October is National Cyber Security Awareness Month, but you knew that already…

Source: Kurhan

Did you know that October is National Cyber Security Awareness Month (NCSAM)? OK, you probably did not. It isn’t exactly the type of event that hits the front page of most newspapers and websites, but it should.

The FBI’s Robert Mueller recently stated that “cyber security may well become our highest priority in the years to come.” In my opinion, that time is fast approaching. If you follow the news regarding Cyber Security as I do, you may agree that we are already under a sustained attack that has the potential to cut the country’s economy off at the “knees”.

As we all know, it is not just corporations that are the victims. US consumers are targeted by organized crime groups from around the globe. In fact, this is not just a US problem; it is a global epidemic.

It is easy to dismiss NCSAM as a silly event that means nothing. And that is EXACTLY why you should pay attention. As long as consumers are victimized, there will be an incentive for fraudsters to invest the time and money to launch their attacks. So, with that in mind, please take the time to review the FBI’s recommendations below:

  • Set strong passwords, and don’t share them with anyone.
  • Keep a clean machine—your operating system, browser, and other critical software are optimized by installing regular updates.
  • Maintain an open dialogue with your family, friends, and community about Internet safety.
  • Limit the amount of personal information you post online, and use privacy settings to avoid sharing information widely.
  • Be cautious about what you receive or read online—if it sounds too good to be true, it probably is.

If you want more information on NCSAM, the FBI’s press release contains links to a number of helpful resources. I hate to state the obvious, but if you don’t take the time to improve your awareness of the cyber security threat facing the nation, no one will do it for you.

Need a writer that understands fraud? When you hire me to write an article, blog post, newsletter or white paper you get an accomplished writer that is also an expert in fraud.

paul@mccormackwrites.com

 

Intel engineer helps himself to $400 million

Photographer: Stephen McCormack

Intel Corporation is a world-class organization that has dominated the market for computer chips for many years. In fact, there is a high probability that the device you are using to read this post has an Intel chip inside. However, based on a recent case involving Biswamohan Pani, an Intel Senior Staff Engineer, it may need a little help protecting its intellectual property.

According to the FBI, here are the facts of the case:

  • From February through April, 2008, Pani was looking for a job at other computer chip manufacturers and ultimately obtained a job at Advanced Micro Devices Inc.
  • Pani kept his job search secret from Intel. (Why wouldn’t he?)
  • When he announced his departure on May 29, 2008, he told the company that he might work for a hedge fund
  • Pani told Intel that he wanted to take the next one-and-a-half weeks as vacation until his last day at work on June 11, 2008
  • Unbeknownst to Intel, Pani had started downloading from Intel numerous secret documents about Intel’s manufacturing and design of computer chips. The intensive downloads began on May 28, just before he announced his departure, and continued on May 29
  • Pani started working at AMD on June 2, while he was still on Intel’s payroll and still had access to Intel’s computer systems
  • On June 8 and June 10, Pani remotely accessed Intel’s computer system numerous times and downloaded 13 of Intel’s most valuable documents
  • Along with other confidential and proprietary information, Pani downloaded a document explaining how encrypted documents could be reviewed when not connected to Intel’s computer system
  • Pani backed up the downloaded files to an external hard drive for access after he left Intel
  • On June 11, 2008, Pani reported to Intel for his exit interview and falsely stated that he had not retained any of Intel’s property, when, in fact, he had kept the electronic equivalent of boxes full of downloaded documents and some printed Intel documents at his apartment
  • Documents taken by Pani were found a month later when the FBI searched his home. Intel has valued those documents as worth $200-$400 million, at minimum
  • The FBI was able to recover these documents quickly, before Pani could use them to Intel’s disadvantage, largely because Intel reported the theft quickly and assisted the investigation. AMD also cooperated with the investigation, and there was no evidence that AMD or its employees had asked Pani to take these documents or even knew that he had them

Based on the fact pattern above, it appears Pani knew exactly what he was doing. He grabbed documents before, during and after Intel knew that he was leaving. He also bought time by convincing Intel that he was leaving the industry. I can’t imagine that lying about his ultimate destination stopped Intel from blocking his system access. They probably just forgot to do it. After all, Pani was still on the payroll and “burning” his vacation allotment. Why block an active employee?

Who knows what actually took place? The net result was that Pani had one-and-a-half weeks of access to Intel’s systems, during which time he did the most damage. So how did Intel figure out Pani had stolen trade secrets? Clearly, after the fact, but not much else has been mentioned in the media.

This case is eerily similar to another case that the FBI investigated involving Sanofi-Aventis. Is it really that easy to steal trade secrets from Fortune 500 companies? Apparently so…


Employee fraud – the problem may be bigger than you think…

Before you can tackle employee fraud within your organization, you need to know how big a problem you have. An article that I wrote for Memento – a leader in enterprise fraud management – discusses a common mistake that banks make when tackling employee fraud. The principles that I share in the post are applicable to more than just banks.

Click here to read the post.

Please feel free to leave comments here, or on Memento’s blog letting me know what you think.


Impersonation Schemes: A Big Headache for Companies

This is “Fraud Happens”’ first guest post. Ildar Khakimov is a Montreal-based internet enthusiast who co-founded several projects including callcenter.com.

Companies suffer staggering losses when it comes to impersonation scams.

A good example can be seen in a documentary called “Yes, men fix the world”, in which two men set up fake press conferences on behalf of companies to spread false news.

It’s believed that Dow Chemicals suffered a 2 billion dollar loss as a result of the duo’s fake news announcement, which alleged that the company planned to pay out compensation for the Bhopal Disaster.

So what about the more common forms of impersonation, such as the use of fake caller IDs?

Caller ID spoofing can be even more dangerous because it’s not a single person hitting a single target, but rather a large telecom fraud machine that’s able to place thousands of calls or send millions of SMS messages pretending to be someone they’re not.

The most recent example is the fake SMS gift card scam. In 2012, many individuals started receiving messages claiming that they had won a free gift card from Best Buy. The SMS asked people to visit a specific website to claim a prize that didn’t exist.

People who got duped went straight to Best Buy and demanded their “winnings”. This forced Best Buy to spend company resources in order to explain to consumers that they had been scammed.

In addition, it’s hard to put a monetary value on Best Buy’s tarnished reputation. For example, many consumers who leave complaints on sites like callercenter.com believe that Best Buy gave out their personal information to telemarketers, and that perhaps their personal information was compromised due to the company’s inefficient security measures. Even if such allegations are later proven false, the damage to the company’s image has already been done.

One such complaint goes: “[…]Walmart employees are in on it, or Walmart’s IT security is **** and they were hacked? I paid for my purchase with a credit card, so I certainly hope that wasn’t leaked along with my phone #. One thing’s for sure: I will never step foot in a Walmart again!”

Another popular fraud conducted via SMS while showing a fake caller ID is known as Smishing. It consists of a banking notification from crooks who pretend to be the victim’s bank. The SMS threatens to shut down the victim’s account unless they log in to a specific website.

The login information entered is stolen and then used by fraudsters to siphon funds to offshore accounts.

Banks often reimburse stolen funds and thus suffer financial losses from caller ID spoofing. These types of scams are on the rise. A survey of 95 financial institutions by the ABA shows a 260% increase in such scams in 2011 compared to 2009.

In addition to that, banks have to spend millions on security to help fight smishing fraud. In an interview with USA Today, Carol Kaplan of the American Bankers Association admitted: “[…]there continues to be huge gobs of investment into shoring up security.”

It’s hard to estimate how much money companies lose because of Caller ID spoofing, but it’s a very significant amount and the situation won’t change until this practice is more strongly regulated by the government.

Now the fraudsters have started spoofing caller IDs, making it look like they’re calling from the U.S. government to offer a free grant. Who knows, maybe now the government will take notice?

If you are interested in writing a guest post, please email me – pmccormack@connectics.biz. I look forward to hearing from you.

Interesting article: How CIOs Can Learn to Catch Insider Crime (with help from yours truly…)

I thought my readers might be interested in an article that CIO magazine just published on insider crime. A writer from CIO magazine interviewed me about a month or so ago and I am proud to say that I am quoted extensively throughout the article. Here is just one of my sound bites:

“I’ve yet to meet any C-level person who says, ‘I’m so proud that we have 500 people preventing fraud.’ It’s not what people want to put out there as a badge of honor. It’s a necessary evil.”

Please check out the full article. In my opinion, the writer did an excellent job discussing insider fraud from a number of angles.

I hope you enjoy the article. Please let me know what you think!


Post-mortem of a fraud – what small and large companies do differently

I believe that each instance of fraud provides companies with an opportunity to reassess their entire fraud defense. Some would call this continuous improvement; others would view it as a best practice. Whatever you call it, fraud defenses must be reviewed, tested and re-engineered on a regular basis. Waiting for fraud to happen and then scrambling to implement controls after the fact makes very little sense. In the airline industry it is called “Tombstone legislation” – someone has to die for changes to be made – only in this case it is small companies that are “dying”. Large companies live to fight another day. At least most of the time – even when the losses are in the millions…

Things to do on first day with new employer:

  • Turn up on time – check
  • Find desk and log in to computer – check
  • Figure out way to embezzle $1 million…

If the reports are to be believed, when Brenda L. Jones started working with Sirius XM Radio she almost immediately embarked on a fraud scheme that resulted in a seven-figure loss. A co-conspirator with the mysterious initials “VP” was not indicted (any guesses why they were not indicted?).

What makes this fraud particularly interesting is the size of the victim company. Sirius XM Radio is not a “Mom & Pop” company with limited resources to deploy in the fight against fraud. Yet, they suffered a huge loss. Had this fraud happened at a small company, it is highly likely that they would have been forced into bankruptcy.

I am often asked to detail the size of company that I help fight fraud. My answer is small, medium and large – they all need help! Fraud happens at companies of all sizes and many of the best practices are applicable regardless of size.

  • Over the course of a year, fraud losses at a large company will typically exceed losses for a small company. But on a per incident basis, there is very little difference. To illustrate the point, take a look at the graph below from the Association of Certified Fraud Examiners 2010 Report to the Nations. There really isn’t that much of a difference between the median loss at a small company (less than 100 employees) and losses at companies with more than 100 employees. With that said, a $155,000 fraud at a small company can close the doors. A $164,000 fraud at a Fortune 500 company is a blip on the radar.

The biggest difference between how fraud is handled at small and large companies can be found in the post-mortem process:

  • Not surprisingly, the post-mortem at a large company is focused on preventing the fraud from happening again. Often, employees that failed to uncover the fraud are disciplined or terminated. If the company has an internal audit function, they are often asked to prepare a report that details the control failures and provide recommendations to avoid a similar fraud in the future. Management of the operation where the fraud took place is expected to implement, and subsequently own the changes to the internal control environment. Invariably, the fraud will receive a nickname and over time, the mere mention of the fraud will either silence a room or result in embarrassed chuckles. No one wants to see that fraud happen again.
  • The post-mortem at a small company is an entirely different matter. Instead of internal audit reviewing the situation and recommending improvements, the owner or senior executives normally dive in and do their best to understand what really happened. The entire company – not just the department where the fraud took place – is on tenterhooks. They literally don’t know whether they will have a job next week. A law firm is normally involved in some shape or fashion and their mere presence sends concerned employees scurrying up and down the corridor looking for someone to tell them what is happening.

Quite simply, the stakes are not the same for large and small companies.

I believe that the post-mortem process at most companies is in need of an overhaul. Very rarely do small or large companies do anything more than deploy controls to stop exactly the same fraud that they just experienced from happening again. That’s understandable. “Scope creep”, “trying to boil the ocean”, “not trying to solve world hunger” are all euphemisms for don’t over-engineer the solution.

I agree that it is important to solve the problem at hand. With that said, it is almost guaranteed that a company will experience more than one fraud in its lifetime. Subsequent frauds may duplicate a previous fraud, be a variation on a theme, or something entirely brand new. Will your company be ready?

As for Sirius XM Communications, I am sure the post-mortem process is over by now. I wonder what they did to stop a similar fraud from happening in the future? Anyone want to bet that they expanded the post-mortem process to include an assessment of fraud risk within the entire accounts payable department?


“She’s just a wolf in sheep’s clothing”

Looks like another bookkeeper may have forced their employer to declare bankruptcy. Karen Tripp allegedly embezzled $1.5 million from Seiler-Nabors Construction Company, based in Collierville, Tennessee. The indictment states that Tripp wrote checks to her personal bank account as well as the antiques store that she owned. She also allegedly used the money to buy her children cars, build a mansion and take exotic vacations.

Collierville’s population is just under 45,000. I am sure the Seiler-Nabors bankruptcy will create a sizable ripple effect across the community. The company has already fired 20 employees which will obviously have a direct impact on a number of families.

Christy Klink worked alongside Tripp. She shared her thoughts with Memphis reporters regarding the indictment.

“It’s not going to change anything that happened or change the financial problems it has caused us. It does give us some satisfaction to know she is going to spend a lot of time in jail.”

Klink may be in for a rude awakening if Tripp is found guilty or “cops” a plea. In reality “a lot of time in jail” may not amount to much. It is probably Tripp’s first offense, and I would guess that she’ll serve 2 to 4 years. She’ll probably be ordered to pay the money back and it sounds like there may be some assets that can be liquidated. But, when the IRS comes knocking for the taxes on the $1.5 million (I doubt that Karen declared all of her income), they’ll likely jump to the head of the line demanding payment.

This case is just another example of how fraud can destroy a business. Ultimately, there are very few “winners”. In addition to closing the business and putting 20 people out of work, trust was lost. Trust that their employee was honest. Trust that their mother’s gifts and new house were earned and not stolen, and trust that if you work hard and do the “right thing” for your employees and the community that you’ll be rewarded.

Christy Clink’s father is a part owner of Seiler-Nabors Construction. Clink told reporters that her father had hoped that the company would pay for his retirement.

“He lost my mom about three years ago. He’s not really gotten over that and this comes and destroys him. She’s taken everything. He’s going to lose it all.”

This story involves a small company, but the “lessons learned” can apply to companies of all sizes. If you learn only one thing from this post, please monitor employees that issue payments. This case involved checks, but fraud can just as easily happen with wires, debit cards, credit cards, ACHs and of course cash. When was the last time that you reviewed your bookkeeper’s work? Do you reconcile your company’s bank statements on a daily basis? Who has access to blank checks?

Remember: You can trust but always verify.

 


 

Grab your Magic 8 Ball

I’d love to hear your thoughts on fraud in 2012. Several industry associations are predicting that we will see a significant increase in corporate fraud. Others believe that we are over the worst and that fraud losses may actually decrease. Your turn… please take 2 seconds to submit your vote.

Also, if you would like to share your thought process in the comments section, please do so! You may be the “lone voice”, or in the majority. Either way, you’ll find out!

Thanks for taking the time to vote!


 

5 reasons why companies struggle to combat fraud

Companies lose billions every year. Some are shocked that it happened to them. Others have a line item in their financial plan. (Yes, you read that correctly. They plan to lose money to fraud.) Far too many companies are forced to close their doors because of it…

So, why is it so hard for companies to combat fraud? Here are five reasons that I have uncovered during my career:

  1. “You work here as well?” – Fraud professionals often talk about their frustration with “silos” that result when departments involved with preventing and detecting fraud don’t talk to each other. In fact, a significant portion of my career has been spent helping break down the silos within organizations. The fraudster – both employee and third-party – is able to exploit the lack of communication between departments for their own benefit. Large companies are particularly guilty. It is not unusual for two or more departments to be actively investigating the same employee! No one has the complete picture of the fraud, yet each department continues to investigate the situation independently while the losses mount.
  2. “I don’t want to think about it” – Fraud can be overwhelming, especially for senior executives with an already heavy workload. It is easier not to think about what fraud may be doing to the company’s bottom line. Unfortunately, ignoring the problem will never solve it. In fact, when losses do result (yes, fraud happens) they are often gigantic.
  3. “We don’t have the money” – This reason is certainly understandable, especially when you consider the dire state of the global economy. It is probably the biggest hurdle that our firm has to overcome when talking with companies of all sizes. Unless the company has experienced a significant fraud within the last 12 months, there is resistance to any investment in fraud prevention or detection services. Until the company sees a spike in fraudulent activity, why should they worry? Well, unfortunately, you can’t pick a date and time when fraud will happen. It has an uncanny knack of taking place when you can least afford it. The costs to fix the problem are normally far higher than the prevention that was needed in the first place.
  4. “Bring it. We’ve got it covered” – From time to time, I run across an exceptionally high performing fraud department. They have the right mix of people, processes and technology to fight fraud. The company’s executives support their efforts and they routinely hire the “best of the best” to join their organization. They have fraud – internal and external – under control. Well, almost. What worked last month, or last year, will not automatically work today. Combating fraud requires a “continuous improvement mindset”. Fraud evolves, so too must the fraud department. Complacency can eventually destroy even the best fraud department. The latest fraud intelligence can literally make the difference between success and failure. Trust me; I’ve seen it happen on more than one occasion.
  5. “They were just that good” – I have interviewed 100s of people who have committed fraud. Many of the schemes that they perpetrated required tremendous vision, drive and determination to execute. Some of the most intelligent individuals that I have met were in fact accomplished fraudsters. The really smart fraudsters are often never caught. Every fraud investigator can cite at least one or two situations where the fraudster got away with it. Some fraudsters are just that good. If they don’t make a mistake, you have almost no chance of catching them.

This list is certainly not all-inclusive. I’d love to hear from others as to why fraud is so difficult for companies to fight. Also, if you disagree with any of my observations, feel free to say so!


History repeats itself, yet we learn nothing?!?

“The man who is admired for the ingenuity of his larceny is almost always rediscovering some earlier form of fraud. The basic forms are all known, have all been practiced. The manners of capitalism improve. The morals may not.”

– John Kenneth Galbraith

Bernie Madoff stunned the world with an audacious $65 billion fraud. However, there is nothing new about Madoff’s method of fraud. In fact, the type of scheme that he operated – commonly known as a Ponzi scheme – dates back to the 1920s and an infamous fraudster named Charles Ponzi.

The numbers may be bigger and the public outrage much more vocal, but fraud has been part of society for as far back as there are records. How big a problem is fraud today? The Association of Certified Fraud Examiners, the preeminent authority on internal and external fraud, reported in their 2010 “Report to the Nation” that organizations lose 5% of their gross revenue to fraud every year.

Internal fraud (fraud perpetrated by employees and members of management) routinely grabs the headlines. The damage that can be caused by internal fraudsters can range from a mere nuisance to a catastrophe that can literally destroy a company, wipe out shareholder value and leave thousands without jobs. Internal fraud schemes range in complexity from simple embezzlement schemes to highly orchestrated financial statement frauds that require tremendous time, effort and resources to perpetrate.

Typically, frauds perpetrated by members of management are far more damaging and costly than employee level fraud. The Madoff, WorldCom, Enron and Stanford cases all involved white males, over 50 years of age, all well educated. In addition, each man had a large team of helpers that knowingly, or unknowingly, helped perpetuate the alleged fraud schemes over multiple years.

Does this mean that all males over 50 with college degrees are fraudsters in the making? Certainly not, but it does give you an idea as to which individuals are more likely to be involved.

So what? Fraud happens, and we move on with our lives. Well not exactly… In a recent article by Brian Payne, chair of the Department of Criminal Justice in the Andrew Young School of Policy Studies at Georgia State, he noted the following:

“…white-collar crime harms the community by reducing the faith that individuals have in public and private leaders. This consequence is particularly problematic given that most white-collar leaders are, in fact, honest professionals. Make no mistake about it — the vast majority of white-collar professionals never engage in wrongdoing. The few professionals who do commit crime dramatically lower the trust that individuals have in our political and economic institutions. The consequences of this broken trust are enormous.”

How much faith, or trust in the “system”, has been lost as a result of headline-grabbing frauds and the resulting collapse of the global economy? It is impossible to tell, but whether you agree with the tactics or not, “Occupy Wall Street” is just one example of frustration with the “system” and a desire to do “something”.

If we reduced the amount of fraud in the economy, would the level of trust in our institutions automatically increase? Probably not. Fraud is just one piece of a very large complex puzzle. However, when the people don’t trust the system, they push for change. Something eventually gives. Wouldn’t it be nice to see less fraud, and more trust? We can dream, right?
