Fraud, Waste and Abuse Defined by the Oregon Secretary of State

Fraud Risk, Responsibilities, Deterrence, Detection and Prevention Power Point Presentation

Irregularities Power Point Presentation

 

This image shows a blue triangle labeled as the fraud triangle. On top of the triangle is the word opportunity. On the left point of the triangle is the word pressure. On the right point of the triangle is the word rationalization.

- The theories regarding violation of trust that led to the creation of the "fraud triangle" were developed by criminologist Donald Cressey in 1951.

By reducing opportunity, greater pressure and rationalization are needed to commit fraud.

Current theories add a fourth element - capability - and are beginning to be referred to as the "fraud diamond".  Capability would include technical skills, coercion, deception, ability, organizational positioning, intelligence, ego and stress management.

 

COSO Fraud Risk Management Principles (2016)

The image is divided into two sections: on the left, the COSO framework components and principles, and on the right, the fraud risk management principles. The left side has five components: control environment in yellow, risk assessment in green, control activities in blue, information & communication in purple, and monitoring activities in black. Each lists its principles as follows.

Control environment:
1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment:
6) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9) The organization identifies and assesses changes that could significantly affect the system of internal control.

Control activities:
10) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11) The organization selects and develops general control activities over technology to support the achievement of objectives.
12) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information & communication:
13) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15) The organization communicates with external parties regarding matters affecting internal control.

Monitoring activities:
16) The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate.

Arrows connect each component on the left to one fraud risk management principle on the right.

Control environment (principles 1 through 5) points to principle 1: The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk assessment points to principle 2: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risk.

Control activities points to principle 3: The organization selects, develops and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & communication points to principle 4: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Monitoring activities points to principle 5: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

 

 

Figure 1. Ongoing, Comprehensive Fraud Risk Management Process. A gray arrow goes in a circle starting at the top and passes behind five green boxes moving to the right initially. The boxes read as follows: Establish a fraud risk management policy as part of organizational governance. Perform a comprehensive fraud risk assessment. Select, develop and deploy preventive and detective fraud control activities. Establish a fraud reporting process and coordinate approach to investigation and corrective action. Monitor the fraud risk management process, report results and improve process. After the fifth box the arrow points to the first box completing the circle.

"How might a fraud perpetrator exploit weaknesses in your system of controls?

How could a perpetrator override or circumvent controls?

Who might have a motive or incentive to commit fraud?

Given identified fraud risks, which controls are critical to preventing fraud?

What controls might be subject to fraudulent attacks?"

- COSO "Fraud Risk Management Guide", 2016

 

Exhibit 1.1 Internal Audit Roles in Fraud Awareness. Three boxes are positioned above a circle with arrows that point down to the circle. The boxes are labeled educator, facilitator, and assessor from left to right. The circle that they point down to is labeled fraud awareness.
 

- "Raise the Red Flag an Internal Auditor's Guide to Detect and Prevent Fraud", 2015

 

How to Reduce Personal Fraud Risk on the Internet
By
SOU Information Technology

If you have any questions or concerns, please do not hesitate to contact a Computing Coordinator at helpdesk@sou.edu or 541-552-6900.

Phishing

A scam by which a target is duped into revealing personal or confidential information which the scammer can use illicitly. Being tricked into installing a piece of software that you did not mean to install can also be a form of phishing. You can research common scams and how to report them at https://www.usa.gov/stop-scams-frauds.

Email

Companies should never ask you for your password or require that you log in to verify your credentials. Most companies will not even include links to their login pages in their emails.

Examine the URLs of the links in the email by hovering your mouse pointer over them. Where are they trying to take you? If it seems suspicious, don’t click it! You can always go to the company’s website on your own to log in if necessary. You never have to use an email link to get to the websites you visit. Never trust an email just because it looks legitimate.
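The hover check above can be automated. The following is an added example, not part of the SOU guide: it parses the links out of an HTML email body and flags any link whose visible text names one host while the href actually goes to another, or whose target is not one of the company's own domains. The sample email and the trusted domain examplebank.com are constructed for the example.

```python
# Added example (not SOU's code): find links in an HTML email whose visible
# text and real destination disagree, the mismatch you see when hovering.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL, or of a bare domain such as www.example.com."""
    candidate = value if "://" in value else "http://" + value
    return (urlsplit(candidate).hostname or "").lower()


def suspicious_links(html_body, trusted_hosts):
    """Return (href, reason) for every link a reader should not click."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the link text as a host claim if it looks like a domain.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif not any(target == h or target.endswith("." + h) for h in trusted_hosts):
            findings.append((href, f"host {target} is not one of the company's domains"))
    return findings


# Constructed sample message: the first link's text claims the bank's site,
# but its href points somewhere else entirely.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs verification. Log in at
<a href="http://secure-login.example.net/bank">www.examplebank.com</a> now.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(f"DO NOT CLICK {href}: {reason}")
```

Run against the sample, it reports only the first link; the second goes to a subdomain of the trusted domain and its text ("our help page") makes no host claim, so it passes.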

Phone

Companies should never ask you for your sensitive information over the phone if they initiated the call, and they should never ask you for your passwords. If someone tries this, tell them that you are going to hang up and call them back at their company’s publicly-listed phone number.

Technology companies will never contact you about problems on your computer. They aren’t monitoring your computer for signs of trouble, and do you really want them to be? If you get a call from someone claiming to be tech support from a company, hang up, and whatever you do, don’t let them connect remotely to your computer.

Be suspicious anytime someone tries to pressure you with the “ticking time bomb” threat. “Act now or else you’re going to lose everything!” This is a common con-artist trick.

Software and Websites

Be cautious when downloading software from websites that like to display manipulative advertisements. Either learn how to determine which download button to click or get your software from another source that respects your time.

Never react to browser windows claiming that your computer is infected. Just close them. You should also familiarize yourself with what your computer’s legitimate security alerts look like. They will usually contain the name of your anti-virus software.

Be cautious when installing freeware software that comes with bundled adware or spyware. You can always opt out of installing those annoying extras, but they’ll often try to trick you into installing them anyway.

https://www.ninite.com is a great website that enables you to bundle downloads for many common software products into one convenient package that is safe and free of junkware. 

Updates

Updates are vital to protect you from exploits that cyber criminals discover in the various programs we use every day. Not updating your software is like leaving your doors and windows unlocked.

Operating System

Windows 10: Go to your Start Menu, click on Settings, and then select Update & Security. 

Windows 8, 7, and Vista: Go to your Start Menu, click on Control Panel, and then find the Windows Update control panel applet.

Macintosh: Click on the Apple icon in the top-left corner of your screen, select App Store, and then click on the Updates button in the App Store. 

Web Browsers

Firefox: https://support.mozilla.org/en-US/kb/update-firefox-latest-version

Chrome: https://support.google.com/chrome/answer/95414

Internet Explorer / Edge: Updates come included in your Windows updates.

Safari: Updates come included in your Macintosh updates.  

Browser Plugins 

Java: https://www.java.com/en/download

Flash: https://get.adobe.com/flashplayer

Silverlight: https://www.microsoft.com/getsilverlight  

Microsoft Office and other Products

Microsoft Office: http://tinyurl.com/jdn6h5w (redirects to the Office update page)

Adobe Acrobat Reader: https://get.adobe.com/reader 

Other products: https://www.ninite.com 

Router Firmware 

Updating your router’s firmware carries inherent risks. If you decide to do it yourself, be sure to follow all instructions provided by your router’s manufacturer.

Linksys: http://www.linksys.com/us/support-article?articleNum=132961

Belkin: http://www.belkin.com/us/support-article?articleNum=10797

ASUS: http://www.asus.com/microsite/2014/networks/routerfirmware_update/

D-Link: http://support.dlink.com/ and then look for your router model.

Netgear: http://tinyurl.com/z9t5vql (redirects to the Netgear support page)

Spectrum: https://www.spectrum.net/support/internet/modems-routers-wireless-adapters/ (redirects to Spectrum support page)

Centurylink: http://internethelp.centurylink.com/internethelp/downloads-auto-firmware.html 

Remediation

We try our best to prevent disaster, but sometimes we have to perform remediation. Here’s how.

System Restore for Windows: http://www.wintuts.com/System-Restore

Time Machine for Macintosh: https://support.apple.com/en-us/HT201250

Malwarebytes for both Macintosh and Windows: https://www.malwarebytes.com  

Total System Reset 

This is a method of last resort designed to reset your operating system to its original state when you first booted up the computer. ALWAYS BACK UP YOUR DATA AND ENSURE YOU HAVE THE MEANS TO REINSTALL ALL PROGRAMS YOU’VE DOWNLOADED OR PURCHASED PRIOR TO ATTEMPTING A SYSTEM RESET. The process will undo everything. Professional assistance is recommended.

Macintosh: https://support.apple.com/en-us/HT201314

Windows 8 and 10: http://www.tenforums.com/tutorials/4130-reset-windows-10-a.html

Windows 7 and Vista: Get a professional to help you. 

Encryption 

Keeps your digital life private. 

HTTPS

Encrypts your connection to individual websites. Especially important for online banking and shopping.
Look for the padlock icon next to the URL of the website you’re visiting. The URL will also begin with https:// as opposed to http://. 

VPN

Encrypts your connection to the Internet by directing all of your traffic through a trusted proxy via an encrypted tunnel. Adds an extra layer of protection on top of HTTPS and also provides anonymity. Can be used on a variety of devices, including laptops, tablets, and cell phones. It is highly recommended to use a VPN service while traveling and connecting to open Wi-Fi networks that do not require a password to connect.

Paid VPN Services: https://www.privacytools.io/#vpn (focuses on anonymity and government jurisdiction) and https://vpn-services.bestreviews.net/vpn-comparison (focuses on features) 

Free VPN Services: http://www.vpngate.net/en 

Local Encryption 

Keeps your files private using strong encryption that cannot be reversed without the password. Be careful when using this kind of encryption because if you lose the password, you will NOT be able to recover your data. That’s the whole point.

Veracrypt (cross-platform, capable of whole-disk encryption or file/folder encryption): https://veracrypt.codeplex.com 

File Vault (Macintosh): https://support.apple.com/en-us/HT204837 

Bitlocker (Windows): http://tinyurl.com/jdc6xkd (redirects to a tutorial on setting up Bitlocker) 

Password Management 

Passwords secure much of our lives: our personal information, our data, and our money. It is not enough to keep reusing the same, weak passwords on the Internet. Passwords should be lengthy (12 characters or more—the longer the better), complex (a mixture of uppercase and lowercase letters, numbers, and symbols), unique (use different passwords for everything), and ideally randomized (meaningless gibberish is good). Password managers can help by remembering, and even generating, passwords for you in a secure fashion. They work by encrypting your passwords with a master password, which you must not lose or forget, but the risk of losing your master password pales in comparison to the risk of having your passwords compromised.
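The four properties above (length, complexity, uniqueness, randomness) can be checked and produced mechanically, which is what a password manager does for you. The following is an added example, not code from the SOU guide or from any password manager: it generates passwords from the operating system's cryptographic random source and reports which of the guide's rules a given password breaks. The 12-character minimum and the four-class complexity rule follow the text; the `previously_used` list stands in for a manager's record of passwords you already use elsewhere.

```python
# Added example (not SOU's code): generate and check passwords against the
# guide's four rules: lengthy, complex, unique, randomized.
import math
import secrets
import string

# Full printable ASCII set: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12   # the guide's minimum; longer is better


def check_password(password, previously_used=()):
    """Return the rules this password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({MIN_LENGTH} characters or more)")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in password) for cls in classes)
    if present < len(classes):
        problems.append("not complex (mix lowercase, uppercase, digits and symbols)")
    if password in previously_used:
        problems.append("not unique (reused from another site)")
    return problems


def generate_password(length=20):
    """Random password from ALPHABET using secrets (the OS CSPRNG, not random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rarely a draw misses one class; redraw rather than patch it by hand.
        if not check_password(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.0f} bits)")
    print(check_password("password123"))
```

`secrets` rather than `random` matters: `random` is seeded predictably and is not meant for secrets. The entropy figure is for a truly random password; a human-chosen one of the same length has far less, which is the guide's point about gibberish.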

KeePass: http://keepass.info 

KeePass is open source, free, and very secure because you retain exclusive control of the encrypted password database.

Open source means that security experts worldwide can audit the program’s code every time it changes. Transparency ensures its security.

You can upload the encrypted password database to cloud providers such as Dropbox and Google Drive if you want to sync it between devices. This is still secure because without your master password, the file can’t be opened by the cloud provider.

LastPass: http://lastpass.com 

LastPass is a freemium, cloud-based password management service. The free features are enough for most people, and you can upgrade to their premium version at any time.

LastPass is extremely convenient since it ties into your web browser and syncs your passwords across all of your devices for you. It also makes it easy to audit your passwords and it can even alert you if your credentials for a website have appeared in a known data breach.

Although LastPass is closed-source and retains a copy of your password database, they have a good reputation for transparency and proper security and supposedly they never receive your master password—decryption happens locally on your computer—so they can’t decrypt your password database. That could change, however.

Apple Keychain: http://tinyurl.com/a9brnch (redirects to a tutorial on Keychain Access)

Built into the Macintosh operating system and integrates into all of their products and services.
Can be synced through iCloud. See https://support.apple.com/en-us/HT204085 

Implements great security, but it is closed source and controlled by Apple, so just like with LastPass, you are trusting the company to respect your privacy now and in the future.

Other options: https://www.privacytools.io/#pw 

Two-Factor Authentication 

Authentication factors include something you know (e.g. a password), something you have (e.g. a key), and something you are (e.g. your fingerprint). The more factors you use, the more secure your authentication method is. Many online banking websites, stock trading websites, and email providers now support two-factor authentication, usually in the form of one-time codes that they generate and send to you via your cell phone in addition to asking for a password. This means that if a criminal wants to impersonate you, they now need not only your password, but also the code sent to your cell phone. This protects you from password leaks, but not necessarily from phishing.
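To make concrete why a second factor defeats a leaked password, here is an added example, not code from the SOU guide or from any of the services listed below, of the server side of the one-time-code scheme the paragraph describes: a random six-digit code is issued with a short lifetime, delivered to the user (the delivery step is left to the caller), and accepted only once. The five-minute lifetime and the injectable clock are assumptions made for the example.

```python
# Added example (not SOU's code): a one-time code as the "something you have"
# factor. The code is random, expires, and is consumed on first use.
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 300   # assumption: codes are valid for five minutes


class SecondFactor:
    """Issues and verifies one-time codes for the second authentication step."""

    def __init__(self, now=time.time):
        self._now = now            # clock is injectable so expiry can be tested
        self._pending = {}         # username -> (code, expiry timestamp)

    def issue_code(self, username):
        """Create a fresh code; the caller delivers it to the user's phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, self._now() + CODE_LIFETIME_SECONDS)
        return code

    def verify_code(self, username, submitted):
        """True exactly once for the right code within its lifetime."""
        # Any attempt consumes the pending code, right or wrong, so a code
        # cannot be replayed and cannot be guessed by repeated tries.
        record = self._pending.pop(username, None)
        if record is None:
            return False
        code, expiry = record
        if self._now() > expiry:
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(code, submitted)


def login(password_ok, second_factor, username, submitted_code):
    """Both factors must pass: a stolen password alone does not log in."""
    return bool(password_ok) and second_factor.verify_code(username, submitted_code)


if __name__ == "__main__":
    factor = SecondFactor()
    code = factor.issue_code("alice")     # in practice this is texted to alice
    print("first use:", login(True, factor, "alice", code))    # True
    print("replay:", login(True, factor, "alice", code))       # False
```

This matches the paragraph's last sentence: an attacker holding only the leaked password fails the second step, but a phishing page that asks for the code and forwards it within the lifetime still gets one successful login, which is why the guide says two-factor does not necessarily protect against phishing.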

Google Account Two-Factor Authentication: https://www.google.com/landing/2step

Amazon Two-Factor Authentication: https://www.amazon.com/gp/help/customer/display.html?nodeId=201962420

E*Trade Two-Factor Authentication: www.etrade.com/onlinesecurity

Check with your banks to see if they offer two-factor authentication for their online services. 

Wi-Fi Security

Use WPA2 encryption when setting up your wireless network at home, be sure to choose a good password for it, and update the password periodically. When traveling or using public Wi-Fi, consider using a VPN service (see the VPN section above), especially if the public Wi-Fi network is open (meaning that it doesn’t require a password). Be careful that you don’t accidentally connect to a fake Wi-Fi network with a similar name to the legitimate one you’re trying to connect to (e.g. don’t connect to the malicious “Coffeeshop wi-fi” when you meant to connect to the legitimate “Coffee Shop Wireless Network”).
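The lookalike-name trap in the paragraph can be screened for before you tap a network. The following is an added example, not part of the SOU guide: given the name of the network you trust and a list of what is currently visible, it marks names that are the same once case, accents, spacing and punctuation are ignored, or that share most of their characters with the trusted name, and separately points out open networks. The scan list is constructed for the example, and the similarity thresholds are assumptions.

```python
# Added example (not SOU's code): flag Wi-Fi names that imitate the one you
# meant to join, and call out open networks where a VPN is advisable.
import difflib
import os
import unicodedata


def normalize_ssid(ssid):
    """Fold case, accents, spaces and punctuation so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def looks_like(a, b, ratio_threshold=0.8, prefix_fraction=0.75):
    """True if two normalized names are equal, mostly overlapping, or one
    begins with most of the other ("coffeeshopwifi" vs "coffeeshopwireless...")."""
    if not a or not b:
        return False
    if a == b:
        return True
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    prefix = os.path.commonprefix([a, b])
    return ratio >= ratio_threshold or len(prefix) >= prefix_fraction * min(len(a), len(b))


def assess_scan(trusted_ssid, scan):
    """Map each visible SSID to a verdict. scan is a list of (ssid, security)."""
    verdicts = {}
    target = normalize_ssid(trusted_ssid)
    for name, security in scan:
        if name == trusted_ssid:
            verdicts[name] = "trusted"
        elif looks_like(target, normalize_ssid(name)):
            verdicts[name] = "lookalike: do not connect"
        elif security.lower() == "open":
            verdicts[name] = "open network: use a VPN if you must connect"
        else:
            verdicts[name] = "unknown"
    return verdicts


# Constructed sample scan, using the names from the guide's own example.
SCAN = [
    ("Coffee Shop Wireless Network", "WPA2"),
    ("Coffeeshop wi-fi", "open"),
    ("Coffee Shop Wireless Network ", "open"),   # trailing space is invisible in a menu
    ("Library Guest", "open"),
]

if __name__ == "__main__":
    for ssid, verdict in assess_scan("Coffee Shop Wireless Network", SCAN).items():
        print(f"{ssid!r}: {verdict}")
```

A network that copies the trusted name exactly cannot be told apart by name at all, which is the case the guide's VPN advice covers: on any public network, encrypt your traffic regardless of which access point you landed on.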

Set up WPA2 on Belkin routers: http://www.belkin.com/us/support-article?articleNum=10805 

Set up WPA2 on Linksys routers: http://www.linksys.com/us/support-article?articleNum=139152 

Set up WPA2 on Netgear routers: http://tinyurl.com/k48d4ub (redirects to the Netgear support article)

Set up WPA2 on Asus routers (enter product model name): http://www.asus.com/support 

Set up WPA2 on D-Link routers: http://tinyurl.com/gmnl24j (redirects to support article)

Manage Wi-Fi on Charter Routers: http://www.charter.net/support/internet/spectrum-home-wifi 

Manage Wi-Fi on Centurylink Routers: http://internethelp.centurylink.com/internethelp/wireless.html

Information Leaks 

Sometimes your personal information and even your passwords will be leaked by the companies you’ve done business with—or even by the government. This is seemingly unavoidable in modern life, so you had best have a plan.

Password leak: The company will notify you, or else you’ll probably hear about it in the news. Hopefully your password was encrypted by the company (if it wasn’t, you should never do business with them again), which buys you some time because encrypted passwords have to be cracked before they can be used. If your password was strong because you followed my advice in this class, you should have ample time to change it before the criminals can crack it. (Weak passwords can be cracked in minutes whereas strong passwords can take years to crack.) If you were only using that password on the website that got breached, then you’re done. If not, you’ll have to update that password everywhere else you’ve used it.
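Two claims in that paragraph, that a properly stored password has to be cracked before it is useful and that a strong one takes far longer to crack than a weak one, are shown below in an added example that is not code from the SOU guide or from any company. The storage side uses PBKDF2 with a random salt from the standard library; the work factor, the example passwords and the 10 billion guesses per second rate used for the crack-time estimate are assumptions labelled in the code.

```python
# Added example (not SOU's code): how a company should store a password
# (salted, slow hash) and why a strong password buys time after a leak.
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumption: PBKDF2-SHA256 work factor for this example
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password, salt=None):
    """Store salt and digest together; the salt makes precomputed tables useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def expected_crack_seconds(alphabet_size, length, guesses_per_second):
    """Average brute-force time for a random password of this shape.
    On average half the space is searched before the password is found."""
    return (alphabet_size ** length) / 2 / guesses_per_second


def crack_time_report(guesses_per_second=1e10):
    """Compare the guide's 'weak' and 'strong' cases at one assumed guess rate."""
    weak = expected_crack_seconds(26, 8, guesses_per_second)     # 8 lowercase letters
    strong = expected_crack_seconds(94, 16, guesses_per_second)  # 16 printable chars
    return {"weak_seconds": weak, "strong_years": strong / SECONDS_PER_YEAR}


if __name__ == "__main__":
    stored = hash_password("constructed-example-passphrase")
    print("stored:", stored[:24] + "...")
    print("correct:", verify_password("constructed-example-passphrase", stored))
    print("wrong:", verify_password("guess", stored))
    print(crack_time_report())
```

The guess rate of ten billion per second is what fast unsalted hashes allow on commodity hardware; with a slow hash such as PBKDF2 at this iteration count the attacker's rate drops by orders of magnitude, which is the other half of "buys you some time".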

Personal Information leak: The company will notify you, or else you’ll probably hear about it in the news. Your information may have been encrypted, but even if it was, it won’t be difficult for crackers to break it because it will follow well-defined patterns. Assume that your name, address, date of birth, social security number, and any other information that may have been leaked is now somewhere on the Internet for criminals to bid on. Identity theft is what you need to be on the lookout for. Monitoring services can help with that, but they won’t prevent the problem. Credit freezes are a better option.

Credit freezes: http://tinyurl.com/nzdwbwt (redirects to an excellent blog article by a security researcher on how to deal with credit freezes)

IdentityTheft.gov (report and recover from identity theft): https://identitytheft.gov

Your SOU email can be subpoenaed if you are ever the subject of an investigation. Do not conduct personal business on your SOU email account.

Privacy Policies

You should know what a company’s privacy policy is before you do business with them.

Look for the C U R S E

Collection - What are they collecting?
Usage - What are they doing with your information?
Retention - How long do they retain their information on you?
Security - What are they doing to protect their information on you?
Exchange - Whom will they exchange your information with and for what purposes?

Terms of Service; Didn’t Read (explains many privacy policies in plain English): https://tosdr.org

Card and Password Skimming

Whether your credit card or debit card uses a magnetic strip or an RFID/NFC (radio) chip, it can be skimmed. Skimming refers to when a criminal copies the information on your card or passport without your knowledge or permission. This information can be used to charge purchases to your accounts or to steal your identity.

You can protect yourself from magnetic strip skimming by inspecting ATM and other card reading terminals prior to using them. See how your terminal compares to other terminals nearby. Trust your instinct if something looks off about it.

If you do not trust someone to handle your credit card where you cannot see them, consider paying with cash instead.

You can protect yourself from RFID/NFC skimming by placing your RFID/NFC equipped credit cards, debit cards, and passports in a specially designed wallet, purse, case, or sleeve. A homemade sleeve can be constructed out of aluminum foil.

Be especially cautious of skimming when traveling. Tourists make tempting targets.

Keep an eye on your account statements.