– Facts and Figures
– Crime Pays (retail pricing)
– Cost of Being a Victim
– Know Your Enemy
– Mechanisms and Methods
– Real-world Examples
– Basic Self-defense
– Corporate Compensating Controls Process
– Definition of Fraud
– Types of Fraud Experienced by Payroll Companies
– Cost of White Collar Crime
– Payroll Fraud Schemes
– Victim, Now what do you do?
Paychex, Inc. – Payroll, Human Resource and Employee Benefit Services
– 13,000 employees
– ~$2.0 B in annual revenue
– 100+ locations across the U.S. and Germany
– 540,000 clients
– >9 million individual records
Awards and Accolades:
– 2009 Fortune 100 Best Companies to Work For
– 2010 Computerworld 100 Best Places to Work in IT (6 straight years)
– 2009 Training Top 125 (21st)
– 2009 World’s Most Ethical Companies
– Alexander Hamilton – Excellence in Treasury and Financial Mgmt
Certifications:
– ASIS Certified Protection Professional (CPP)
– ISC2 Certified Information Systems Security Professional (CISSP)
– ISACA Certified Information Systems Auditor (CISA)
– ISACA Certified Information Security Manager (CISM)
– SANS GIAC Systems and Network Auditor (GSNA – GOLD)
Member of:
– FBI InfraGard
– ISACA West New York Chapter
– ASIS
– ISSA
Former:
– NSTAC participant
– Resident representative to NCC / Telecom ISAC
– NS/EP liaison to the Department of Homeland Security for a national telecommunications service provider
– New York City ~ 8.4 million [1]
– Tokyo ~ 13 million [1]
– Internet ~ 1.7 billion [2]
– Mariposa botnet infection >12 million [3]
– New York City ~ 16,500 per month [4]
– Tokyo ~ 15,500 per month [5]
– Internet ~ 4 million websites per month [6]
– Malicious web pages ~ 228,000 per month
Every three and a half minutes a crime is committed on the streets of New York City. Every two and a half minutes a crime is committed on the streets of Tokyo. Every three seconds, an identity is stolen online — that’s nearly 10,512,000 identities each year. Cyber crime has surpassed illegal drug trafficking as a criminal moneymaker; 1 in 5 will become a victim. [7]
Black Market Prices (January 2010):
– Date of Birth (DOB)
– Drivers License Number (DL)
– Mother’s Maiden Name (MMN)
– Social Security Number (SSN)
– Bank Account Numbers (BA)
– Credit Card Numbers (CC)
Prices as listed on the slide: $10.00, $4.00, $0.30, $4.00
Victims of identity theft can expect:
– Lost wages: $2k to $15k
– Lost time: 9 months
– Legal expenses: $850 to $1,400
– Funds withdrawn: $6,000
– Bottom line: > $10k out-of-pocket
– PhDs on the payroll
– Computer Scientists
– Behavioral Scientists
– Psychologists
– Marketing and Sales Managers
– Work weekdays 9 to 5
– Mostly taking weekends off
– Blackhat SEO
– Malicious websites
– E-mail and Snail Mail (attachments and hyperlinks)
– Social Media
– Instant Messaging
– Removable Media (CD/DVD, USB drives, flash cards, etc.)
– Fax Machines
– Copiers and multi-function devices
– Mobile Phones and Texting
– Media Players
– Game Consoles (e.g., Xbox, PlayStation)
– Parking tickets and more…
– Free goods and services
– Purchasing goods and services
– Fake job offer
– Check cashing
– Charity scams
– Advanced Fee
– Internet Auctions / Classifieds
– Fake Malware Scams
– Lottery scam
– Arrested out of country
– Hitman
– Fraud recovery scams
– Pet scams
– Babysitting and Au-Pair scams
– Rental scams
– Any social engineering technique that will garner a response…
– Social engineering
– Spear phishing
– Malware infections
Master plan = $$$
– Payroll fraud
– Health care fraud
– Insurance fraud
– Retirement account fraud (401(k))
– Account takeovers (ACH fraud)
– Cyber-extortion
– And the list goes on…
– Don’t click on links or open attachments…from anyone!
– Trust but verify
– Use defensive layers (firewalls, AV, AM, etc.)
– Use separate web browsers
– Use separate computers
– Share personal information sparingly
– Perpetual security training and awareness
– Identify and inventory your information assets
– Risk rank assets
– Identify the asymmetrical use cases (think like a criminal)
– Research potential security measures for information assets
– Assign a responsible individual
– Develop an information security policy defining how you will protect information assets
– Develop a roadmap
– Form an information security governance committee (dependent on organizational size)
– Budget for security measures
– Implement, manage, monitor, and test controls
– Wash, rinse, and repeat the process!
Certifications:
– ACFE Certified Fraud Examiner (CFE)
– IAFCI Certified Financial Crimes Investigator (CFCI)
Member of:
– ACFE
– IAFCI Western New York Chapter
– InfraGard
– FBI Citizens Academy Graduate
Former:
– Police Officer
– Undercover Narcotics
– White Collar Crime
– Vice
– Tactical Unit
Someone who knowingly deceives, by using stolen or fictitious information (i.e., names, addresses, dates of birth, social security numbers, invalid bank account information, etc.), to gain a benefit or an advantage. If there is no deception, there may be abuse, but it is not fraud.
– Payroll Fraud / ACH Fraud
– Money Laundering
– Identity Theft (false Social Security numbers, lack of identity)
– Hijacking legitimate business info and business bank accounts
– Check Fraud
– Healthcare Fraud
– Stolen Paychex Property
– Internal Fraud
The typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2009 Gross World Product, this figure translates to a potential total fraud loss of more than $2.9 trillion worldwide. [8]
– Enrolling fraudulent companies as payroll clients
– Hijacking legitimate business information
– Identity theft
– Producing fraudulent checks
– Adding fraudulent employees
– Keeping terminated employees on payroll
– Money laundering
– Identify the situation
– Centralize the lead of the investigation in one person
– Investigate the matter completely before jumping to conclusions
– Begin collecting evidence
– Document only the facts, using the KISS model
– Contact the proper Law Enforcement Agency (remember thresholds and severity of crime; don’t contact the FBI when local law enforcement will serve you as well)
– Cooperate with all facets of the investigation and supply evidence as needed; remember you are the victim of the crime, so law enforcement does not need a subpoena from the victim
1. Fact Source Wikipedia – Population of Tokyo depends on definition of prefecture boundaries and ranges from 8 mil for special wards to 39 mil for entire prefecture.
2. Internet 2009 in numbers – http://royal.pingdom.com/2010/01/22/internet-2009-in-numbers/
3. Spanish police shut down 'world's largest' botnet – http://news.techworld.com/security/3214049/spanish-police-shut-down-worlds-largest-botnet/
4. http://norris.blogs.nytimes.com/ “Buying Old New Homes” – estimates peak of 199,000 unsold in January 2008
5. Housing Starts: New Construction Starts of Dwellings by Owner Occupant Relation – http://www.e-stat.go.jp/SG1/estat/XlsdlE.do?sinfid=000008188791
6. Internet 2009 in numbers – http://royal.pingdom.com/2010/01/22/internet-2009-in-numbers/
7. http://www.symantec.com/about/news/release/article.jsp?prid=20090910_01
8. Fact Source ACFE 2010 Report to the Nation; http://www.acfe.com/rttn/2010-rttn.asp