Fraud in Social Media:
Facing the Growing Threat
September 25, 2013
Special Guest Presenters:
Peter Goldmann
FraudResourceNet – White-Collar
Crime 101 LLC – FraudAware
Copyright © 2013 FraudResourceNet™ LLC
About Peter Goldmann, MSc., CFE
President and Founder of White Collar
Crime 101
Publisher of White-Collar Crime Fighter
Developer of FraudAware® Anti-Fraud
Training
Monthly Columnist, The Fraud
Examiner, ACFE Newsletter
Member of Editorial Advisory Board, ACFE
Author of “Fraud in the Markets”
Explains how fraud fueled the financial crisis.
About Jim Kaplan, MSc, CIA, CFE
President and Founder of
AuditNet®, the global resource
for auditors
Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
Author of “The Auditor’s
Guide to Internet Resources”
2nd Edition
Webinar Housekeeping
This webinar and its material are the property of AuditNet® and
FraudAware®. Unauthorized usage or recording of this webinar or any
of its material is strictly forbidden. We are recording the webinar and
you will be provided access to that recording within 5 business days
after the webinar. Downloading or otherwise duplicating the webinar
recording is expressly prohibited.
Please complete the evaluation questionnaire to help us continuously
improve our Webinars.
You must answer the polling questions to qualify for CPE per NASBA.
Submit questions via the chat box on your screen and we will answer
them either during or at the conclusion.
If GTW stops working you may need to close and restart. You can
always dial in and listen and follow along with the handout.
Disclaimers
The views expressed by the presenters do not necessarily represent the
views, positions, or opinions of FraudResourceNet LLC (FRN) or the
presenters’ respective organizations. These materials, and the oral
presentation accompanying them, are for educational purposes only and do
not constitute accounting or legal advice or create an accountant-client
relationship.
While FRN makes every effort to ensure information is accurate and
complete, FRN makes no representations, guarantees, or warranties as to
the accuracy or completeness of the information provided via this
presentation. FRN specifically disclaims all liability for any claims or
damages that may result from the information contained in this
presentation, including any websites maintained by third parties and linked
to the FRN website.
Any mention of commercial products is for information only; it does not
imply recommendation or endorsement by FraudResourceNet LLC.
Today’s Agenda
Introduction
Fraud Statistics
Auditors’ Role – Risk, Control and Audit
Social media fraud against individuals
Social media fraud against organizations
How E-fraudsters exploit Facebook and other
social media sites to commit fraud
How to monitor social media sites for signs of
criminal actions against your Organization
How to reduce your risk of fraud victimization via
social media
Your Questions
Fraud: The Big Picture
According to major accounting firms, professional
fraud examiners and law enforcement:
Fraud costs the world an estimated $3.5 TRILLION per year, based on the
ACFE finding that organizations lose about 5% of annual revenues to fraud. (ACFE)
Average cost for each incident of fraud is $160K (ACFE)
People who have been victims of ID theft are just as
likely to be lax in securing their personal information
online. Study results from identity theft victims and non-victims are identical. (Ponemon)
91% of online adults use social media regularly
Social media use has increased 356% in the US since
2006
(Source: 216 Social Media and Internet Statistics (September 2012),
TheSocialSkinny.com)
Internal Audit’s Role
Understand how social media is being used within the organization
Review social media policies
Conduct a social media risk assessment
Ensure that controls are in place to address social media risks
Records retention issues
Audit Reports
Social Media Review, Multnomah County (August 2011)
GAO, SOCIAL MEDIA: Federal Agencies Need Policies and
Procedures for Managing and Protecting Information They Access
and Disseminate (GAO-11-605), http://www.gao.gov/new.items/d11605.pdf
“Social media is now embedded in our personal and business culture,
and auditors need to know what the risks and controls are, how to
audit this new communication tool and also how to adapt it for use
within the audit environment.”
Jim Kaplan, AuditNet®
Guidance and Publications
Social Media Risk Control and
Audit
Here are a few examples of books,
tools and resources for auditors:
• IIA Auditing Social Media
• AuditNet Social Media Risk
Assessment Workbook
• AuditNet® Guide to Social
Networking Security
• Identity Theft Audit Program
Social Media Risks
Employees or non-employees creating a social
media page representing your company without
management/IT consent or approval
Trade secrets or other business secrets being
inadvertently or even deliberately shared
Dissatisfied customers or disgruntled employees
voicing their opinions freely
Viruses, spyware and network vulnerabilities
occurring due to the interactivity and open nature of
social media architecture
Social Media Controls
The extent to which social media will be officially
sanctioned by the organization
Who is allowed to use the social media sites
How users gain approval to use the social media
sites
Standards/policy of social media use inside and
outside of the workplace
Brand monitoring and legal involvement
How to report false pages
Social Media Audit Objectives
and Scope
Objective—The objective of a social media audit/assurance
review is to provide management with an independent
assessment relating to the effectiveness of controls over
the enterprise’s social media policies and processes.
Scope—The review will focus on governance, policies,
procedures, training and awareness functions related to
social media. Specifically, it will address:
Strategy and governance—policies and frameworks
People—training and awareness
Processes
Technology
Selection of the social media projects and initiatives will be
based on risks introduced to the enterprise by these
systems.
Social Media Audit Program
Sample Steps
Social Media Audit Program — Should be a comprehensive
written program for implementing and monitoring compliance with
the laws and regulations that affect the various components of
social media, and for detecting non-compliance. It should provide
written procedures to ensure compliance.
Identification of inappropriateness with social media
channels and non-compliance with the Social Media
Policy — The company should clearly identify what is
acceptable and what is not acceptable, based on a risk
assessment and the outlined rules and specifications of
the Social Media Audit Program.
Social Media Audit Program
Sample Steps (continued)
Prior examination/audit findings — If weaknesses were
previously cited in the company’s social media
examination or audit that may impact the company’s
social media program, has management taken
appropriate steps to institute corrective actions?
Training program(s) — Training should be tailored to
address all employees.
Incident response — A formal review should be made of all
alleged and/or actual incidents and how the company
handled the incident.
Internal audit and annual reports — Management
should regularly report on its responsiveness to cited
weaknesses in the social media program.
Social Media: The Fraud
Threat
Social media is based on Web 2.0 and fosters
the notion that people who consume media,
access the Internet, and use the Web no longer
passively absorb the flow of content from provider
to viewer; rather, they are active contributors,
helping customize media and technology for their
own purposes.
One of social media’s greatest threats comes
from employees who put work-related information
onto social media sites, intentionally or
unintentionally.
It’s all about ID theft, ID fraud, social
engineering, espionage, cyber-crime and
financial fraud against INDIVIDUALS and
ORGANIZATIONS.
Fraud Against Individuals
The wife of Sir John Sawers, head of MI6 (the UK equivalent of the
CIA), posted sensitive information to her Facebook page,
including the address of the couple’s London apartment and the
locations of their children and Sir John’s parents.
Problem: Potential national security and blackmail risk.
“John Doe” received a message from a Facebook friend
containing a link to a funny video. He clicked on it. The link
did not bring up a video. The friend’s account had been
compromised, and malicious software was downloaded onto John’s
computer as a result of his clicking on the link. This software was
designed to open a way for an identity thief to take personal
information from John’s system. It also sent the same message to
everybody he was connected with on his profile, asking them to “view
the video”.
Financial Identity Theft
Against Individuals
ID theft against individuals. Fraudsters use Facebook
to get around your password without ever cracking it. Most online
accounts use “qualifying questions” or Knowledge-Based
Authentication (KBA) questions and answers to verify your
identity if you “forget” your password. These questions
usually involve personal information, such as your
kids’, other relatives’, or pets’ names or birthdays.
When fraudsters find this information on your Facebook
page, they can answer the questions, reset your password and steal
your identity.
Key message: Limit what you post, and lock down your
privacy settings. Treat security-question answers as secondary
passwords: where the site allows it, use answers that are not true
facts about you and keep them in a password manager, and turn on
two-factor authentication where it is offered.
ID Theft Weapon: Social
Engineering
Social engineering: Techniques used to
manipulate people into performing actions
or divulging confidential information. Uses
various forms of psychological trickery via
numerous channels—now increasingly
with social media -- to get victim to
provide sensitive information or computer
system access…
ID Theft Weapon: Pretexting
Pretexting: Acquiring personal information under
false pretenses, typically in order to commit fraud.
How it’s done: Creating and using an invented
scenario (the pretext) to persuade a social media target
to release information or perform an action, usually
over the telephone. More than a lie: it most
often involves some prior research or set-up and the
use of pieces of known information harvested from a social media
site (date of birth, Social Security number, last bill amount, etc.)
to establish legitimacy in the mind of the target.
ID Theft Weapon: Pretexting (continued)
Pretexters may pose as an employee of the
victim’s:
Bank
Utility
Merchant /Organization
Employer (co-worker)
Government agency
Landlord
Key objective: Pretexters sell your information to
people who use it to get credit in your name, steal
your assets, or to investigate or blackmail or sue you.
Polling Question 1
Social media fraud is ________________ risky for
individuals than it is for organizations.
A. Less
B. More
C. Equally
Social Media Phishing &
Hijacking
More Social Media Phishing
& Hijacking
Account hijacking. Phishers imitate the Facebook E-mail template, tricking victims into believing they have
received a legitimate Facebook message or notification.
Once you enter your username and password into the
fake Facebook web site, criminals can take over your
account, pose as you, post unwanted ads, ask your
friends for money, information, etc.
Self defense: Always log into your Facebook account
manually, rather than going through a link in an E-mail. If you
do follow a link, check the address bar before typing a password:
the page must be served over https from the real facebook.com
domain, not from a look-alike host that merely contains the word
“facebook”.
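The fake-site trick above works because the visible text of a link and its real destination are independent. The following is an added example (not code from the webinar, and not Facebook's) of the check a mail gateway or a careful user can run before clicking: parse the HTML of a message, pull out every link, and flag any whose anchor text or host trades on the Facebook name while the registrable domain is something else. The sample message, the hostnames in it and the `LEGIT_DOMAINS` allow-list are constructed for the example; in practice the list comes from your own policy.

```python
"""Flag links in an e-mail that claim to be Facebook but go elsewhere.

Added example (not from the webinar deck, not Facebook's code). The sample
message, its hostnames and the LEGIT_DOMAINS set are constructed for the
example; in practice the allow-list comes from your own policy.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains a genuine Facebook notification may link to.
# Constructed for the example; extend it from your own records.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "facebookmail.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are inside, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): enough for the .com-style hosts here.
    Use a public-suffix library for country-code TLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legit(host):
    return registrable_domain(host) in LEGIT_DOMAINS


def mentions_facebook(s):
    """True if the string trades on the Facebook name, incl. 0-for-o spoofs."""
    return "facebook" in s.lower().replace("0", "o")


def suspicious_links(html):
    """Return [(href, anchor_text, reason)] for links that impersonate Facebook."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue                       # mailto:, tel:, empty href, ...
        host = parts.hostname or ""        # .hostname drops the user@ trick
        reasons = []
        if mentions_facebook(text) and not is_legit(host):
            reasons.append("anchor text claims Facebook but host is %s" % host)
        if mentions_facebook(host) and not is_legit(host):
            reasons.append("look-alike host %s" % host)
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed phishing-style message; every host except www.facebook.com is made up.
SAMPLE_EMAIL = """
<p>Hi, you have 1 new notification.</p>
<a href="https://www.facebook.com/n/?notifications">See your notifications</a><br>
<a href="http://facebook.com.account-verify.example/login">www.facebook.com</a><br>
<a href="http://faceb00k-security.example/reset">Facebook Security Team</a><br>
<a href="https://www.facebook.com@203.0.113.9/login">https://www.facebook.com/login</a><br>
<a href="mailto:support@example.net">Contact support</a>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS text=%r href=%s (%s)" % (text, href, why))
```

Of the five links in the sample, only the genuine notification link and the mailto: link pass; the other three are flagged for one or both reasons. The `user@host` form in the fourth link is worth noting: the browser ignores everything before the `@`, so the address that looks like `www.facebook.com` actually connects to `203.0.113.9`.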
Social Media Identity Fraud:
Brand-Jacking
IKEA scam: Fraudsters set up a phony IKEA
Facebook page and marketed it to a few
people, who sent it to their
friends, who sent it to their friends, to
become FB “fans” in exchange for a
$1,000 gift card that never came.
40,000 victims sent their personal
information and became potential ID
theft/fraud victims.
As they say: If it sounds too good to
be true, it probably is.
Fraud Against Organizations: It’s
All About Trust
Survey of 500 managers and employees with access to
sensitive customer information found the following:
66% said co-workers, not hackers, pose greatest risk to
consumer privacy; only 10% said hackers are greatest
threat.
62% reported incidents at work that put customer data at
risk for identity theft.
46% said it would be “easy,” “very easy” or “extremely
easy” for employees to steal sensitive data from corporate
database.
SOCIAL MEDIA SITES ARE BEING USED
INCREASINGLY TO COMMIT THESE CRIMES
Polling Question 2
Pretexting is (Choose the best answer)
a) Gaining unauthorized access to secure computer
networks
b) Acquiring personal information under false pretenses
c) Impersonating you to gain financial benefit illegally
d) Stealing sensitive data from secured networks
e) All of the above
How To Hack A Company With
Facebook (1)
Pose as an employee, set up a Facebook group,
and invite or “friend” other employees to join.
Membership will grow exponentially each day.
Gather intelligence from “co-workers” about the
organization.
Monitor all social networking sites for employees of the
target company: MySpace, LinkedIn, Plaxo, and
Facebook.com.
Find those who openly discuss what they do for a
living.
Key: By creating a group, you have access to the profiles
of fellow employees who have no reason to distrust
you. Gathering sensitive information is easy.
Source: Steve Stasiukonis of Secure
Network Technologies
How To Hack A Company With
Facebook (2)
Use the identity of a Facebook-friended employee to
gain access to a company building:
Create a fake identity of an employee who is not known
to the office being breached, but is still in the company’s
system.
With a little creativity, a fake business card and a fake company
ID card built from info gathered from the Facebook group, the
intruder was “in”: given an office and full access.
Once inside, the intruder can plug into the company network, set up
a wireless access point reachable from outside and/or plant
keyloggers or other malware on office PCs.
Source: Steve Stasiukonis of
Secure Network Technologies
Social Media and Corporate
Espionage
“The gadgets and gizmos of the spy movies have not
gone away. But today's corporate spies are more likely
to trawl through Facebook pages and Twitter feeds for
snippets of information they can build into valuable
intelligence on a target organization.”
The Wall Street Journal, Oct. 18, 2011
Example:
Social engineering/espionage: Through social networks it was
learned that a financial executive was a divorcee. Perpetrators
created a fake female profile on Facebook, “friended” him and
cultivated an online relationship that ended in him sharing
confidential information about the company with "her".
Why Impersonate?
Steal clients or potential clients by posing as a vendor and claiming to be
going out of business.
Conduct phishing attacks.
Pose as someone (usually a senior manager) in your
organization to bad-mouth the competition, creating a risk of your employer
becoming the target of litigation.
Use your identity to harass someone you know.
Pose as a government entity to steal data and commit new
account fraud.
Pose as a rival C-level executive on Facebook, LinkedIn, or Twitter, to
gather marketing intelligence. Once they are “linked” or “friended,” they
have access to those individuals’ contacts and inner circle.
Disgruntled employees use social media to create pseudonyms to vent
frustration about their boss or company. Can result in a PR nightmare.
Create a blog or link to a tongue-in-cheek Web site that might be funny,
but will not be funny to you.
How to Prevent Impersonation
Set up accounts with your full name and those of your
company, officers, spouse and kids on the most
trafficked social media sites, blogs, domains or Web
based E-mail accounts. If your name is already taken,
include your middle initial, a period or a hyphen. Decide
whether or not to plug in your picture and basic bio, but
leave out your age or birthday.
Set up free Google Alerts for your name and company to
get an E-mail every time your name pops up online.
How to Prevent Impersonation (continued)
Broaden your company’s online reputation. Blogging is best.
Objective: Try to get Google to bring your
given/company/officers’ names to the top of search results in the best
possible light. This is a combination of online reputation
management and search engine optimization (SEO) for your
brand.
If you identify someone using your photo or bio in social
media, be very persistent in contacting the site’s
administrators. THIS IS FRAUD! They too have reputations to
manage, and if they see someone using your photo or
likeness they will often delete stolen profiles.
Enlist services such as MarkMonitor or other brand
protection and trademark management firms.
Polling Question #3
To hack into a company using Facebook, you need the
usernames and passwords of its secure networks…
a) True
b) False
Manage Employee Use: Banning
Consider NOT outright banning employee use of social media at
work. This often creates resentment and an incentive to find ways
around the rules (via use of sites that are not prohibited, etc.).
Example: The U.S. Marine Corps banned Marines from using social
media sites such as MySpace, Facebook and Twitter.
Reasons:
1) Fear that these sites’ lack of security may allow malware to
infiltrate government computers.
2) Concern about leaked military data.
Problem: Service members used online dating sites that weren’t prohibited.
Hackers exposed personal information on military subscribers of an
online dating site. This forced DOD to order military personnel not
to use their military information on commercial social media
sites.
Lesson: A smart usage policy works better than prohibition.
Manage Employee Use: Policies
Essential: Policy that regulates employee access and guidelines
for appropriate behavior.
Audit and IT are often best positioned to develop – and monitor – policy.
Teach effective use: Provide training on proper use and
especially what not to do.
Encourage URL decoding: Before clicking on shortened URLs,
find out where they lead by pasting them into a URL expansion
service like TinyURL Decoder or Untiny.
Limit social network use: There are hundreds of social
networks serving numerous uses, from music to movies, from
friending to “hooking up”. Some are appropriate for work and others
are not, and some are less secure than others. Screen them, enforce
“off-limits” rules, and include them in company policy (including privacy).
Review Social Media Guidelines from other companies.
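The “URL decoding” step above can also be done without a third-party service, and doing it by hand shows something the expander services hide: the full chain of hops, which is where nested shorteners and a final look-alike login host become visible. The block below is an added example, not code from the webinar or from TinyURL Decoder or Untiny. `http_location` makes a real HEAD request that refuses to follow redirects; `expand` walks the chain manually, resolving relative `Location` headers, stopping on loops and capping the hop count. The `FAKE_REDIRECTS` table used by `main` and `fake_fetch` stands in for the network so the example runs offline; its hostnames are made up.

```python
"""Expand a shortened URL hop by hop before anyone clicks it.

Added example for the "URL decoding" advice in the webinar; it is not code
from the webinar or from any expander service. The FAKE_REDIRECTS table and
its hostnames are constructed so the example runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 8


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 3xx surfaces as an HTTPError we can read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=5):
    """One network hop: return the Location header of a 3xx reply, else None."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "url-expander-example/1.0"})
    try:
        with opener.open(req, timeout=timeout):
            return None                    # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None                        # 4xx/5xx: dead link, stop here


def expand(url, fetch=http_location, max_hops=MAX_HOPS):
    """Follow redirects manually.

    Returns (chain, status): chain is every URL visited, starting with the
    input; status is "resolved", "loop" or "too_many_hops".
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = fetch(current)
        if nxt is None:
            return chain, "resolved"
        nxt = urljoin(current, nxt)        # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too_many_hops"


def describe(chain, status):
    """One-line verdict: where the link really ends up and how many hops it took."""
    return "%s -> %s (%d hop(s), %s)" % (
        urlparse(chain[0]).hostname, urlparse(chain[-1]).hostname,
        len(chain) - 1, status)


# Constructed redirect table standing in for the network; hosts are hypothetical.
FAKE_REDIRECTS = {
    "http://sho.rt/abc": "https://t.short.example/x1",
    "https://t.short.example/x1": "/landing?ref=x1",          # relative Location
    "https://t.short.example/landing?ref=x1": "https://faceb00k-login.example/verify",
    "http://sho.rt/loop": "http://sho.rt/loop2",
    "http://sho.rt/loop2": "http://sho.rt/loop",
}


def fake_fetch(url):
    """Offline stand-in for http_location backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("http://sho.rt/abc", "http://sho.rt/loop"):
        chain, status = expand(start, fetch=fake_fetch)
        print(describe(chain, status))
        for hop in chain:
            print("    ", hop)
```

Two practical caveats. Some hosts answer HEAD with 405; retry with `method="GET"` in that case, the Location header is the same. And resolving a link yourself still sends a request to every host in the chain, so do it from a sandbox rather than the recipient's workstation if the link is already suspected to be malicious.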
Manage Employee Use: Policies (continued)
Train IT personnel: Effective policies begin from the top
down. IT must be up to speed. May need to coordinate with
Internal Audit to monitor social media use.
Critical: Managers and employees must never post work-related
information without authorization, and never post work-related
information on personal pages.
Maintain updated security: Whether hardware or software,
A-V or critical security patches, make sure you are up to date.
Lock down settings: Most social networks have privacy
settings that need to be set to the most restrictive level.
Default settings are often invitations to hackers.
Social Media As An Investigative
Tool
Fraud investigators increasingly use social networks to
gather public evidence of misconduct (see below).
Illinois and Maryland prohibit employers from requiring
employees to provide social media account passwords.
But loopholes may still enable employer access to
employee accounts.
Caution: Conduct social media investigations only
after consulting a qualified attorney. Some laws also
forbid “friending” if you are doing it for investigative
purposes. The law is in flux and can be tricky.
Example: Courts have ruled that lawyers or
investigators working for them cannot “friend” a
suspect already represented by counsel.
Polling Question #4
Which of the following are potentially serious social
media-related threats to most organizations?
a) Spreading false information about a product
b) Gaining unauthorized access to an executive’s inner
circle
c) Posing as your company for phishing attacks to steal
money
d) All of the above
Polling Question #5
Outright banning of employee use of social media sites is
the most effective way to minimize the many SM risks
threatening your organization.
A. True
B. False
Questions?
Any Questions?
Don’t be Shy!
Coming Up Next Month
1. An Expert’s Advice on
Establishing an Organization-Wide
Fraud Policy (October 8)
2. Using Data Analytics to Detect and
Deter Procure-to-Pay Fraud
(October 30)