Your Role in Preventing Fraud and Abuse Dr Your Role in Preventing Fraud and Abuse Dr. Linda Wilbanks Chief Information Security Officer U.S. Department of Education

Agenda: Introduction Defining Fraud Sources of Fraud Identify losses relating to Fraud Reporting Fraud Preventing and Deterring Fraud Resources Cyber Crime terminology 2

Introduction: Despite efforts to minimize fraud, student financial aid fraud is a "rapidly growing problem," according to the Semi-Annual Report to Congress #66, October 1, 2012 –March 31, 2013 from the U.S. Department of Education's Office of Inspector General. The inspector general estimates that, between 2009 and 2012, federal student aid fraud increased 82%. For that time period, the OIG identified more than 85,000 federal aid recipients who may have participated in fraud ring activity. The education agency believes these students may have illegally received more than $187 million in federal student aid.

Fraud Defined An intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss. Layman’s terms: Lying, cheating, and/or stealing. We speak about fraud. What is fraud?

This is REALLY Happening Sept. 18, 2012 - 21 individuals have been indicted for participating in Federal student aid fraud schemes that preyed on at least 15 schools across California. The indictments are a result of ED’s Office of Inspector General’s (OIG) criminal investigations aimed at shutting down student aid “fraud rings”—groups of criminals that seek to exploit distance education programs to fraudulently obtain federal student aid. The defendants allegedly fraudulently obtained more than $770,000 in federal student aid.   The U.S. Attorney’s Office provided summaries of the seven schemes, which include a fraud ring that not only relied on participating family and friends, but also allegedly used stolen personal identifiers of individuals with disabilities to fraudulently obtain more than $285,000 in federal student aid and grants.  Leaders of another ring allegedly recruited more than 50 straw students— including prison inmates—to fraudulently receive $200,000 in student aid.  Linda I tried to add the source to this slide (ED OIG SARs, Semi-Annual Reports) and was unable to. You could just verbally speak the source. 5

Types of Fraud FSA Focus – Financial Fraud! Title IV fraud – single student Fraud Rings Occupational fraud Social engineering FSA Focus – Financial Fraud! Schools Are you going to verbally define each type of fraud listed. Individuals Fraud Rings

Who Commits Fraud Involving Education Funds? School employees, officials, owners, financial managers, and instructors Lenders and lender servicers Guarantee Agencies Award recipients Grantees and contractors ED employees Others

Examples of Title IV Fraud Schemes FAFSA fraud – enrollment Falsification of entrance exams Falsification of GEDs/HS Diplomas Falsification of attendance Falsification of grades Failure to make refunds Ghost students Leasing of eligibility Loan theft/forgeries Fraud/theft by school employees Default rate fraud 90/10 rule Financial statement falsification Falsified last date of attendance Obstruction of a federal audit or program review

Title IV Fraud Schemes Related to Students or Other Individuals FAFSA Fraud: Social Security Number Alien Registration Status Dependency Status Income and Assets Number of Family Members in College Falsification of GEDs/HS Diplomas Intent to attend Intent to repay Identity Theft Distance Fraud Schemes Fraud Rings (Distance Fraud is not only perpetrated by rings it is many types committed by individual(s) or schools)

Title IV Fraud Schemes Related to Schools Ghost students Leasing of eligibility Default rate fraud 90/10 Rule manipulation scheme Financial statement falsification Falsified last date of attendance Obstruction of a federal audit or program review. Fraud/Theft by School Employees FAFSA fraud- enrollment Falsification of GEDs/HS Diplomas Falsification of attendance and Satisfactory Academic Progress Falsification of grades Failure to make refunds Loan theft/ forgeries Fraud Rings

Individual Fraud Student 1 Student 2 Non-Student Parents Tells Tells Fraudulently obtains funds Student 2 Non-Student Parents Tells Tells Non- Students This is good – I would love to see this and slide 14 when you are finished. LEW School Personnel 11

Example – Fraud! Source – news releases When Sussette Sheree Timmons, of Dallas, enrolled in several online colleges, she had no intention of becoming educated, federal authorities said. Timmons, 30, instead kept the financial aid she applied for and withdrew from the colleges and universities, which offered “distance learning” programs on the Internet, the U.S. attorney’s office said. She was indicted Tuesday on six counts of financial aid fraud. The indictment said Timmons received financial aid from the following schools: New Mexico State University; Western New Mexico University; Ashford University; Northern New Mexico College; Coconino Community College; and Pima Community College. “She enrolled in classes at the schools and the awarded financial aid was applied to her tuition and fees,” the U.S. attorney’s office said. “She did not complete any of the classes for which she enrolled, and she did not intend to pursue an education at the schools.” Timmons also received checks that she cashed, although she had no plans to use it for educational expenses, according to the indictment. When the schools asked her for the money back, she refused. Timmons even appealed when one of the schools suspended her financial aid in 2011. “That school rejected her appeal, stating that she had withdrawn from 13 colleges or universities since 2009,” federal authorities said. If convicted of all counts, Timmons faces up to 30 years in prison and a maximum fine of $1.5 million. The U.S. Department of Education Office of Inspector General investigated the case. Source – news releases

Fraud Rings I really like this slide. Great depiction of fraud rings. leader Students Ring Master School 1 School 2 School … School N-1 School N School N+1 leader Students I really like this slide. Great depiction of fraud rings. leader Students leader Students 13

Fraud Rings

Benjamin Franklin “There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”

Profile of an Occupational Fraudster The Perpetrator’s Department Fraud offenders were most likely to be found in one of six departments: Accounting (22%) Operations (17%) Sales (13%) Executive/upper management (12%) Customer service (7%) Purchasing (6%) According to the Association of Certified Fraud Examiner’s (ACFE) - LEW

Profile of a Fraudster The most common behavioral red flags displayed by perpetrators: Living beyond one’s means Experiencing financial difficulties Unusually close association with vendor/customer Control issues; unwillingness to share duties “Wheeler-dealer” attitude Divorce/family problems Irritability, suspiciousness or defensiveness Addiction problems Refusal to take vacations According to the Association of Certified Fraud Examiner’s (ACFE) – Also, more exhibiting just one of this red flags doesn’t necessarily make someone a fraudster; when multiple red flags are exhibited it’s time to take notice - LEW

Cressey’s Fraud Triangle Theory Why People Commit Fraud Weak controls Little or no oversight Lax rules Debt Addictions Status Opportunity Perceived Pressure Fraud Triangle Rationalization Perceived pressure normally refers to financial pressure. Behaviorists, Criminologists, Sociologists, etc. have come out with newer models that address types of fraudsters over the last two decades. For example, Madoff didn’t have any perceived pressure; he committed fraud out of greed. LEW Everyone does it I was only borrowing the money I was underpaid and deserve it

Fraud Indicators One person in control No separation of duties High turnover of personnel Unexplained entries in records Unusually large amounts of payments for cash Inadequate or missing documentation Altered records (white-out, copies of documents, etc.) Non-serial number transactions Inventories and financial records not reconciled Lack of internal controls/ignoring controls Repeat audit findings Unauthorized transactions These are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.

Office Manager Fraud NEW BRUNSWICK, N.J. - After an office manager for New Jersey City University admitted embezzling $486,000 in student funds three years ago, the U.S. Department of Education began auditing the use of all federal money by the state college. It soon discovered that $608,766 in federally subsidized loans and grant money had been improperly awarded by the school - in some cases to students who flunked out or never showed up to class, making them ineligible for financial assistance. An examination of federal Department of Education records by The Star-Ledger of Newark shows that NJCU was not the only state college in New Jersey cited for giving too much money to students who were either ineligible for the aid or whose financial need was overestimated. Those records show at least three universities are on the hook for $868,000 in improperly awarded loans or grants - or in some cases, undercutting student wages paid under federally subsidized work-study programs. The schools - Kean University in Union Township, Rutgers University, and New Jersey City University in Jersey City - did not contest the findings and either repaid the financial aid money, or are currently paying it off over time. No students were penalized. According to the audits, Kean owed $255,920 in aid inappropriately awarded between 2001 and 2003. Unlike the audit at New Jersey City University, the review at Kean was not sparked by any warning bells. A spokeswoman for the U.S. Department of Education said it typically conducts program reviews of schools every five years.

Social Engineering Loss of PII Fraud Social Engineering Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception. Social Engineering Loss of PII Fraud These are the conditions that contribute to fraud. In many situations, fraud is a crime of opportunity. The presence of anyone of these may not mean there is a problem. However, if more than two are present…the hair on the back of your neck rises and something doesn’t feel right. There might be a problem.

Personally Identifiable Information (PII) “PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.” Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed. The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection. Again, great slide – I didn’t define PII well enough in the fraud course; this will be helpful OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

Common Identity Theft Practices Obtain or take over financial accounts Take out loans for large purchases Open new lines of credit Sign lease agreements Establish services with utility companies Write fraudulent checks Purchase goods and services on the Internet

Stolen PII for Fraud

Who is Responsible for Reporting Fraud? Everyone who deals with Federal Student Aid funding has a responsibility to help control fraud. LOVE this slide – hope you don’t mind if I use this in the fraud course. Note there are many reasons why everyone is responsible, legislative (there is one reg that specifically states schools (it’s in my fraud course under legalities of fraud), stewards of taxpayers money, protection of aid to ensure those that need it have it available, etc. - LEW

OIG Sources of Allegations OIG Hotline 1-800-MIS-USED ED Program Offices School Employees and Officials Guarantee Agencies Citizens and Students Competing Vendors/Schools Other Federal Agencies U.S. Attorney’s Offices Other ED OIG Investigations Federal Bureau of Investigation State and Local Education Agencies

Is Your System a Victim? Yes? Maybe? Not Sure? Immediate reporting is necessary! Have the facts Why you think there is an issue Date/Time of the Incident System information Location Type and Purpose of the System Point of Contact Actions all ready taken Correlate this with OIG so it transitions with slide 28 and 30 - LEW

Examples of What to Report Compromise of systems privileges Compromise of information protected by law Unauthorized access of IT systems or data Exceeding authorized access Denial of service of major IT resources Malicious destruction or modification of data/information

Examples of What to Report Applicable to students/schools Abuse of professional judgment Coaching students when filling out the FAFSA Altering attendance records

How You Can Help Ensure that staff receive necessary training Review documents thoroughly Question documents/Verify authenticity Request additional information from the vendors or administration Compare information on different documents Contact ED-OIG A Guide to Grant Oversight and Best Practices for Combating Grant Fraud http://www.usdoj.gov/oig/special/s0902a/ final.pdf It is important that FAA view all student records and activities related to Title IV with “professional skepticism” (a term used in the fraud community) basically it means to view things from a fraud perspective – it is occurring therefore as we go about our daily duties we need to perform our duties from a “fraud focus”

Why Report Fraud? Ethical responsibility Statutory and regulatory requirements To deter others from committing fraud and abuse To protect the integrity of the Title IV Programs To avoid being part of a fraud scheme To avoid administrative action To avoid civil penalties To avoid criminal prosecution To protect the children’s future

Don’t Try To Investigate Suspicious Activity Yourself! You may have the missing piece of the puzzle needed!

FSA – Preventing/Deterring Fraud Fraud prevention involves actions taken to discourage the commission of fraud and limit fraud exposure when it occurs The principal mechanism for preventing fraud is to ensure an appropriate control environment Primary responsibility for establishing and maintaining internal control should rest with management Each of us at FSA has a fiduciary responsibility to assist in preventing fraud

Fraud Prevention = Education Government workers must be trained in the required duties of the position. This helps to safeguard the assets of the organization by having knowledgeable staff that can spot unusual or red flag transactions Administrators must be trained to recognize potential fraud by coworkers and to student accounts Students must be trained to keep their information secure and to identify when their financial information may have been accessed Organizations with anti-fraud training programs experience lower losses and shorter durations

Deterrence -Schools/FSA/State/Federal Proactive Fraud Prevention - Audits Proactive internal audit/review policies are generated from the top of the operation involved A proactive policy simply means that internal auditors/reviewers will aggressively seek out inappropriate conduct, instead of waiting for instances to come to their attention during normal audits (external)

Actions to Defer Fraud Formal policies addressing fraud Targeted Fraud Awareness Training (research shows lower losses & shorter durations) Effective Internal Controls (as opposed to lack of internal controls and the ability to override existing controls) Management Review Competent personnel in oversight roles Independent checks/audits Clear lines of authority IT Controls (Access Controls, etc.) Ethics Policy Tone at the Top (employees will be more likely to act unethically if management does) Putting controls in place to minimize fraud before it can occur

Identity Theft Prevention Properly handle documents Shred sensitive information Use key identifiers instead of the SSN Password protect sensitive information Audit access Review access privileges Verify who you are talking to

Avoiding Identity Theft Don’t carry your SSN card with you! Request a drivers license number Shred sensitive information Only carry what you use Photo copy all cards in your wallet Select hard to guess PINs and passwords Don’t leave mail sitting in an unprotected box Don’t give out private information over the phone Order your credit reports Use caution when providing ANY sensitive information Verify your personal computer has strong and updated computer anti-virus protection and your network provider is secure

FSA Two-Factor Authentication (TFA) Objective – prevent unauthorized access which can result in stolen information Physical tokens issued to be used with passwords to provide two-factor sign on Privileged Users - (schools and financial institutions) access PII data on FSA systems Over 57,535 privileged user accounts are TFA enabled The privileged user population includes: Department of Education employees and contractors Postsecondary School financial aid staff Guaranty Agencies Servicers, Private Collection Agencies, and Not-For-Profits Call Center staff Non-Privileged Users - Aid Recipients (students) Next Step Developing migration strategy from key fob token to soft tokens, leveraging smart phone technology, will support privileged and non-privileged users USE IT Good to know, I would like to use this in the fraud course as well, with your permission

OIG – Fraud Rings Since 2010, OIG has highlighted the vulnerability of distance education programs to fraud and abuse, including releasing a report on fraud rings in September 2011.   OIG investigations into student loan fraud rings have grown substantially over the last few years. In 2005, the OIG opened 16 distance education fraud ring investigations; in 2012, that figure grew to 119. To date, more than 300 people have been indicted for participating in fraud rings.  "The bottom line is scams like this steal money from hardworking taxpayers and legitimate students and that is unacceptable," continued Tighe. "OIG is committed to fighting student financial aid fraud and we will continue to aggressively pursue those that participate in these types of crimes."

Office of the Inspector General - OIG Red Flags to Investigators Vices such as substance abuse and gambling. Extravagant purchases or lifestyle. Lack of documents (the ‘big flood’ destroyed…) Common Addresses (mailing, e-mail, and IP) Pin number and password information the same. Personal information that does not fit the norm. Bank information that is the same.

FSA – Potential Fraud Ring Identification Statistical model Utilizes a combination of application data Identifies indicators of potential fraud Utilizes weighting for total score Identifying factor examples: Utilize e-mail address and IP address information Received Pell Grant funding from multiple institutions over short period of time Received Pell Grant funding from more than two institutions in same award period I like this slide!

FSA Fraud Ring Identification(cont.) Uses Fraud Potential Algorithm Based on Fraud indicators such as # times same phone number used Indicator 1 x assigned weight + Indicator 2 x assigned weight + Indicator 3 x assigned weight + …. = Fraud Risk Level Red Orange Yellow I’d would be interested in learning more about what this slide means – I understand the part with algorithms…not sure what is meant by indicators to calculate a weighted average of the fraud risk level - LEW

Fraud Ring Identification (cont.) Identify Fraud patterns Use rule based filter, set of qualifying determinants Identify those who meet minimum thresholds for fraud patterns Distance Education high vulnerability, all aspects online (administration, aid, instruction) Easier for criminal to assume identities, students never present in person at any time FSA FY13-14 Application process Require at risk students to present proof of identify in person or through notary public This is really good information – do you have a source or are you the source? Again, I’m interested in using some of this data in training.

Students at Risk for Fraud Identify applicants, based on statistical risk model, attempting to obtain student aid funds fraudulently or without serious educational intent Require to: Present themselves in person with government ID Execute Statement of Educational Purpose with school official or notary public Those with unusual enrollment history Require institution to determine if prior academic record support serious academic intent 45

Perception of Detection Controls with the greatest associated reduction in fraud are those credited with increasing the perpetrator’s perception of detection: Fraud awareness programs Job rotation and mandatory vacation policies Rewards for whistleblowers Surprise (INTERNAL) audits detected frauds more than twice as quickly as organizations lacking such controls External audits are the LEAST successful method of finding fraud

Cost for Data Loss  reduction in funds for student aid Investigations average $300 per user impacted FSA hosts at least 80 million records 1% of those records were leaked Financial exposure would be approximately $240 million  reduction in funds for student aid Good slide – Linda, I would add another slide for conclusions/recommendations to highlight activities the FAA should perform to assist in reducing fraud prior to the questions slide - LEW

Summary Fraud cannot be totally prevented Fraud prevention is less expensive and more effective than detection Fraud prevention starts with being informed!! Fraud prevention, detection, and reporting is EVERYONE’s responsibility!

QUESTIONS?

Additional Resources Find more information about preventing and detecting fraud at the following websites: The Association of Certified Fraud Examiners (www.ACFE.com) The Federal Bureau of Investigation (www.FBI.gov) The National White Collar Crime Center (www.nwc3.org) U.S. Government Accountability Office (www.GAO.gov) Internal Revenue Service (www.IRS.gov) Department of Education Office of the Inspector General (http://www2.ed.gov/about/offices/list/oig/hotline.html)

Cyber Crime Terminology Malware - malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs. Computer worm - standalone malware that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. Trojan horse - a type of malware that masquerades as a legitimate file or helpful program but whose real purpose is to grant a hacker unauthorized access to a computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may used downloads or install via online games or internet-driven applications in order to reach target computers.

Cyber Crime Terminology (cont.) Spyware is a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware can collect almost any type of data, including personal information, internet surfing habits, user logins, and bank or credit account information. Adware or advertising-supported software -any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, is harmless.