FRAUD & CYBER AWARENESS - FinPro
Gavin Dyche – Manager Risk, Public Sector Victoria & Tasmania, May 2017
Posted Feb 26, 2022

Transcript
Page 1: FRAUD & CYBER AWARENESS - FinPro

FRAUD & CYBER AWARENESS
Gavin Dyche – Manager Risk, Public Sector Victoria & Tasmania
May 2017

Page 2: FRAUD & CYBER AWARENESS - FinPro

MY EXPERIENCE

AKA -

Strategic & Operational Risk
Fraud Prevention & Management
Business Continuity
Information Security
Audit
Physical Security
Continuous Improvement & LEAN
Customer Service

Page 3: FRAUD & CYBER AWARENESS - FinPro

FRAUD IN THE NEWS

Page 4: FRAUD & CYBER AWARENESS - FinPro

Change of Bank Details Scam

FRAUD IN THE NEWS

Page 5: FRAUD & CYBER AWARENESS - FinPro

MANDATORY REPORTING

Page 6: FRAUD & CYBER AWARENESS - FinPro

IS IT ON YOUR LIST?

Page 7: FRAUD & CYBER AWARENESS - FinPro

5% RULE

5% = average of $3m per Victorian council (based on 64 Victorian councils, 2015/2016)

Page 8: FRAUD & CYBER AWARENESS - FinPro

CURRENT SCAMS

Some impersonators are easy to spot…..

Others are not!

Page 9: FRAUD & CYBER AWARENESS - FinPro

PHISHING

Page 10: FRAUD & CYBER AWARENESS - FinPro

CONTACTLESS TECHNOLOGY

Page 11: FRAUD & CYBER AWARENESS - FinPro

RANSOMWARE

Page 12: FRAUD & CYBER AWARENESS - FinPro

DARKWEB

Page 13: FRAUD & CYBER AWARENESS - FinPro

VALUE OF FRAUD

(Slide figures: $114bn USD and $85bn USD; the labels for the two figures were not captured in the transcript.)

Page 14: FRAUD & CYBER AWARENESS - FinPro

HAVE YOU BEEN HACKED?

Page 15: FRAUD & CYBER AWARENESS - FinPro

HAVE YOU BEEN HACKED?

Page 16: FRAUD & CYBER AWARENESS - FinPro

SCAM STATISTICS - VICTORIA

Columns: reported loss; number of reports; reports with a loss; of those, how many lost under $10k and how many lost over $10k; conversion % = reports with loss as a share of all reports.

Scam category                          Reported loss   Reports   Reports with loss   <$10k lost   >$10k lost   Conversion %
Investment schemes                        $5,290,665       384                  88           38           50         22.9%
Dating & romance                          $4,543,037       659                 187          128           59         28.4%
Other upfront payment & advance fee       $3,734,310     3,800                 197          179           18          5.2%
Other buying/selling scams                  $852,492     2,058                 375          355           20         18.2%
Inheritance scams                           $683,174       535                  19           14            5          3.6%
Scratchie scams                             $251,838       228                  10            4            6          4.4%
Computer prediction & sports investment     $235,937        54                  18           10            8         33.3%
Fake trader websites                        $231,550       981                 435          432            3         44.3%
Classified scams                            $184,820       617                  82           79            3         13.3%
Job & employment                            $144,796       566                  50           48            2          8.8%
Nigerian scams                              $107,686       243                  26           24            2         10.7%
Prize & lottery scams                       $103,696     1,368                  57           55            2          4.2%
Psychic & clairvoyant                        $65,070        37                   4            2            2         10.8%
Hitman scams                                 $16,199       264                   6            6            0          2.3%
Health & medical products                     $9,193       124                  27           27            0         21.8%
Mobile premium services                       $8,687       476                 190          190            0         39.9%
Fake charity scams                            $5,001       248                  18           18            0          7.3%
Grand total (all categories)             $18,838,055    31,667               2,357        2,127          230          7.4%

The grand total covers every scam category reported; the rows shown are a selection and do not sum to it.

Page 17: FRAUD & CYBER AWARENESS - FinPro

Visit www.scamwatch.gov.au for more info

USEFUL RESOURCE

Page 18: FRAUD & CYBER AWARENESS - FinPro

PROFILE OF FRAUDSTERS

Typical profile of a fraudster 2016 (incl. % changes from 2014):

• Male
• 41-50 years
• Qualified graduate
• Junior or middle management
• 3-5 years service
• No previous criminal record

(Percent changes shown on the slide graphic: 1%, 12%, 11%, 15%, 7%, 5%; which figure belongs to which attribute is not recoverable from the transcript.)

Source: Fighting Fraud in the Public Sector IV, PwC

Page 19: FRAUD & CYBER AWARENESS - FinPro

ORGANISATIONAL RED FLAGS

• Lack of governance/strategy for fraud prevention (i.e. no Fraud Control Plan)
• Lack of training and awareness
• Lack of clear protocol or choice of channel for fraud reporting
• No 'control effectiveness' checking regime
• Minimal reports of potential fraud and corrupt behaviour
• Railroading operational staff into acting outside protocol
• Culture accepting of fraud and corruption (i.e. treated as 'the cost of what we do')
• Increased line-item budgets with no clear rationale

Page 20: FRAUD & CYBER AWARENESS - FinPro

DO WE QUESTION THINGS

Page 21: FRAUD & CYBER AWARENESS - FinPro

FRAUD PREVENTION FRAMEWORK

Page 22: FRAUD & CYBER AWARENESS - FinPro

FRAUDCONTROL

PLAN

THE FOUNDATION

Page 23: FRAUD & CYBER AWARENESS - FinPro

WHAT IS HAPPENING / WHERE ARE THE GAPS?

Page 24: FRAUD & CYBER AWARENESS - FinPro

WHAT IS POSSIBLE?

• We all too readily focus on our perception of what we think may go wrong, as opposed to establishing what exactly could go wrong.

• Invariably, what you think or believe is happening may not align with reality.

Page 25: FRAUD & CYBER AWARENESS - FinPro

• Fleet coordinator disposed of 274 vehicles over 11 years; for 152 of them Council received no proceeds.

• Misappropriation occurred over 11 years

• Estimated loss in excess of $1.6m

• Individual passed away shortly into investigation

BALANCING TRUST AND CONTROL

Page 26: FRAUD & CYBER AWARENESS - FinPro

13 Control checks failed to recognise the scam

BALANCING TRUST AND CONTROL

Page 27: FRAUD & CYBER AWARENESS - FinPro

ESSENTIAL 1ST LINE OF DEFENCE

Page 28: FRAUD & CYBER AWARENESS - FinPro

INTERNAL CONTROLS - REMINDER

The purpose of a control is to:

• Stop a risk from occurring
• Reduce the likelihood and/or consequence

Do you have controls that appear to do neither?

Controls cost the organisation time, resources and money, so they have to be effective.

Page 29: FRAUD & CYBER AWARENESS - FinPro

HOW ROBUST ARE YOUR CONTROLS?

Weak controls:
• Policies
• Procedures
• Manual delegations
• Signature checks
• Tone from the top
• Training

Strong controls:
• System-based segregation
• System-based delegations
• Data analytics

Page 30: FRAUD & CYBER AWARENESS - FinPro

CONTROL EFFECTIVENESS

Due diligence / management overview:

• What are the relevant 'red flags' to look out for?
• Are you relying on others in the approval process?
• Have you considered 'usualness' factors?
• How long did it take you to perform 'management overview'?
• When did you last ask questions of items you are 'authorising'?

If you don't ask the questions, somebody else will after the incident!
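As an added illustration (not code from the presentation), the following Python shows what the "strong", system-based controls of the previous slide look like when they are enforced in code rather than by a manual signature check: segregation of duties, delegation limits, and three data-analytics "usualness" flags (a payment going to vendor bank details changed shortly before the payment, which is the change-of-bank-details scam mentioned earlier; a duplicate invoice; and a run of invoices split to stay under the approver's limit). The delegation table, thresholds, vendor names, users and payment records are all constructed for the example.

```python
"""Added illustration (not from the FinPro presentation): a system-based control
pass over an accounts-payable run. It codes the 'strong controls' named on the
slide (system-based segregation, system-based delegations, data analytics) and
some 'usualness' checks. All records, names and thresholds are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice_no: str
    amount: float
    requested_by: str
    approved_by: str
    pay_date: date
    bank_account: str  # account the money is actually sent to


@dataclass(frozen=True)
class BankChange:
    """Audit entry from the vendor master: who changed a vendor's bank details and when."""
    vendor: str
    changed_on: date
    changed_by: str
    new_account: str


# Hypothetical delegation table: user -> maximum amount that user may approve.
DELEGATIONS = {"alice": 5_000, "bob": 20_000, "carol": 100_000}
BANK_CHANGE_WINDOW_DAYS = 30  # a payment this soon after a bank change needs a call-back
SPLIT_WINDOW_DAYS = 7         # look-back for invoices split to stay under a limit


def check_payment(p: Payment, delegations: dict[str, float],
                  bank_changes: list[BankChange], prior: list[Payment]) -> list[str]:
    """Return the red flags raised by one payment, given the payments already made."""
    flags: list[str] = []

    # Segregation of duties: the person who raised the payment must not approve it.
    if p.requested_by == p.approved_by:
        flags.append("SOD: requester approved their own payment")

    # System-based delegation: the approver must hold a delegation that covers the amount.
    limit = delegations.get(p.approved_by)
    if limit is None:
        flags.append(f"DELEGATION: {p.approved_by} holds no financial delegation")
    elif p.amount > limit:
        flags.append(f"DELEGATION: {p.amount:.2f} exceeds {p.approved_by}'s limit of {limit}")

    # Change-of-bank-details scam: the payment goes to an account that was changed recently.
    for ch in bank_changes:
        if ch.vendor == p.vendor and ch.new_account == p.bank_account:
            age = (p.pay_date - ch.changed_on).days
            if 0 <= age <= BANK_CHANGE_WINDOW_DAYS:
                flags.append(f"BANK_CHANGE: {p.vendor} bank details changed {age} days "
                             f"before payment by {ch.changed_by}; verify on a known phone number")

    # Duplicate invoice: same vendor and invoice number already paid.
    for q in prior:
        if q.vendor == p.vendor and q.invoice_no == p.invoice_no:
            flags.append(f"DUPLICATE: invoice {p.invoice_no} already paid as {q.pay_id}")
            break

    # Split invoicing: each payment sits under the approver's limit, but the recent
    # run of payments to the same vendor from the same requester does not.
    if limit is not None and p.amount <= limit:
        recent = [q for q in prior
                  if q.vendor == p.vendor and q.requested_by == p.requested_by
                  and 0 <= (p.pay_date - q.pay_date).days <= SPLIT_WINDOW_DAYS]
        total = p.amount + sum(q.amount for q in recent)
        if recent and total > limit:
            flags.append(f"SPLIT: {len(recent) + 1} payments to {p.vendor} within "
                         f"{SPLIT_WINDOW_DAYS} days total {total:.2f}, above limit {limit}")
    return flags


def run_checks(payments, delegations, bank_changes) -> dict[str, list[str]]:
    """Process payments in date order so each one is checked against what came before."""
    results, prior = {}, []
    for p in sorted(payments, key=lambda x: x.pay_date):
        results[p.pay_id] = check_payment(p, delegations, bank_changes, prior)
        prior.append(p)
    return results


# Constructed sample data (vendors, users and account numbers are fictitious).
SAMPLE_BANK_CHANGES = [
    BankChange("Acme Civil Pty Ltd", date(2017, 4, 20), "dave", "063-000 11223344"),
]
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Civil Pty Ltd", "INV-1001", 12_500.00, "dave", "bob", date(2017, 4, 28), "063-000 11223344"),
    Payment("P2", "Fleet Auctions", "FA-77", 4_800.00, "alice", "alice", date(2017, 5, 2), "033-111 55667788"),
    Payment("P3", "Fleet Auctions", "FA-78", 4_900.00, "erin", "alice", date(2017, 5, 3), "033-111 55667788"),
    Payment("P4", "Fleet Auctions", "FA-79", 4_950.00, "erin", "alice", date(2017, 5, 5), "033-111 55667788"),
    Payment("P5", "Acme Civil Pty Ltd", "INV-1001", 12_500.00, "dave", "carol", date(2017, 5, 10), "063-000 11223344"),
    Payment("P6", "Office Supplies Co", "OS-9", 150_000.00, "erin", "carol", date(2017, 5, 11), "012-222 99887766"),
]

if __name__ == "__main__":
    for pay_id, flags in run_checks(SAMPLE_PAYMENTS, DELEGATIONS, SAMPLE_BANK_CHANGES).items():
        print(pay_id, flags or "clean")
```

Running it flags P1 and P5 (paid to bank details changed 8 and 20 days earlier by the same user who raised the payments), P2 (requester approved their own payment), P4 (three invoices to one vendor within a week that together exceed the approver's $5,000 delegation), P5 again (invoice INV-1001 paid twice) and P6 (amount above the approver's delegation); P3 is clean on its own and only becomes suspicious once P4 arrives, which is the point of checking against history rather than one transaction at a time. Each flag is a question for the approver to answer before release, not proof of fraud.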

Page 31: FRAUD & CYBER AWARENESS - FinPro

WHEN CONTROLS FAIL

(Slide graphic: a transaction passing through Check 1, Check 2 and Check 3.)

Page 32: FRAUD & CYBER AWARENESS - FinPro

THE NO BRAINER

Page 33: FRAUD & CYBER AWARENESS - FinPro

FRAUD & CYBER AWARENESS TRAINING

• There is no substitute for regular face-to-face training for all employees.
• Consistently a key finding in fraud and corruption investigations, audit reports and reviews.
• An online training component can be a good interim measure between biennial face-to-face sessions.

Page 34: FRAUD & CYBER AWARENESS - FinPro

LINES OF DEFENCE

1st line of defence:
• Operational employees
• Controls
• Policy & procedure
• Fraud reporting / protected disclosure

2nd line of defence:
• Risk management
• Governance
• Compliance

3rd line of defence:
• Audit committee
• Internal auditors
• External auditors

Page 35: FRAUD & CYBER AWARENESS - FinPro

FRAUD & CORRUPTION RISKS - EXAMPLES

Examples from external fraud risk registers:

• Failure to effectively identify and manage internal fraud risks
• Disclosure of confidential information during the tender process
• Lack of segregation of financial duties
• Inadequate management of IT user profiles and privileges
• Inappropriate use of delegations
• Unauthorised purchase and disposal of assets
• Lack of monitoring of items under the asset register threshold

Page 36: FRAUD & CYBER AWARENESS - FinPro

KICKING THE TYRES

Page 37: FRAUD & CYBER AWARENESS - FinPro

WHEN I KICKED THE TYRES…

Fraud losses: $0
Bad debt write-offs: $11m

Page 38: FRAUD & CYBER AWARENESS - FinPro

WHEN I KICKED THE TYRES…

Some of the bad debt was in the names of……..

• Ms Anita Bath
• Mr Rippen Youoff
• Mr Hugh Jass
• Mr R Swyper
• Mrs R Slicker
• Lord Van Hugendong

Page 39: FRAUD & CYBER AWARENESS - FinPro

PEE N LEARN

Page 40: FRAUD & CYBER AWARENESS - FinPro

CYBER CRIME

Page 41: FRAUD & CYBER AWARENESS - FinPro

WHAT IS YOUR RISK?

Page 42: FRAUD & CYBER AWARENESS - FinPro

WHY HACK / ATTACK A COUNCIL?

• Easy target
• Not a 'loved brand'
• Perceived deep pockets
• Lack of consequence if discovered
• Lacking controls compared to the private sector
• Can go undetected (poor identification methodology)
• Not a financial institution
• Data may not be lucrative or highly sensitive

Page 43: FRAUD & CYBER AWARENESS - FinPro

GOVERNMENT HACKING

• Dropped USBs and optical discs in the staff car park
• Phishing emails and malware on USB
• Follow-up through fake IT support calls

Page 44: FRAUD & CYBER AWARENESS - FinPro

OUTCOME

• 60% plugged in the USB drive (90% where it was branded with an official logo)
• 22% clicked on the URL in the phishing email
• 40% provided passwords over the phone

Page 45: FRAUD & CYBER AWARENESS - FinPro

CYBER CRIME - PROTECTIONS

• Strong IT controls (firewall, malware protection)
• Cyber risk assessment: what data is critical? Where is it located?
• Employee vigilance and awareness (i.e. not clicking links, not sharing passwords, reporting, etc.)
• Incident response plan (ICT plan)
• Restrictions/guidelines on portable devices and unsecured/unknown WiFi networks

Page 46: FRAUD & CYBER AWARENESS - FinPro

IN SUMMARY

• Ensure all staff have the knowledge, training and awareness to protect themselves and the organisation.
• Fraud risk assessments can check for gaps and what is happening.
• Remember the importance of due diligence/management overview and 'kicking the tyres'.
• Talk about fraud and cyber risks; encourage openness.
• Effective fraud and cyber prevention is about foresight. There are no prizes for hindsight….

Page 47: FRAUD & CYBER AWARENESS - FinPro

If you are yet to experience fraud, corruption or cyber incidents within your unit or organisation, is it because:

A. Your controls are fully effective in fraud prevention

B. You have an impeccably honest workforce

C. It’s happening but you just don’t know it yet…

Where are you placing your wager?

AND FINALLY

Page 48: FRAUD & CYBER AWARENESS - FinPro

WE ARE HERE TO HELP

Page 49: FRAUD & CYBER AWARENESS - FinPro

THANK YOU FOR YOUR TIME

Gavin Dyche – Manager Risk, Public Sector Victoria & Tasmania
[email protected]