness
Page 35: Fraud Awareness
Page 36: Fraud Awareness
Page 37: Fraud Awareness
Page 38: Fraud Awareness
Page 39: Fraud Awareness
Page 40: Fraud Awareness
Page 41: Fraud Awareness

Why am I being asked for this information?

Is it usual to be asked for this sort of information in this format?

Is the request coming from a known source?

What consequences might come from misusing the information that I have been asked to provide?

Is there pressure to take action now?

Page 42: Fraud Awareness

SOURCES

Federal Trade Commission, BCB Business Center www.ftc.gov

OSPA www.opsecprofessionals.org

Cornell University IT: Phish Bowl www.it.cornell.edu/security/safety/phishbowl.cfm

Protect your business by understanding common social engineering techniques, Small Business Blog http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html

Microsoft www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

Page 43: Fraud Awareness

Grammar, Spacing, Capitalization

Embedded link

Period, no space, no capitalization on start of new sentence

Capitalization

Threat-immediate action required

Page 44: Fraud Awareness

Embedded link

Threat-immediate action required

Spelling

Violation of a company policy also a violation of law?

Page 45: Fraud Awareness

Grammar – “Windows”

Embedded link

Grammar – “link below”

Grammar – Windows Defender. Yes, it is a legit software program.

Threat-immediate action required

Page 46: Fraud Awareness

LinkedIn does not send reminders

Grammar

Embedded link

Page 47: Fraud Awareness

Great job on website impersonation!

1) Imposed threat requiring immediate action

2) No Section 765 in bylaws

3) AICPA does not regulate CPA status

Grammar

Embedded link

Page 48: Fraud Awareness

Generic greeting

Zip file with embedded malware

Ticket number does not exist
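The tells listed on pages 32-33 and annotated on the sample emails of pages 43-48 (generic greeting, a threat or deadline, a sender name or link text that names one site while the real address belongs to another) can be checked mechanically. The script below is an added example, not part of the deck; the LinkedIn-style sample message, the phrase lists and the names phishing_indicators, registrable and LinkCollector are my own constructions, and the sender check is a coarse heuristic that treats the first word of the display name as the claimed brand.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
# Tells from the deck: generic greeting, threats or deadlines, and a link label or sender
# name that names a brand while the real domain is something else.
GENERIC_GREETING = re.compile(r"\bdear (valued )?(customer|user|member)\b", re.I)
URGENCY = re.compile(r"immediate action|within \d+ (hours|days)|will be (terminated|suspended)"
                     r"|suspicious activity|verify your (account|identity)", re.I)
DOMAIN = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def registrable(text):
    """Last two labels of the first domain found in text, e.g. 'linkedin.com'; '' if none."""
    m = DOMAIN.search(text)
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else ""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def phishing_indicators(from_header, html_body):
    """Return the deck's warning signs found in one message; an empty list means none."""
    found = []
    display, addr = parseaddr(from_header)
    brand = display.split()[0].lower() if display else ""  # coarse: "LinkedIn Reminders" -> linkedin
    if brand and brand != registrable(addr).split(".")[0]:
        found.append(f"sender name '{display}' does not match address {addr}")
    if GENERIC_GREETING.search(html_body):
        found.append("generic greeting")
    if URGENCY.search(html_body):
        found.append("threat or pressure to act now")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, label in parser.links:
        shown, real = registrable(label), registrable(href)
        if shown and real and shown != real:  # label names one site, href goes to another
            found.append(f"disguised link: shows {shown}, goes to {real}")
    return found

SAMPLE_FROM = "LinkedIn Reminders <notify@linkedin-mail-center.example>"  # constructed, not a real message
SAMPLE_BODY = '<p>Dear Member, suspicious activity was detected; verify your account within 24 hours or it will be suspended: <a href="http://lnkdn-secure.example/v">www.linkedin.com</a></p>'
```

Running phishing_indicators(SAMPLE_FROM, SAMPLE_BODY) reports all four tells; a legitimate notice whose sender domain and link targets agree with their visible names returns an empty list.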