Fraud in Social Media: Facing the Growing Threat

Fraud in Social Media:
Facing the Growing Threat
September 25, 2013
Special Guest Presenters:
Peter Goldmann
FraudResourceNet - White-Collar
Crime 101 LLC –FraudAware

Copyright © 2013 FraudResourceNet™ LLC

About Peter Goldmann, MSc., CFE

 President and Founder of White Collar
Crime 101
Publisher of White-Collar Crime Fighter
Developer of FraudAware® Anti-Fraud
Training Monthly Columnist, The Fraud
Examiner,
ACFE
Newsletter
 Member of Editorial Advisory Board, ACFE
 Author of “Fraud in the Markets”
Explains how fraud fueled the financial crisis.


About Jim Kaplan, MSc, CIA, CFE
 President and Founder of
AuditNet®, the global resource
for auditors
 Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
 Author of “The Auditor’s
Guide to Internet Resources”
2nd Edition

Webinar Housekeeping


This webinar and its material are the property of AuditNet® and
FraudAware®. Unauthorized usage or recording of this webinar or any
of its material is strictly forbidden. We are recording the webinar and
you will be provided access to that recording within 5 business days
after the webinar. Downloading or otherwise duplicating the webinar
recording is expressly prohibited.



Please complete the evaluation questionnaire to help us continuously
improve our Webinars.



You must answer the polling questions to qualify for CPE per NASBA.



Submit questions via the chat box on your screen and we will answer
them either during or at the conclusion.



If GTW stops working you may need to close and restart. You can
always dial in and listen and follow along with the handout.

Disclaimers






The views expressed by the presenters do not necessarily represent the
views, positions, or opinions of FraudResourceNet LLC (FRN) or the
presenters’ respective organizations. These materials, and the oral
presentation accompanying them, are for educational purposes only and do
not constitute accounting or legal advice or create an accountant-client
relationship.
While FRN makes every effort to ensure information is accurate and
complete, FRN makes no representations, guarantees, or warranties as to
the accuracy or completeness of the information provided via this
presentation. FRN specifically disclaims all liability for any claims or
damages that may result from the information contained in this
presentation, including any websites maintained by third parties and linked
to the FRN website
Any mention of commercial products is for information only; it does not
imply recommendation or endorsement by FraudResourceNet LLC

4

Today’s Agenda







Introduction
Fraud Statistics
Auditors Role – Risk Control and Audit
Social media fraud against individuals
Social media fraud against organizations
How E-fraudsters exploit Facebook and other
social media sites to commit fraud
 How to monitor social media sites for signs of
criminal actions against your Organization
 How to reduce your risk of fraud victimization via
social media
 Your Questions

Fraud: The Big Picture







According to major accounting firms, professional
fraud examiners and law enforcement:
Fraud costs the world $3.5 TRILLION per year. (5%)
(ACFE
Average cost for each incident of fraud is $160K
(ACFE)
People who have been victims of ID theft are just as
likely to be lax in securing their personal information
online. Study results from identity theft victims and nonvictims are identical.(Ponemon)
91% of online adults use Social Media regularly
Social Media use has increased 356% in the US since
2006
(Source: 216 Social Media and Internet Statistics (September 2012),
TheSocialSkinny.com)

Internal Audit’s Role







Understand how social media is being used within the organization
Review social media policies
Conduct a social media risk assessment
Ensure that controls are in place to address social media risks
Records retention issue
Audit Reports
 Social Media Review by Multnomah County August 2011
 GAO SOCIAL MEDIA - Federal Agencies Need Policies and
Procedures for Managing and Protecting Information They Access
and Disseminate http://www.gao.gov/new.items/d11605.pdf
Social media is now embedded in our personal and business culture
and auditors need to know the what the risks and controls are, how to
audit this new communication tool and also how to adapt it for use
within the audit environment.
Jim Kaplan, AuditNet®

Guidance and Publications


Social Media Risk Control and
Audit
Here a few examples of more books,
tools and resources for auditors:
• IIA Auditing Social Media
• AuditNet Social Media Risk
Assessment Workbook
• AuditNet® Guide to Social
Networking Security
• Identity Theft Audit Program


Social Media Risks
The Biggest Social Media Risk: Not Paying
Attention to Social Media, according to
major corporate executives
March 20, 2012

Social Media and Cloud Computing Top Internal Auditors' Technology
Hot List, According to New Protiviti Research

Social media and cloud computing are top concerns – Internal
audit executives and professionals recognize they must have
superior knowledge and understanding of these areas and their
inherent risks, and how their organizations are leveraging as well
as controlling them, in order to perform their jobs at a high level
and add value to the organizations they serve.
Protiviti 2012 Internal Audit Capabilities and Needs Survey


Social Media Risks
As the use of social media continues to grow,
so too does the risk of fraud involving social
media
Social Media and its associated risk – Grant Thornton and FERF

Prioritized concerns from a survey
conducted by Grant Thornton and FERF
1. Disclosure of proprietary information
2. Negative comments about the company
3. Exposure of personally identifiable
information
4. Fraud
5. Out of date information


Social Media Risks

 Risks
 Employees or non-employees creating a social
media page representing your company without
management/IT consent or approval
 Trade secrets or other business secrets being
inadvertently or even deliberately shared
 Dissatisfied customers or disgruntled employees
voicing their opinions freely
 Viruses, spyware and network vulnerabilities
occurring due to the interactivity and open nature of
social media architecture

Social Media Controls

 Controls
 The extent to which social media will be officially
sanctioned by the organization
 Who is allowed to use the social media sites
 How users gain approval to use the social media
sites
 Standards/policy of social media use inside and
outside of the workplace
 Brand monitoring and legal involvement
 How to report false pages


Social Media Audit Objectives
and Scope
 Objective—The objective of a social media audit/assurance
review is to provide management with an independent
assessment relating to the effectiveness of controls over
the enterprise’s social media policies and processes.
 Scope—The review will focus on governance, policies,
procedures, training and awareness functions related to
social media. Specifically, it will address:
 Strategy and governance—policies and frameworks
 People—training and awareness
 Processes
 Technology
 Selection of the social media projects and initiatives will be
based on risks introduced to the enterprise by these
systems.

Social Media Audit Program
Sample Steps
 Social Media Audit Program — Should be a
comprehensively written program to detect, implement,
and monitor compliance with the laws and regulations
that impact the various components of social media. It
should provide written procedures to ensure compliance.
 Identification of inappropriateness with social media
channels and non-compliance with the Social Media
Policy — The company should clearly identify what is
acceptable and what is not acceptable, based on a risk
assessment and the outlined rules and specifications of
the Social Media Audit Program.
Continued…

Social Media Audit Program
Sample Steps
 Prior examination/audit findings — If weaknesses were
previously cited in the company’s social media
examination or audit that may impact the company’s
social media program, has management taken
appropriate steps to institute corrective actions?
 Training program(s) — Training should be tailored to
address all employees. Incident response — A formal
review should be made of all alleged and/or actual
incidents and how the company handled the incident.
 Internal audit and annual reports — Management
should regularly report on its responsiveness to cited
weaknesses in the social media program.

Social Media: The Fraud
Threat
 Social Media - based on Web 2.0 and fosters
the notion that people who consume media,
access the Internet, and use the Web no longer
passively absorb the flow of content from provider
to viewer; rather, they are active contributors,
helping customize media and technology for their
own purposes.

One of social media’s greatest threats comes
from employees who put work-related information
onto social media sites—intentionally or
unintentionally
 It’s all about ID theft, ID fraud, social
engineering, espionage, cyber-crime and
financial fraud against INDIVIDUALS and
ORGANIZATIONS

Fraud Against Individuals
 Wife of Sir John Sawers, Head of MI6, UK equivalent of
CIA posted sensitive information to her Facebook page,
including address of the couple’s London apartment and
locations of their children and Sir John’s parents.
Problem: Potential national security & blackmail risk.
“John Doe” received a message from a Facebook friend
which had a link to a funny video. He clicked on it. The link
did not bring up a video. The friend’s profile had been
hacked, and now malicious software was being
downloaded onto John’s computer as a result of him
clicking on the link. This software was designed to open a
way for an identity thief to take personal information from
John’s system. It also sent a similar E-mail to everybody
he was connected with on his profile, asking them to “view
the video”.

Financial Identity Theft
Against Individuals
 ID theft against individuals. Fraudsters use Facebook
to EASILY crack your password. Most online accounts
use “qualifying questions” or Knowledge Based
Authentication questions and answers to verify your
identity if you “forget” your password. These questions
usually involve personal information, such as your
kids’, other relatives’, or pets’ names or birthdays.
 When fraudsters find this information on your Facebook
page, they can reset your passwords and steal your
identity.
Key message: Limit what you post, and lock down your
privacy settings.

ID Theft Weapon: Social
Engineering
 Social engineering: Techniques used to
manipulate people into performing actions
or divulging confidential information. Uses
various forms of psychological trickery via
numerous channels—now increasingly
with social media -- to get victim to
provide sensitive information or computer
system access…


ID Theft Weapon: Pretexting
Pretexting: Using personal information acquired under
false pretenses to commit fraud.
How it’s done: Creating and using an invented
scenario (the pretext) to persuade a social media target
to release information or perform an action … usually
done over the telephone. More than a lie -- as it most
often involves some prior research or set-up and the
use of pieces of known information from a social media
site (DOB, Social Security Number, last bill amount, etc)
to establish legitimacy in mind of the target…


ID Theft Weapon: Pretexting








Pretexter/fraudsters may pose as employee from
victim’s:
Bank
Utility
Merchant /Organization
Employer (co-worker)
Government agency
Landlord
Key objective: Pretexters sell your information to
people who use it to get credit in your name, steal
your assets, or to investigate or blackmail or sue you.

Polling Question 1
Social media fraud is ________________ risky for
individuals than it is organizations
A. Less
B. More
C. Equally


Social Media Phishing &
Hijacking


More Social Media Phishing
& Hijacking
 Account hijacking. Phishers imitate the Facebook Email template, tricking victims into believing they have
received a legitimate Facebook message or notification.
Once you enter your username and password into the
fake Facebook web site, criminals can take over your
account, pose as you, post unwanted ads, ask your
friends for money, information, etc.
Self defense: Always log into your Facebook account
manually, rather than going through a link in an E-mail.


Social Media Identity Fraud
 Brand-Jacking
IKEA: Scams. Set up a phony
Facebook page and market it to a few
people, who then send it to their
friends, who send it to their friends to
become FB “fans” in exchange for a
$1,000 gift card that never came.
40,000 victims sent their personal
information – became potential ID
theft/fraud victims.
As they say: If it sounds too good to
be true, it probably is.


Fraud Against Organizations: It’s
All About Trust
Survey of 500 managers and employees with access to
sensitive customer information found the following:
66% said co-workers, not hackers, pose greatest risk to
consumer privacy; only 10% said hackers are greatest
threat.
62% reported incidents at work that put customer data at
risk for identity theft.
46% said it would be “easy,” “very easy” or “extremely
easy” for employees to steal sensitive data from corporate
database.
SOCIAL MEDIA SITES ARE BEING USED
INCREASINGLY TO COMMIT THESE CRIMES

Polling Question 2
Pretexting is (Choose the best answer)
a) Gaining unauthorized access to secure computer
networks
b) Acquiring personal information under false pretenses
c) Impersonating you to gain financial benefit illegally
d) Stealing sensitive data from secured networks
e) All of the above


How To Hack A Company With
Facebook-1
 Pose as an employee, setting up a Facebook group,
and inviting or “friending” other employees to join.
Membership will grow exponentially each day.
 Gather intelligence from “co-workers” about the
organization.
 Monitor all social networking sites for employees of
target company --MySpace, LinkedIn, Plaxo, and
Facebook.com
 Find those who openly discuss what they do for a
living
 Key: By creating a group, you have access to profiles
or fellow employees who have no reason to distrust
you. Gathering sensitive information is easy.
Source: Steve Stasiukonis of Secure
Network Technologies

How To Hack A Company With
Facebook-2
 Use the identity of a Facebook-friended employee to
gain access to a company building:
 Create a fake identity of the employee who is not known
to the office to be breached, but still in the company’s
system
 With a little creativity, a fake business card, fake company
ID card from info gathered from our Facebook group, the
fraudster was “in”. Given an office and full access.
 Once inside, can plug into the company network, create
a wireless hub to access from the outside and/or plant
keyloggers or other malware onto office PCs.
Source: Steve Stasiukonis of
Secure Network Technologies

Social Media and Corporate
Espionage
“The gadgets and gizmos of the spy movies have not
gone away. But today's corporate spies are more likely
to trawl through Facebook pages and Twitter feeds for
snippets of information they can build into valuable
intelligence on a target organization.”
‘’The Wall Street Journal”, Oct. 18, 2011
Example:
 Social engineering/espionage: Through social networks it was
learned that a financial executive was a divorcee. Perpetrators
created dummy female profile on Facebook, “friended” him and
cultivated an online relationship that ended in him sharing
confidential information about the company with "her".


Why Impersonate?











Steal clients or potential clients by posing as vendor and claiming to be
going out oan business
Conduct phishing attacks
Intentionally pose as someone (usually senior manager) of your
organization, to bad-mouth competition. Create risk of your employer
becoming target of litigation
Use your identity to harass someone you know.
They may pose as a government entity to steal data and commit new
account fraud.
Pose as rival C-level executive on Facebook, LinkedIn, or Twitter, to
gather marketing intelligence. Once they are “linked” or “friended,” they
have access to those individuals’ contacts and inner circle.
Disgruntled employees use social media to create pseudonyms to vent
frustration about their boss or company. Can result in PR nightmare.
Create blog or link to a tongue-in-cheek Web site that might be funny,
but will not be funny to Copyright © 2013 FraudResourceNet™ LLC
you.

How to Prevent Impersonation
 Set up accounts with your full name and those of your
company, officers, spouse and kids on the most
trafficked social media sites, blogs, domains or Web
based E-mail accounts. If your name is already taken,
include your middle initial, a period or a hyphen. Decide
whether or not to plug in your picture and basic bio, but
leave out your age or birthday.
 Set up a free Google Alerts for your name/company to
get an E-mail every time your name pops up online.


How to Prevent Impersonation
Broaden your company’s online reputation. Blogging is best.
Objective: Try to get Google to bring your
given/company/officers names to top of search in best
possible light. This is a combination of online reputation
management and search engine optimization (SEO) for your
brand.
If you identify someone using your photo or bio in the social
media, be very persistent in contacting the site’s
administrators. THIS IS FRAUD! They too have reputations to
manage and if they see someone using your photo or
likeness they will often delete stolen profiles.
Enlist services such as Mark Monitor or other brand
protection and trademark management firms.

Polling Question #3

To hack into a company using Facebook, you need the
usernames and passwords of its secure networks…

a) True
b) False


Manage Employee Use: Banning


Consider NOT outright banning employee use of Social Media at
work. This often creates resentment and incentive to find ways
around the rules (via use of unprohibited sites, etc)
 Example: Marines recently banned soldiers from using social
media sites such as MySpace, Facebook and Twitter.
 Reasons:
1) Fear that these sites’ lack of security may allow malware to
infiltrate government computers.
2) Concern about leaked military data.
 Problem: Soldiers used online dating sites that weren’t prohibited.
Hackers exposed personal information on military subscribers of an
online dating site. Forced DOD to command military personnel not
to use their military information on commercial social media
sites.
Lesson: Smart usage policy works better than prohibition

Manage Employee Use: Policies
Essential: Policy that regulates employee access and guidelines
for appropriate behavior.
Audit and IT often best positioned to develop –and monitor– policy.
 Teach effective use: Provide training on proper use and
especially what not do to.
 Encourage URL decoding: Before clicking on shortened URLs,
find out where they lead by pasting them into a URL lengthening
service like TinyURL Decoder or Untiny.
 Limit social network use: There are hundreds of social
networks serving numerous uses from music to movies, from
friending to “hooking up”. Some are appropriate and others even
less secure. Screen and enforce “off-limit” rules. Include in
company policy (including privacy).

Review Social Media Guidelines from other companies

Manage Employee Use: Policies
 Train IT personnel: Effective policies begin from the top
down. IT must be up to speed. May need to coordinate with
Internal Audit to monitor social media use.
Critical: Managers and employees never to post workrelated information without authorization, or posting work-related
information on personal pages
 Maintain updated security: Whether hardware or software,
A-V or critical security patches, make sure you are up-todate.
 Lock down settings: Most social networks have privacy
settings that need to be administered to the highest level.
Default settings are often invitations to hackers

Social Media As An Investigative
Tool
 Fraud investigators increasingly use social networks to
gather pubic evidence of misconduct. (see below).
 Illinois and Maryland prohibit employers from requiring
employees to provide social media account passwords.
But loopholes may still enable employer access to
employee accounts.
Caution: Conduct social media investigation only
after consulting qualified attorney. Some laws also
forbid “friending” if you are doing it for investigative
purposes. Law is in flux and can be tricky.
Example: Courts have ruled that lawyers or
investigators working for them cannot “friend” a
suspect already represented by counsel.

Polling Question #4
Which of the following are potentially serious social
media-related threats to most organizations?
a) Spreading false information about a product
b) Gaining unauthorized access to an executive’s inner
circle
c) Posing as your company for phishing attacks to steal
money
d) All of the above


Polling Question 3
Outright banning of social media sites by employees is
the most effective way to minimize the many SM risks
threatening your organization
s
A. True
B. False


Questions?
 Any Questions?
Don’t be Shy!


Coming Up Next Month

 1. An Expert’s Advice on
Establishing an Organization Wide
Fraud Policy October 8
 Using Data Analytics to Detect and
Deter Procure-to-Pay Fraud
October 30


Thank You!
Website: http://www.fraudresourcenet.com
Jim Kaplan
FraudResourceNet™
800-385-1625
jkaplan@fraudresourcenet.com
Peter Goldmann
FraudResourceNet™
800-440-2261
pgoldmann@fraudresourcenet.com


Fraud in Social Media: Facing the Growing Threat

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (16)

Similaire à Fraud in Social Media: Facing the Growing Threat

Similaire à Fraud in Social Media: Facing the Growing Threat (20)

Plus de FraudBusters

Plus de FraudBusters (11)

Dernier

Dernier (20)

Fraud in Social Media: Facing the Growing Threat