1. Fraud
The Environment of Fraud
Preventing Internal Fraud
External Fraud
2. Acknowledgments
Material is from:
Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
The Art of the Steal, Frank Abagnale, Broadway Books, 2001
CISA Review Manual, 2009
Check Fraud: A Guide to Avoiding Losses
The Art of Deception, Mitnick & Simon, Wiley & Sons, 2002
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers:
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
3. The Problem (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Organizations lose 5-6% of revenue annually to internal fraud = $652 Billion in the U.S. (2006)
Average scheme lasts 18 months, costs $159,000
25% costs exceed $1M
Smaller companies suffer greater average $ losses than large companies
4. Internal or Occupational Fraud Definition (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Violates the employee's fiduciary responsibility to the employer
Is done secretly and is concealed
Is done to achieve a direct or indirect benefit
Costs the organization assets, revenue, or opportunity
5. Fraud Categories
Examples:
Collusion is when two employees work together to defraud the system. Perhaps neither has the permissions alone, but together they do.
Conflict of Interest: In government we see this: industry lobbyists head up a government department that enforces government policy. In business, a person hires his relative without comparing against other vendors.
Corporate espionage: Example: It has been reported that one ivy-league college hacked in to determine what another was doing relative to offering incoming freshman acceptances.
Financial Statement Fraud: Accounts are often modified to make income look high (for stock prices) or low (for tax purposes). These modifications can occur via account adjustments, entered or requested at a high managerial level.
Does anyone see what a computer scientist can do about this? Not yet? Keep thinking.
6. Vocabulary (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Skimming: Taking funds before they are recorded in company records
Cash Larceny: Taking funds (e.g., a check) that the company recorded as going to another party
Lapping: Theft is covered with another person's check (and so on)
Check Tampering: Forged or altered check for gain
Shell Company: Payments made to a fake company
Payroll Manipulation: Ghost employees, falsified hours, understated leave/vacation time
Fraudulent Write-off: Useful assets written off as junk
Collusion: Two or more employees, or employee & vendor, defraud together
False Shipping Orders or Missing/Defective Receiving Record: Inventory theft
Lapping: An employee steals money from account A, then moves money from account B to A, then moves money from C to B, and continually does this to hide the stolen money.
Shell Company: An employee creates a company, DFloss, with a postal code and simply charges money to the account on a regular basis.
What can be done from a CS (programming) perspective for any of these?
7. Legal Considerations of Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Intentionally false representation
Not an error
Lying or concealing actions
Pattern of unethical behavior
Personal material benefit
Organizational or victim loss
8. Key Elements of Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Motivation: Need or perceived need
Opportunity: Access to assets, information, computers, people
Rationalization: Justification for action
Rationalization seems to have deteriorated in recent years. Many years ago people would apologize for stealing money to save their mother. Now they think that the company should have paid them more and offer no apology.
9. How Fraud is Discovered (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
This really goes to show that tips are a very important means of detecting fraud. Thus it is very important to have a means to report fraud anonymously.
Audit is not a good means of detecting fraud, because an audit simply checks that procedures are defined and followed. Procedures need to be defined and followed to prevent fraud, and that is how audit can help.
10. After Fraud Discovered (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
The top arrow shows the range of actions that may occur as a result of detecting fraud.
The bottom graph shows why fraud is not often reported.
11. Who Does Fraud? (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Most $$$ internal frauds are committed by longer-tenured, older, and more educated staff
Executives commit the most expensive fraud: $1M
4.5 times more expensive than managers: $218K
13 times more expensive than line employees
Men & women commit fraud in nearly equal proportions, but men's are more expensive:
Men's average: $250k (or 4x)
Women's average: $120k
92% have no criminal convictions related to fraud
To steal a lot of money, you must have a position of power and access: highly degreed > HS grad, older > younger people
Collusion dramatically increases duration and $ loss for fraud
Above: Highly degreed people steal more money than HS grads; older people steal more money than younger people.
In The Art of the Steal, a study by the Assoc. of Certified Fraud Examiners in 2000 said that men's average was 4x women's average, that post-graduate degrees were 5x more than high school graduates, and that 60+ year olds' fraud was 28x more than 25 and under. These results vary from what is on this slide.
Both results show that the more a fraudster has access to, the more they will steal. Thus managers tend to defraud in the largest amounts.
12. Discussion Points
What types of fraud could computer programmers or system administrators commit?
For each type of fraud, what methods may help to prevent such fraud?
Systems analysts can ensure that segregation of duties is implemented via the software. (Introduced later)
Also, it should be clear who performs all transactions: transactions should be logged.
Transactions could be validated. We will see more on this later too.
13. Example 1: Financial Statement Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Dunlap of Sunbeam had such high expectations that employees needed to meet the standards or be fired. To meet his high standards it was necessary to play the game, and financial statement fraud was accepted.
Methods of such fraud may include manual adjustments to accounts or improper accounting procedures.
How can a computer scientist prevent this? What types of reports could highlight this?
14. Example 2: Corruption (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
The Chief Financial Officer had divisional controllers who oversaw various regions. When one controller left, the CFO permanently took over her responsibilities. Checks and balances between the two positions were violated, and the CFO was able to embezzle from the company.
Temporary assumption of some responsibilities may have been acceptable.
How can computer scientists prevent this?
15. Example 3: Asset Misappropriation (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
A manager took money from one account, and when payment was due, paid via another account. When that was due, she paid via a third account, etc.
This lapping went on for years and was finally caught when an illness resulted in her being absent from work for an extended period.
How can computer scientists prevent this? Consider what types of reports could have found this.
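The lapping scheme in this example (and as defined on the Vocabulary slide) leaves a trace in the receipts ledger: money from one customer keeps being credited to a different customer's account, and the misapplied postings chain together. The Python below is an added example, not code from the course or from Coenen's book; the `Receipt` fields, the customer letters, the clerk names and the amounts are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    payer: str      # customer named on the check or remittance advice
    credited: str   # customer account the clerk actually credited
    amount: float
    clerk: str


# Constructed sample ledger (not real data). Clerk "lee" pocketed customer A's
# payment, then covered A's balance with B's check, B's with C's, and C's with D's.
RECEIPTS = [
    Receipt("R100", "A", "A", 400.0, "pat"),
    Receipt("R101", "B", "A", 500.0, "lee"),
    Receipt("R102", "E", "E", 250.0, "pat"),
    Receipt("R103", "C", "B", 500.0, "lee"),
    Receipt("R104", "D", "C", 500.0, "lee"),
    Receipt("R105", "F", "F", 125.0, "lee"),
]


def misapplied_receipts(receipts):
    """Report 1: every receipt credited to an account other than the payer's."""
    return [r for r in receipts if r.credited != r.payer]


def misapplied_by_clerk(receipts):
    """Report 2: how many misapplied postings each clerk made."""
    return Counter(r.clerk for r in misapplied_receipts(receipts))


def lapping_chains(receipts, min_hops=2):
    """Report 3: follow misapplied postings from account to account.
    A chain A <- B <- C means B's money covered A and C's money covered B,
    which is the lapping pattern; a single isolated mispost is more often
    a clerical error, so only chains of at least `min_hops` are reported."""
    covered_by = {}  # credited account -> payer whose money was used
    for r in misapplied_receipts(receipts):
        covered_by[r.credited] = r.payer  # assumes one cover per account in this sample
    payers_used = set(covered_by.values())
    chains = []
    for start in covered_by:
        if start in payers_used:  # not the head of a chain
            continue
        chain = [start]
        # stop at the end of the chain or if the postings loop back on themselves
        while chain[-1] in covered_by and covered_by[chain[-1]] not in chain:
            chain.append(covered_by[chain[-1]])
        if len(chain) - 1 >= min_hops:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for r in misapplied_receipts(RECEIPTS):
        print(f"{r.receipt_id}: {r.payer}'s money credited to {r.credited} by {r.clerk}")
    print("misapplied postings by clerk:", dict(misapplied_by_clerk(RECEIPTS)))
    print("lapping chains:", lapping_chains(RECEIPTS))
```

A report like this depends on the payer being captured independently of the account the clerk credits (for example from the remittance advice or lockbox data), which is itself a small segregation of duties: the person posting receipts should not be the only source of who paid.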
16. Detecting & Preventing Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
How to Recognize Fraud
How to Prevent Fraud
Info. Systems Applications
17. Fraud & Audit (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Audits are not designed to detect fraud
Goal: Determine whether the financial statement is free from material misstatements.
Auditors test only a small fraction of transactions
Auditors must:
Be aware of the potential for fraud
Discuss how fraud could occur
Delve into suspicious observations and report them
If procedures are proper and people follow procedures (and in fact if collusion is needed to implement fraud), then auditors can help to prevent future fraud. But rarely do they detect fraud done in the past: there are too many transactions to verify each one.
However, as we shall see, there are red flags that can cause an auditor to consider fraud closely.
18. Red Flags (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Fraudsters tend to exhibit the following characteristics:
Significant change in lifestyle: New wealth
Financial difficulties may create need
Gambling or drug addiction
Infidelity is an expensive habit
Criminal background
Chronic legal problems: person looks for trouble
Dishonest behavior in other parts of life
Beat the system: Breaks rules commonly
Chronic dissatisfaction with job
19. Work Habits of Fraudsters (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
One or more:
Justifying poor work habits
Desperately trying to meet performance goals
Over-protective of certain documents (poor sharing or avoids documentation)
Refusal to swap job duties
Consistently at work in off-time (early or late) or never absent
Some fraudsters can't afford to take any time off, because their scheme must be continually maintained (think lapping). In these cases, fraud may be detected by forcing people to take vacations or by doing job rotation.
20. Potential Transaction Red Flags (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Unusual transactions:
Unusual timing: too frequent or infrequent
Unusual amount: too much or too little
Unusual participant: involves an unknown or closely-related party
Voided checks or receipts, with no explanation
Insufficient supervision
Pattern of adjustments to accounts
Different addresses for the same vendor, or vendors with similar names
Computer scientists can program reports to find some of these. Also, they can ensure that transactions look normal, and if they don't, require proper authorization from a boss. By being aware of how fraud occurs, systems can be developed to reduce the potential for fraud.
21. Fraud Control Types
The three types of security controls are Preventive, Detective, and Corrective. They relate to when the fraud is found.
Preventive Controls are most important, because the fraud does not occur in the first place. Thus prevention is better than detecting or correcting fraud (and fraud is rarely corrected anyway).
*An anonymous hotline finds the most fraud, and internal audits (surprise audits) are the third leading means of finding fraud. Some Detective and Corrective Controls also serve as Preventive Controls, as indicated by arrows ->.
22. Techniques to Discourage Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Do you remember the three elements of fraud? They are opportunity, rationalization, and motivation. This looks at preventing fraud by making each of the elements unlikely to occur.
Motivation: A desperate person may defraud to keep their job. Or an untrained person will do whatever they can to keep their job.
Rationalization: Training is important. If people know the rules (the rules are explicit), they are less likely to break them.
23. Segregation of Duties (CISA Review Manual 2009)
No one person can both deliver the service and take the money, with the potential of stealing or falsifying sales.
Consider a Movie Theater:
Origination: The person who sells you the ticket
Distribution: The person who lets you into the theater
Authorization: Ticket sales of a certain unusually large amount may require manager approval
Verification: Was this done correctly?
Authorization: Someone charges on VISA. VISA validates that yes, this VISA account is good.
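One way a systems analyst can build the four segregation-of-duties categories into the software itself, as an added example that is not part of the course or the CISA manual: each stage of a transaction must be performed by a different person whose role permits that stage, the stages happen in order (authorization only when the amount requires it), and every step is logged with who did it. The stage names are the slide's; the `APPROVAL_LIMIT`, the role tables and the user names are constructed assumptions. The `CFO_ROLES` table reproduces the Example 2 situation, one person permanently holding two stages, and shows that the transaction-level check still blocks it even when the role table allows it.

```python
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when a step would break segregation of duties."""


# The four segregation-of-duties categories from the slide, in processing order.
STAGES = ("origination", "authorization", "distribution", "verification")
# Assumed threshold: sales above this amount need the manager's authorization stage.
APPROVAL_LIMIT = 1000.0

# Constructed role tables (user -> stages that user may perform).
ROLES = {
    "alice": {"origination"},      # ticket seller
    "bob": {"authorization"},      # manager
    "carol": {"distribution"},     # usher
    "dave": {"verification"},      # bookkeeper
}
# Same organization after one person took over a second role permanently.
CFO_ROLES = {
    "alice": {"origination"},
    "bob": {"authorization", "verification"},
    "carol": {"distribution"},
}


@dataclass
class Transaction:
    txn_id: str
    amount: float
    done: dict = field(default_factory=dict)   # stage -> user who performed it
    log: list = field(default_factory=list)    # (txn_id, stage, user, amount), in order

    def needs_authorization(self):
        return self.amount > APPROVAL_LIMIT

    def required_stages(self):
        return [s for s in STAGES if s != "authorization" or self.needs_authorization()]


def perform(txn, stage, user, roles):
    """Record `user` performing `stage` on `txn`, enforcing three rules:
    1. the user's role allows that stage;
    2. no user performs two stages of the same transaction;
    3. stages happen in order, and no stage is skipped or repeated."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    if stage not in roles.get(user, set()):
        raise SoDViolation(f"{user} is not permitted to perform {stage}")
    if user in txn.done.values():
        prior = next(s for s, u in txn.done.items() if u == user)
        raise SoDViolation(f"{user} already performed {prior} on {txn.txn_id}")
    expected = next((s for s in txn.required_stages() if s not in txn.done), None)
    if stage != expected:
        raise SoDViolation(f"{txn.txn_id}: expected {expected}, got {stage}")
    txn.done[stage] = user
    txn.log.append((txn.txn_id, stage, user, txn.amount))  # the audit trail
    return txn


def is_complete(txn):
    return all(s in txn.done for s in txn.required_stages())


if __name__ == "__main__":
    big_sale = Transaction("T1", 2500.0)
    for stage, user in [("origination", "alice"), ("authorization", "bob"),
                        ("distribution", "carol"), ("verification", "dave")]:
        perform(big_sale, stage, user, ROLES)
    print("T1 complete:", is_complete(big_sale), big_sale.log)

    # Example 2 situation: bob holds authorization and verification.
    t = Transaction("T3", 5000.0)
    perform(t, "origination", "alice", CFO_ROLES)
    perform(t, "authorization", "bob", CFO_ROLES)
    perform(t, "distribution", "carol", CFO_ROLES)
    try:
        perform(t, "verification", "bob", CFO_ROLES)
    except SoDViolation as e:
        print("blocked:", e)
```

The role table is the place where a temporary hand-over of duties is granted; the per-transaction check is what keeps that hand-over from quietly becoming a permanent bypass of the checks and balances.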
24. Compensating Controls (CISA Review Manual 2009)
When Segregation of Duties is not possible, use:
Audit Trails
Transaction Logs: Record of all transactions in a batch
Reconciliation: Ensure transaction batches are not modified during processing
Exception reporting: Track rejected and/or exceptional (non-standard) transactions
Supervisory or Independent Reviews
Separation of duties: authorization, distribution, verification
A Compensating Control is a weaker control used when a stronger control is not possible. Segregation of Duties is a strong control. This page describes weaker controls that are not as good but can be used if segregation of duties is not possible.
Here transaction generally means a database transaction. Think bank deposit or withdrawal.
A Transaction Batch is the set of transactions for a period of time: a day or an hour.
A batch of transactions may include a checksum for the total of the dollar amount and/or number of transactions.
Reconciliation involves verifying the checksums of a batch of transactions both before and after processing.
This can be problematic because some transactions may be rejected due to errors.
Supervisory reviews may look at the overall results or error results to note if anything suspicious is happening.
Segregation of duties includes origination, authorization, distribution, and verification.
These to a certain degree help in automating segregation of duties. How do they fit into Authorization, Distribution, Verification? What about the three controls: prevention, detection, correction?
These mostly relate to Detection, which permits Verification when transactions are suspect.
Exception reporting and supervisory reviews are a delayed verification or detective technique.
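Batch control totals, reconciliation before and after processing, and an exception report for the rejected records, as an added Python example (not from the CISA Review Manual or the course). The batch, the list of known accounts and the validation rules are constructed; rejected records are kept alongside the accepted ones so the totals still reconcile, which is the usual answer to the problem noted above. The hash total over record identities is an added detail beyond the slide's count and dollar checksums: it catches a record swapped for a different one of the same amount.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    kind: str       # "deposit" or "withdrawal"
    amount: float


# Constructed sample batch for one hour of teller activity (not real data).
BATCH = [
    Txn("T1", "1001", "deposit", 250.00),
    Txn("T2", "1002", "withdrawal", 80.00),
    Txn("T3", "1003", "deposit", 1200.00),
    Txn("T4", "9999", "withdrawal", 40.00),   # unknown account: will be rejected
    Txn("T5", "1001", "withdrawal", -15.00),  # negative amount: will be rejected
]
KNOWN_ACCOUNTS = {"1001", "1002", "1003"}


def control_totals(txns):
    """Batch control totals: record count, sum of amounts (to the cent) and a hash
    total over every record's fields, so a record swapped for another with the same
    amount still changes the totals. Records are sorted so order does not matter."""
    count = len(txns)
    amount = round(sum(t.amount for t in txns), 2)
    h = hashlib.sha256()
    for t in sorted(txns, key=lambda t: t.txn_id):
        h.update(f"{t.txn_id}|{t.account}|{t.kind}|{t.amount:.2f}\n".encode())
    return count, amount, h.hexdigest()


def process_batch(txns, known_accounts=KNOWN_ACCOUNTS):
    """Validate every record. Returns (accepted, rejected); each rejected record is
    paired with its reason and retained so the batch still reconciles."""
    accepted, rejected = [], []
    for t in txns:
        if t.account not in known_accounts:
            rejected.append((t, "unknown account"))
        elif t.amount <= 0 or t.kind not in ("deposit", "withdrawal"):
            rejected.append((t, "invalid amount or type"))
        else:
            accepted.append(t)
    return accepted, rejected


def reconcile(original, accepted, rejected):
    """Reconciliation: totals taken before processing must equal the totals of
    accepted + rejected records after processing. A record altered, dropped or
    inserted while the batch was open breaks the equality."""
    before = control_totals(original)
    after = control_totals(accepted + [t for t, _ in rejected])
    return before == after


def exception_report(rejected):
    """Exception report: one line per rejected record for supervisory review."""
    return [f"{t.txn_id} acct {t.account} {t.kind} {t.amount:.2f}: {reason}"
            for t, reason in rejected]


def tamper(txns, txn_id, new_amount):
    """Simulate a record being altered during processing (for the demonstration)."""
    return [replace(t, amount=new_amount) if t.txn_id == txn_id else t for t in txns]


if __name__ == "__main__":
    accepted, rejected = process_batch(BATCH)
    print("control totals:", control_totals(BATCH))
    print("reconciles:", reconcile(BATCH, accepted, rejected))
    print("\n".join(exception_report(rejected)))
    altered = tamper(accepted, "T3", 12000.00)
    print("reconciles after tampering:", reconcile(BATCH, altered, rejected))
```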
25. Software to Detect Fraud (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs
Detect unusual anomalies such as unusual amounts or patterns
Compare vendor addresses and phone numbers with employee data
Use Range or Limit Validation to detect fraudulent transactions
Log computer activity, login or password attempts, data access attempts, and the geographical location of data access
Authorization, Distribution, Verification: which of these do they address?
They seem to address verification, which is fairly easy to do in an automated fashion.
Remember, verification is checking for accuracy or validity.
26. Red Flags Software Can Detect (Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons)
Out-of-sequence checks
Large number of voids or refunds made by an employee or customer
Manually prepared checks from a large company
Payments sent to a nonstandard (unofficial) address
Unexplained changes in vendor activity
Vendors with similar names or addresses
Unapproved vendor, or new vendor with high activity
Shell companies often create a name that sounds similar to another valid organization, and if multiple shell companies exist, their addresses may match other shell companies or a (stupid) employee's address.
Authorization, Distribution, Verification: which of these do they address?
Can these be caught by a report?
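The reports these two slides ask for (and the vendor red flags from the Potential Transaction Red Flags slide), as one added Python example that is not part of the course: vendors with near-duplicate names or identical addresses, vendor addresses that match an employee's address, out-of-sequence check numbers, payments sitting just under an approval limit (range/limit validation) and employees issuing more refunds than expected. All vendors, employees, checks, refunds and the `PAYMENT_LIMIT` threshold are constructed sample data; the name-similarity threshold and the refund ceiling are assumptions a real deployment would tune.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample master data (not real companies or people).
VENDORS = [
    {"id": "V1", "name": "Acme Supply Inc.", "address": "12 Mill Rd, Springfield"},
    {"id": "V2", "name": "ACME Supplies LLC", "address": "PO Box 77, Springfield"},
    {"id": "V3", "name": "Northwind Paper", "address": "400 Harbor St, Riverton"},
    {"id": "V4", "name": "DFloss Consulting", "address": "8 Elm Ave, Springfield"},
]
EMPLOYEES = [
    {"id": "E1", "name": "D. Floss", "address": "8 Elm Ave., Springfield"},
    {"id": "E2", "name": "R. Chen", "address": "19 Oak Ct, Riverton"},
]
# Checks in the order they were entered: (check_no, vendor_id, amount, entered_by)
CHECKS = [(1001, "V3", 480.00, "E2"), (1002, "V1", 950.00, "E2"),
          (1004, "V4", 4900.00, "E1"), (1003, "V2", 4950.00, "E1"),
          (1005, "V4", 4900.00, "E1")]
# Refunds issued this period: (refund_id, employee_id, amount)
REFUNDS = [("F1", "E1", 60.0), ("F2", "E1", 45.0), ("F3", "E1", 70.0), ("F4", "E2", 30.0)]
PAYMENT_LIMIT = 5000.00   # assumed: payments at or above this need a second approval

SUFFIXES = re.compile(r"\b(inc|llc|ltd|co|corp|company)\b")


def normalize(text):
    """Lower-case, drop punctuation and corporate suffixes, collapse whitespace,
    so 'Acme Supply Inc.' and 'ACME Supplies LLC' compare on the name itself."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    text = SUFFIXES.sub(" ", text)
    return " ".join(text.split())


def similar_vendors(vendors, threshold=0.8):
    """Pairs of vendors whose normalized names are near-duplicates or whose
    normalized addresses are identical (shell companies next to a real vendor)."""
    flags = []
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            score = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
            if score >= threshold or normalize(a["address"]) == normalize(b["address"]):
                flags.append((a["id"], b["id"], round(score, 2)))
    return flags


def vendor_employee_address_matches(vendors, employees):
    """Vendors whose address equals an employee's address."""
    by_addr = {normalize(e["address"]): e["id"] for e in employees}
    return [(v["id"], by_addr[normalize(v["address"])])
            for v in vendors if normalize(v["address"]) in by_addr]


def out_of_sequence_checks(checks):
    """Check numbers that do not increase in the order the checks were entered."""
    return [c[0] for prev, c in zip(checks, checks[1:]) if c[0] <= prev[0]]


def just_under_limit(checks, limit=PAYMENT_LIMIT, band=0.05):
    """Range/limit validation: payments within `band` of the approval limit but below
    it, a pattern consistent with amounts chosen to avoid the second approval."""
    return [c[0] for c in checks if limit * (1 - band) <= c[2] < limit]


def heavy_refunders(refunds, max_per_period=2):
    """Employees issuing more refunds or voids than expected in the period."""
    counts = Counter(r[1] for r in refunds)
    return {emp: n for emp, n in counts.items() if n > max_per_period}


if __name__ == "__main__":
    print("similar vendors:", similar_vendors(VENDORS))
    print("vendor/employee address matches:", vendor_employee_address_matches(VENDORS, EMPLOYEES))
    print("out-of-sequence checks:", out_of_sequence_checks(CHECKS))
    print("payments just under limit:", just_under_limit(CHECKS))
    print("heavy refunders:", heavy_refunders(REFUNDS))
```

Each function is a verification-style detective control: it does not stop a payment, it produces the exception list that a supervisor or internal auditor reviews. Address matching is deliberately done on normalized text; in practice a phone-number comparison and a tax-ID comparison (both named on the Software to Detect Fraud slide) would be added on the same pattern.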
27. Encourage Security in IT Departments
Physical security
Segregation of duties
Employee monitoring
Surprise audits
Job rotation
Examination of documentation
The picture shows job rotation.
28. Business Application: Checks (The Art of the Steal, Frank Abagnale, Broadway Books 2001)
Checks locked up; access restricted
Physical inventory of checks at least every quarter
New accounts payable vendors' existence and address double-checked by management
Returned checks sent to a PO Box and evaluated by someone independent of Accounts Payable
Accounts Payable = those the organization pays for supplies, services, goods, etc.
With Segregation of Duties, accounts payable pays bills. Any unusual errors are handled by someone not in Accounts Payable: for example, returned checks, new vendors, audit.
29. Question
What is the MOST effective means of preventing fraud?
Effective internal controls
Fraud training program
Fraud hotline
Punishment when fraud is discovered
1 - Effective internal controls includes the other techniques, but a combination of internal control techniques is required to prevent fraud. Fraud prevention is the most important of the three: prevention, detection, and correction. Also consider the keyword in the question here: preventing fraud. The last two techniques are concerned with Detection and Correction. This is a CISA-like question, but has been reformulated.
30. Question
A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4 M after 3 years. The auditor should have found that:
The vendor was a phony company
Purchases from the vendor did not result in inventory received
The initials for the vendor matched an employee in the accounting dept.
Management did not authorize new vendors with a separate phone call
4 - Management should have gotten the number of the company from the phone book and placed a call before approving the record. They should have double-checked the name, address and federal tax ID number. Most companies have too many vendors, and auditors are not expected to check each one. Auditors verify the process, not every instance. This is not a CISA question, but looks like one.
31. Question
What is: Origination, Authorization, Distribution, Verification?
Four stages of software release
Recommended authority allocations for access control
Stages for development of a Biometric Identity Management System (BIMS)
Categories for Segregation of Duties
32. External Fraud (From: The Art of the Steal, Frank Abagnale, Broadway Books 2001 & Check Fraud: A Guide to Avoiding Losses)
Social Engineering
Check Fraud
Other Scams
Information taken from The Art of the Steal, Frank Abagnale, Broadway Books, 2001
Check Fraud: A Guide to Avoiding Losses
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
33. Social Engineering I (The Art of Deception, Mitnick & Simon, Wiley, 2002)
Email:
The first 500 people to register at our Web site will win free tickets to
Please provide company email address and choose a password
You received a message from Facebook. Follow this link to log in.
Social engineering: Getting people to do something they would not ordinarily do for a stranger
Social engineering is nearly 100% effective
From this, the social engineer has found out 1) where everyone works and 2) probably a common password that this user uses. The login and password can be attempted on home and business accounts.
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
34. Social Engineering II
Telephone call from IT:
Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix
We need to test a new utility to change your password
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
35. Social Engineering III
Phone call 1:
I had a great experience at your store. Can you tell me the manager's name and address?
Phone call 2:
This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can't read it; can you tell me? What is the code?
You should be telling me the code
That's ok, it can wait. I am leaving, but Alice won't get her information
The code is
Phone call or fax 3:
I need Code is
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
This shows that with multiple phone calls, each having a separate purpose, different pieces of information are obtained and can be used as part of social engineering.
36. Social Engineering Techniques (The Art of Deception, Mitnick & Simon, Wiley 2002)
Learns insider vocabulary and/or personnel names
Pretends to be a legit insider: I am <VP, IT, other branch, other dept>. Can you ?
Pretends real transaction:
Helping: I am in trouble <or> you need help due to
<My,Your> computer is <virused, broke, busy, don't have one>. Can you <do, tell me> ?
Deception: Hides the real question among others.
Establishes relationship: Uses friendliness to gain trust for future tasks
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
37. Combating Social Engineering
Verification Procedure:
Verify the requester is who they claim to be
Verify the requester is currently employed in the position claimed
Verify the role is authorized for the request
Record the transaction
Organization security:
Data classification defines treatment
Policies define guidelines for employee behavior
Employees trained in roles, need-to-know, and policies
Employees who have been fired tend to be angry and do nasty things.
We will be looking at the items on the right in later sections. Data classification is similar to what the military does: Top Secret
The Art of Deception, Kevin D Mitnick & William L Simon, Wiley Publishing Inc. 2002
38. Fraud Statistics (The Art of the Steal, Frank W Abagnale, Broadway Books 2001)
Businesses lose $400 Billion a year in fraud = 2 x US military budget
1/3 of $400B is embezzlement = employees stealing from employer
Next highest sources (KPMG 2000)
Check forgery
Credit cards
Fake invoices
Theft
$350 Billion for counterfeit goods
39. Check Fraud Examples (The Art of the Steal, Frank W Abagnale, Broadway Books 2001)
Altered Checks: Chemicals are used to erase the payee or amount, which is then re-printed, OR the check is appended to.
An Argentinian modified a ticket-overpayment refund check from Miami, changing a $2 check to $1.45 Million
Counterfeit Checks or Identity Assumption
Someone in your checkout line views your check, or does yard work for you
Fishes in a business's in-mailbox or a home's out-mail for a check
Checks can be purchased on-line or by mail order
Telemarketing Fraud:
You've won a prize or Would you like to open a VISA? Now give me your account information.
Hot Check: Insufficient Funds
90% of insufficient-funds checks are numbered between 101 and 200
Account opening year is printed on the check
From a mailbox checks can be obtained, then copied by simply ordering them through the mail in the U.S.
The most dangerous checks are those numbered between 101 and 200.
Checks cause the most fraud; VISA and MasterCard have stricter standards.
40. The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Be Careful Printing Checks!
Paychecks & Accounts Payable should not be printed on blank check paper
Laser printer is non-impact (ink does not go into paper but sits on top)
Easy to remove printing
Laser Lock or Toner Lock seals laser printing
Matrix printer puts ink into the paper
Chemical washing removes the print
Good Practices
Use larger printing: 12-point font
Reverse toner in software: white on black
Control check stock and guard checks
Check your bank statements; you have 30 days
Scotch tape removes non-impact printing, nail polish removes impact printing. For impact printing, scotch tape preserves the signature.
It is that easy. Plus, with modern printers a 12-year-old can copy money, receipts or whatever they want with a reasonably cheap printer.
41. Check Fraud: A Guide to Avoiding Losses
Check Security Features
Watermark: Subtle design viewable at a 45-degree angle toward light. Cannot be photo-copied
Void Pantograph: Background pattern of checks. When photo-copied, the background pattern disappears or prints VOID
Chemical Voids: When check is treated with eradicator chemical, the word VOID appears
Microprinting: When magnified, the signature or check border appears to be written words. The resolution is too fine for a photo-copier
3-Dim. Reflective Holostripe: Metallic stripe contains at least one hologram, similar to credit card.
Security ink: Reacts to eradication chemicals, distorting the check
Thermochromic Ink: Ink reacts to heat and moisture by fading and reappearing
Most bank checks now have some of these features. Look at your own check (if you didn't order it on-line).
42. The Art of the Steal, Frank W Abagnale, Broadway Books, 2001
Processing Money Orders
Money order information provides info on a ready checking account
Non-negotiable incoming wire account prevents out-going checks
This is another social engineering scam. The guy is pretending to want to send money, but instead is planning on writing checks after finding out what the account number is. Therefore, separate out-going and in-coming accounts should be set up.
43. The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Fraud Scams
Get a receipt from the trash, return a product
Copy gift certificate and cash in at multiple locations
Markdown sale prices reimbursed with receipt copied and collected at multiple locations
Fake UPC numbers to pay low prices, then return at the higher price. If the receipt total is sufficient, the scam may work.
There have been experts who targeted specific stores, with the stores and the expert competing with each other. It took a long time to put this guy in jail, but he eventually did go. The above tells some of the stories.
44. The Art of the Steal, Frank W Abagnale, Broadway Books 2001
Preventing Scams
Receipts must have security marks on them (e.g., two-colored ink on special paper, or better: thermochromatic ink)
Line-item detail on receipts and sales records in company database
Garbage bins which may receive receipts should be protected from access (e.g., bank garbage bins)
Register gift certificates' unique numbers
Shredders should be used for any sensitive information
Protect against shoulder surfing or device attachment for card readers
Obviously if people throw away receipts, you don't want those receipts readily accessible to incoming thieves.
Consider also how you trash those receipts.
Gift certificates must be maintained in a database.
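As an added example (not from the slides or the cited books), a small Python model of the controls on this slide and the scams on the previous one: line-item sales records kept at sale time, refunds only against a line item that exists on the receipt and has not already been returned, at the price actually paid rather than the shelf price, and a registry in which each gift-certificate number can be redeemed only once. Receipt numbers, UPCs, prices and store names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class LineItem:
    upc: str
    price_paid: float
    returned: bool = False


@dataclass
class Store:
    """Constructed in-memory stand-in for the company's sales database."""
    sales: dict = field(default_factory=dict)         # receipt_no -> [LineItem]
    certificates: dict = field(default_factory=dict)  # cert_no -> redeeming location, None if open
    alerts: list = field(default_factory=list)        # events for loss prevention to review

    def record_sale(self, receipt_no, items):
        # Line-item detail is stored at sale time, so a later return can be
        # checked against what was actually sold and at what price.
        self.sales[receipt_no] = [LineItem(upc, price) for upc, price in items]

    def process_return(self, receipt_no, upc, shelf_price):
        """Refund a line item at most once, at the price paid; None if refused."""
        items = self.sales.get(receipt_no)
        if items is None:
            self.alerts.append(f"return against unknown receipt {receipt_no}")
            return None
        for item in items:
            if item.upc == upc and not item.returned:
                item.returned = True
                if shelf_price > item.price_paid:
                    # Swapped-UPC pattern: refund what was paid, but flag it.
                    self.alerts.append(f"shelf price above price paid: {receipt_no}/{upc}")
                return item.price_paid
        # Item never on this receipt, or already returned (copied/trash receipt).
        self.alerts.append(f"no open line item {upc} on receipt {receipt_no}")
        return None

    def issue_certificate(self, cert_no):
        self.certificates[cert_no] = None  # registered, not yet redeemed

    def redeem_certificate(self, cert_no, location):
        """Accept a registered number once; a copy at another location is refused."""
        where = self.certificates.get(cert_no, "unregistered")
        if where is not None:
            self.alerts.append(f"certificate {cert_no} ({where}) refused at {location}")
            return False
        self.certificates[cert_no] = location
        return True
```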
45. Study Questions
What are the key elements of fraud, and what techniques can be used to counteract these key elements?
What are the three categories of fraud?
What are the legal considerations of fraud?
Who commits fraud, and who commits the most expensive fraud?
What are the red flags of potential fraud?
How does social engineering occur, and how can it be prevented?
Apply the concept of segregation of duties.