In today’s world, it’s not uncommon to see headlines about a new instance of fraud many times a week. Whether it’s a new phishing scam targeting seniors or the arrest of a low-level employee embezzling small amounts from a local government office, most fraud-related issues are interesting to the public regardless of their profession. Since anti-fraud professionals are on the front line of fraud prevention and investigation, it’s also predictable that family and friends may turn to you for clarification of these fraud-related stories.
FROM THE PRESIDENT
James D. Ratley, CFE
The editors of Fraud Magazine know the value of a good story. They like to begin feature articles and many of the columns with case histories because they know you want illustrations of fraud examination principles in action.
We go one step further in our latest issue. Most of the feature articles are detailed analyses of case histories, including the cover article, "To snare a menace: 'Synthetic identity' fraudster stole millions."
The authors — Anthony P. Valenti, CFE, CAMS, and Stephen G. Korinko, CFE, CAMS, CPP — tell of a cyberfraudster who not only ripped off the identity of a client but created new "synthetic" guises to do it.
Fraudsters create synthetic identity persons, according to the authors, by combining real Social Security numbers with different dates of birth plus fictitious names and addresses. The combinations are endless. Law enforcement personnel now are trying to track identities that technically don't exist.
The authors' perpetrator went to extreme measures — he bought a credit reporting agency's protection service, changed the date of birth linked to the victim's account and effectively blocked the victim's access to his credit file. The fraudster changed the victim's telephone number and address so that the agency would call or write the fraudster whenever it detected any "unusual activity." Thus, the fraudster had an open window into the client's financial movements and the fraud examination almost from the start.
Apparently, the fraudster could now unlock the credit history just before filing a fraudulent loan application so merchants could access his credit history, then lock the account and await responses from those merchants and financial institutions.
Ultimately, the authors write that they were able to identify the fraudster's given name (and numerous synthetic persons with multiple addresses, which the fraudster had created) by comparing the victim's actual addresses with those listed in credit reports and with fraudulent information on applications the fraudster submitted to credit card companies, retail merchants and banks.
The authors then were able to link the fraudster to other victims and crimes, which amounted to millions of dollars in losses.
They connected the fraudster to the theft of $2 million from a hedge fund, fraudulent student loan applications and fraudulent receipt of veterans' benefits, among other crimes. They referred all the frauds to the U.S. Postal Inspection Service, which presented the case to the local U.S. attorney's office. (Be sure to read the interview with the inspector in charge of the New York Division of the U.S. Postal Inspection Service about synthetic identity fraud.)
The cyberfraudster received a multi-count indictment and faces mandatory jail time. Not a bad story.
Nikola Blagojevic, CFE, CISA
In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."
Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:
- Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
- User identification and passwords (to emails, social networks, etc.).
- Mobile applications that record PII.
- Geolocation data about the smartphone user.
Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.
So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.
Understanding and mitigating the risks
The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:
- Data leakage resulting from device loss or theft.
- Unintentional disclosure of data.
- Attacks on decommissioned smartphones.
- Phishing attacks.
- Spyware attacks.
- Network spoofing attacks.
- Surveillance attacks.
- Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
- Financial malware attacks.
- Network congestion.
We can use these risks (listed from high to lower risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.
Here are various measures that can help reduce the risks associated with mobile devices:
- Encrypt mobile devices.
- Regularly update mobile devices' applications and operating systems.
- Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)
Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.
Managing Partner of Martin Kenney & Co., Solicitors
The answer to the failure to prosecute more than one in 100 cases of fraud may lie in civil investigations
The Times recently reported that U.K. police forces were struggling to deal with a wave of online fraud cases.
Fewer than one in 100 cybercrimes were being followed up, it said, with many of those having originated overseas.
“The scale of offending is so great that officers rely on a computer program to assess whether cases are worth following up,” wrote journalist Andrew Ellson.
It’s not surprising that the police are coming under pressure and being criticised. Our teams have long experience in the fields of law enforcement and investigative work, and these types of crimes are notoriously difficult to prosecute. They require complex investigations which are reliant upon technical expertise – expertise often outside the normal policing skills toolkit – and many are perpetrated by foreign gangs operating in overseas jurisdictions.
Although the U.K. is expanding its cybercrime fighting capabilities, cross-jurisdictional issues can see investigations stagnate. Requests for overseas assistance get bogged down in diplomatic channels, allowing the culprits ample time to cover their tracks, move money and evade justice.
As a specialised asset recovery and retrieval law firm focusing on fraud cases, we have proposed to police here the possibility of using the private sector, which would allow asset-recovery experts such as ourselves, and partner liquidation experts, to assess whether civil recovery may be possible and cost-effective. Without that option, we know that many victims will be left feeling frustrated and disappointed at the lack of action on their behalf.
Our proposal may be in its infancy, but it’s clear authorities are being inundated with fraud. Thanks to austerity cuts, police are unable to investigate crimes which, historically, they might have tackled. Although the National Crime Agency and some of the regional policing units do embark on civil recoveries when the targets are out of the reach of normal criminal prosecution, it’s still only a small percentage of all such crimes.
For a civil route to become viable, losses need to be significant before an investigation becomes cost-effective. However, some frauds involve multiple victims who yield comparatively small sums, but when added together these can become a significant illicit gain for the fraudster. The question for police is this: would it be better to relieve the culprits of their ill-gotten gains through the civil courts or simply turn a blind eye due to the unlikelihood of a criminal prosecution?
I believe that many victims would rather see some of their monies returned, even if legal fees had to be paid, than know the culprits were able to enjoy the high-life on the back of the entirety of their loss.
It must be remembered that the majority of these offences are committed by organised crime groups involved in all sorts of other serious crimes (human trafficking, drug trafficking and even the funding of terrorism). Anything we can do to frustrate their activities should be welcomed.
Martin Kenney is Managing Partner of Martin Kenney & Co., Solicitors, a specialist investigative and asset retrieval practice focused on multi-jurisdictional fraud cases. www.martinkenney.com | @MKSolicitors
SPECIAL TO THE WEB
Scott Swanson, CFE
It’s easy for us, as armchair analysts, when we hear about daily data breaches, to point our fingers and poke holes in the ways institutions fail to mitigate risk and threats of data loss and leakage. Take, for example, the sophisticated cyberattack on CareFirst BlueCross BlueShield (CareFirst) on May 20. According to the article, CareFirst Announces Cyberattack; Offers Protection for Affected Members, on the CareFirst website, the attackers gained limited, unauthorized access to a single CareFirst database. The company discovered the breach as part of its ongoing IT security efforts in the wake of recent cyberattacks on health insurers.
According to the article, CareFirst engaged a cybersecurity firm to conduct an end-to-end examination of its IT environment. Evidence suggested that attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers.
In truth, staffs within most IT security and compliance departments are diligent in their roles — they do the best they can with what they have. I believe that information security should have a place in IT. But IT shouldn’t hold the reins of information protection and investigation; if it does, perhaps anti-fraud experts can help.
IS A CYBERBREACH ACTUALLY CYBERFRAUD?
Right now, fraud examiners should be licking their chops. Fraud, by its nature, includes any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means (2015 Fraud Examiners Manual, 2.201). Similarly, theft is when someone takes something from another without consent. A fraudster’s main objective is to hide the act even after the act is completed. This is also the objective of many data breachers. The acts are largely unknown before and after penetration. The intent is to steal … by means of fraud.
Look at Target, Sony, Home Depot, OPM, etc. In most cyberbreach cases, the incidents are identified long after the penetration and the thieves have absconded with the targeted data.
When I perform periodic testing as a risk consultant to commandeer information and breach controls, I find my pathway in most cases through ruses that will enable me access — technologically, physically or by human shortcomings. Here are some examples of how a cybercriminal might gain access to secure information in these three ways:
- Obtain a network or access password by asking an employee.
- Spear phish to feign a trusted co-worker or site to trick the individual into logging into a trap-identity capture. For example, recreate a LinkedIn invitation in an email with an authentic look and feel of the actual website that grabs the user’s name and password when they believe they’re logging in to the invitation.
- Gain access to an unattended device or endpoint (i.e., desktop computers and devices such as laptops, smartphones and tablets) that an employee left on a desk or counter during office hours. When employees leave their systems unattended and fail to log off, passersby can access information that isn’t password protected.
- Enter a facility without authorization by picking the lock or by entering through unlocked doors and other unrestricted access points. Or a fraudster can simply enter while a thoughtful person holds the door open as they both enter the building.
- Steal hard-copy information that’s unattended such as paper forms, bills and customer information near printers, fax machines and in unlocked garbage containers.
- Peer over employees’ shoulders while they access private content, read information lying in the open or access files that aren’t locked away to see unsecured information.
- Failure to comply with policies and procedures. Most policies and procedures exist as rules on a form that’s either in some nebulous manual or on a database for employees. Without carefully implementing policies and procedures in alignment with natural, daily activities, most employees won’t think about the controls unless they’re culturally ingrained.
- Failure to create adequate controls. Organizations create controls to minimize activities that could create undue risk. However, risks are always changing and not all controls are sustainable, if indeed they were properly created in the first place.
- Failure to identify and plan against dynamic risks, threats and vulnerabilities. Most risk assessments are a snapshot in time, yet organizations often don’t periodically reassess them to identify changes and indicators of adverse events.
Regulatory authorities and directives, such as the ones governing the Health Insurance Portability and Accountability Act of 1996, mandate that organizations need to protect information with technology, physical security and appropriate functional controls. Now, if information protection falls under IT, are companies really using the best resources to cover physical security and processes that fall outside of computer or device-based controls, such as business procedures? Probably not because the key loophole is usually human behavior. That’s a corporate risk and security issue, and it’s also a legal and human resources problem. The fact that the mechanism might have used technology shouldn’t drive “ownership” of the problem to IT. So who can transcend all of these business units? A properly trained fraud examiner.
Read the full article on Fraud-Magazine.com.