
Fraud in Social Media: Facing the Growing Threat

DESCRIPTION

Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud in a High Crime Climate. Recordings of these Webinars are available for purchase from our Website, fraudresourcenet.com. This Webinar focused on the subject in the title. FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web. FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet® LLC and White-Collar Crime 101 LLC/FraudAware.

Page 1: Fraud in Social Media: Facing the Growing Threat

Fraud in Social Media:Facing the Growing Threat

September 25, 2013

Special Guest Presenters: Peter Goldmann

FraudResourceNet - White-Collar Crime 101 LLC –FraudAware

Copyright © 2013 FraudResourceNet™ LLC

About Peter Goldmann, MSc., CFE

• President and Founder of White Collar Crime 101
• Publisher of White-Collar Crime Fighter
• Developer of FraudAware® Anti-Fraud Training
• Monthly Columnist, The Fraud Examiner, ACFE Newsletter
• Member of Editorial Advisory Board, ACFE
• Author of “Fraud in the Markets” – explains how fraud fueled the financial crisis.

Page 2: Fraud in Social Media: Facing the Growing Threat

About Jim Kaplan, MSc, CIA, CFE

President and Founder of AuditNet®, the global resource for auditors

Auditor, Web Site Guru,

Internet for Auditors Pioneer

Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.

Author of “The Auditor’s Guide to Internet Resources” 2nd Edition

Webinar Housekeeping

This webinar and its material are the property of AuditNet® and FraudAware®. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided access to that recording within 5 business days after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

Please complete the evaluation questionnaire to help us continuously improve our Webinars.

You must answer the polling questions to qualify for CPE per NASBA.

Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.

Page 3: Fraud in Social Media: Facing the Growing Threat

Disclaimers

The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.

While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website

Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC

Today’s Agenda

• Introduction
• Fraud Statistics
• Auditors’ Role – Risk, Control and Audit
• Social media fraud against individuals
• Social media fraud against organizations
• How E-fraudsters exploit Facebook and other social media sites to commit fraud
• How to monitor social media sites for signs of criminal actions against your organization
• How to reduce your risk of fraud victimization via social media
• Your Questions

Page 4: Fraud in Social Media: Facing the Growing Threat

Fraud: The Big Picture

According to major accounting firms, professional fraud examiners and law enforcement:

• Fraud costs the world $3.5 TRILLION per year (5%). (ACFE)
• Average cost for each incident of fraud is $160K. (ACFE)
• People who have been victims of ID theft are just as likely to be lax in securing their personal information online. Study results from identity theft victims and non-victims are identical. (Ponemon)
• 91% of online adults use Social Media regularly.
• Social Media use has increased 356% in the US since 2006. (Source: 216 Social Media and Internet Statistics (September 2012), TheSocialSkinny.com)

Internal Audit’s Role

Understand how social media is being used within the organization

Review social media policies

Conduct a social media risk assessment

Ensure that controls are in place to address social media risks

Records retention issue

Audit Reports

Social Media Review by Multnomah County August 2011

GAO SOCIAL MEDIA - Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate http://www.gao.gov/new.items/d11605.pdf

Social media is now embedded in our personal and business culture, and auditors need to know what the risks and controls are, how to audit this new communication tool, and also how to adapt it for use within the audit environment.

Jim Kaplan, AuditNet®

Page 5: Fraud in Social Media: Facing the Growing Threat

Guidance and Publications

Social Media Risk Control and Audit

Here are a few examples of more books, tools and resources for auditors:

• IIA Auditing Social Media
• AuditNet Social Media Risk Assessment Workbook
• AuditNet® Guide to Social Networking Security
• Identity Theft Audit Program

Page 6: Fraud in Social Media: Facing the Growing Threat

Social Media Risks

The Biggest Social Media Risk: Not Paying Attention to Social Media, according to major corporate executives

March 20, 2012

Social Media and Cloud Computing Top Internal Auditors' Technology Hot List, According to New Protiviti Research

Social media and cloud computing are top concerns – Internal audit executives and professionals recognize they must have superior knowledge and understanding of these areas and their inherent risks, and how their organizations are leveraging as well as controlling them, in order to perform their jobs at a high level and add value to the organizations they serve.

Protiviti 2012 Internal Audit Capabilities and Needs Survey

Social Media Risks

Prioritized concerns from a survey conducted by Grant Thornton and FERF

1. Disclosure of proprietary information
2. Negative comments about the company
3. Exposure of personally identifiable information
4. Fraud
5. Out of date information

As the use of social media continues to grow, so too does the risk of fraud involving social media

Social Media and its associated risk – Grant Thornton and FERF

Page 7: Fraud in Social Media: Facing the Growing Threat

Social Media Risks

Risks

Employees or non-employees creating a social media page representing your company without management/IT consent or approval

Trade secrets or other business secrets being inadvertently or even deliberately shared

Dissatisfied customers or disgruntled employees voicing their opinions freely

Viruses, spyware and network vulnerabilities occurring due to the interactivity and open nature of social media architecture

Social Media Controls

Controls

The extent to which social media will be officially sanctioned by the organization

Who is allowed to use the social media sites

How users gain approval to use the social media sites

Standards/policy of social media use inside and outside of the workplace

Brand monitoring and legal involvement

How to report false pages

Page 8: Fraud in Social Media: Facing the Growing Threat

Social Media Audit Objectives and Scope

Objective—The objective of a social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies and processes.

Scope—The review will focus on governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:

• Strategy and governance—policies and frameworks
• People—training and awareness
• Processes
• Technology

Selection of the social media projects and initiatives will be based on risks introduced to the enterprise by these systems.

Social Media Audit Program Sample Steps

Social Media Audit Program — Should be a comprehensively written program to detect, implement, and monitor compliance with the laws and regulations that impact the various components of social media. It should provide written procedures to ensure compliance.

Identification of inappropriateness with social media channels and non-compliance with the Social Media Policy — The company should clearly identify what is acceptable and what is not acceptable, based on a risk assessment and the outlined rules and specifications of the Social Media Audit Program.

Continued…

Page 9: Fraud in Social Media: Facing the Growing Threat

Social Media Audit Program Sample Steps

Prior examination/audit findings — If weaknesses were previously cited in the company’s social media examination or audit that may impact the company’s social media program, has management taken appropriate steps to institute corrective actions?

Training program(s) — Training should be tailored to address all employees.

Incident response — A formal review should be made of all alleged and/or actual incidents and how the company handled the incident.

Internal audit and annual reports — Management should regularly report on its responsiveness to cited weaknesses in the social media program.

Social Media: The Fraud Threat

Social media is based on Web 2.0 and fosters the notion that people who consume media, access the Internet, and use the Web no longer passively absorb the flow of content from provider to viewer; rather, they are active contributors, helping customize media and technology for their own purposes.

One of social media’s greatest threats comes from employees who put work-related information onto social media sites—intentionally or unintentionally

It’s all about ID theft, ID fraud, social engineering, espionage, cyber-crime and financial fraud against INDIVIDUALS and ORGANIZATIONS

Page 10: Fraud in Social Media: Facing the Growing Threat

Fraud Against Individuals

Wife of Sir John Sawers, Head of MI6, UK equivalent of CIA, posted sensitive information to her Facebook page, including the address of the couple’s London apartment and the locations of their children and Sir John’s parents. Problem: Potential national security & blackmail risk.

“John Doe” received a message from a Facebook friend which had a link to a funny video. He clicked on it. The link did not bring up a video. The friend’s profile had been hacked, and now malicious software was being downloaded onto John’s computer as a result of him clicking on the link. This software was designed to open a way for an identity thief to take personal information from John’s system. It also sent a similar E-mail to everybody he was connected with on his profile, asking them to “view the video”.

Financial Identity Theft Against Individuals

ID theft against individuals. Fraudsters use Facebook to EASILY crack your password. Most online accounts use “qualifying questions” or Knowledge Based Authentication questions and answers to verify your identity if you “forget” your password. These questions usually involve personal information, such as your kids’, other relatives’, or pets’ names or birthdays.

When fraudsters find this information on your Facebook page, they can reset your passwords and steal your identity.

Key message: Limit what you post, and lock down your privacy settings.

Page 11: Fraud in Social Media: Facing the Growing Threat

ID Theft Weapon: Social Engineering

Social engineering: Techniques used to manipulate people into performing actions or divulging confidential information. Uses various forms of psychological trickery via numerous channels—now increasingly with social media -- to get victim to provide sensitive information or computer system access…

ID Theft Weapon: Pretexting

Pretexting: Using personal information acquired under false pretenses to commit fraud.

How it’s done: Creating and using an invented scenario (the pretext) to persuade a social media target to release information or perform an action … usually done over the telephone. More than a lie -- it most often involves some prior research or set-up and the use of pieces of known information from a social media site (DOB, Social Security Number, last bill amount, etc.) to establish legitimacy in the mind of the target…

Page 12: Fraud in Social Media: Facing the Growing Threat

ID Theft Weapon: Pretexting

Pretexters/fraudsters may pose as an employee of the victim’s:

Bank

Utility

Merchant /Organization

Employer (co-worker)

Government agency

Landlord

Key objective: Pretexters sell your information to people who use it to get credit in your name, steal your assets, or to investigate or blackmail or sue you.

Polling Question 1

Social media fraud is ________________ risky for individuals than it is organizations

A. Less
B. More
C. Equally

Page 13: Fraud in Social Media: Facing the Growing Threat

Social Media Phishing & Hijacking

More Social Media Phishing & Hijacking

Account hijacking. Phishers imitate the Facebook E-mail template, tricking victims into believing they have received a legitimate Facebook message or notification. Once you enter your username and password into the fake Facebook web site, criminals can take over your account, pose as you, post unwanted ads, ask your friends for money, information, etc.

Self defense: Always log into your Facebook account manually, rather than going through a link in an E-mail.
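A defender’s check for the lure described above, added here as an example (it is not code from the presentation or from FraudResourceNet): parse every link in an HTML message, and flag any whose visible text names one host while its href points at another, any that is not HTTPS, and any that leads outside a set of trusted hosts. The sample message and the TRUSTED_HOSTS set are constructed for the example.

```python
"""Triage links in an HTML e-mail that claims to be a Facebook notification.

Added example, not from the original presentation. The sample message and
the TRUSTED_HOSTS set below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a genuine notification is expected to link to (assumption for the
# example; an organization would maintain its own list).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Visible link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

# Constructed sample: one genuine link, one text/href mismatch, one lookalike host.
SAMPLE_EMAIL = """
<p>You have a new notification.</p>
<a href="https://www.facebook.com/notifications">See notifications</a>
<a href="http://facebook-com.secure-login.example/reset">www.facebook.com/reset</a>
<a href="https://fb-account-verify.example/">Confirm your account</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.site.example/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host):
    """True for a trusted host or a subdomain of one. A prefix match is
    deliberately not enough: 'facebook.com.evil.example' must fail."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage_links(html):
    """Return (href, visible_text, reason) for each link a user should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if URL_LIKE.match(text) else ""
        if text_host and text_host != href_host:
            findings.append((href, text, "visible text names a different host than the href"))
        elif not href.lower().startswith("https://"):
            findings.append((href, text, "link is not https"))
        elif not host_is_trusted(href_host):
            findings.append((href, text, "host is outside the trusted set"))
    return findings


if __name__ == "__main__":
    for href, text, reason in triage_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The suffix match in host_is_trusted is the point of the check: a phishing host is often built so that the trusted name appears at the start or in the middle, which is why the slide’s advice to type the address yourself rather than trust the link holds even when the link text looks right.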

Page 14: Fraud in Social Media: Facing the Growing Threat

Social Media Identity Fraud

Brand-Jacking

IKEA: Scammers set up a phony Facebook page and marketed it to a few people, who then sent it to their friends, who sent it to their friends, all to become FB “fans” in exchange for a $1,000 gift card that never came.

40,000 victims sent their personal information – became potential ID theft/fraud victims.

As they say: If it sounds too good to be true, it probably is.

Fraud Against Organizations: It’s All About Trust

Survey of 500 managers and employees with access to sensitive customer information found the following:

66% said co-workers, not hackers, pose greatest risk to consumer privacy; only 10% said hackers are greatest threat.

62% reported incidents at work that put customer data at risk for identity theft.

46% said it would be “easy,” “very easy” or “extremely easy” for employees to steal sensitive data from corporate database.

SOCIAL MEDIA SITES ARE BEING USED INCREASINGLY TO COMMIT THESE CRIMES

Page 15: Fraud in Social Media: Facing the Growing Threat

Polling Question 2

Pretexting is (Choose the best answer)

a) Gaining unauthorized access to secure computer networks

b) Acquiring personal information under false pretenses

c) Impersonating you to gain financial benefit illegally

d) Stealing sensitive data from secured networks

e) All of the above

How To Hack A Company With Facebook-1

Pose as an employee, setting up a Facebook group, and inviting or “friending” other employees to join. Membership will grow exponentially each day.

Gather intelligence from “co-workers” about the organization.

Monitor all social networking sites for employees of target company --MySpace, LinkedIn, Plaxo, and Facebook.com

Find those who openly discuss what they do for a living

Key: By creating a group, you have access to the profiles of fellow employees who have no reason to distrust you. Gathering sensitive information is easy.

Source: Steve Stasiukonis of Secure Network Technologies

Page 16: Fraud in Social Media: Facing the Growing Threat

How To Hack A Company With Facebook-2

Use the identity of a Facebook-friended employee to gain access to a company building:

Create a fake identity of the employee who is not known to the office to be breached, but still in the company’s system

With a little creativity, a fake business card, fake company ID card from info gathered from our Facebook group, the fraudster was “in”. Given an office and full access.

Once inside, can plug into the company network, create a wireless hub to access from the outside and/or plant keyloggers or other malware onto office PCs.

Source: Steve Stasiukonis of Secure Network Technologies

Social Media and Corporate Espionage

“The gadgets and gizmos of the spy movies have not gone away. But today's corporate spies are more likely to trawl through Facebook pages and Twitter feeds for snippets of information they can build into valuable intelligence on a target organization.”

“The Wall Street Journal”, Oct. 18, 2011

Example:

Social engineering/espionage: Through social networks it was learned that a financial executive was a divorcee. Perpetrators created dummy female profile on Facebook, “friended” him and cultivated an online relationship that ended in him sharing confidential information about the company with "her".

Page 17: Fraud in Social Media: Facing the Growing Threat

Why Impersonate?

Steal clients or potential clients by posing as a vendor and claiming to be going out of business

Conduct phishing attacks

Intentionally pose as someone (usually senior manager) of your organization, to bad-mouth competition. Create risk of your employer becoming target of litigation

Use your identity to harass someone you know.

They may pose as a government entity to steal data and commit new account fraud.

Pose as rival C-level executive on Facebook, LinkedIn, or Twitter, to gather marketing intelligence. Once they are “linked” or “friended,” they have access to those individuals’ contacts and inner circle.

Disgruntled employees use social media to create pseudonyms to vent frustration about their boss or company. Can result in PR nightmare.

Create blog or link to a tongue-in-cheek Web site that might be funny, but will not be funny to you.

How to Prevent Impersonation

Set up accounts with your full name and those of your company, officers, spouse and kids on the most trafficked social media sites, blogs, domains or Web based E-mail accounts. If your name is already taken, include your middle initial, a period or a hyphen. Decide whether or not to plug in your picture and basic bio, but leave out your age or birthday.

Set up a free Google Alerts for your name/company to get an E-mail every time your name pops up online.

Page 18: Fraud in Social Media: Facing the Growing Threat

How to Prevent Impersonation

Broaden your company’s online reputation. Blogging is best.

Objective: Try to get Google to bring your given/company/officers names to top of search in best possible light. This is a combination of online reputation management and search engine optimization (SEO) for your brand.

If you identify someone using your photo or bio in the social media, be very persistent in contacting the site’s administrators. THIS IS FRAUD! They too have reputations to manage and if they see someone using your photo or likeness they will often delete stolen profiles.

Enlist services such as Mark Monitor or other brand protection and trademark management firms.

Polling Question #3

To hack into a company using Facebook, you need the usernames and passwords of its secure networks…

a) True

b) False

Page 19: Fraud in Social Media: Facing the Growing Threat

Manage Employee Use: Banning

Consider NOT outright banning employee use of Social Media at work. This often creates resentment and incentive to find ways around the rules (via use of unprohibited sites, etc)

Example: Marines recently banned soldiers from using social media sites such as MySpace, Facebook and Twitter.

Reasons:

1) Fear that these sites’ lack of security may allow malware to infiltrate government computers.

2) Concern about leaked military data.

Problem: Soldiers used online dating sites that weren’t prohibited. Hackers exposed personal information on military subscribers of an online dating site. Forced DOD to command military personnel not to use their military information on commercial social media sites.

Lesson: Smart usage policy works better than prohibition

Manage Employee Use: Policies

Essential: Policy that regulates employee access and guidelines for appropriate behavior. Audit and IT are often best positioned to develop – and monitor – policy.

Teach effective use: Provide training on proper use and especially what not to do.

Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.

Limit social network use: There are hundreds of social networks serving numerous uses from music to movies, from friending to “hooking up”. Some are appropriate and others even less secure. Screen and enforce “off-limit” rules. Include in company policy (including privacy).

Review Social Media Guidelines from other companies.
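The URL-decoding advice above can also be done locally, without a third-party lengthening service. This added example (not a tool the presentation names, and not FraudResourceNet’s code) sends one HEAD request to the shortener, reads its Location header, and stops there, so the destination is never contacted; it then lists what a user should notice about the destination before clicking (plain HTTP, a raw IP address, credentials hidden before an “@”, or a second shortener). The short URL short.example, the KNOWN_SHORTENERS list and the redirect response are constructed for the example.

```python
"""Find where a shortened URL leads without opening the destination.

Added example, not a tool named in the presentation. expand_one_hop() sends a
single HEAD request to the shortener and reads its Location header; it never
follows the redirect, so the destination is not contacted. The response below
is constructed so that the classification can be exercised offline.
"""
import http.client
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Small sample of public shorteners (assumption: extend with the ones you see).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Constructed redirect response, as a hypothetical shortener at
# https://short.example/abc might return; 203.0.113.0/24 is the
# documentation address range, not a real destination.
SAMPLE_SHORT_URL = "https://short.example/abc"
SAMPLE_STATUS = 301
SAMPLE_HEADERS = [("Content-Length", "0"), ("Location", "http://203.0.113.7/login")]


def redirect_target(status, headers):
    """Location header of a redirect response, or None if it is not a redirect.
    headers is a list of (name, value) pairs, as http.client returns them."""
    if status not in REDIRECT_STATUSES:
        return None
    for name, value in headers:
        if name.lower() == "location":
            return value
    return None


def assess_destination(short_url, location):
    """Describe where the link goes and list what a user should notice first."""
    # A relative Location is legal; resolve it against the shortener's URL.
    dest = urlsplit(urljoin(short_url, location))
    host = (dest.hostname or "").lower()
    warnings = []
    if dest.scheme != "https":
        warnings.append("destination is not https")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        warnings.append("destination is a raw IP address, not a named site")
    if dest.username is not None:
        warnings.append("destination embeds credentials before '@' (host is misleading)")
    if host in KNOWN_SHORTENERS:
        warnings.append("destination is another shortener (chained redirect)")
    return {"destination": dest.geturl(), "host": host, "warnings": warnings}


def expand_one_hop(short_url, timeout=5):
    """HEAD the shortener once and return its Location header (or None)."""
    parts = urlsplit(short_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-check-example/1.0"})
        resp = conn.getresponse()
        return redirect_target(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed response; for a live short URL
    # call expand_one_hop(url) and pass its result to assess_destination().
    target = redirect_target(SAMPLE_STATUS, SAMPLE_HEADERS)
    print(assess_destination(SAMPLE_SHORT_URL, target))
```

Only the shortener sees the request, which is the property a user wants from a decoder: the page the link actually points at is never loaded, so nothing it serves can run.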

Page 20: Fraud in Social Media: Facing the Growing Threat

Manage Employee Use: Policies

Train IT personnel: Effective policies begin from the top down. IT must be up to speed. May need to coordinate with Internal Audit to monitor social media use.

Critical: Managers and employees must never post work-related information without authorization, nor post work-related information on personal pages.

Maintain updated security: Whether hardware or software, A-V or critical security patches, make sure you are up-to-date.

Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings are often invitations to hackers

Social Media As An Investigative Tool

Fraud investigators increasingly use social networks to gather public evidence of misconduct (see below). Illinois and Maryland prohibit employers from requiring employees to provide social media account passwords. But loopholes may still enable employer access to employee accounts. Caution: Conduct social media investigation only after consulting a qualified attorney. Some laws also forbid “friending” if you are doing it for investigative purposes. Law is in flux and can be tricky.

Example: Courts have ruled that lawyers or investigators working for them cannot “friend” a suspect already represented by counsel.

Page 21: Fraud in Social Media: Facing the Growing Threat

Polling Question #4

Which of the following are potentially serious social media-related threats to most organizations?

a) Spreading false information about a product

b) Gaining unauthorized access to an executive’s inner circle

c) Posing as your company for phishing attacks to steal money

d) All of the above

Polling Question 3

Outright banning of social media sites by employees is the most effective way to minimize the many SM risks threatening your organizations

A. True
B. False

Page 22: Fraud in Social Media: Facing the Growing Threat

Questions?

Any Questions? Don’t be Shy!

Coming Up Next Month

1. An Expert’s Advice on Establishing an Organization Wide Fraud Policy – October 8

2. Using Data Analytics to Detect and Deter Procure-to-Pay Fraud – October 30

Page 23: Fraud in Social Media: Facing the Growing Threat

Thank You!

Website: http://www.fraudresourcenet.com

Jim Kaplan, FraudResourceNet™

800-385-1625 [email protected]

Peter Goldmann, FraudResourceNet™

[email protected]