© 2015 Association of Certified Fraud Examiners, Inc.

Developing an Anti-Fraud Program to Defend Against Emerging Social Engineering Schemes

Steve Morang, CFE, CIA, CRMA



Frank, Rimerman + Co. LLP certified public accountants

4A: Developing an Anti-Fraud Program to Defend Against Emerging Social Engineering Schemes

Steve C. Morang, CFE, CIA, CRMA

Copyright Steve C. Morang, All rights reserved.


Presentation Overview

• Introduction (5 min)
• Changing Threat Landscape (5 min)
• Social Engineering (15 min)
• The Link to Social Media (15 min)
• The Link to the Deep Web / Dark Net (10 min)
• Developing a Framework (20 min)
• Wrap-up / Q&A (10 min)


Introduction

Learning objectives in this session include:

• Gain an understanding of the links between cybercrime, fraud, social media and the Deep Web
• Prevent, detect and investigate the latest social engineering fraud schemes
• Develop a framework to address social engineering risks
• Assess the risks to an organization and develop an appropriate policy with regard to social media


Where is this road heading?

“Things are going to get interesting!” - A well-known IT security guru!


Where is this road heading?

“The future is already here, just not evenly distributed to everyone!”

“Criminals and fraudsters have always been early adopters of technology.”


First Question – Put on your thinking caps!

The internet is getting an upgrade from IPv4 to IPv6. It will increase by:
a) 10%
b) 200%
c) 4,000%
d) I don’t know

Answer: It will increase by a factor of 356,000,000!


In other words, the internet infrastructure will increase from the size of:


An excellent read about the future of cybercrime...


Current and Emerging Fraud Threats

Cybercrime
• Has continued to increase year over year - estimated at $445 billion in 2014!
• More frequent and larger attacks are expected for 2015
• Social Engineering Schemes such as Spear Phishing are on the rise and pose significant new threats
• The consensus approach has moved from prevention to acceptance and proactive response


Part 1: What is Social Engineering?


What is social engineering?

According to Wikipedia, Social Engineering: “in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.”


Social Engineering

Seven Prevalent Social Engineering Scams
1. USB drive left in parking lot or lobby
2. Phishing emails
3. Spear Phishing
4. Phone calls to work or home
5. Email account hijacking
6. Physical office security breakdown
7. Microsoft Technical Support Call
8. Social Media Scam - LinkedIn


Social Engineering

Social Engineering Schemes are increasing and becoming more sophisticated

• State sponsored corporate espionage – IP Theft
• Targeted Spear Phishing for:
  • Asset Misappropriation
  • Insider trading
  • IP Theft
  • PII Theft


Social Engineering

Phishing / Spear Phishing
• Over 30 million malicious URLs
• 18% of phishing email recipients click the link!
• Over 80% of employees are unable to detect the most common and frequently used phishing scams
• Newest trend is to monitor email communications and then to replicate the “original” sender's writing style.
• Domain names closely resemble companies or vendors – for example [email protected] instead of [email protected]
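The last two bullets describe the impersonation pattern that a mail gateway or SOC rule can catch: a sender domain that is one character away from a real vendor or company domain, or a display name that matches an executive while the address sits on an unrelated domain (the wire-transfer scenario in Example 1 later in this deck). The check below is an added illustration written for this page, not code from the presentation or from Frank, Rimerman + Co.; the trusted domains, executive names and sample headers are constructed, and the edit-distance thresholds are an assumption to be tuned against real mail volume.

```python
"""Flag From: headers that impersonate trusted domains or executives.

Added example, not from the deck. All domains, names and headers below are
constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: domains the organization legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.net"}

# Constructed list of executives whose names get spoofed in wire-transfer requests.
EXECUTIVE_NAMES = {"alice example", "carol finance"}

# Digit-for-letter swaps and letter pairs that visually mimic a single letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIRS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain):
    """Lower-case, drop a trailing dot and undo the common visual substitutions."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    for lookalike, letter in PAIRS:
        d = d.replace(lookalike, letter)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(header_value):
    """Split a From: header into (lower-cased display name, lower-cased domain)."""
    name, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def is_trusted(domain):
    """Exact trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(header_value):
    """Return 'trusted', 'lookalike', 'display-name-impersonation' or 'external'."""
    name, domain = sender_parts(header_value)
    if not domain:
        return "external"
    if is_trusted(domain):
        return "trusted"
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalize_domain(trusted)
        # Assumed thresholds: allow 2 edits only for longer domains so that short,
        # genuinely different domains are not flagged.
        limit = 2 if len(t_norm) >= 12 else 1
        if levenshtein(norm, t_norm) <= limit:
            return "lookalike"
    # Untrusted domain carrying an executive's name in the display name.
    if name in EXECUTIVE_NAMES:
        return "display-name-impersonation"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, one per verdict.
    for header in (
        "Alice Example <alice@example-corp.com>",
        "Accounts Payable <ap@exarnple-corp.com>",
        "Alice Example <ceo-alice@freemail-example.org>",
        "Bob Builder <bob@unrelated-site.org>",
    ):
        print(f"{classify_sender(header):28s} {header}")
```

The normalization runs on both the suspect and the trusted domain, so a legitimate domain that happens to contain "rn" still matches itself exactly; the trusted check also runs before normalization, so subdomains of an allowlisted domain never trip the look-alike branch. In practice the verdicts would feed a quarantine or a warning banner rather than a hard block, since a new legitimate vendor can also sit one edit away from an existing one.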


Social Engineering

Social Engineering Levers*
1. Reciprocation: When people are provided with something, they tend to feel obligated and subsequently repay the favor.
2. Scarcity: People tend to comply when they believe something is in short supply.
3. Consistency: Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable.

*3/3/2015 Computerworld.com/Intel


Social Engineering

Social Engineering Levers*
4. Liking: Targets are more likely to comply when the social engineer is someone they like.
5. Authority: People tend to comply when a request comes from a figure of authority.
6. Social validation: People tend to comply when others are doing the same thing.

*3/3/2015 Computerworld.com/Intel


Part 2: How is social engineering evolving with the increased presence of social media?


The Evolution of Social Engineering

• Advances in technology and the wide-spread adoption of social media have created new opportunities for fraudsters
• Fraudsters are by nature early adopters of technology and are using the rise in social media to their advantage
• Information shared on social media sites such as Facebook, LinkedIn and Twitter can be used to improve social engineering schemes
• Fraudsters are also using “hacked” online profiles as well as fictitious profiles to build connections to targets


The Evolution of Social Engineering

• Fraudsters are also using “hacked” online profiles as well as fictitious profiles to build connections to targets
• Over 600k FB accounts are hacked every day. Information gathered includes passwords, names, birthdays, addresses, employer details, travel plans, access to friends etc.
• LinkedIn accounts contain important information to be used in Spear Phishing attacks including: organization, title, photograph, coworkers, email syntax, education and work history, certifications, birthdates, work anniversaries, publications, interests etc.


The Evolution of Social Engineering

Example 1 – Benefits Provider
• Company was well known to be growing through multiple acquisitions of competitors
• Finance and accounting staff were identifiable through their LinkedIn profiles
• CEO used Twitter account to share international travel plans
• Fraudsters used a “similar” domain name to impersonate the CEO and order an URGENT wire transfer for an upcoming acquisition
• Wire transfer was prepared but stopped by CFO before final approval


The Evolution of Social Engineering

Example 2 – Pharmaceutical Company
• Key members of a client's staff were identifiable through LinkedIn profiles
• Fictitious LinkedIn profiles were used to connect to company management
• Targeted Spear Phishing used to install malware onto the company network and gain access to email servers
• Fraudsters were able to monitor confidential emails regarding financial reporting and make illegal trades
• Company suffered reputational damages as well as facing potential litigation and fines


Part 3: How is Social Engineering connected to the “Deep Web / Dark Net”?


Dark Net and Deep Web Link to Social Engineering Schemes

• Dark net allows fraudsters to anonymously trade confidential information (Tor Network / Bitcoin)
• Tools used for specific social engineering attacks can be bought in the Deep Web – for example, fake LinkedIn profiles, company email registers, passwords, etc.
• Information stolen from an organization, whether IP, confidential or customer/vendor data, will be traded on the Dark Net.
• Most common items include credit card/debit card numbers, birthdates, social security numbers


Part 4: How do I develop a framework and an appropriate policy to protect my organization against the emerging social engineering threat landscape?


Developing the Framework

• Changing the Organization Culture
• Conducting a Fraud Risk Assessment
• Development of Policies and Procedures
• Implementation of Training
• Monitoring and Response
• Continuous Improvement


Developing the Framework

Changing the Organization Culture
1. Communicate the risks to the organization at all levels.
2. Communicate that the risk associated with social engineering fraud
3. Strive to create a risk-averse culture within the organization


Developing the Framework

Conducting a Fraud Risk Assessment
1. Update your Fraud Risk Assessment (FRA) on a regular basis
2. Hold FRA workshops with multi-disciplinary teams
3. Review controls for potential gaps
4. Consider utilizing an anonymous balloting technology such as Resolver


Fraud Risk Assessment (FRA)

Developing the Framework

Development of Policies and Procedures
1. Develop policies and procedures appropriate to your organizational culture while addressing the risks of social engineering
2. Communication and training will be the key elements of compliance with P&P


Developing the Framework

Implementation of Training
1. Training should be interactive, practical and ongoing
2. Training module should address the risks
3. Regular updates of emerging threats
4. Consider a “Help Line” function


Developing the Framework

Monitoring and Response
1. Consider dedicated resources to monitor compliance
2. Develop an action plan for how to respond


Developing the Framework

Continuous Improvement
1. Be prepared to adapt the framework often
2. Consider future growth and needs


Wrap-up / Q & A

Final Thoughts / Key take-aways

• CyberFraud and social engineering are expected to grow exponentially in the years to come
• The successful organizations are going to be the ones who both accept this threat, and understand that it is not a question of “if” they will be attacked, but “when” they will be attacked, and will have an appropriate response already prepared.


Wrap-up / Q & A

Questions?


Thank you!

Contact Information:
Steve C. Morang, CFE CIA CRMA
[email protected]
www.frankrimerman.com
(Cell) 415-781-9173
@sfacfe
