“Virtual currencies, perhaps most notably Bitcoin, have captured the imagination of some, struck fear among others and confused the heck out of the rest of us — including me.” – Senator Tom Carper, chair of the Senate Homeland Security and Governmental Affairs Committee, November 2013
Today is day 2 of our Fraud Awareness Week series, Fraud Stories and Lessons Learned, and we want to highlight the rapidly emerging problem of cryptocurrency fraud. Brad Moody, EVP of Operations for Lowers & Associates, points out the rapid increase in crypto-related fraud, noting that in 2016 there were only 340 active cases of such fraud in the U.S. and that by 2020 there were more than 80,000.
In this fraud story, Brad explains how current schemes to capture victim organizations’ cryptocurrency are amplifying the need for effective internal controls, anti-fraud training, and third-party penetration testing.
Interestingly, one of the best ways organizations can protect themselves from cryptocurrency fraud is through the same tried and true practices used to prevent social engineering, phishing, and related attacks. Employees are increasingly targeted by scams delivered through email and shared links, so it is important not only to detect and block such activity at the mail gateway but also to train employees to recognize these scams and avoid becoming victims.
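The email scams described above usually share a few observable traits: a sender domain that imitates a real vendor, a Reply-To that silently routes answers elsewhere, and language asking for payment details to be changed under time pressure. The following is an added example, not code from Lowers & Associates, showing how a mail filter or a payables team tool could flag those indicators. The vendor domain allowlist, the phrase list and the two sample messages are constructed for illustration.

```python
"""Added example: flag the indicators of a business-email-compromise style
payment-redirection email. Sample messages and the vendor allowlist are
constructed; this is not code from the original post."""
import email
import email.utils
import re
from email import policy

# Assumed allowlist of domains the organization actually does business with.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-legal.com"}

# Phrases that typically accompany a request to change where money is sent.
CHANGE_PHRASES = (
    "updated bank", "new account", "new banking", "change our remittance",
    "wire to the following", "updated wiring instructions",
)

# Digits commonly substituted for letters in look-alike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne-supp1y.com' ~ 'acme-supply.com'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small distances catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr_header: str) -> str:
    _, addr = email.utils.parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")
    if from_domain and from_domain not in KNOWN_VENDOR_DOMAINS:
        for known in KNOWN_VENDOR_DOMAINS:
            if _normalize(from_domain) == _normalize(known) or _edit_distance(from_domain, known) <= 2:
                found.append(f"sender domain {from_domain} looks like known vendor {known}")
                break
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in CHANGE_PHRASES if p in text]
    if hits:
        found.append("payment-detail change language: " + ", ".join(hits))
    if hits and re.search(r"\b(urgent|today|immediately|before close of business)\b", text):
        found.append("urgency pressure combined with payment change")
    return found


# Constructed sample: a look-alike domain, a mismatched Reply-To, and a request
# to redirect payment under time pressure.
SAMPLE_BEC = """From: Accounts Payable <ap@acrne-supply.com>
Reply-To: ap.acme@mail-relay.example
To: payables@victim.example
Subject: Updated wiring instructions - urgent

Hello, please note our updated bank details for all invoices going forward.
Kindly process today's payment immediately to the new account below.
"""

# Constructed sample: an ordinary invoice from the real vendor domain.
SAMPLE_CLEAN = """From: Accounts Payable <ap@acme-supply.com>
To: payables@victim.example
Subject: Invoice 1042

Attached is invoice 1042, due in 30 days. Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("bec", SAMPLE_BEC), ("clean", SAMPLE_CLEAN)):
        print(name, bec_indicators(sample))
```

None of these indicators is proof on its own; the value is in routing any message that trips the payment-change rule to a human who verifies the request out of band, using contact details already on file rather than anything in the email.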
David Gardiner, Senior Vice President of Lowers Forensics International, offers further advice: “Crypto-based currencies are now becoming a professionally acceptable form of tender. Now more than ever, corporations need to proactively mitigate their risk and exposure. This can be done through a myriad of operating procedures, including the process of facilitating not only their outbound, but even incoming payments. Strict rules of engagement, much like the protocols already used in wire transfers (verbal confirmation, dual signature authentication, etc.) should be followed here as well.”
Stay tuned tomorrow for another fraud story from the front lines of Lowers & Associates.
It’s hard to imagine that, on any given day, over $3 trillion moves via electronic transfer. Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible. Since organizations perform these transactions almost exclusively online, the channels that carry them offer an inherent opportunity for malicious redirection whenever company employees become complacent about routine wire instructions.
Responsible organizations follow robust, documented and accepted practices in an environment that embraces process. The culture of any high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities. These processes may feel tedious and repetitive; however, at the end of the day, it is human actions that allow fraud to exist.
Since 2016, it’s estimated that over $26 billion in fraud losses has come from wire funds transfers as the result of business email compromise alone. With the COVID-19 pandemic, fraudsters have new opportunities to exploit corporations, especially in highly impacted areas. It is important for organizations to maintain a culture of process and to have contingency plans in place so that transfers can continue seamlessly without bypassing the controls.
On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar). Specific to wire transfer fraud, here are a few additional actions employers can take to reduce risk and the potential for loss:
Strengthen screening and re-screening employment practices.
Integrate and document responsibilities of all parties authorized in dual controls into processes involving preparation of wire transfer instructions and authorizing and approving such transfers.
Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.
BONUS: These are a few additional steps that businesses should think about adopting:
Email social engineering education.
Passwords should be at least 14 characters, must be complex (at least 1 of each): 1 Uppercase, 1 Lowercase, 1 Number, 1 Symbol and changed every 90 days. One caveat: current NIST guidance (SP 800-63B) favors length and screening new passwords against lists of known-breached passwords over forced periodic rotation, so if your auditors require the 90-day cycle, treat it as a floor rather than a substitute for those checks.
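The dual-control and verbal-confirmation steps in the list above are easy to state and easy to skip under time pressure. The following is an added example, not code from Lowers & Associates or from any wire platform, of how a release check can enforce them mechanically: the preparer can never be an approver, two other people must approve, and any change of beneficiary account (or a large amount) requires a callback recorded against the phone number already on file in the vendor master, never a number taken from the request itself. The field names, thresholds and vendor master are assumptions made for the example.

```python
"""Added example: enforce dual control and callback verification before a
wire is released. Field names, thresholds and the vendor master are
constructed; this is not code from the original post or a real wire system."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WireRequest:
    request_id: str
    preparer: str
    beneficiary: str
    account: str                      # beneficiary account as entered on the request
    amount: float
    approvers: list = field(default_factory=list)
    callback_by: Optional[str] = None       # who verified the instructions by phone
    callback_number: Optional[str] = None   # which number they dialled


# Assumed vendor master: account on file and the contact number recorded at
# onboarding. The callback must go to this number, not one in the request.
VENDOR_MASTER = {
    "Acme Supply": {"account": "111222333", "phone": "+1-555-0100"},
}

REQUIRED_APPROVERS = 2       # approvers other than the preparer
CALLBACK_THRESHOLD = 10_000.00   # callback required at or above this amount


def release_decision(req: WireRequest) -> tuple:
    """Return (approved, reasons). Every failed control is reported so the
    preparer sees the whole list rather than fixing one item at a time."""
    reasons = []
    distinct = {a for a in req.approvers if a != req.preparer}
    if req.preparer in req.approvers:
        reasons.append("preparer cannot approve their own request")
    if len(distinct) < REQUIRED_APPROVERS:
        reasons.append(f"needs {REQUIRED_APPROVERS} approvers other than the preparer, have {len(distinct)}")

    vendor = VENDOR_MASTER.get(req.beneficiary)
    if vendor is None:
        reasons.append("beneficiary is not in the vendor master")
    changed = vendor is not None and vendor["account"] != req.account
    if changed:
        reasons.append("account differs from the account on file: treat as a change of instructions")

    if changed or req.amount >= CALLBACK_THRESHOLD:
        if not req.callback_by:
            reasons.append("callback verification required but not recorded")
        elif req.callback_by == req.preparer:
            reasons.append("callback must be performed by someone other than the preparer")
        elif vendor is not None and req.callback_number != vendor["phone"]:
            reasons.append("callback used a number not on file in the vendor master")
    return (not reasons, reasons)


# Constructed cases.
GOOD = WireRequest("W-1", "alice", "Acme Supply", "111222333", 25_000,
                   approvers=["bob", "carol"], callback_by="bob",
                   callback_number="+1-555-0100")
# A redirected payment: new account, and the "callback" was done by the
# preparer to a number that came with the request.
REDIRECTED = WireRequest("W-2", "alice", "Acme Supply", "999888777", 25_000,
                         approvers=["bob", "carol"], callback_by="alice",
                         callback_number="+1-555-0199")
# Dual control defeated by the preparer approving their own request.
SELF_APPROVED = WireRequest("W-3", "alice", "Acme Supply", "111222333", 5_000,
                            approvers=["alice", "bob"])

if __name__ == "__main__":
    for req in (GOOD, REDIRECTED, SELF_APPROVED):
        approved, reasons = release_decision(req)
        print(req.request_id, "RELEASE" if approved else "HOLD", reasons)
```

The point of reporting every failed control at once is auditability: the hold reasons become the record an auditor reviews during the semi-annual examination of the wire function, and a pattern of "callback not recorded" holds from one preparer is itself a finding.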
Ah, complacency. That quiet sense of security or satisfaction with the status quo that prevents a person from acknowledging the potential dangers or risks around them.
We become complacent about internal controls, believing our employees have always been trustworthy and therefore we can eliminate extra steps in the process. We slack off in our security training, thinking “surely our team knows not to click on an unfamiliar link.” Or, we fail to conduct a background check because the applicant is the nephew of one of our fellow executives.
In our recent blog, 4 Culprits of Complacency, we highlighted some of the underlying factors that lead to complacency. In this blog, we bring forth five stories that expose the negative fallout and damage that can occur when organizational complacency takes root.
1. The Law Firm with Weak Accounting Controls
A law firm specializing in intellectual property let complacency derail its internal controls. The firm has five offices throughout the United States, and the satellite offices normally forward their customer payments to the corporate office for processing. Recently, however, customers of at least one of the five locations notified the firm that checks they had already paid were being duplicated, forged, and cashed again, leading to fraudulent withdrawals from the customers’ bank accounts. The fraudsters left some of the personalized information on each check, such as handwritten notes in the memo line, but replaced the recipient name, date, and check number with false information and deposited the altered check remotely through an ATM. Rather than keeping customer payments in a secure, locked location as its own procedures required, the firm grew complacent about following those internal controls, and that lapse led to this embarrassing and costly loss.
2. The National Political Committee Duped by Social Engineering
It was the hack heard round the world, all perpetrated by a simple case of spear phishing made possible by complacency. Hackers sent an email to members of the committee that looked as if it had been sent by Google and asked them to click a link to reset their passwords because of malicious activity on their accounts. Several members took the bait, and with the harvested credentials in hand, the hackers subsequently breached (and later published) more than 150,000 emails stolen from the Gmail accounts of committee members.
3. The Nursing Home That Failed to Check Employee Backgrounds
A Texas nursing home employee was caught on video physically assaulting an 83-year-old resident, who had advanced Alzheimer’s disease and could barely move, talk, or understand what was going on around her. The family sued the nursing home for $1 million for its negligent hiring of a 23-year-old employee who had previous arrests for fraud, marijuana possession, and criminal mischief on his record. Had the facility not succumbed to complacency, it would have required all workers to undergo a background check before being hired.
4. The Business Merger That Skipped Due Diligence
Two regional telecom companies that had been in competition with one another decided to take the plunge and merge, with Company A doing the actual acquiring and Company B being the one acquired. The executives of both teams had been collegial over the years and knew each other’s respective businesses fairly well, so Company A opted to forgo a formal due diligence process. It was only four months into the new merger that Company A realized Company B had inflated the size of its client base and the average revenue per subscriber (ARPS) for each of those clients. Yes, Company B had 800 clients in its account records, but a full 200 of those clients had discontinued service at some point in the preceding timeframe, leaving only 600 active clients. The true revenue, then, wasn’t ARPS x 800 clients but ARPS x 600 clients, about $600,000 a year less than had been presented in the pre-merger discovery process. Once again, complacency reared its ugly head.
5. The Medical Diagnostic Company Lacking Sound Loss Prevention Strategies
We like to think that all of our employees are honest, but even with good internal controls in place, people find ways to cheat their employers. In this case, a manager set up a series of fake companies, invoices and expense reports to reimburse himself for more than $1.2 million in false expenses. His deception was ultimately uncovered through mismatched addresses used on his falsified documents. While loss prevention tactics can’t necessarily filter out every deceitful action, it’s far better to be proactive than remain complacent, as this company did.
Is complacency a risk factor in your organization?
Lowers and Associates works with a wide range of industries, including financial institutions, healthcare providers, casinos, couriers, and insurance companies, to protect their people, brands, and profits. We offer a full range of services, from cash-in-transit evaluations to venue security to IT risk assessments.
If you’re concerned your business is at risk of being complacent, let’s talk. We’d love to help.
Wikipedia defines social engineering, in the context of information security, as the “psychological manipulation of people into performing actions or divulging confidential information.” Our increasing reliance on vast networks of digital technology for information storage, research, controls, and transactions makes organizations highly vulnerable to social engineering fraud.
There is a strong urge to combat this risk with a technological fix like stronger encryption or better management controls. The problem is not primarily a technical one, because social engineering fraud is based on the exploitation of human interactions and human frailties; an attacker who talks an authorized employee into sending a payment never has to defeat the encryption at all.
One of the more pervasive human risks in modern organizations is fraud through “social engineering.” Social engineering fraudsters gain access to your most valuable assets by using deceitful tactics to turn trusted employees or partners into unwitting and unwilling accomplices. This occurs at a typical loss rate of $25k to $100k per incident. This stealthy crime can be very hard to detect because the accomplice is unaware of being complicit, giving the perpetrator time to escape.