Scams Involving Third-Party Payment Apps on the Rise

Throughout the COVID-19 pandemic, fraudsters have developed a broad range of insidious schemes to prey on a variety of industries and subjects. A recent spate of attacks has targeted third-party payment and money transfer phone apps, such as Venmo, Cash App, and Zelle. These apps have soared in popularity as people have been making payments from their phones instead of going to banks or handling cash.

Fraud Talk: The Rise of Cybercrime During COVID-19

In the most recent episode of Fraud Talk, the ACFE’s monthly podcast, Arpinder Singh, CFE, partner and head of India and emerging markets, Forensic & Integrity Services at EY, highlights how cybercrimes like business email compromise (BEC) scams, phishing and account takeover have risen and will continue to rise over the next year.

Cyberattacks and Cryptocurrency Predicted to be Among Largest Fraud Issues in 2018

In today’s world, it’s not uncommon to see headlines about a new instance of fraud many times a week. Whether it’s a new phishing scam targeting seniors or the arrest of a low-level employee embezzling small amounts from a local government office, most fraud-related issues are interesting to the public regardless of their profession. Since anti-fraud professionals are on the front line of fraud prevention and investigation, it’s also predictable that family and friends may turn to you for clarification of these fraud-related stories.  

Fraud Magazine: Special Case Study Issue

FROM THE PRESIDENT

James D. Ratley, CFE

The editors of Fraud Magazine know the value of a good story. They like to begin feature articles and many of the columns with case histories because they know you want illustrations of fraud examination principles in action.

We go one step further in our latest issue. Most of the feature articles are detailed analyses of case histories, including the cover article, "To snare a menace: 'Synthetic identity' fraudster stole millions."

The authors — Anthony P. Valenti, CFE, CAMS, and Stephen G. Korinko, CFE, CAMS, CPP — tell of a cyberfraudster who not only ripped off the identity of a client but created new "synthetic" guises to do it.

Fraudsters create synthetic identity persons, according to the authors, by combining real Social Security numbers with different dates of birth plus fictitious names and addresses. The combinations are endless. Law enforcement personnel now are trying to track identities that technically don't exist.

The authors' perpetrator went to extreme measures: he bought a credit reporting agency's protection service, changed the date of birth linked to the victim's account and effectively blocked the victim's access to his own credit file. The fraudster also changed the victim's telephone number and address on file, so the agency would call or write the fraudster, not the victim, whenever it detected any "unusual activity." Thus, the fraudster had an open window into the client's financial movements, and into the fraud examination, almost from the start.

Apparently, the fraudster could then unlock the credit file just before filing a fraudulent loan application, so lenders and merchants could pull the victim's credit history, then lock the file again and await responses from those merchants and financial institutions.

Ultimately, the authors write that they were able to identify the fraudster's given name (and numerous synthetic persons with multiple addresses, which the fraudster had created) by comparing the victim's actual addresses with those listed in credit reports and with fraudulent information on applications the fraudster submitted to credit card companies, retail merchants and banks.

The authors then were able to link the fraudster to other victims and crimes, which amounted to millions of dollars in losses.
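The address comparison the authors describe can be mechanized. The Python below is an added example, not the authors' own analysis or the case's data: the six application records, the SSNs (drawn from the never-issued 9xx range), names, addresses and phone numbers are all constructed, and the function names are assumptions of this example. It flags SSNs that appear with conflicting dates of birth or names (the synthetic-identity signature), lists addresses filed under the victim's SSN that the victim never lived at, and clusters applications that share a normalized address or phone number, which is how separate synthetic personas get tied back to one perpetrator.

```python
"""Added example (not from the article or the case it summarizes): link synthetic
identities built on a victim's SSN.  All records below are constructed; the SSNs use
the 9xx prefix, which the SSA never issues."""
from collections import defaultdict
import re

# Street-suffix abbreviations so "Avenue" and "Ave" compare equal.
SUFFIXES = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "COURT": "CT",
            "APARTMENT": "APT", "DRIVE": "DR"}

# Constructed application records: (record_id, ssn, name, dob, address, phone)
APPLICATIONS = [
    ("A1", "900-12-3456", "John Doe",    "1970-01-15", "12 Oak Street, Springfield, NY 10001",   "212-555-0100"),
    ("A2", "900-12-3456", "Jon Doe",     "1982-06-30", "77 Pine Ave, Apt 4, Newark, NJ 07101",   "973-555-0199"),
    ("A3", "900-12-3456", "J. Doe",      "1982-06-30", "77 Pine Avenue Apt 4, Newark NJ 07101",  "(973) 555-0199"),
    ("A4", "900-98-7654", "Maria Lopez", "1985-03-03", "77 pine ave apt 4 newark nj 07101",      "646-555-0123"),
    ("A5", "900-55-5555", "Sam Green",   "1990-12-12", "3 Elm Ct, Albany, NY 12207",             "646.555.0123"),
    ("A6", "900-11-1111", "Ann Smith",   "1975-07-07", "9 Birch Rd, Boston, MA 02108",           "617-555-0177"),
]
VICTIM_SSN = "900-12-3456"
VICTIM_ADDRESSES = {"12 Oak St, Springfield, NY 10001"}  # where the victim actually lived


def normalize_address(addr):
    """Uppercase, strip punctuation, collapse whitespace and abbreviate suffixes."""
    words = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(SUFFIXES.get(w, w) for w in words)


def normalize_phone(phone):
    """Keep digits only so formatting differences do not break matching."""
    return re.sub(r"\D", "", phone)


def synthetic_ssns(records):
    """SSNs that appear with more than one DOB or name: the synthetic-identity signature."""
    seen = defaultdict(lambda: {"dob": set(), "name": set()})
    for _, ssn, name, dob, _, _ in records:
        seen[ssn]["dob"].add(dob)
        seen[ssn]["name"].add(name.upper())
    return {s for s, v in seen.items() if len(v["dob"]) > 1 or len(v["name"]) > 1}


def foreign_addresses(records, ssn, known_addresses):
    """Addresses filed under `ssn` that are not among the victim's real addresses."""
    known = {normalize_address(a) for a in known_addresses}
    return {normalize_address(addr) for _, s, _, _, addr, _ in records
            if s == ssn and normalize_address(addr) not in known}


def link_records(records):
    """Union-find over shared address or phone; returns clusters as sorted id lists.
    SSN is deliberately not a link key: it would pull the real victim into the cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for rid, _, _, _, addr, phone in records:
        union(rid, "addr:" + normalize_address(addr))
        union(rid, "phone:" + normalize_phone(phone))
    groups = defaultdict(list)
    for rid, *_ in records:
        groups[find(rid)].append(rid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("SSNs used with conflicting identities:", synthetic_ssns(APPLICATIONS))
    print("Addresses on the victim's SSN he never lived at:",
          foreign_addresses(APPLICATIONS, VICTIM_SSN, VICTIM_ADDRESSES))
    print("Applications tied together by shared address/phone:", link_records(APPLICATIONS))
```

On the constructed data, A2 and A3 are two spellings of one persona on the victim's SSN; A4 is a different SSN at the same Newark address, and A5 shares A4's phone number, so all four land in one cluster while the victim's own application (A1) and the unrelated A6 stay separate. The same pivoting on addresses and phone numbers is what lets an examiner grow a list of victims from a single starting case.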

They connected the fraudster to the theft of $2 million from a hedge fund, fraudulent student loan applications and fraudulent receipt of veterans' benefits, among other crimes. They referred all the frauds to the U.S. Postal Inspection Service, which presented the case to the local U.S. attorney's office. (Be sure to read the interview with the inspector in charge of the New York Division of the U.S. Postal Inspection Service about synthetic identity fraud.)

The cyberfraudster received a multi-count indictment and faces mandatory jail time. Not a bad story.

Understanding and Mitigating Smartphone Risks

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees; they're now ubiquitous. Upside: simple and quick communication. Downside: smartphones are easily lost or stolen, and they're susceptible to cyberattacks through vulnerabilities in their software and configuration. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain places, such as hotels, coffee shops, airports, cars and trains, where they connect to networks the user doesn't control. Home Wi-Fi connections can be risk areas too if users don't properly secure them. An attacker who compromises the device or its network connection could access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poorly configured smartphone settings can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data, then use it as a steppingstone in a more complex attack to gain access to sensitive applications or confidential data. For example, an attacker can combine seemingly unimportant pieces of data from one device to social engineer victims into giving up the information needed to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from highest to lowest risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. If internal auditors lack the technical expertise, engage external experts with the specific skills to perform the proper tests. External experts also provide the independence needed when testing an organization's own security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long, because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to create a memorable password is to start from a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Take the first letter of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be "t@1rbfw@1pc." Bear in mind that password-cracking tools apply these same substitutions automatically, so the strength comes from the length and unpredictability of the sentence, not from the symbols.
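The sentence-to-password method and the PIN and length rules above, as an added Python example that is not the article's own code. The common-word list, the sample PINs and the function names are constructed for this example. The dictionary check undoes the "@" and "1" substitutions before comparing, because cracking tools apply the same rules, so a password like "p@ssword1" is still rejected while the article's "t@1rbfw@1pc" passes.

```python
"""Added example (not from the article): derive a password from a sentence as the
article suggests, then check PINs and passwords against its minimums plus the
weaknesses crackers exploit.  COMMON_WORDS is a constructed stand-in for a real list."""
import re

SUBS = {"a": "@", "i": "1"}                 # the article's substitutions
UNSUBS = {v: k for k, v in SUBS.items()}    # reversed, as a cracker's rule set would do
COMMON_WORDS = {"password", "acfe", "fraud", "admin", "welcome", "letmein"}  # constructed


def derive_password(sentence):
    """First letter of each word, lowercased, with a->@ and i->1 applied."""
    initials = "".join(w[0].lower() for w in re.findall(r"[A-Za-z]+", sentence))
    return "".join(SUBS.get(c, c) for c in initials)


def check_pin(pin):
    """Return a list of problems; an empty list means the PIN meets the rules."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must be digits only")
    if len(pin) < 8:
        problems.append("PIN shorter than 8 digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if pin.isdigit() and len(pin) >= 2:
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):   # 12345678 or 87654321 style
            problems.append("sequential digits")
    return problems


def check_password(pw):
    """Return a list of problems against the article's rules: length and no common words.
    Substitutions are undone first so "p@ssword" is treated as "password"."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    plain = "".join(UNSUBS.get(c, c) for c in pw.lower())
    for word in sorted(COMMON_WORDS):
        if word in plain:
            problems.append(f"contains common word '{word}' (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    sentence = "The ACFE is reducing business fraud worldwide and inspiring public confidence."
    pw = derive_password(sentence)
    print(pw, check_password(pw))
    print("p@ssword1", check_password("p@ssword1"))
    for pin in ("1234", "12345678", "00000000", "20481357"):
        print(pin, check_pin(pin))
```

The sequential and repeated-digit checks matter even for eight-digit PINs: a length rule alone still admits "12345678", which is among the first guesses any attacker tries.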

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.