Identifying and Deterring Fraud part 2

Last week we began a two-part series on fraud. We looked at the profile of a fraud perpetrator and how every business is susceptible to these malicious behaviors. Today we will dig a little deeper into fraudulent activities with a look at computer attacks and social engineering, as well as some ways you can keep your computers virus-free.

Computer Attacks

Every computer connected to the internet, which is basically every computer, is at risk of computer attacks. Hackers, foreign governments, terrorist groups, disaffected employees, industrial spies, and competitors are attacking computers in search of data or seeking to harm the system. This means that preventing computer attacks is a full-time job. Attacks can take on a number of different forms. Let’s take a look at a few of them.

Hacking involves the use of a computer to gain unauthorized access to data in a system. Generally hackers will break into systems through known flaws or weaknesses within an application or program. Some hackers are looking to steal data such as trade secrets, customer lists, credit card numbers, etc. Others are motivated by the challenge of breaking into a system. Either way a breach of this type can be destructive and set your organization back for hours, days, or even months.

Denial of Service (DoS): in computing, a DoS attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.

Zero-day attack: a zero-day vulnerability is a hole in software that is unknown to the vendor. The hole is exploited by hackers before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero-day attack.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of a violation of memory safety.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Man-in-the-middle attack (often abbreviated to MITM, MitM, MIM or MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

Dictionary attack is a technique for defeating a cipher or authentication mechanism by attempting to determine its decryption key or passphrase through trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
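To make the SQL injection definition above concrete, here is an added example (not code from the original post) that runs the same lookup two ways against a constructed in-memory SQLite table: once with the entry-field value pasted into the SQL text, and once with it passed as a bound parameter, which is the standard fix.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The entry-field value becomes part of the SQL statement itself, so a
    # crafted value can change what the query does. This is the defect the
    # post describes as SQL injection.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    # The value is bound as a parameter: the database treats it purely as
    # data and never parses it as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    # Runs both lookups with a normal username and with a textbook tautology
    # string, and returns the four result lists for comparison.
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every user for the crafted input, while the parameterized version correctly returns nothing, because no username literally equals that string.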

Another vulnerability for companies is called social engineering. Social engineering is a non-technical method of intrusion that hackers use; it relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations encounter today.

In order to avoid or minimize social engineering, consider establishing the following policies and procedures.

  1. Be aware of people entering a restricted building. If your organization has key card access restrictions, be sure that others are not gaining access by following you in.
  2. Avoid logging in for someone else on any computer. This is particularly important if you have administrator rights.
  3. Do not give away sensitive information via phone or e-mail.
  4. Do not share passwords or user IDs.
  5. Be aware! Exercise caution if anyone you do not know is attempting to gain information or access through you.

As you can see, there are many different ways in which a computer system is vulnerable to attack, and therefore businesses are at risk for fraud. Educating yourself on the potential risks is one of the best ways to reduce that risk. Implementing training, a company culture of integrity, and effective internal controls will also help your company avoid becoming a victim.

Identifying and Deterring Fraud part 1

What is Fraud?

Any time a person seeks to gain an unfair advantage over another person, it is considered fraud. Usually fraud is committed with the intent of gaining a financial benefit and results in harm to the rights or interests of another person or business. Fraud is rampant among businesses today. There is a staggering amount of fraudulent activity each year, ranging from the loss of small sums of money on a local level all the way to multimillion-dollar fraud. The Association of Certified Fraud Examiners (ACFE) estimates that organizations are losing 5% of their annual revenues to fraud, with more than 22% of frauds resulting in losses of at least $1 million. They also reported that more than 70% of fraud is committed by employees in the accounting, operations, sales, executive, customer service, and purchasing & finance departments. In general, smaller businesses are at a higher risk for fraud because they have fewer internal controls to protect themselves.

The good news is that there are ways to help reduce your risk for fraud. Prevention measures range from hotlines for anonymously reporting suspicious activity to regular training on what constitutes fraud and how it affects everyone within the organization.

What does a fraud perpetrator look like?

In short, they look like you and me. Most white-collar criminals are talented, highly educated, stable individuals. However, there are some red flags to look for when trying to detect fraudulent activity. Some common behavioral red flags include:

  • Living a lifestyle beyond their means
  • Financial hardship
  • Scarcity mentality (unwilling to share knowledge or data)
  • Family problems
  • Addiction
  • Reluctance to take vacation/time off

Computer Fraud

Another risk for companies is computer fraud. Using a computer to commit fraud can be much more difficult to detect than other crimes, and perpetrators are able to get away with stealing more money in less time and with less effort. Unfortunately, computer systems are vulnerable to crimes that can go undetected until it’s too late. There are many reasons why computer systems are so vulnerable to fraud. The sheer volume of data stored on a company system makes it difficult to establish perfect controls and protections. Additionally, many people need to access information in order to serve customers and perform the functions of their jobs. Nevertheless, it is still necessary to protect against computer fraud as best you can. In fact, it is estimated that at least one incident of computer fraud has affected every U.S. business.

Computer Fraud Prevention

Creating a climate that will reduce your risk for fraud is the best thing your organization can do in order to protect yourself and your employees. Making fraud more difficult to commit, improving methods of detection, education, and policy are all necessary steps to take. Consider the following in order to make fraud less likely to occur:

  • Establish a company culture that emphasizes integrity and high ethical values.
  • Ensure that internal controls have been established that act as a deterrent to any potential fraud.
  • Create accountability by assigning authority and responsibility to specific departments and individuals.
  • Develop security policies and communicate them to your employees.
  • Create a company code of conduct.
  • Establish effective supervision with checks and balances.
  • Offer training on ethics and integrity.
  • Establish a strong system of internal controls.
  • Implement segregation of duties.
  • Establish physical and remote access restrictions.

In the unfortunate event that fraud has occurred in your company, you will want to have the following in place in order to reduce potential losses.

  • Obtain adequate insurance.
  • Establish a fraud contingency plan.
  • Maintain backups of all program and data files.
  • Monitor your system’s activity with software.

Next week we will look at computer attacks and social engineering, as well as ways to keep computers virus-free.