be prepared to deal with fraud for web

TBC Forensic Accounting and Business Advisory Services Team

Upload: katie-farrow

Post on 04-Aug-2015


TRANSCRIPT

Page 1: Be prepared to deal with fraud for web

TBC Forensic Accounting and Business Advisory Services Team

Page 2:

Page 3:

Median Fraud Loss?

Page 4:

Median Fraud Loss: $145,000

24% were at least $1 million

Page 5:

Median Fraud Loss in US: $100,000

Page 6:

Page 7:

Page 8:

Page 9:

Page 10:

Median number of months to uncover a fraud scheme?

Page 11:

Median Duration:

Page 12:

Page 13:

Most Common Detection Method?

Page 14:

Most Common Detection Method: Tips

Page 15:

• 42%
• More than twice the rate of any other method

Page 16:

Page 17:

Page 18:

Targeted fraud awareness training for employees and managers is a critical component of a well-rounded program for preventing and detecting fraud.

Page 19:

Page 20:

• Owner opens bank statements and peruses cancelled checks
• Publicize rewards and confidentiality for whistleblowers
• Mandatory vacations
• Job rotations
• Surprise audits

Page 21:

Segregation of Duties

Purpose: to prevent any one person from having too much control over a particular business function.

It is a built-in monitoring mechanism: every person's actions are verified by another.

Page 22:

External fraud and fraud prevention products at banks

Page 23:

Internet Fraud and Risk Update

Chris Squier, CISSP, CISM

Vice President, Cybersecurity Risk and PCI Services

Page 24:

Agenda

• Understanding Internet risks and fraud trends
• Understanding crimeware, corporate account takeover fraud and the threat it presents
• How to protect yourself and your company
• Questions & Answers

Page 25:

Disclaimer

This presentation is intended for information purposes. Customers should contact their Information Technology provider to determine the best way to safeguard the security of their computers and networks. Customers should familiarize themselves with their institution's account agreement and understand their liability for fraud, as ACH and Wire transactions are regulated under the Uniform Commercial Code.

Page 26:

Attacks - from Back Rooms to Headlines

Page 27:

The 21st Century Holdup

Page 28:

Dawning of the Information Age… The Internet - 1980

Page 29:

The Internet Today: 8 Billion Users and Growing

Radio: 38 years to reach 50 million people. Facebook: 2 years to reach 50 million people.

[Map regions: North America, Asia, Western Europe, Russia / Eastern Europe]

Page 30:

Latest and Greatest: "Man in the Email" Scam

• Based on "spoofed" communication (usually email).
• Email that looks like it is from a long-standing supplier asks to wire payment to an alternate account.
• An executive's email account is compromised and asks an employee to wire funds to an alternate account (sometimes the compromised executive account asks the financial institution directly to wire funds).
• An employee's email is hijacked and used to request invoice payments to fraudster-controlled accounts.
• Attorney Check Scam: the fraudster finds a real payment dispute and spoofs the attorney's email to demand payment from the litigant to an account the fraudster controls.

Moral of the story: Email lies.

Page 31:

Characteristics (Courtesy IC3)

• Businesses and personnel using open source (free web) e-mail are most targeted.
• Individuals responsible for handling wire transfers within a specific business are targeted.
• Spoofed e-mails very closely mimic a legitimate e-mail request.
• Hacked e-mails often involve a personal e-mail account.
• Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicion about the legitimacy of the request.
• The phrases "code to admin expenses" or "urgent wire transfer" were reported by victims in some of the fraudulent e-mail requests.
• The amount of the fraudulent wire transfer request is business specific; dollar amounts requested are similar to normal business transaction amounts so as not to raise doubt.
• Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
• Victims report that IP addresses frequently trace back to free domain registrars.
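The characteristics above are checkable by machine before a wire request ever reaches the person who can release funds. The following is an added example, not code from the presenters or from IC3: it parses a raw message and reports the indicators a payment-change review would want to see, namely a Reply-To that diverges from the visible sender, a sender domain that is not on the vendor list or that imitates one that is, routing through a free webmail domain, and the wording reported on the slide. The vendor domains, the webmail list, the similarity threshold and all three sample messages are constructed for the example; the phrase list goes beyond the slide's two quoted phrases by adding common payment-redirect wording.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed for this example: domains the accounts-payable team legitimately
# exchanges mail with. A real deployment would load these from the vendor master.
KNOWN_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

# Free webmail providers (assumed list): the slide notes hijacked personal
# accounts and "open source e-mail" users are common targets.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Wording reported by victims on the slide, plus typical payment-redirect phrasing.
SUSPECT_PHRASES = (
    "urgent wire transfer",
    "code to admin expenses",
    "new bank account",
    "updated banking details",
    "alternate account",
)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def lookalike(domain):
    """Known domain this one closely resembles without being identical, else None."""
    for known in sorted(KNOWN_DOMAINS):
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def bec_indicators(raw_message):
    """Return human-readable indicators that a message is a payment-redirect attempt.

    Header checks catch spoofed or hijacked senders; phrase checks catch the
    wording. An empty list means nothing stood out, not that the mail is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # A Reply-To pointing somewhere other than the visible sender redirects the
    # conversation to the fraudster even when the From line is genuine.
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Sender outside the vendor list: flag outright, and name the look-alike if any.
    if from_domain and from_domain not in KNOWN_DOMAINS:
        known = lookalike(from_domain)
        if known:
            found.append(f"sender domain {from_domain} imitates known domain {known}")
        else:
            found.append(f"sender domain {from_domain} is not a known counterparty")

    for dom in sorted({from_domain, reply_domain} & FREE_WEBMAIL):
        found.append(f"payment request routed through free webmail domain {dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for phrase in SUSPECT_PHRASES:
        if phrase in text:
            found.append(f"suspect phrase: {phrase!r}")
    return found


# Constructed sample messages; none of these is real traffic.
SAMPLE_LEGIT = """\
From: billing@acme-supplies.example
To: ap@ourcompany.example
Subject: Invoice 1042

Attached is invoice 1042, due in 30 days under our usual terms.
"""

SAMPLE_SPOOF = """\
From: "Acme Supplies AR" <billing@acme-supp1ies.example>
To: ap@ourcompany.example
Subject: Updated remittance instructions

Please note our new bank account for all future invoice payments.
Treat this as an urgent wire transfer request.
"""

SAMPLE_EXEC = """\
From: "Pat Smith" <pat.smith@ourcompany.example>
Reply-To: pat.smith.travel@gmail.com
To: ap@ourcompany.example
Subject: Quick favour

I am travelling. Please process the urgent wire transfer I mentioned and
code to admin expenses; I will sign when I am back.
"""

if __name__ == "__main__":
    for name, sample in ("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF), ("exec", SAMPLE_EXEC):
        print(name, bec_indicators(sample) or ["no indicators"])
```

The point of the check is triage, not a verdict: a message with no indicators still goes through the normal callback-to-a-known-number procedure before any bank details are changed, and a single indicator is enough to stop the payment until that callback has happened.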

Page 32:

"Equal Opportunity Cybercrime"

If you have something of value, you are a target. It is very inexpensive for cybercriminal organizations to "cast a wide net": how much does it cost to send out 100k, 200k, 500k+ emails?

Cases involving: small business, charity/not-for-profit, state/local government, healthcare practitioners, and more…

Page 33:

[Chart: Attacks by Size of Organization. Source: Symantec. Data collected by 69 million sensors deployed in 157 countries.]

Page 34:

ATM Skimmers

A hidden camera or PIN pad overlay captures the PIN.

Page 35:

More ATM Skimmers

Page 36:

"Carder" Rings: the Credit Card Black Market

Page 37:

Malware Delivery Disguised as ACH Warning

[Screenshot: Malware Download]

Page 38:

Crimeware Infection - Spear Phishing

Page 39:

Automated Income Tax Filing Fraud: Social Engineering W-2 Forms from HR

[Screenshot of Fraudster Management Tracking Console]

Page 40:

The Fake Anti-Virus Scam

Page 41:

The Key Takeaways

Cybercrime organizations are doing their homework, studying:

• How to evade detection by security software and hardware (server-side automation, elaborate rootkits, bypassing "chip and PIN" authentication)
• The financial system as a whole (fraud triggers)
• The technologies used by each specific target

Page 42:

How to Protect Yourself and Your Business

"Don't be scared, just be aware"

• Review and distribute the M&T Bank Payment Fraud Risk Management Handbook/Checklist
• Ensure your internal staff is aware of the risks and operates with safe computing best practices in mind
• Be aware of what your banking sites normally look like
• Run up-to-date endpoint/Internet protection software
• Run up-to-date host-based firewall software
• Patch third-party software: Adobe, Java, QuickTime
• Activate a pop-up blocker in Internet browsers to help prevent web-based intrusions

Page 43:

How to Protect Yourself and Your Business

• Review your credit report/banking transactions regularly
• Use fraud prevention and detection services offered by M&T Bank: Payee Positive Pay, ACH block, etc.
• Limit staff administrative privileges on the PC and on the bank products used to conduct transactional activity
• Use a stand-alone PC for banking transactions
• Add "Dual Administration" for money movement applications to reduce internal fraud with better control over user permissions and transaction auditing
• If you accept credit/debit card payments, become and remain compliant with Payment Card Industry standards

Page 44:

Fraud Prevention and Detection Services

ACH Monitor Fraud Review and Approval, or ACH Block. With this service, you can choose which ACH debits you want to honor and which ones you want to return.
• Authorize certain entities to debit your accounts while blocking all others
• Receive emails alerting you to any debits not matching a pre-approved authorization
• Make pay or return decisions on any received debits that do not match an existing pre-authorization

Payee Positive Pay. This service verifies checks presented to the bank against the checks you authorized for payment.
• The bank reports, normally online, checks and payee names that do not match your list of authorized checks
• Review and return any suspect checks you determine to be unauthorized

ACH Account Number Masking (UPIC). Enables your organization to collect ACH payments without distributing sensitive account numbers. You receive bank account identifiers that you can publish and distribute in place of your sensitive banking information.

Check Block. Helps protect your cash concentration account by returning all presented checks, while allowing you to send and receive electronic payments or deposits from that same account.
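Both ACH filtering and Payee Positive Pay are allow-list matching: the customer tells the bank in advance what it expects, and anything the bank receives that does not match is held for a pay-or-return decision. The following is an added example, not the bank's implementation, that shows the two matching rules side by side on constructed data: ACH debits are paid only when the originating company ID is pre-authorized and the amount is within the limit set for it, and presented checks are excepted when the check number was never issued, the amount or payee differs from the issue file, or the same check is presented twice (the duplicate check is a generalization beyond the slide's two stated rules). Company IDs, check numbers, payees and amounts are all made up.

```python
from collections import Counter
from decimal import Decimal

# Constructed data standing in for the bank's feed and the company's own records.
# ACH pre-authorizations: originating company ID -> maximum debit allowed per item
# (None = any amount). Everything else is blocked pending a pay/return decision.
ACH_AUTHORIZATIONS = {
    "1234567890": Decimal("5000.00"),   # payroll processor
    "9876543210": None,                 # utility, variable bills
}

RECEIVED_ACH_DEBITS = [
    {"company_id": "1234567890", "amount": Decimal("4200.00"), "desc": "PAYROLL"},
    {"company_id": "1234567890", "amount": Decimal("5100.00"), "desc": "PAYROLL"},
    {"company_id": "5555555555", "amount": Decimal("980.00"),  "desc": "MERCH SVC"},
    {"company_id": "9876543210", "amount": Decimal("1430.55"), "desc": "ELECTRIC"},
]

# Checks the company issued (the positive pay file) and what the bank received.
ISSUED_CHECKS = {
    1001: {"amount": Decimal("250.00"),  "payee": "Office Depot"},
    1002: {"amount": Decimal("7800.00"), "payee": "Acme Supplies"},
    1003: {"amount": Decimal("120.00"),  "payee": "City Water"},
}

PRESENTED_CHECKS = [
    {"number": 1001, "amount": Decimal("250.00"),  "payee": "Office Depot"},
    {"number": 1002, "amount": Decimal("7800.00"), "payee": "J. Doe"},        # payee altered
    {"number": 1003, "amount": Decimal("1200.00"), "payee": "City Water"},    # amount altered
    {"number": 1004, "amount": Decimal("999.00"),  "payee": "Cash"},          # never issued
    {"number": 1001, "amount": Decimal("250.00"),  "payee": "Office Depot"},  # presented twice
]

_NOT_AUTHORIZED = object()   # sentinel: distinguishes "absent" from "no limit" (None)


def normalize_payee(name):
    """Case- and spacing-insensitive payee comparison."""
    return " ".join(name.lower().split())


def ach_decisions(authorizations, debits):
    """Pay debits that match a pre-authorization; hold everything else for review.

    Returns a list of (debit, decision, reason). The 'review' items are the ones
    the bank would email about; the default action for them is return.
    """
    out = []
    for d in debits:
        limit = authorizations.get(d["company_id"], _NOT_AUTHORIZED)
        if limit is _NOT_AUTHORIZED:
            out.append((d, "review", "originator not pre-authorized"))
        elif limit is not None and d["amount"] > limit:
            out.append((d, "review", f"amount exceeds authorized limit {limit}"))
        else:
            out.append((d, "pay", "matches pre-authorization"))
    return out


def positive_pay_exceptions(issued, presented):
    """Compare presented checks with the issue file; return the mismatches.

    Each exception is (check number, reason). A clean check is silently paid.
    """
    exceptions = []
    seen = Counter()
    for chk in presented:
        num = chk["number"]
        seen[num] += 1
        if seen[num] > 1:
            exceptions.append((num, "duplicate presentment"))
            continue
        issue = issued.get(num)
        if issue is None:
            exceptions.append((num, "check number not in issue file"))
        elif chk["amount"] != issue["amount"]:
            exceptions.append((num, f"amount {chk['amount']} != issued {issue['amount']}"))
        elif normalize_payee(chk["payee"]) != normalize_payee(issue["payee"]):
            exceptions.append((num, f"payee {chk['payee']!r} != issued {issue['payee']!r}"))
    return exceptions


if __name__ == "__main__":
    for debit, decision, reason in ach_decisions(ACH_AUTHORIZATIONS, RECEIVED_ACH_DEBITS):
        print(f"ACH {debit['company_id']} {debit['amount']}: {decision} ({reason})")
    for num, reason in positive_pay_exceptions(ISSUED_CHECKS, PRESENTED_CHECKS):
        print(f"check {num}: {reason}")
```

The issue file has to come from the company's own accounting system, not from the same workstation or user that can alter checks; if the person who can change a payee can also rewrite the positive pay file, the control verifies nothing.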

Page 45:

Questions, Answers and Useful Links

• browsercheck.qualys.com
• www.ic3.gov
• www.mtb.com/fraud

Page 46:

• Allegation or signs of fraud: full facts unknown or unclear
• Fraud Response Plan
• Necessary actions
• Consistent and comprehensive manner

Page 47:

• Reporting protocols
• A response team to conduct the initial assessment
• Factors used to decide on the course of action

Page 48:

• Litigation hold procedures
• Principles for documenting the response plan
• A fraud incident report log template or form

Page 49:

• Legal counsel
• Management representative
• Certified Fraud Examiner
• Finance Director
• Internal Auditor
• Audit Committee member
• IT personnel
• Human Resources

Page 50:

• Activate the response team.
• Engage legal counsel, if necessary.
• Consider contacting the insurance provider.
• Address immediate concerns.
• Conduct an initial assessment.
• Document the initial response.

Page 51:

• Preserve all relevant documents
• The employee might want to hide or destroy them
• Suspend the record retention policy
• Legal counsel to issue a litigation hold
• Lock down access to emails or digital files

Page 52:

• Forensic IT
• Recover evidence a non-expert cannot
• Recover deleted files
• Details about the computer's users
• Data related to use of the computer: what is or has been stored on it
• Proper seizure and examination of digital evidence
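Preserving documents (Page 51) and seizing digital evidence properly (Page 52) both depend on being able to show later that nothing changed between collection and examination. The block below is an added example, not the presenters' procedure or any forensic tool's output: it hashes every file under an evidence directory into a manifest at the time of the litigation hold, then re-hashes later and reports files that were modified, deleted or added. The directory layout, file contents and the "clean-up" it detects are constructed inside a temporary directory so the example runs offline; timestamps are recorded in the manifest but deliberately not used for verification, because they are trivial to forge.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large evidence files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every file under root; keys are paths relative to root (POSIX form)."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        stat = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": stat.st_size,
            "mtime": stat.st_mtime,   # recorded for the record, never trusted
        }
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and report what no longer matches the manifest.

    Returns a dict with three sorted lists: 'modified', 'missing', 'added'.
    """
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, entry in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != entry["sha256"]:
            report["modified"].append(rel)
    report["modified"].sort()
    report["missing"].sort()
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed walkthrough: preserve, then detect tampering. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "2014-q4.csv").write_text("date,payee,amount\n2014-11-03,Acme,7800.00\n")
        (root / "mailbox.txt").write_text("From: cfo\nSubject: wire\n")

        # At the litigation hold: hash everything and store the manifest off-box
        # (here it is just serialized to JSON to show it survives a round trip).
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Later: someone "cleans up" the ledger, deletes the mailbox, adds a note.
        (root / "ledger" / "2014-q4.csv").write_text("date,payee,amount\n")
        (root / "mailbox.txt").unlink()
        (root / "notes.txt").write_text("nothing to see\n")

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only evidence of integrity if it is itself kept somewhere the suspect cannot reach, ideally signed or printed and initialed at the time of collection; a manifest stored next to the files it describes can be regenerated after the tampering.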

Page 53:

• The act of intentionally or negligently destroying documents relevant to litigation.
• Monetary fines and sanctions
• Adverse inference jury instruction sanctions
• Dismissal of claims or defenses

Page 54:

Don't tip off the fraudster or others suspected of misconduct.

Maintain confidentiality.

Work discreetly without disrupting the normal course of business.

Page 55:

Fraud Examination:
• establish what happened
• identify the responsible party
• provide recommendations
• General to specific

Page 56:

Legal Counsel

Protect confidentiality of the investigation under attorney-client privilege and the work product doctrine.

Page 57:

• How serious? $$$?
• Participate in the investigation?
• Financial crime unit?
• Not accountants

Page 58:

• Access to third party documents
• Control of company documents/evidence
• Duration of time to resolve
• Expert report

Page 59:

Criminal prosecution: cases referred, median loss $200,000; not referred, median loss of $75,000.

Page 60:

75% resulted in perpetrators being found guilty.

21% of those not prosecuted had a private settlement.

Page 61:

Page 62:

Page 63:

Civil and criminal tax penalties can be imposed for:
• nonfiling of returns
• nonpayment of tax
• filing of a false and fraudulent return

Page 64:

• Duty to see that returns are filed and taxes paid, and willfully failing to do so
• If a corporation fails to institute adequate and reasonable internal controls to insure that taxes are paid and returns filed, it may be vicariously liable for the acts of its officers and agents.

Page 65:

• FIT, FICA, FUTA and various state tax withholdings
• Liability not dischargeable in bankruptcy
• "responsible persons"
• "willful failure"

Page 66:

• Timely notice
• Coverage: $$ and trigger
• Bias
• Expert paid
• Less restitution

Page 67:

• Plea (but not to amount or specifics)
• Intent: mental state
• Prove intent to defraud the organization for pecuniary benefit of the employee
• Initially legitimate business purpose that ultimately goes sour

Page 68:

Page 69:

Pamela D. Wickes, CPA, CFE, CFF, ABV
Director of Forensic Accounting Services
518-456-6663 x108
[email protected]

The Forensic Lady blog: http://www.tbccpa.com/category/the-forensic-lady/

Teal, Becker & Chiaramonte, CPAs, P.C. (TBC) is an accounting and advisory firm located in Albany, NY. The firm was founded in 1971. With all of our clients, our mission is to provide higher standards of excellence in the quality of our relationships and in the quality of our work.