Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud in a High Crime Climate. Recordings of these Webinars are available for purchase from our Website, fraudresourcenet.com. This Webinar focused on the subject in the title. FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web. FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet® LLC and White-Collar Crime 101 LLC/FraudAware.
This webinar and its material are the property of AuditNet® and FraudAware®. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided access to that recording within 5 business days after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
Please complete the evaluation questionnaire to help us continuously improve our Webinars.
You must answer the polling questions to qualify for CPE per NASBA.
Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC.
Introduction
Fraud Statistics
Auditors Role – Risk, Control and Audit
Social media fraud against individuals
Social media fraud against organizations
How E-fraudsters exploit Facebook and other social media sites to commit fraud
How to monitor social media sites for signs of criminal actions against your Organization
How to reduce your risk of fraud victimization via
According to major accounting firms, professional fraud examiners and law enforcement:
Fraud costs the world $3.5 TRILLION per year (5%). (ACFE)
Average cost for each incident of fraud is $160K (ACFE)
People who have been victims of ID theft are just as likely to be lax in securing their personal information online. Study results from identity theft victims and non-victims are identical.(Ponemon)
91% of online adults use Social Media regularly.
Social Media use has increased 356% in the US since 2006. (Source: 216 Social Media and Internet Statistics, September 2012)
Understand how social media is being used within the organization
Review social media policies
Conduct a social media risk assessment
Ensure that controls are in place to address social media risks
Records retention issue
Audit Reports
Social Media Review by Multnomah County August 2011
GAO SOCIAL MEDIA - Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate http://www.gao.gov/new.items/d11605.pdf
Social media is now embedded in our personal and business culture, and auditors need to know what the risks and controls are, how to audit this new communication tool, and also how to adapt it for use within the audit environment.
The Biggest Social Media Risk: Not Paying Attention to Social Media, according to major corporate executives
March 20, 2012
Social Media and Cloud Computing Top Internal Auditors' Technology Hot List, According to New Protiviti Research
Social media and cloud computing are top concerns – Internal audit executives and professionals recognize they must have superior knowledge and understanding of these areas and their inherent risks, and how their organizations are leveraging as well as controlling them, in order to perform their jobs at a high level and add value to the organizations they serve.
Protiviti 2012 Internal Audit Capabilities and Needs Survey
Objective—The objective of a social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies and processes.
Scope—The review will focus on governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:
Strategy and governance—policies and frameworks
People—training and awareness
Processes
Technology
Selection of the social media projects and initiatives will be based on risks introduced to the enterprise by these systems.
Social Media Audit Program — Should be a comprehensively written program to detect, implement, and monitor compliance with the laws and regulations that impact the various components of social media. It should provide written procedures to ensure compliance.
Identification of inappropriateness with social media channels and non-compliance with the Social Media Policy — The company should clearly identify what is acceptable and what is not acceptable, based on a risk assessment and the outlined rules and specifications of the Social Media Audit Program.
Prior examination/audit findings — If weaknesses were previously cited in the company’s social media examination or audit that may impact the company’s social media program, has management taken appropriate steps to institute corrective actions?
Training program(s) — Training should be tailored to address all employees.
Incident response — A formal review should be made of all alleged and/or actual incidents and how the company handled the incident.
Internal audit and annual reports — Management should regularly report on its responsiveness to cited weaknesses in the social media program.
Social Media is based on Web 2.0 and fosters the notion that people who consume media, access the Internet, and use the Web no longer passively absorb the flow of content from provider to viewer; rather, they are active contributors, helping customize media and technology for their own purposes.
One of social media’s greatest threats comes from employees who put work-related information onto social media sites—intentionally or unintentionally.
It’s all about ID theft, ID fraud, social engineering, espionage, cyber-crime and financial fraud against INDIVIDUALS and ORGANIZATIONS.
Wife of Sir John Sawers, Head of MI6, UK equivalent of CIA, posted sensitive information to her Facebook page, including the address of the couple’s London apartment and the locations of their children and Sir John’s parents. Problem: Potential national security & blackmail risk.
“John Doe” received a message from a Facebook friend which had a link to a funny video. He clicked on it. The link did not bring up a video. The friend’s profile had been hacked, and now malicious software was being downloaded onto John’s computer as a result of him clicking on the link. This software was designed to open a way for an identity thief to take personal information from John’s system. It also sent a similar E-mail to everybody he was connected with on his profile, asking them to “view the video”.
ID theft against individuals. Fraudsters use Facebook to EASILY crack your password. Most online accounts use “qualifying questions” or Knowledge Based Authentication questions and answers to verify your identity if you “forget” your password. These questions usually involve personal information, such as your kids’, other relatives’, or pets’ names or birthdays.
When fraudsters find this information on your Facebook page, they can reset your passwords and steal your identity.
Key message: Limit what you post, and lock down your privacy settings.
Social engineering: Techniques used to manipulate people into performing actions or divulging confidential information. Uses various forms of psychological trickery via numerous channels—now increasingly with social media -- to get victim to provide sensitive information or computer system access…
Pretexting: Using personal information acquired under false pretenses to commit fraud.
How it’s done: Creating and using an invented scenario (the pretext) to persuade a social media target to release information or perform an action … usually done over the telephone. More than a lie -- as it most often involves some prior research or set-up and the use of pieces of known information from a social media site (DOB, Social Security Number, last bill amount, etc.) to establish legitimacy in the mind of the target…
Pretexter/fraudsters may pose as employee from victim’s:
Bank
Utility
Merchant /Organization
Employer (co-worker)
Government agency
Landlord
Key objective: Pretexters sell your information to people who use it to get credit in your name, steal your assets, or to investigate or blackmail or sue you.
Account hijacking. Phishers imitate the Facebook E-mail template, tricking victims into believing they have received a legitimate Facebook message or notification. Once you enter your username and password into the fake Facebook web site, criminals can take over your account, pose as you, post unwanted ads, ask your friends for money, information, etc.
Self defense: Always log into your Facebook account manually, rather than going through a link in an E-mail.
Brand-jacking. IKEA scam: Fraudsters set up a phony Facebook page and marketed it to a few people, who then sent it to their friends, who sent it to their friends, to become FB “fans” in exchange for a $1,000 gift card that never came.
40,000 victims sent their personal information – became potential ID theft/fraud victims.
As they say: If it sounds too good to be true, it probably is.
Use the identity of a Facebook-friended employee to gain access to a company building:
Create a fake identity based on an employee who is not known at the office to be breached, but is still in the company’s system.
With a little creativity, a fake business card, fake company ID card from info gathered from our Facebook group, the fraudster was “in”. Given an office and full access.
Once inside, can plug into the company network, create a wireless hub to access from the outside and/or plant keyloggers or other malware onto office PCs.
Source: Steve Stasiukonis of Secure Network Technologies
“The gadgets and gizmos of the spy movies have not gone away. But today's corporate spies are more likely to trawl through Facebook pages and Twitter feeds for snippets of information they can build into valuable intelligence on a target organization.”
The Wall Street Journal, Oct. 18, 2011
Example:
Social engineering/espionage: Through social networks it was learned that a financial executive was a divorcee. Perpetrators created dummy female profile on Facebook, “friended” him and cultivated an online relationship that ended in him sharing confidential information about the company with "her".
Steal clients or potential clients by posing as a vendor and claiming to be going out of business.
Conduct phishing attacks
Intentionally pose as someone (usually a senior manager) of your organization to bad-mouth the competition. Creates a risk of your employer becoming the target of litigation.
Use your identity to harass someone you know.
They may pose as a government entity to steal data and commit new account fraud.
Pose as rival C-level executive on Facebook, LinkedIn, or Twitter, to gather marketing intelligence. Once they are “linked” or “friended,” they have access to those individuals’ contacts and inner circle.
Disgruntled employees use social media to create pseudonyms to vent frustration about their boss or company. Can result in PR nightmare.
Create blog or link to a tongue-in-cheek Web site that might be funny, but will not be funny to you.
Set up accounts with your full name and those of your company, officers, spouse and kids on the most trafficked social media sites, blogs, domains or Web based E-mail accounts. If your name is already taken, include your middle initial, a period or a hyphen. Decide whether or not to plug in your picture and basic bio, but leave out your age or birthday.
Set up a free Google Alerts for your name/company to get an E-mail every time your name pops up online.
Broaden your company’s online reputation. Blogging is best.
Objective: Try to get Google to bring your given/company/officers names to top of search in best possible light. This is a combination of online reputation management and search engine optimization (SEO) for your brand.
If you identify someone using your photo or bio in the social media, be very persistent in contacting the site’s administrators. THIS IS FRAUD! They too have reputations to manage and if they see someone using your photo or likeness they will often delete stolen profiles.
Enlist services such as Mark Monitor or other brand protection and trademark management firms.
Consider NOT outright banning employee use of Social Media at work. This often creates resentment and an incentive to find ways around the rules (via use of unprohibited sites, etc.).
Example: Marines recently banned soldiers from using social media sites such as MySpace, Facebook and Twitter.
Reasons:
1) Fear that these sites’ lack of security may allow malware to infiltrate government computers.
2) Concern about leaked military data.
Problem: Soldiers used online dating sites that weren’t prohibited. Hackers exposed personal information on military subscribers of an online dating site. Forced DOD to command military personnel not to use their military information on commercial social media sites.
Lesson: Smart usage policy works better than prohibition
Essential: Policy that regulates employee access and guidelines for appropriate behavior. Audit and IT are often best positioned to develop –and monitor– policy.
Teach effective use: Provide training on proper use and especially what not to do.
Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
Limit social network use: There are hundreds of social networks serving numerous uses, from music to movies, from friending to “hooking up”. Some are appropriate; others are not, and are even less secure. Screen and enforce “off-limit” rules. Include in company policy (including privacy).
Review Social Media Guidelines from other companies.
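The two user-facing defenses above, not following links from a notification E-mail that imitates Facebook and finding out where a shortened URL leads before clicking, can both be turned into a check that runs before anyone clicks. The script below is an added example and is not part of the webinar material or any FRN tool: it pulls the links out of a constructed sample E-mail body, flags anchor text that names one domain while the href points at another, and expands each link's redirect chain hop by hop (the way a URL lengthening service does), stopping on loops or excessive hops. The redirect table and the E-mail are constructed so the script runs offline; a live version would replace the table lookup with HEAD requests that do not auto-follow redirects and read the Location header. The trusted host is an assumption for the sample.

```python
"""Inspect links in a suspicious notification E-mail before anyone clicks them.

Added example (not from the webinar). Two checks:
  1. anchor text that looks like a domain but points somewhere else, and
  2. hop-by-hop expansion of shortened URLs so the real destination is known.
Redirects are simulated with a constructed table so this runs offline.
"""
import re
from urllib.parse import urlparse, urljoin

# Constructed sample E-mail body imitating a social-network notification.
SAMPLE_EMAIL_HTML = """
<p>You have 3 new notifications.</p>
<a href="http://short.example/xyz1">www.facebook.com</a>
<a href="https://www.facebook.com/notifications">View notifications</a>
<a href="http://loop.example/a">Click here</a>
"""

# Constructed redirect table standing in for HEAD requests:
# URL -> value of the Location header (None = final page, no redirect).
CONSTRUCTED_REDIRECTS = {
    "http://short.example/xyz1": "http://t.example/r?id=1",
    "http://t.example/r?id=1": "http://facebook-login.example.net/",
    "http://facebook-login.example.net/": None,
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html):
    """Return (anchor_text, href) pairs in document order, tags stripped from the text."""
    return [(re.sub(r"<[^>]+>", "", text).strip(), href)
            for href, text in ANCHOR_RE.findall(html)]


def host_of(url):
    """Lower-cased host of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def text_host(text):
    """If the anchor text itself looks like a URL or bare domain, return that host, else ''."""
    candidate = text if "://" in text else "http://" + text
    host = host_of(candidate)
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def expand_url(url, lookup, max_hops=10):
    """Follow the redirect chain recorded in `lookup`.

    Returns (chain, verdict) where verdict is 'resolved', 'loop' or 'too-many-hops'.
    A URL absent from the table is treated as a final page.
    """
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = lookup.get(chain[-1])
        if nxt is None:
            return chain, "resolved"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


def inspect_links(html, lookup, trusted_hosts):
    """One finding per link; an empty 'flags' list means the link looked fine."""
    findings = []
    for text, href in extract_links(html):
        chain, verdict = expand_url(href, lookup)
        final_host = host_of(chain[-1])
        flags = []
        shown = text_host(text)
        if shown and shown != host_of(href):
            flags.append(f"anchor text says {shown} but link goes to {host_of(href)}")
        if len(chain) > 1:
            flags.append(f"{len(chain) - 1} redirect(s) before the final page")
        if verdict != "resolved":
            flags.append(verdict)
        if final_host not in trusted_hosts:
            flags.append(f"final host {final_host} is not a trusted host")
        findings.append({"text": text, "href": href, "final": chain[-1], "flags": flags})
    return findings


if __name__ == "__main__":
    # Assumed trusted host for the constructed sample.
    for f in inspect_links(SAMPLE_EMAIL_HTML, CONSTRUCTED_REDIRECTS, {"www.facebook.com"}):
        status = "OK " if not f["flags"] else "BAD"
        print(f"{status} {f['text']!r:>22} -> {f['final']}")
        for flag in f["flags"]:
            print(f"      - {flag}")
```

Run as-is, the first and third links are flagged (mismatched anchor text and a two-hop redirect to a look-alike host; a redirect loop) while the link that really goes to www.facebook.com passes. The point for a policy is the habit the script encodes: judge a link by where it finally lands, never by the text it shows.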
Train IT personnel: Effective policies begin from the top down. IT must be up to speed. May need to coordinate with Internal Audit to monitor social media use.
Critical: Managers and employees must never post work-related information without authorization, or post work-related information on personal pages.
Maintain updated security: Whether hardware or software, A-V or critical security patches, make sure you are up-to-date.
Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings are often invitations to hackers.
Fraud investigators increasingly use social networks to gather public evidence of misconduct (see below). Illinois and Maryland prohibit employers from requiring employees to provide social media account passwords. But loopholes may still enable employer access to employee accounts. Caution: Conduct social media investigation only after consulting a qualified attorney. Some laws also forbid “friending” if you are doing it for investigative purposes. The law is in flux and can be tricky.
Example: Courts have ruled that lawyers or investigators working for them cannot “friend” a suspect already represented by counsel.
Outright banning of social media sites by employees is the most effective way to minimize the many SM risks threatening your organizations.
A. True
B. False