Your Role in Preventing Fraud and Abuse Dr. Linda Wilbanks Chief Information Security Officer U.S. Department of Education.

1 Your Role in Preventing Fraud and Abuse Dr. Linda Wilbanks Chief Information Security Officer U.S. Department of Education

2 Agenda
- Introduction
- Defining Fraud
- Sources of Fraud
- Identify losses relating to Fraud
- Reporting Fraud
- Preventing and Deterring Fraud
- Resources
- Cyber Crime terminology

3 Introduction
Despite efforts to minimize fraud, student financial aid fraud is a "rapidly growing problem," according to the Semi-Annual Report to Congress #66, October 1, 2012 – March 31, 2013 from the U.S. Department of Education's Office of Inspector General. The inspector general estimates that, between 2009 and 2012, federal student aid fraud increased 82%. For that time period, the OIG identified more than 85,000 federal aid recipients who may have participated in fraud ring activity. The education agency believes these students may have illegally received more than $187 million in federal student aid.

4 Fraud Defined
- An intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss.
- Layman’s terms: Lying, cheating, and/or stealing.

5 This is REALLY Happening
Sept. 18, individuals have been indicted for participating in Federal student aid fraud schemes that preyed on at least 15 schools across California. The indictments are a result of ED’s Office of Inspector General’s (OIG) criminal investigations aimed at shutting down student aid “fraud rings”—groups of criminals that seek to exploit distance education programs to fraudulently obtain federal student aid. The defendants allegedly fraudulently obtained more than $770,000 in federal student aid.
The U.S. Attorney’s Office provided summaries of the seven schemes, which include a fraud ring that not only relied on participating family and friends, but also allegedly used stolen personal identifiers of individuals with disabilities to fraudulently obtain more than $285,000 in federal student aid and grants. Leaders of another ring allegedly recruited more than 50 straw students—including prison inmates—to fraudulently receive $200,000 in student aid.

6 Types of Fraud
- Title IV fraud – single student
- Fraud Rings
- Occupational fraud
- Social engineering
FSA Focus – Financial Fraud!
Schools; Individuals; Fraud Rings

7 Who Commits Fraud Involving Education Funds?
- School employees, officials, owners, financial managers, and instructors
- Lenders and lender servicers
- Guarantee Agencies
- Award recipients
- Grantees and contractors
- ED employees
- Others

8 Examples of Title IV Fraud Schemes
- FAFSA fraud – enrollment
- Falsification of entrance exams
- Falsification of GEDs/HS Diplomas
- Falsification of attendance
- Falsification of grades
- Failure to make refunds
- Ghost students
- Leasing of eligibility
- Loan theft/forgeries
- Fraud/theft by school employees
- Default rate fraud
- 90/10 rule
- Financial statement falsification
- Falsified last date of attendance
- Obstruction of a federal audit or program review

9 Title IV Fraud Schemes Related to Students or Other Individuals
- FAFSA Fraud:
  - Social Security Number
  - Alien Registration Status
  - Dependency Status
  - Income and Assets
  - Number of Family Members in College
- Falsification of GEDs/HS Diplomas
- Intent to attend
- Intent to repay
- Identity Theft
- Distance Fraud Schemes
- Fraud Rings (Distance fraud is not only perpetrated by rings; it is of many types, committed by individual(s) or schools)

10 Title IV Fraud Schemes Related to Schools
- Ghost students
- Leasing of eligibility
- Default rate fraud
- 90/10 Rule manipulation scheme
- Financial statement falsification
- Falsified last date of attendance
- Obstruction of a federal audit or program review
- Fraud/Theft by School Employees
- FAFSA fraud – enrollment
- Falsification of GEDs/HS Diplomas
- Falsification of attendance and Satisfactory Academic Progress
- Falsification of grades
- Failure to make refunds
- Loan theft/forgeries
- Fraud Rings

11 Individual Fraud
[Diagram labels: Student 1 – fraudulently obtains funds; Student 2 – fraudulently obtains funds; Non-Student – fraudulently obtains funds; Tells: Non-Students, Parents, School Personnel]

12 Example – Fraud! When Sussette Sheree Timmons, of Dallas, enrolled in several online colleges, she had no intention of becoming educated, federal authorities said. Timmons, 30, instead kept the financial aid she applied for and withdrew from the colleges and universities, which offered “distance learning” programs on the Internet, the U.S. attorney’s office said. She was indicted Tuesday on six counts of financial aid fraud. The indictment said Timmons received financial aid from the following schools: New Mexico State University; Western New Mexico University; Ashford University; Northern New Mexico College; Coconino Community College; and Pima Community College. “She enrolled in classes at the schools and the awarded financial aid was applied to her tuition and fees,” the U.S. attorney’s office said. “She did not complete any of the classes for which she enrolled, and she did not intend to pursue an education at the schools.” Timmons also received checks that she cashed, although she had no plans to use it for educational expenses, according to the indictment. When the schools asked her for the money back, she refused. Timmons even appealed when one of the schools suspended her financial aid in “That school rejected her appeal, stating that she had withdrawn from 13 colleges or universities since 2009,” federal authorities said. If convicted of all counts, Timmons faces up to 30 years in prison and a maximum fine of $1.5 million. The U.S. Department of Education Office of Inspector General investigated the case. Source – news releases 12

13 Fraud Rings
[Diagram labels: Ring Master; School 1, School 2, School …, School N-1, School N, School N+1; four leaders, each with Students]

14 Fraud Rings

15 “There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.” Benjamin Franklin 15

16 Profile of an Occupational Fraudster
The Perpetrator’s Department
Fraud offenders were most likely to be found in one of six departments:
- Accounting (22%)
- Operations (17%)
- Sales (13%)
- Executive/upper management (12%)
- Customer service (7%)
- Purchasing (6%)

17 Profile of a Fraudster
The most common behavioral red flags displayed by perpetrators:
- Living beyond one’s means
- Experiencing financial difficulties
- Unusually close association with vendor/customer
- Control issues; unwillingness to share duties
- “Wheeler-dealer” attitude
- Divorce/family problems
- Irritability, suspiciousness or defensiveness
- Addiction problems
- Refusal to take vacations

18 Why People Commit Fraud: Cressey’s Fraud Triangle Theory
- Weak controls; little or no oversight; lax rules
- Debt; addictions; status
- “Everyone does it”; “I was only borrowing the money”; “I was underpaid and deserve it”

19 Fraud Indicators
- One person in control
- No separation of duties
- High turnover of personnel
- Unexplained entries in records
- Unusually large amounts of payments for cash
- Inadequate or missing documentation
- Altered records (white-out, copies of documents, etc.)
- Non-serial number transactions
- Inventories and financial records not reconciled
- Lack of internal controls/ignoring controls
- Repeat audit findings
- Unauthorized transactions

20 Office Manager Fraud NEW BRUNSWICK, N.J. - After an office manager for New Jersey City University admitted embezzling $486,000 in student funds three years ago, the U.S. Department of Education began auditing the use of all federal money by the state college. It soon discovered that $608,766 in federally subsidized loans and grant money had been improperly awarded by the school - in some cases to students who flunked out or never showed up to class, making them ineligible for financial assistance. An examination of federal Department of Education records by The Star-Ledger of Newark shows that NJCU was not the only state college in New Jersey cited for giving too much money to students who were either ineligible for the aid or whose financial need was overestimated. Those records show at least three universities are on the hook for $868,000 in improperly awarded loans or grants - or in some cases, undercutting student wages paid under federally subsidized work-study programs. The schools - Kean University in Union Township, Rutgers University, and New Jersey City University in Jersey City - did not contest the findings and either repaid the financial aid money, or are currently paying it off over time. No students were penalized. According to the audits, Kean owed $255,920 in aid inappropriately awarded between 2001 and Unlike the audit at New Jersey City University, the review at Kean was not sparked by any warning bells. A spokeswoman for the U.S. Department of Education said it typically conducts program reviews of schools every five years. 20

21 Social Engineering Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception. 21

22 Personally Identifiable Information (PII) “PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.” Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed. The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22,

23 Common Identity Theft Practices
- Obtain or take over financial accounts
- Take out loans for large purchases
- Open new lines of credit
- Sign lease agreements
- Establish services with utility companies
- Write fraudulent checks
- Purchase goods and services on the Internet

24 Stolen PII for Fraud 24

25 Who is Responsible for Reporting Fraud? Everyone who deals with Federal Student Aid funding has a responsibility to help control fraud. 25

26 OIG Sources of Allegations
- OIG Hotline MIS-USED
- ED Program Offices
- School Employees and Officials
- Guarantee Agencies
- Citizens and Students
- Competing Vendors/Schools
- Other Federal Agencies
- U.S. Attorney’s Offices
- Other ED OIG Investigations
- Federal Bureau of Investigation
- State and Local Education Agencies

27 Is Your System a Victim?
Yes? Maybe? Not Sure? Immediate reporting is necessary!
Have the facts:
- Why you think there is an issue
- Date/Time of the Incident
- System information
- Location
- Type and Purpose of the System
- Point of Contact
- Actions already taken

28 Examples of What to Report
- Compromise of systems privileges
- Compromise of information protected by law
- Unauthorized access of IT systems or data
- Exceeding authorized access
- Denial of service of major IT resources
- Malicious destruction or modification of data/information

29 Examples of What to Report
Applicable to students/schools:
- Abuse of professional judgment
- Coaching students when filling out the FAFSA
- Altering attendance records

30 How You Can Help
- Ensure that staff receive necessary training
- Review documents thoroughly
- Question documents/Verify authenticity
- Request additional information from the vendors or administration
- Compare information on different documents
- Contact ED-OIG
A Guide to Grant Oversight and Best Practices for Combating Grant Fraud: http://www.usdoj.gov/oig/special/s0902a/final.pdf

31 Why Report Fraud?
- Ethical responsibility
- Statutory and regulatory requirements
- To deter others from committing fraud and abuse
- To protect the integrity of the Title IV Programs
- To avoid being part of a fraud scheme
- To avoid administrative action
- To avoid civil penalties
- To avoid criminal prosecution
- To protect the children’s future

32 Don’t Try To Investigate Suspicious Activity Yourself! You may have the missing piece of the puzzle needed! 32

33 FSA – Preventing/Deterring Fraud
- Fraud prevention involves actions taken to discourage the commission of fraud and limit fraud exposure when it occurs
- The principal mechanism for preventing fraud is to ensure an appropriate control environment
- Primary responsibility for establishing and maintaining internal control should rest with management
- Each of us at FSA has a fiduciary responsibility to assist in preventing fraud

34 Fraud Prevention = Education
- Government workers must be trained in the required duties of the position. This helps to safeguard the assets of the organization by having knowledgeable staff that can spot unusual or red flag transactions
- Administrators must be trained to recognize potential fraud by coworkers and to student accounts
- Students must be trained to keep their information secure and to identify when their financial information may have been accessed
- Organizations with anti-fraud training programs experience lower losses and shorter durations

35 Deterrence – Schools/FSA/State/Federal
Proactive Fraud Prevention – Audits
- Proactive internal audit/review policies are generated from the top of the operation involved
- A proactive policy simply means that internal auditors/reviewers will aggressively seek out inappropriate conduct, instead of waiting for instances to come to their attention during normal audits (external)

36 Actions to Deter Fraud
- Formal policies addressing fraud
- Targeted Fraud Awareness Training (research shows lower losses & shorter durations)
- Effective Internal Controls (as opposed to lack of internal controls and the ability to override existing controls)
- Management Review
- Competent personnel in oversight roles
- Independent checks/audits
- Clear lines of authority
- IT Controls (Access Controls, etc.)
- Ethics Policy
- Tone at the Top (employees will be more likely to act unethically if management does)
- Putting controls in place to minimize fraud before it can occur

37 Identity Theft Prevention
- Properly handle documents
- Shred sensitive information
- Use key identifiers instead of the SSN
- Password protect sensitive information
- Audit access
- Review access privileges
- Verify who you are talking to

38 Avoiding Identity Theft
- Don’t carry your SSN card with you!
- Request a driver's license number
- Shred sensitive information
- Only carry what you use
- Photocopy all cards in your wallet
- Select hard-to-guess PINs and passwords
- Don’t leave mail sitting in an unprotected box
- Don’t give out private information over the phone
- Order your credit reports
- Use caution when providing ANY sensitive information
- Verify your personal computer has strong and updated computer anti-virus protection and your network provider is secure

39 FSA Two-Factor Authentication (TFA)
- Objective – prevent unauthorized access which can result in stolen information
- Physical tokens issued to be used with passwords to provide two-factor sign-on
- Privileged Users (schools and financial institutions) access PII data on FSA systems
- Over 57,535 privileged user accounts are TFA enabled
- The privileged user population includes:
  - Department of Education employees and contractors
  - Postsecondary School financial aid staff
  - Guaranty Agencies
  - Servicers, Private Collection Agencies, and Not-For-Profits
  - Call Center staff
- Non-Privileged Users – Aid Recipients (students)
- Next Step: developing migration strategy from key fob tokens to soft tokens, leveraging smartphone technology; will support privileged and non-privileged users

40 OIG – Fraud Rings Since 2010, OIG has highlighted the vulnerability of distance education programs to fraud and abuse, including releasing a report on fraud rings in September OIG investigations into student loan fraud rings have grown substantially over the last few years. In 2005, the OIG opened 16 distance education fraud ring investigations; in 2012, that figure grew to 119. To date, more than 300 people have been indicted for participating in fraud rings. "The bottom line is scams like this steal money from hardworking taxpayers and legitimate students and that is unacceptable," continued Tighe. "OIG is committed to fighting student financial aid fraud and we will continue to aggressively pursue those that participate in these types of crimes." 40

41 Office of the Inspector General – OIG Red Flags to Investigators
- Vices such as substance abuse and gambling.
- Extravagant purchases or lifestyle.
- Lack of documents (the ‘big flood’ destroyed…)
- Common Addresses (mailing, , and IP)
- PIN and password information the same.
- Personal information that does not fit the norm.
- Bank information that is the same.

42 FSA – Potential Fraud Ring Identification
- Statistical model
- Utilizes a combination of application data
- Identifies indicators of potential fraud
- Utilizes weighting for total score
- Identifying factor examples:
  - Utilize address and IP address information
  - Received Pell Grant funding from multiple institutions over short period of time
  - Received Pell Grant funding from more than two institutions in same award period

43 FSA Fraud Ring Identification (cont.)
- Uses Fraud Potential Algorithm
- Based on fraud indicators such as # times same phone number used
- (Indicator 1 × assigned weight) + (Indicator 2 × assigned weight) + (Indicator 3 × assigned weight) + … = Fraud Risk Level
- Fraud Risk Levels: Red, Orange, Yellow

44 Fraud Ring Identification (cont.)
- Identify fraud patterns
- Use rule-based filter, set of qualifying determinants
- Identify those who meet minimum thresholds for fraud patterns
- Distance Education high vulnerability, all aspects online (administration, aid, instruction)
- Easier for criminal to assume identities, students never present in person at any time
- FSA FY13-14 Application process: require at-risk students to present proof of identity in person or through notary public
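The weighted-indicator scoring outlined on slides 42-44, as an added example that is not FSA's model or code from the presentation. The field names, weights, per-indicator cap, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    # Hypothetical field names; the slides do not describe FSA's schema.
    applicant_id: str
    phone: str
    mailing_address: str
    ip_address: str
    pell_institutions: tuple  # schools that paid Pell funds in one award period


# Assumed weights, cap and thresholds. The slides give the formula only.
WEIGHTS = {"shared_phone": 3.0, "shared_address": 2.0,
           "shared_ip": 2.0, "extra_pell_institutions": 4.0}
CAP = 3  # limit any one indicator so a busy shared IP cannot decide the score alone
LEVELS = [(12.0, "Red"), (7.0, "Orange"), (3.0, "Yellow")]  # highest first
SHARED_FIELDS = {"shared_phone": "phone", "shared_address": "mailing_address",
                 "shared_ip": "ip_address"}


def indicator_values(app, counts):
    """Indicator = how many OTHER applications reuse the same value."""
    values = {name: counts[field][getattr(app, field)] - 1
              for name, field in SHARED_FIELDS.items()}
    # "More than two institutions in same award period": count the excess.
    values["extra_pell_institutions"] = max(0, len(set(app.pell_institutions)) - 2)
    return values


def fraud_score(app, counts):
    """Sum of indicator x assigned weight, as on slide 43."""
    return sum(WEIGHTS[name] * min(value, CAP)
               for name, value in indicator_values(app, counts).items())


def risk_level(score):
    """Map a score to Red/Orange/Yellow, or None when below the minimum threshold."""
    for threshold, level in LEVELS:
        if score >= threshold:
            return level
    return None


def triage(apps):
    counts = {field: Counter(getattr(a, field) for a in apps)
              for field in SHARED_FIELDS.values()}
    result = {}
    for app in apps:
        score = fraud_score(app, counts)
        result[app.applicant_id] = (score, risk_level(score))
    return result


# Constructed sample records: A1-A3 reuse one phone, address and IP;
# C1 and C2 share only an IP (e.g. a campus lab); D1 has four Pell schools.
SAMPLE = [
    Application("A1", "555-0100", "PO Box 12", "203.0.113.7", ("S1", "S2", "S3")),
    Application("A2", "555-0100", "PO Box 12", "203.0.113.7", ("S4",)),
    Application("A3", "555-0100", "PO Box 12", "203.0.113.7", ("S1", "S2", "S5", "S6")),
    Application("B1", "555-0111", "14 Elm St", "198.51.100.20", ("S1",)),
    Application("C1", "555-0122", "9 Oak Ave", "192.0.2.50", ("S2",)),
    Application("C2", "555-0133", "3 Pine Rd", "192.0.2.50", ("S2",)),
    Application("D1", "555-0144", "7 Birch Ln", "198.51.100.99", ("S1", "S2", "S3", "S4")),
]

if __name__ == "__main__":
    for applicant, (score, level) in triage(SAMPLE).items():
        print(applicant, score, level or "not flagged")
```

A shared IP on its own stays below the Yellow threshold here, which keeps applicants behind one campus or library address out of the review queue unless other indicators also match.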

45 Students at Risk for Fraud
- Identify applicants, based on statistical risk model, attempting to obtain student aid funds fraudulently or without serious educational intent
- Require them to:
  - Present themselves in person with government ID
  - Execute Statement of Educational Purpose with school official or notary public
- Those with unusual enrollment history: require institution to determine if prior academic record supports serious academic intent

46 Perception of Detection
Controls with the greatest associated reduction in fraud are those credited with increasing the perpetrator’s perception of detection:
- Fraud awareness programs
- Job rotation and mandatory vacation policies
- Rewards for whistleblowers
- Surprise (INTERNAL) audits detected frauds more than twice as quickly as organizations lacking such controls

47 Cost for Data Loss
- Investigations average $300 per user impacted
- FSA hosts at least 80 million records
- If 1% of those records were leaked, financial exposure would be approximately $240 million → reduction in funds for student aid

48 Summary
- Fraud cannot be totally prevented
- Fraud prevention is less expensive and more effective than detection
- Fraud prevention starts with being informed!!
- Fraud prevention, detection, and reporting is EVERYONE’s responsibility!

49 QUESTIONS? 49

50 Additional Resources
Find more information about preventing and detecting fraud at the following websites:
- The Association of Certified Fraud Examiners (www.ACFE.com)
- The Federal Bureau of Investigation (www.FBI.gov)
- The National White Collar Crime Center (www.nwc3.org)
- U.S. Government Accountability Office (www.GAO.gov)
- Internal Revenue Service (www.IRS.gov)
- Department of Education Office of the Inspector General (http://www2.ed.gov/about/offices/list/oig/hotline.html)

51 Cyber Crime Terminology
- Malware - malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.
- Computer worm - standalone malware that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
- Trojan horse - a type of malware that masquerades as a legitimate file or helpful program but whose real purpose is to grant a hacker unauthorized access to a computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may use downloads or install via online games or internet-driven applications in order to reach target computers.

52 Cyber Crime Terminology (cont.)
- Spyware - a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware can collect almost any type of data, including personal information, internet surfing habits, user logins, and bank or credit account information.
- Adware or advertising-supported software - any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, is harmless.

