1. Your Role in Preventing Fraud and Abuse Dr
Your Role in Preventing Fraud and Abuse Dr. Linda Wilbanks Chief Information Security Officer U.S. Department of Education

2. Agenda: Introduction Defining Fraud Sources of Fraud
Identify losses relating to Fraud
Reporting Fraud
Preventing and Deterring Fraud
Resources
Cyber Crime terminology 2

3. Introduction:
Despite efforts to minimize fraud, student financial aid fraud is a "rapidly growing problem," according to the Semi-Annual Report to Congress #66, October 1, 2012 –March 31, from the U.S. Department of Education's Office of Inspector General.
The inspector general estimates that, between 2009 and 2012, federal student aid fraud increased 82%.
For that time period, the OIG identified more than 85,000 federal aid recipients who may have participated in fraud ring activity. The education agency believes these students may have illegally received more than $187 million in federal student aid.

4. Fraud Defined
An intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss.
Layman’s terms:
Lying, cheating, and/or stealing.
We speak about fraud. What is fraud?

5. This is REALLY Happening
Sept. 18, individuals have been indicted for participating in Federal student aid fraud schemes that preyed on at least 15 schools across California. The indictments are a result of ED’s Office of Inspector General’s (OIG) criminal investigations aimed at shutting down student aid “fraud rings”—groups of criminals that seek to exploit distance education programs to fraudulently obtain federal student aid. The defendants allegedly fraudulently obtained more than $770,000 in federal student aid.
The U.S. Attorney’s Office provided summaries of the seven schemes, which include a fraud ring that not only relied on participating family and friends, but also allegedly used stolen personal identifiers of individuals with disabilities to fraudulently obtain more than $285,000 in federal student aid and grants. 
Leaders of another ring allegedly recruited more than 50 straw students— including prison inmates—to fraudulently receive $200,000 in student aid. 
Linda I tried to add the source to this slide (ED OIG SARs, Semi-Annual Reports) and was unable to. You could just verbally speak the source. 5

6. Types of Fraud FSA Focus – Financial Fraud!
Title IV fraud – single student
Fraud Rings
Occupational fraud
Social engineering
FSA Focus –
Financial Fraud!
Schools
Are you going to verbally define each type of fraud listed.
Individuals
Fraud Rings

7. Who Commits Fraud Involving Education Funds?
School employees, officials, owners, financial managers, and instructors
Lenders and lender servicers
Guarantee Agencies
Award recipients
Grantees and contractors
ED employees
Others

8. Examples of Title IV Fraud Schemes
FAFSA fraud – enrollment
Falsification of entrance exams
Falsification of GEDs/HS Diplomas
Falsification of attendance
Falsification of grades
Failure to make refunds
Ghost students
Leasing of eligibility
Loan theft/forgeries
Fraud/theft by school employees
Default rate fraud
90/10 rule
Financial statement falsification
Falsified last date of attendance
Obstruction of a federal audit or program review

9. Title IV Fraud Schemes Related to Students or Other Individuals
FAFSA Fraud:
Social Security Number
Alien Registration Status
Dependency Status
Income and Assets
Number of Family Members in College
Falsification of GEDs/HS Diplomas
Intent to attend
Intent to repay
Identity Theft
Distance Fraud Schemes
Fraud Rings (Distance Fraud is not only perpetrated by rings it is many types committed by individual(s) or schools)

10. Title IV Fraud Schemes Related to Schools
Ghost students
Leasing of eligibility
Default rate fraud
90/10 Rule manipulation scheme
Financial statement falsification
Falsified last date of attendance
Obstruction of a federal audit or program review.
Fraud/Theft by School Employees
FAFSA fraud- enrollment
Falsification of GEDs/HS Diplomas
Falsification of attendance and Satisfactory Academic Progress
Falsification of grades
Failure to make refunds Loan theft/ forgeries
Fraud Rings

11. Individual Fraud Student 1 Student 2 Non-Student Parents Tells Tells
Fraudulently obtains funds
Student 2
Non-Student
Parents
Tells
Tells
Non- Students
This is good – I would love to see this and slide 14 when you are finished. LEW
School Personnel 11

12. Example – Fraud! Source – news releases
When Sussette Sheree Timmons, of Dallas, enrolled in several online colleges, she had no intention of becoming educated, federal authorities said. Timmons, 30, instead kept the financial aid she applied for and withdrew from the colleges and universities, which offered “distance learning” programs on the Internet, the U.S. attorney’s office said.
She was indicted Tuesday on six counts of financial aid fraud. The indictment said Timmons received financial aid from the following schools: New Mexico State University; Western New Mexico University; Ashford University; Northern New Mexico College; Coconino Community College; and Pima Community College.
“She enrolled in classes at the schools and the awarded financial aid was applied to her tuition and fees,” the U.S. attorney’s office said. “She did not complete any of the classes for which she enrolled, and she did not intend to pursue an education at the schools.” Timmons also received checks that she cashed, although she had no plans to use it for educational expenses, according to the indictment.
When the schools asked her for the money back, she refused. Timmons even appealed when one of the schools suspended her financial aid in “That school rejected her appeal, stating that she had withdrawn from 13 colleges or universities since 2009,” federal authorities said.
If convicted of all counts, Timmons faces up to 30 years in prison and a maximum fine of $1.5 million.
The U.S. Department of Education Office of Inspector General investigated the case.
Source – news releases

13. Fraud Rings I really like this slide. Great depiction of fraud rings.
leader
Students
Ring Master
School 1
School 2
School …
School N-1
School N
School N+1
leader
Students
I really like this slide. Great depiction of fraud rings.
leader
Students
leader
Students 13

14. Fraud Rings

15. Benjamin Franklin
“There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”

16. Profile of an Occupational Fraudster
The Perpetrator’s Department
Fraud offenders were most likely to be found in one of six departments:
Accounting (22%)
Operations (17%)
Sales (13%)
Executive/upper management (12%)
Customer service (7%)
Purchasing (6%)
According to the Association of Certified Fraud Examiner’s (ACFE) - LEW

17. Profile of a Fraudster
The most common behavioral red flags displayed by perpetrators:
Living beyond one’s means
Experiencing financial difficulties
Unusually close association with vendor/customer
Control issues; unwillingness to share duties
“Wheeler-dealer” attitude
Divorce/family problems
Irritability, suspiciousness or defensiveness
Addiction problems
Refusal to take vacations
According to the Association of Certified Fraud Examiner’s (ACFE) – Also, more exhibiting just one of this red flags doesn’t necessarily make someone a fraudster; when multiple red flags are exhibited it’s time to take notice - LEW

18. Cressey’s Fraud Triangle Theory
Why People Commit Fraud
Weak controls
Little or no oversight
Lax rules
Debt
Addictions
Status
Opportunity
Perceived Pressure
Fraud
Triangle
Rationalization
Perceived pressure normally refers to financial pressure. Behaviorists, Criminologists, Sociologists, etc. have come out with newer models that address types of fraudsters over the last two decades. For example, Madoff didn’t have any perceived pressure; he committed fraud out of greed. LEW
Everyone does it
I was only borrowing the money
I was underpaid and deserve it

19. Fraud Indicators One person in control No separation of duties
High turnover of personnel
Unexplained entries in records
Unusually large amounts of payments for cash
Inadequate or missing documentation
Altered records (white-out, copies of documents, etc.)
Non-serial number transactions
Inventories and financial records not reconciled
Lack of internal controls/ignoring controls
Repeat audit findings
Unauthorized transactions
These are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.

20. Office Manager Fraud
NEW BRUNSWICK, N.J. - After an office manager for New Jersey City University admitted embezzling $486,000 in student funds three years ago, the U.S. Department of Education began auditing the use of all federal money by the state college. It soon discovered that $608,766 in federally subsidized loans and grant money had been improperly awarded by the school - in some cases to students who flunked out or never showed up to class, making them ineligible for financial assistance.
An examination of federal Department of Education records by The Star-Ledger of Newark shows that NJCU was not the only state college in New Jersey cited for giving too much money to students who were either ineligible for the aid or whose financial need was overestimated. Those records show at least three universities are on the hook for $868,000 in improperly awarded loans or grants - or in some cases, undercutting student wages paid under federally subsidized work-study programs. The schools - Kean University in Union Township, Rutgers University, and New Jersey City University in Jersey City - did not contest the findings and either repaid the financial aid money, or are currently paying it off over time. No students were penalized.
According to the audits, Kean owed $255,920 in aid inappropriately awarded between 2001 and Unlike the audit at New Jersey City University, the review at Kean was not sparked by any warning bells. A spokeswoman for the U.S. Department of Education said it typically conducts program reviews of schools every five years.

21. Social Engineering Loss of PII Fraud Social Engineering
Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception.
Social Engineering
Loss of PII
Fraud
These are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.

22. Personally Identifiable Information (PII)
“PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.”
Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed.
The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection.
Again, great slide – I didn’t define PII well enough in the fraud course; this will be helpful
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

23. Common Identity Theft Practices
Obtain or take over financial accounts
Take out loans for large purchases
Open new lines of credit
Sign lease agreements
Establish services with utility companies
Write fraudulent checks
Purchase goods and services on the Internet

24. Stolen PII for Fraud

25. Who is Responsible for Reporting Fraud?
Everyone who deals with Federal Student Aid funding has a responsibility to help control fraud.
LOVE this slide – hope you don’t mind if I use this in the fraud course. Note there are many reasons why everyone is responsible, legislative (there is one reg that specifically states schools (it’s in my fraud course under legalities of fraud), stewards of taxpayers money, protection of aid to ensure those that need it have it available, etc. - LEW

26. OIG Sources of Allegations
OIG Hotline MIS-USED
ED Program Offices
School Employees and Officials
Guarantee Agencies
Citizens and Students
Competing Vendors/Schools
Other Federal Agencies
U.S. Attorney’s Offices
Other ED OIG Investigations
Federal Bureau of Investigation
State and Local Education Agencies

27. Is Your System a Victim? Yes? Maybe? Not Sure?
Immediate reporting is necessary!
Have the facts
Why you think there is an issue
Date/Time of the Incident
System information
Location
Type and Purpose of the System
Point of Contact
Actions all ready taken
Correlate this with OIG so it transitions with slide 28 and 30 - LEW

28. Examples of What to Report
Compromise of systems privileges
Compromise of information protected by law
Unauthorized access of IT systems or data
Exceeding authorized access
Denial of service of major IT resources
Malicious destruction or modification of data/information

29. Examples of What to Report
Applicable to students/schools
Abuse of professional judgment
Coaching students when filling out the FAFSA
Altering attendance records

30. How You Can Help Ensure that staff receive necessary training
Review documents thoroughly
Question documents/Verify authenticity
Request additional information from the vendors or administration
Compare information on different documents
Contact ED-OIG
A Guide to Grant Oversight and Best Practices for Combating Grant Fraud final.pdf
It is important that FAA view all student records and activities related to Title IV with “professional skepticism” (a term used in the fraud community) basically it means to view things from a fraud perspective – it is occurring therefore as we go about our daily duties we need to perform our duties from a “fraud focus”

31. Why Report Fraud? Ethical responsibility
Statutory and regulatory requirements
To deter others from committing fraud and abuse
To protect the integrity of the Title IV Programs
To avoid being part of a fraud scheme
To avoid administrative action
To avoid civil penalties
To avoid criminal prosecution
To protect the children’s future

32. Don’t Try To Investigate Suspicious Activity Yourself!
You may have the missing piece of the puzzle needed!

33. FSA – Preventing/Deterring Fraud
Fraud prevention involves actions taken to discourage the commission of fraud and limit fraud exposure when it occurs
The principal mechanism for preventing fraud is to ensure an appropriate control environment
Primary responsibility for establishing and maintaining internal control should rest with management
Each of us at FSA has a fiduciary responsibility to assist in preventing fraud

34. Fraud Prevention = Education
Government workers must be trained in the required duties of the position. This helps to safeguard the assets of the organization by having knowledgeable staff that can spot unusual or red flag transactions
Administrators must be trained to recognize potential fraud by coworkers and to student accounts
Students must be trained to keep their information secure and to identify when their financial information may have been accessed
Organizations with anti-fraud training programs experience lower losses and shorter durations

35. Deterrence -Schools/FSA/State/Federal
Proactive Fraud Prevention - Audits
Proactive internal audit/review policies are generated from the top of the operation involved
A proactive policy simply means that internal auditors/reviewers will aggressively seek out inappropriate conduct, instead of waiting for instances to come to their attention during normal audits (external)

36. Actions to Defer Fraud Formal policies addressing fraud
Targeted Fraud Awareness Training (research shows lower losses & shorter durations)
Effective Internal Controls (as opposed to lack of internal controls and the ability to override existing controls)
Management Review
Competent personnel in oversight roles
Independent checks/audits
Clear lines of authority
IT Controls (Access Controls, etc.)
Ethics Policy
Tone at the Top (employees will be more likely to act unethically if management does)
Putting controls in place to minimize fraud before it can occur

37. Identity Theft Prevention
Properly handle documents
Shred sensitive information
Use key identifiers instead of the SSN
Password protect sensitive information
Audit access
Review access privileges
Verify who you are talking to

38. Avoiding Identity Theft
Don’t carry your SSN card with you!
Request a drivers license number
Shred sensitive information
Only carry what you use
Photo copy all cards in your wallet
Select hard to guess PINs and passwords
Don’t leave mail sitting in an unprotected box
Don’t give out private information over the phone
Order your credit reports
Use caution when providing ANY sensitive information
Verify your personal computer has strong and updated computer anti-virus protection and your network provider is secure

39. FSA Two-Factor Authentication (TFA)
Objective – prevent unauthorized access which can result in stolen information
Physical tokens issued to be used with passwords to provide two-factor sign on
Privileged Users - (schools and financial institutions) access PII data on FSA systems
Over 57,535 privileged user accounts are TFA enabled
The privileged user population includes:
Department of Education employees and contractors
Postsecondary School financial aid staff
Guaranty Agencies
Servicers, Private Collection Agencies, and Not-For-Profits
Call Center staff
Non-Privileged Users - Aid Recipients (students)
Next Step
Developing migration strategy from key fob token to soft tokens, leveraging smart phone technology, will support privileged and non-privileged users
USE IT
Good to know, I would like to use this in the fraud course as well, with your permission

40. OIG – Fraud Rings
Since 2010, OIG has highlighted the vulnerability of distance education programs to fraud and abuse, including releasing a report on fraud rings in September 2011.
OIG investigations into student loan fraud rings have grown substantially over the last few years. In 2005, the OIG opened 16 distance education fraud ring investigations; in 2012, that figure grew to 119. To date, more than 300 people have been indicted for participating in fraud rings. 
"The bottom line is scams like this steal money from hardworking taxpayers and legitimate students and that is unacceptable," continued Tighe. "OIG is committed to fighting student financial aid fraud and we will continue to aggressively pursue those that participate in these types of crimes."

41. Office of the Inspector General - OIG
Red Flags to Investigators
Vices such as substance abuse and gambling.
Extravagant purchases or lifestyle.
Lack of documents (the ‘big flood’ destroyed…)
Common Addresses (mailing, , and IP)
Pin number and password information the same.
Personal information that does not fit the norm.
Bank information that is the same.

42. FSA – Potential Fraud Ring Identification
Statistical model
Utilizes a combination of application data
Identifies indicators of potential fraud
Utilizes weighting for total score
Identifying factor examples:
Utilize address and IP address information
Received Pell Grant funding from multiple institutions over short period of time
Received Pell Grant funding from more than two institutions in same award period
I like this slide!

43. FSA Fraud Ring Identification(cont.)
Uses Fraud Potential Algorithm
Based on Fraud indicators such as # times same phone number used
Indicator 1 x assigned weight +
Indicator 2 x assigned weight +
Indicator 3 x assigned weight + ….
= Fraud Risk Level
Red
Orange
Yellow
I’d would be interested in learning more about what this slide means – I understand the part with algorithms…not sure what is meant by indicators to calculate a weighted average of the fraud risk level - LEW

44. Fraud Ring Identification (cont.)
Identify Fraud patterns
Use rule based filter, set of qualifying determinants
Identify those who meet minimum thresholds for fraud patterns
Distance Education high vulnerability, all aspects online (administration, aid, instruction)
Easier for criminal to assume identities, students never present in person at any time
FSA FY13-14 Application process
Require at risk students to present proof of identify in person or through notary public
This is really good information – do you have a source or are you the source? Again, I’m interested in using some of this data in training.

45. Students at Risk for Fraud
Identify applicants, based on statistical risk model, attempting to obtain student aid funds fraudulently or without serious educational intent
Require to:
Present themselves in person with government ID
Execute Statement of Educational Purpose with school official or notary public
Those with unusual enrollment history
Require institution to determine if prior academic record support serious academic intent 45

46. Perception of Detection
Controls with the greatest associated reduction in fraud are those credited with increasing the perpetrator’s perception of detection:
Fraud awareness programs
Job rotation and mandatory vacation policies
Rewards for whistleblowers
Surprise (INTERNAL) audits detected frauds more than twice as quickly as organizations lacking such controls
External audits are the LEAST successful method of finding fraud

47. Cost for Data Loss  reduction in funds for student aid
Investigations average $300 per user impacted
FSA hosts at least 80 million records
1% of those records were leaked
Financial exposure would be approximately $240 million
 reduction in funds for student aid
Good slide – Linda, I would add another slide for conclusions/recommendations to highlight activities the FAA should perform to assist in reducing fraud prior to the questions slide - LEW

48. Summary Fraud cannot be totally prevented
Fraud prevention is less expensive and more effective than detection
Fraud prevention starts with being informed!!
Fraud prevention, detection, and reporting is EVERYONE’s responsibility!

49. QUESTIONS?

50. Additional Resources
Find more information about preventing and detecting fraud at the following websites:
The Association of Certified Fraud Examiners (
The Federal Bureau of Investigation (
The National White Collar Crime Center (
U.S. Government Accountability Office (
Internal Revenue Service (
Department of Education Office of the Inspector General (

51. Cyber Crime Terminology
Malware - malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.
Computer worm - standalone malware that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Trojan horse - a type of malware that masquerades as a legitimate file or helpful program but whose real purpose is to grant a hacker unauthorized access to a computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may used downloads or install via online games or internet-driven applications in order to reach target computers.

52. Cyber Crime Terminology (cont.)
Spyware is a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware can collect almost any type of data, including personal information, internet surfing habits, user logins, and bank or credit account information.
Adware or advertising-supported software -any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, is harmless.