Download Fraud - University of Wisconsin–Parkside: Computer Science

yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
The Environment of Fraud
Preventing Internal Fraud
External Fraud
Material is from:
 Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
 The Art of the Steal, Frank Abignale, Broadway Books, 2001
 CISA Review Manual, 2009
 Check Fraud: A Guide to Avoiding Losses
 The Art of Deception, Mitnick & Simon, Wiley & Sons, 2002
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.
The Problem
Internal Fraud Recovery
$0 Recovered
Substantial Recovery
Organizations lose 5-6%
of revenue annually due
to internal fraud = $652
Billion in U.S. (2006)
Average scheme lasts 18
months, costs $159,000
25% costs exceed $1M
Smaller companies suffer
greater average $ losses
than large companies
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Internal or Occupational Fraud
 Violates the employee’s fiduciary
responsibility to employer
 Is done secretly and is concealed
 Is done to achieve a direct or indirect
 Costs the organization assets, revenue, or
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud Categories
% of Cases,
$ Average
Asset Misappropriation
Theft of checks, cash, money orders, inventory, equipment,
supplies, info
Bribe to accept contractor bid or Kickback, Collusion, Bid
Extortion: threat of harm if demand not met;
False Billing: Providing lower quality, overcharging
Conflict of interest in power decision
Corporate espionage: Sell secrets
Bribery &
Revenue Overstatement: False sales
Understating Expenses: Delayed or capitalization of
Overstating Assets: No write down of uncollectable
accounts, obsolete inventory, …
Understating Liabilities: Not recording owed amounts
Misapplication of Accounting Rules, etc.
Skimming: Taking funds before they are recorded into company
Cash Larceny: Taking funds (e.g., check) that company recorded as
going to another party
Lapping: Theft is covered with another person’s check (and so on)
Check Tampering: Forged or altered check for gain
Shell Company: Payments made to fake company
Payroll Manipulation: Ghost employees, falsified hours, understated
leave/vacation time
Fraudulent Write-off: Useful assets written off as junk
Collusion: Two or more employees or employee & vendor defraud
False Shipping Orders or Missing/Defective Receiving Record:
Inventory theft
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Legal Considerations of Fraud
Intentionally false representation
 Not
an error
 Lying or concealing actions
 Pattern of unethical behavior
Personal material benefit
 Organizational or victim loss
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Key Elements of Fraud
Motivation: Need or
perceived need
Opportunity: Access
to assets,
computers, people
Justification for
3 Key
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
How Fraud is Discovered
How Fraud is Discovered
By Accident
Internal Audit
External Audit
Notified by
Some fraud is discovered via multiple reporting methods,
Thus results do not sum to 100%
Tips come from Employee 64%, Anonymous 18%, Customer 11%, Vendor 7%
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
After Fraud Discovered
Discipline May include
of Employment
Civil or Criminal
legal action
Why Fraud not Reported to Law Enforcement
Fear of bad publicity
Internal discipline
Private settlement
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Too costly to pursue
Who Does Fraud?
Most $$$ internal frauds committed by longer-tenured,
older, and more educated staff
Executives commit most expensive fraud: $1M
Men & women commit fraud in nearly equal proportions,
but men’s are more expensive:
4.5 times more expensive than managers: $218K
13 times more expensive than line employees
Men’s average: $250k (or 4x)
Women’s average: $120k
92% have no criminal convictions related to fraud
To steal a lot of money, you must have a position of
power and access: highly degreed > HS grad, older >
younger people
Collusion dramatically increases duration and $ loss for
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Discussion Points
What types of fraud could computer
programmers or system administrators
 For each type of fraud, what methods may
help to prevent such fraud?
Example 1:
Financial Statement Fraud
Dunlap of Sunbeam had such high
expectations that employees needed to
meet the standards or be fired. To meet
his high standards, it was necessary to
play the game, and financial statement
fraud was accepted.
Methods of such fraud may include: manual
adjustments to accounts or improper
accounting procedures
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Example 2: Corruption
The Chief Financial Officer had divisional
controllers who oversaw various regions.
When one controller left, the CFO
permanently took over her responsibilities.
Checks and balances between the two
positions were violated, and the CFO was
able to embezzle from the company.
Temporary assumption of some
responsibilities may have been acceptable
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Example 3:
Asset Misappropriation
A manager took money from one account,
and when payment was due, paid via
another account. When that was due, she
paid via a third account, etc.
This lapping went on for years and was
finally caught when a sickness resulted in
her being absent from work for an
extended period.
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Detecting &
Preventing Fraud
How to Recognize Fraud
How to Prevent Fraud
Info. Systems Applications
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud & Audit
Audits are not designed to detect fraud
Goal: Determine whether the financial statement
is free from material misstatements.
Auditors test only a small fraction of transactions
Auditors must:
 Be
aware of the potential of fraud
 Discuss how fraud could occur
 Delve into suspicious observations and report them
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Red Flags
Significant change in lifestyle: New wealth
Financial difficulties may create need
 Gambling
or drug addiction
 Infidelity is an expensive habit
Criminal background
Chronic legal problems: person looks for trouble
Dishonest behavior in other parts of life
Beat the system: Break rules commonly
Chronically dissatisfaction with job
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Work Habits of Fraudsters
One or more:
 Justifying poor work habits
 Desperately trying to meet performance
 Over-protective of certain documents
(poor sharing or avoids documentation)
 Refusal to swap job duties
 Consistently at work in off-time (early or
late) or never absent
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Potential Transaction Red Flags
Unusual transactions:
 Unusual timing, too frequent or infrequent
 Unusual amount: too much or too little
 Unusual participant: involves unknown or
closely-related party
 Voided checks or receipts, with no explanation
 Insufficient supervision
 Pattern of adjustments to accounts
 Different addresses for same vendor, or vendors
with similar names
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Fraud Control Types
After Fraud
Fix problems
and prevent
future problems
Amend controls
Time of
Detective Controls:
Finding fraud when it
Anonymous hotline*->
Surprise audits*->
Monitoring activities->
Complaint or fraud
Before Fraud:
Preventive Controls**:
Preventing fraud
Risk assessment
Develop internal controls
Physical security & data security
Authorization (Passwords, etc)
Segregation of duties
Fraud education
Techniques to Discourage Fraud
Realistic job expectations
Adequate pay
Motivation Training in job duties
Segregation of duties
Checks and balances Opportunity
Job rotation
Physical security of assets
Background checks
Mandatory vacations
Examination of required documentation
Trained in policies
and procedures
Rationalization Policy enforcement
Sr. Mgmt models
ethical behavior
to customers, vendors,
employees, share
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Segregation of Duties
Acts on
CISA Review Manual 2009
Compensating Controls
When Segregation of Duties not possible, use:
 Audit Trails
 Transaction Logs: Record of all transactions in a
 Reconciliation: Ensure transaction batches are not
modified during processing
 Exception reporting: Track rejected and/or
exceptional (non-standard) transactions
 Supervisory or Independent Reviews
Separation of duties: authorization, distribution,
CISA Review Manual 2009
Software to Detect Fraud
Provide reports for customer credits, adjustment
accounts, inventory spoilage or loss, fixed-asset writeoffs.
Detect unusual anomalies such as unusual amounts or
Compare vendor addresses and phone numbers with
employee data
Use Range or Limit Validation to detect fraudulent
Logged computer activity, login or password attempts,
data access attempts, and geographical location data
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Red flags software can detect
Out-of-sequence checks
Large number of voids or refunds made by
employee or customer
Manually prepared checks from large company
Payments sent to nonstandard (unofficial)
Unexplained changes in vendor activity
Vendors with similar names or addresses
Unapproved vendor or new vendor with high
Essentials of Corporate Fraud, T L
Coenen, 2008, John Wiley & Sons
Encourage Security in IT
Physical security
Segregation of duties
Employee monitoring
Surprise audits
Job rotation
Examination of
Business Application Checks
Checks locked up; access restricted
 Physical inventory of checks at least every
 New accounts payable vendors’ existence
and address double-checked by
 Returned checks sent to PO Box and
evaluated by someone independent of
Accts Payable
The Art of the Steal, Frank Abignale,
Broadway Books 2001
What is the MOST effective means of
preventing fraud?
1. Effective internal controls
2. Fraud training program
3. Fraud hotline
4. Punishment when fraud is discovered
A woman in the accounting department set up a
vendor file with her own initials, and was able
to steal more than $4 M after 3 years. The
auditor should have found that:
The vendor was a phony company
Purchases from the vendor did not result in
inventory received
The initials for the vendor matched an
employee in the accounting dept.
Management did not authorize new vendors
with a separate phone call
What is: Origination, Authorization, Distribution,
Four stages of software release
Recommended authority allocations for access
Stages for development of a Biometric Identity
Management System (BIMS)
Categories for Segregation of Duties
External Fraud
Social Engineering
Check Fraud
Other Scams
From: The Art of the Steal, Frank
Abignale, Broadway Books 2001 &
Check Fraud: A Guide to Avoiding
Social Engineering I
 The first 500 people to register at our Web site will win
free tickets to …
 Please provide company email address and choose a
You received a message from Facebook. Follow this
link … log in.
Social engineering: Getting people to do something they
would not ordinarily do for a stranger
Social engineering is nearly 100% effective
The Art of Deception, Mitnick & Simon,
Wiley, 2002
Social Engineering II
Telephone call from ‘IT’:
 Some company computers have been
infected with a virus that the anti-virus
software cannot fix. Let me walk you
through the fix…
 We need to test a new utility to change
your password…
Social Engineering III
Phone call 1:
 “I had a great experience at your store. Can you tell me
manager’s name, address?”
Phone call 2:
 “This is John from X. I got a call from Alice at your site
wanting me to fax a sig-card. She left a fax number but I
can’t read it can you tell me? What is the code?
 “You should be telling me the code…”
 “That’s ok, it can wait. I am leaving but Alice won’t get
her information…”
 “The code is … “
Phone call or fax 3:
 “I need … Code is …”
Social Engineering Techniques
Learns insider vocabulary and/or personnel
Pretends legit insider: “I am <VP, IT, other
branch, other dept>. Can you …?”
Pretends real transaction:
 Helping:
I am in trouble <or> you need help due to …
 <My,Your> computer is <virused, broke, busy, don’t
have one>. Can you <do, tell me> …?
 Deception: Hides real question among others.
Establishes relationship: Uses friendliness to
gain trust for future tasks
The Art of Decption, Mitnick & Simon,
Wiley 2002
Combating Social Engineering
Verification Procedure
 Verify requester is who
they claim to be
 Verify the requester is
currently employed in the
position claimed.
 Verify role is authorized
for request
 Record transaction
Organization security
 Data classification
defines treatment
 Policies define guidelines
for employee behavior
 Employees trained in
roles, need-to-know, and
Fraud Statistics
Businesses lose $400 Billion a year in fraud = 2
x US military budget
1/3 of $400B is embezzlement = employees
stealing from employer
Next highest sources (KPMG 2000)
 Check
 Credit cards
 Fake invoices
 Theft
$350 Billion for counterfeit goods
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Check Fraud Examples
Altered Checks: Chemicals are used to erase the payee or amount,
then re-printed OR check is appended to.
 An Argentinian modified a ticket-overpayment refund check from
Miami, changing a $2 check to $1.45 Million
Counterfeit Checks or Identity Assumption
 Someone in your checkout line views your check, or does yard work
for you
 Fishes in a business’s in-mailbox or home’s out-mail for a check
 Checks can be purchased on-line or mail order
Telemarketing Fraud:
 “You’ve won a prize” or “Would you like to open a VISA?” “Now give
me your account information.”
Hot Check: “Insufficient Funds”
 90% of ‘insufficient funds’ checks are numbered between 101 and
 account opening year is printed on check
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Be Careful Printing Checks!
Paychecks & Accounts Payable should not be printed on
blank check paper
Laser printer is non-impact (ink does not go into paper
but sits on top)
Matrix printer puts ink into the paper
Easy to remove printing
‘Laser Lock’ or ‘Toner Lock’ seals laser printing
Chemical ‘washing’ removes the print
Good Practices
Use larger printing: 12 font
Reverse toner in software: white on black
Control check stock and guard checks
Check your bank statements – you have 30 days
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Check Security Features
Watermark: Subtle design viewable at 45-degree angle toward
light. Cannot be photo-copied
Void Pantograph: Background pattern of checks. When photocopied, the background patter disappears or prints ‘VOID’
Chemical Voids: When check is treated with eradicator
chemical, the word VOID appears
Microprinting: When magnified, the signature or check border
appears to be written words. The resolution is too fine for a
3-Dim. Reflective Holostripe: Metallic stripe contains at least
one hologram, similar to credit card.
Security ink: React to eradication chemicals, distorting check
Thermochromic Ink: Ink reacts to heat and moisture by fading
and reappearing
Check Fraud: A Guide to Avoiding
Processing Money Orders
Money order information provides info on
a ready checking account
 Non-negotiable incoming wire account
prevents out-going checks
I would like to send you a
money order. What is your
account number?
The Art of the Steal, Frank W Abagnale,
Broadway Books, 2001
Fraud Scams
Get a receipt from the trash, ‘return’ a product
Copy gift certificate and cash in at multiple
Markdown sale prices reimbursed with receipt –
copied and collected at multiple locations
Fake UPC numbers to pay low prices then return
at higher price. If receipt total is sufficient, scam
may work.
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Preventing Scams
Receipts must have security marks on them (e.g., twocolored ink on special paper, or better: thermochromatic
Line-item detail on receipts and sales records in
company database
Garbage bins which may receive receipts should be
protected from access (e.g., bank garbage bins)
Register gift certificates – unique numbers
Shredders should be used for any sensitive information
Protect against shoulder surfing or device attachment for
card readers
The Art of the Steal, Frank W Abagnale,
Broadway Books 2001
Study Questions
What are the key elements of fraud, and what
techniques can be used to counteract these key
What are the three categories of fraud?
What are the legal considerations of fraud?
Who commits fraud, and who commits the most
expensive fraud?
What are the red flags of potential fraud?
How does social engineering occur, and how can it be
Apply the concept of segregation of duties.