Presentation on theme: "Your Role in Preventing Fraud and Abuse Dr"— Presentation transcript:
1 Your Role in Preventing Fraud and Abuse Dr Your Role in Preventing Fraud and Abuse Dr. Linda Wilbanks Chief Information Security Officer U.S. Department of Education
2 Agenda: Introduction Defining Fraud Sources of Fraud Identify losses relating to FraudReporting FraudPreventing and Deterring FraudResourcesCyber Crime terminology2
3 Introduction:Despite efforts to minimize fraud, student financial aid fraud is a "rapidly growing problem," according to the Semi-Annual Report to Congress #66, October 1, 2012 –March 31, from the U.S. Department of Education's Office of Inspector General.The inspector general estimates that, between 2009 and 2012, federal student aid fraud increased 82%.For that time period, the OIG identified more than 85,000 federal aid recipients who may have participated in fraud ring activity. The education agency believes these students may have illegally received more than $187 million in federal student aid.
4 Fraud DefinedAn intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss.Layman’s terms:Lying, cheating, and/or stealing.We speak about fraud. What is fraud?
5 This is REALLY Happening Sept. 18, individuals have been indicted for participating in Federal student aid fraud schemes that preyed on at least 15 schools across California. The indictments are a result of ED’s Office of Inspector General’s (OIG) criminal investigations aimed at shutting down student aid “fraud rings”—groups of criminals that seek to exploit distance education programs to fraudulently obtain federal student aid. The defendants allegedly fraudulently obtained more than $770,000 in federal student aid.The U.S. Attorney’s Office provided summaries of the seven schemes, which include a fraud ring that not only relied on participating family and friends, but also allegedly used stolen personal identifiers of individuals with disabilities to fraudulently obtain more than $285,000 in federal student aid and grants. Leaders of another ring allegedly recruited more than 50 straw students— including prison inmates—to fraudulently receive $200,000 in student aid. Linda I tried to add the source to this slide (ED OIG SARs, Semi-Annual Reports) and was unable to. You could just verbally speak the source.5
6 Types of Fraud FSA Focus – Financial Fraud! Title IV fraud – single studentFraud RingsOccupational fraudSocial engineeringFSA Focus –Financial Fraud!SchoolsAre you going to verbally define each type of fraud listed.IndividualsFraud Rings
7 Who Commits Fraud Involving Education Funds? School employees, officials, owners, financial managers, and instructorsLenders and lender servicersGuarantee AgenciesAward recipientsGrantees and contractorsED employeesOthers
8 Examples of Title IV Fraud Schemes FAFSA fraud – enrollmentFalsification of entrance examsFalsification of GEDs/HS DiplomasFalsification of attendanceFalsification of gradesFailure to make refundsGhost studentsLeasing of eligibilityLoan theft/forgeriesFraud/theft by school employeesDefault rate fraud90/10 ruleFinancial statement falsificationFalsified last date of attendanceObstruction of a federal audit or program review
9 Title IV Fraud Schemes Related to Students or Other Individuals FAFSA Fraud:Social Security NumberAlien Registration StatusDependency StatusIncome and AssetsNumber of Family Members in CollegeFalsification of GEDs/HS DiplomasIntent to attendIntent to repayIdentity TheftDistance Fraud SchemesFraud Rings (Distance Fraud is not only perpetrated by rings it is many types committed by individual(s) or schools)
10 Title IV Fraud Schemes Related to Schools Ghost studentsLeasing of eligibilityDefault rate fraud90/10 Rule manipulation schemeFinancial statement falsificationFalsified last date of attendanceObstruction of a federal audit or program review.Fraud/Theft by School EmployeesFAFSA fraud- enrollmentFalsification of GEDs/HS DiplomasFalsification of attendance and Satisfactory Academic ProgressFalsification of gradesFailure to make refunds Loan theft/ forgeriesFraud Rings
11 Individual Fraud Student 1 Student 2 Non-Student Parents Tells Tells Fraudulently obtains fundsStudent 2Non-StudentParentsTellsTellsNon- StudentsThis is good – I would love to see this and slide 14 when you are finished. LEWSchool Personnel11
12 Example – Fraud! Source – news releases When Sussette Sheree Timmons, of Dallas, enrolled in several online colleges, she had no intention of becoming educated, federal authorities said. Timmons, 30, instead kept the financial aid she applied for and withdrew from the colleges and universities, which offered “distance learning” programs on the Internet, the U.S. attorney’s office said.She was indicted Tuesday on six counts of financial aid fraud. The indictment said Timmons received financial aid from the following schools: New Mexico State University; Western New Mexico University; Ashford University; Northern New Mexico College; Coconino Community College; and Pima Community College.“She enrolled in classes at the schools and the awarded financial aid was applied to her tuition and fees,” the U.S. attorney’s office said. “She did not complete any of the classes for which she enrolled, and she did not intend to pursue an education at the schools.” Timmons also received checks that she cashed, although she had no plans to use it for educational expenses, according to the indictment.When the schools asked her for the money back, she refused. Timmons even appealed when one of the schools suspended her financial aid in “That school rejected her appeal, stating that she had withdrawn from 13 colleges or universities since 2009,” federal authorities said.If convicted of all counts, Timmons faces up to 30 years in prison and a maximum fine of $1.5 million.The U.S. Department of Education Office of Inspector General investigated the case.Source – news releases
13 Fraud Rings I really like this slide. Great depiction of fraud rings. leaderStudentsRing MasterSchool 1School 2School …School N-1School NSchool N+1leaderStudentsI really like this slide. Great depiction of fraud rings.leaderStudentsleaderStudents13
15 Benjamin Franklin“There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”
16 Profile of an Occupational Fraudster The Perpetrator’s DepartmentFraud offenders were most likely to be found in one of six departments:Accounting (22%)Operations (17%)Sales (13%)Executive/upper management (12%)Customer service (7%)Purchasing (6%)According to the Association of Certified Fraud Examiner’s (ACFE) - LEW
17 Profile of a FraudsterThe most common behavioral red flags displayed by perpetrators:Living beyond one’s meansExperiencing financial difficultiesUnusually close association with vendor/customerControl issues; unwillingness to share duties“Wheeler-dealer” attitudeDivorce/family problemsIrritability, suspiciousness or defensivenessAddiction problemsRefusal to take vacationsAccording to the Association of Certified Fraud Examiner’s (ACFE) – Also, more exhibiting just one of this red flags doesn’t necessarily make someone a fraudster; when multiple red flags are exhibited it’s time to take notice - LEW
18 Cressey’s Fraud Triangle Theory Why People Commit FraudWeak controlsLittle or no oversightLax rulesDebtAddictionsStatusOpportunityPerceived PressureFraudTriangleRationalizationPerceived pressure normally refers to financial pressure. Behaviorists, Criminologists, Sociologists, etc. have come out with newer models that address types of fraudsters over the last two decades. For example, Madoff didn’t have any perceived pressure; he committed fraud out of greed. LEWEveryone does itI was only borrowing the moneyI was underpaid and deserve it
19 Fraud Indicators One person in control No separation of duties High turnover of personnelUnexplained entries in recordsUnusually large amounts of payments for cashInadequate or missing documentationAltered records (white-out, copies of documents, etc.)Non-serial number transactionsInventories and financial records not reconciledLack of internal controls/ignoring controlsRepeat audit findingsUnauthorized transactionsThese are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.
20 Office Manager FraudNEW BRUNSWICK, N.J. - After an office manager for New Jersey City University admitted embezzling $486,000 in student funds three years ago, the U.S. Department of Education began auditing the use of all federal money by the state college. It soon discovered that $608,766 in federally subsidized loans and grant money had been improperly awarded by the school - in some cases to students who flunked out or never showed up to class, making them ineligible for financial assistance.An examination of federal Department of Education records by The Star-Ledger of Newark shows that NJCU was not the only state college in New Jersey cited for giving too much money to students who were either ineligible for the aid or whose financial need was overestimated. Those records show at least three universities are on the hook for $868,000 in improperly awarded loans or grants - or in some cases, undercutting student wages paid under federally subsidized work-study programs. The schools - Kean University in Union Township, Rutgers University, and New Jersey City University in Jersey City - did not contest the findings and either repaid the financial aid money, or are currently paying it off over time. No students were penalized.According to the audits, Kean owed $255,920 in aid inappropriately awarded between 2001 and Unlike the audit at New Jersey City University, the review at Kean was not sparked by any warning bells. A spokeswoman for the U.S. Department of Education said it typically conducts program reviews of schools every five years.
21 Social Engineering Loss of PII Fraud Social Engineering Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception.Social EngineeringLoss of PIIFraudThese are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.
22 Personally Identifiable Information (PII) “PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.”Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed.The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection.Again, great slide – I didn’t define PII well enough in the fraud course; this will be helpfulOMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
23 Common Identity Theft Practices Obtain or take over financial accountsTake out loans for large purchasesOpen new lines of creditSign lease agreementsEstablish services with utility companiesWrite fraudulent checksPurchase goods and services on the Internet
25 Who is Responsible for Reporting Fraud? Everyone who deals with Federal Student Aid funding has a responsibility to help control fraud.LOVE this slide – hope you don’t mind if I use this in the fraud course. Note there are many reasons why everyone is responsible, legislative (there is one reg that specifically states schools (it’s in my fraud course under legalities of fraud), stewards of taxpayers money, protection of aid to ensure those that need it have it available, etc. - LEW
26 OIG Sources of Allegations OIG Hotline MIS-USEDED Program OfficesSchool Employees and OfficialsGuarantee AgenciesCitizens and StudentsCompeting Vendors/SchoolsOther Federal AgenciesU.S. Attorney’s OfficesOther ED OIG InvestigationsFederal Bureau of InvestigationState and Local Education Agencies
27 Is Your System a Victim? Yes? Maybe? Not Sure? Immediate reporting is necessary!Have the factsWhy you think there is an issueDate/Time of the IncidentSystem informationLocationType and Purpose of the SystemPoint of ContactActions all ready takenCorrelate this with OIG so it transitions with slide 28 and 30 - LEW
28 Examples of What to Report Compromise of systems privilegesCompromise of information protected by lawUnauthorized access of IT systems or dataExceeding authorized accessDenial of service of major IT resourcesMalicious destruction or modification of data/information
29 Examples of What to Report Applicable to students/schoolsAbuse of professional judgmentCoaching students when filling out the FAFSAAltering attendance records
30 How You Can Help Ensure that staff receive necessary training Review documents thoroughlyQuestion documents/Verify authenticityRequest additional information from the vendors or administrationCompare information on different documentsContact ED-OIGA Guide to Grant Oversight and Best Practices for Combating Grant Fraud final.pdfIt is important that FAA view all student records and activities related to Title IV with “professional skepticism” (a term used in the fraud community) basically it means to view things from a fraud perspective – it is occurring therefore as we go about our daily duties we need to perform our duties from a “fraud focus”
31 Why Report Fraud? Ethical responsibility Statutory and regulatory requirementsTo deter others from committing fraud and abuseTo protect the integrity of the Title IV ProgramsTo avoid being part of a fraud schemeTo avoid administrative actionTo avoid civil penaltiesTo avoid criminal prosecutionTo protect the children’s future
32 Don’t Try To Investigate Suspicious Activity Yourself! You may have the missing piece of the puzzle needed!
33 FSA – Preventing/Deterring Fraud Fraud prevention involves actions taken to discourage the commission of fraud and limit fraud exposure when it occursThe principal mechanism for preventing fraud is to ensure an appropriate control environmentPrimary responsibility for establishing and maintaining internal control should rest with managementEach of us at FSA has a fiduciary responsibility to assist in preventing fraud
34 Fraud Prevention = Education Government workers must be trained in the required duties of the position. This helps to safeguard the assets of the organization by having knowledgeable staff that can spot unusual or red flag transactionsAdministrators must be trained to recognize potential fraud by coworkers and to student accountsStudents must be trained to keep their information secure and to identify when their financial information may have been accessedOrganizations with anti-fraud training programs experience lower losses and shorter durations
35 Deterrence -Schools/FSA/State/Federal Proactive Fraud Prevention - AuditsProactive internal audit/review policies are generated from the top of the operation involvedA proactive policy simply means that internal auditors/reviewers will aggressively seek out inappropriate conduct, instead of waiting for instances to come to their attention during normal audits (external)
36 Actions to Defer Fraud Formal policies addressing fraud Targeted Fraud Awareness Training (research shows lower losses & shorter durations)Effective Internal Controls (as opposed to lack of internal controls and the ability to override existing controls)Management ReviewCompetent personnel in oversight rolesIndependent checks/auditsClear lines of authorityIT Controls (Access Controls, etc.)Ethics PolicyTone at the Top (employees will be more likely to act unethically if management does)Putting controls in place to minimize fraud before it can occur
37 Identity Theft Prevention Properly handle documentsShred sensitive informationUse key identifiers instead of the SSNPassword protect sensitive informationAudit accessReview access privilegesVerify who you are talking to
38 Avoiding Identity Theft Don’t carry your SSN card with you!Request a drivers license numberShred sensitive informationOnly carry what you usePhoto copy all cards in your walletSelect hard to guess PINs and passwordsDon’t leave mail sitting in an unprotected boxDon’t give out private information over the phoneOrder your credit reportsUse caution when providing ANY sensitive informationVerify your personal computer has strong and updated computer anti-virus protection and your network provider is secure
39 FSA Two-Factor Authentication (TFA) Objective – prevent unauthorized access which can result in stolen informationPhysical tokens issued to be used with passwords to provide two-factor sign onPrivileged Users - (schools and financial institutions) access PII data on FSA systemsOver 57,535 privileged user accounts are TFA enabledThe privileged user population includes:Department of Education employees and contractorsPostsecondary School financial aid staffGuaranty AgenciesServicers, Private Collection Agencies, and Not-For-ProfitsCall Center staffNon-Privileged Users - Aid Recipients (students)Next StepDeveloping migration strategy from key fob token to soft tokens, leveraging smart phone technology, will support privileged and non-privileged usersUSE ITGood to know, I would like to use this in the fraud course as well, with your permission
40 OIG – Fraud RingsSince 2010, OIG has highlighted the vulnerability of distance education programs to fraud and abuse, including releasing a report on fraud rings in September 2011.OIG investigations into student loan fraud rings have grown substantially over the last few years. In 2005, the OIG opened 16 distance education fraud ring investigations; in 2012, that figure grew to 119. To date, more than 300 people have been indicted for participating in fraud rings. "The bottom line is scams like this steal money from hardworking taxpayers and legitimate students and that is unacceptable," continued Tighe. "OIG is committed to fighting student financial aid fraud and we will continue to aggressively pursue those that participate in these types of crimes."
41 Office of the Inspector General - OIG Red Flags to InvestigatorsVices such as substance abuse and gambling.Extravagant purchases or lifestyle.Lack of documents (the ‘big flood’ destroyed…)Common Addresses (mailing, , and IP)Pin number and password information the same.Personal information that does not fit the norm.Bank information that is the same.
42 FSA – Potential Fraud Ring Identification Statistical modelUtilizes a combination of application dataIdentifies indicators of potential fraudUtilizes weighting for total scoreIdentifying factor examples:Utilize address and IP address informationReceived Pell Grant funding from multiple institutions over short period of timeReceived Pell Grant funding from more than two institutions in same award periodI like this slide!
43 FSA Fraud Ring Identification(cont.) Uses Fraud Potential AlgorithmBased on Fraud indicators such as # times same phone number usedIndicator 1 x assigned weight +Indicator 2 x assigned weight +Indicator 3 x assigned weight +….= Fraud Risk LevelRedOrangeYellowI’d would be interested in learning more about what this slide means – I understand the part with algorithms…not sure what is meant by indicators to calculate a weighted average of the fraud risk level - LEW
44 Fraud Ring Identification (cont.) Identify Fraud patternsUse rule based filter, set of qualifying determinantsIdentify those who meet minimum thresholds for fraud patternsDistance Education high vulnerability, all aspects online (administration, aid, instruction)Easier for criminal to assume identities, students never present in person at any timeFSA FY13-14 Application processRequire at risk students to present proof of identify in person or through notary publicThis is really good information – do you have a source or are you the source? Again, I’m interested in using some of this data in training.
45 Students at Risk for Fraud Identify applicants, based on statistical risk model, attempting to obtain student aid funds fraudulently or without serious educational intentRequire to:Present themselves in person with government IDExecute Statement of Educational Purpose with school official or notary publicThose with unusual enrollment historyRequire institution to determine if prior academic record support serious academic intent45
46 Perception of Detection Controls with the greatest associated reduction in fraud are those credited with increasing the perpetrator’s perception of detection:Fraud awareness programsJob rotation and mandatory vacation policiesRewards for whistleblowersSurprise (INTERNAL) audits detected frauds more than twice as quickly as organizations lacking such controlsExternal audits are the LEAST successful method of finding fraud
47 Cost for Data Loss reduction in funds for student aid Investigations average $300 per user impactedFSA hosts at least 80 million records1% of those records were leakedFinancial exposure would be approximately $240 million reduction in funds for student aidGood slide – Linda, I would add another slide for conclusions/recommendations to highlight activities the FAA should perform to assist in reducing fraud prior to the questions slide - LEW
48 Summary Fraud cannot be totally prevented Fraud prevention is less expensive and more effective than detectionFraud prevention starts with being informed!!Fraud prevention, detection, and reporting is EVERYONE’s responsibility!
50 Additional ResourcesFind more information about preventing and detecting fraud at the following websites:The Association of Certified Fraud Examiners (www.ACFE.com)The Federal Bureau of Investigation (www.FBI.gov)The National White Collar Crime Center (www.nwc3.org)U.S. Government Accountability Office (www.GAO.gov)Internal Revenue Service (www.IRS.gov)Department of Education Office of the Inspector General (http://www2.ed.gov/about/offices/list/oig/hotline.html)
51 Cyber Crime Terminology Malware - malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.Computer worm - standalone malware that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.Trojan horse - a type of malware that masquerades as a legitimate file or helpful program but whose real purpose is to grant a hacker unauthorized access to a computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may used downloads or install via online games or internet-driven applications in order to reach target computers.
52 Cyber Crime Terminology (cont.) Spyware is a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware can collect almost any type of data, including personal information, internet surfing habits, user logins, and bank or credit account information.Adware or advertising-supported software -any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, is harmless.