by Jim Marasco, CPA, CIA, CFE
Fraud Matters, Summer 2011
External Threats Facing your Organization
Your organization today faces a variety of external threats that never existed a decade ago. Safeguarding against them is an ongoing battle as perpetrators become increasingly sophisticated and clever.
Fraud perpetrated against an organization can originate from within (internal fraud) and includes various methods of employee theft and espionage. Companies are also vulnerable to external threats or forces from outside the organization. For some, such as retailers, these risks involve their own customers. The proliferation of the Internet and electronic media has presented a whole new set of external threats to organizations.
The term “phishing” was coined to describe an emerging form of fraud that is harming both businesses and consumers. Data thieves create a replica of an existing Web page to fool a user into submitting personal, financial or password data that can then be used for illicit purposes.
Thus far, the industries most affected by phishing are financial services, Internet service providers and online retailers. However, telecommunications and utility companies are increasingly becoming targets. The FBI has called this scheme the hottest, most troubling scam on the Internet.
Companies spend tons of money on anti-malware defenses, firewalls and multi-factor authentication. All of these prevention measures can be nullified by social engineering. Social engineering is defined as understanding what makes a person think, act and react. Once those emotional responses are learned, they are used to manipulate a person into taking an action that the perpetrator wants them to take.
Using this methodology, hackers glean certain knowledge about a company from public sources and start calling various employees, using an array of techniques to try to manipulate them into providing certain information. Usually, employees are tricked into disclosing logins and passwords. Another ploy is to convince an employee to visit a specific URL that hosts malware, which then attacks the organization.
As cell phones are developing into pocket-sized computers, they are also becoming susceptible to viruses, worms and Trojan horses. As a result, your employees may be allowing dangerous viruses onto your network. The attacks that computers have historically experienced are becoming more prevalent on smart phones.
Thieves are stealing data from Bluetooth and open WiFi networks, sending malware and viruses via texts, or gaining physical access to phones. The ability to manage access to a network through smart phones has become a critical part of safeguarding organizations today.
As organizations batten down the hatches by limiting access to their networks and educating their employees about releasing critical information, they shouldn’t overlook the obvious.
Most companies allow a cleaning agency into their building after hours. These individuals may have full, unsupervised access to the entire office. The records left on desks, in unlocked recycle bins, on logged-on computers, etc., provide a gold mine to identity thieves. By exposing your proprietary information or your clients’ records to data thieves within your own office, you stand to lose both financially and reputation-wise.
Another scheme threatening companies is from thieves posing as alleged new customers or clients. They offer to pay a sizable deposit or retainer for goods or services and then subsequently downsize the original request and ask that a portion of the retainer be electronically returned to their bank account.
This whole process takes place in a day or two; by the time it is realized that the check or wire from the alleged customer was fraudulent, the money has already been withdrawn from your account.
These frauds and the next generation that evolves require a heightened awareness of the advances in technology and the risks they pose. Managing these risks is critical.
Firewalls, two-factor authentication, smart phone safeguards, etc., are important safety measures that must be monitored. In addition, your customers and employees need to be educated as to the unknowing risk that they could pose to the organization. All the safeguards employed are useless against someone voluntarily giving up their username and password to a stranger. A comprehensive IT audit can help assess your organization’s vulnerability to these threats. – James Marasco, CPA, CIA, CFE