Here is the text of my article that appeared in the February 2017 issue of AZ CPA Magazine (Pages 11 to 13).
As we start 2017 it is a good idea to consider some of the newer fraud risks facing organizations in a digital world. The Association of Certified Fraud Examiners estimates that businesses lose around five percent of their revenue to fraud, so it is important to identify these risks so that proper internal controls can be put in place to prevent and detect them. Here are some frauds that were trending in 2016 and should be considered risks in 2017.
Criminal Identity Theft
There is a modern version of criminal identity theft. The typical pattern is for the criminal to misappropriate your Social Security Number, driver’s license number, passport number and other personal information. There are various ways to do this, including data breaches, mail theft, phishing, vishing and so on. Criminals can also gather personal information from social networking sites or buy it on the darknet. Once they have your personal information they use your name and Social Security Number to set up a shell company, usually an LLC because it is the easiest to create. The paperwork for the shell company is filed with the state, but there are no operations and no real business is conducted. After the state approves the shell company the criminals open a bank account in the company’s name, with you listed as the owner and sole member of the LLC, again using your Social Security Number. The address for the shell company will usually be a box at a mailbox store, rented in your name and paid for in cash in advance.
Once the shell company and bank accounts are set up the fraudsters get to work depositing stolen checks and processing transactions on stolen credit cards through the shell company’s accounts. As soon as the funds become available the criminals wire the money out, usually the same day the hold is released, and usually to overseas bank accounts to make it harder to trace. The money is then laundered and ends up in the criminals’ pockets. In a case from Houston, Texas the fraudster was able to cash over $5 million in stolen checks using this scheme. In another case from California two defendants pleaded guilty to fraud after cashing stolen U.S. Government checks through bank accounts opened with stolen identities. When law enforcement starts to investigate, the identity theft victim is usually the first one brought in for questioning.
Double Cashed Checks
In 2016 there was a growing trend in double-cashed check schemes. This scheme takes advantage of one of the newer conveniences in online banking, remote deposit capture. When a payee receives a check the payee photographs it with a cell phone and deposits it into their bank account; the bank never takes possession of the paper. The check clears and the victim (the check writer) reconciles their bank account without any issues. Up to this point everything is legal and no fraud has occurred. The fraudster then sits on the paper check for five or six months and takes the original, with its valid signature, to a check cashing outlet and cashes it. If the victim is properly reconciling their bank account they will notice that the same check number cleared a second time. If the victim is using positive pay, the bank should flag the second presentment as a check number it has already paid and may refuse it. Herein lies the legal issue. Since the check cashing store holds an original check with a valid signature, unless the victim can prove the store knew the check had previously been deposited, the store will usually prevail in litigation to get paid.
Once the victim has paid the check cashing store, their only recourse is to sue the payee who cashed the check twice. It is especially difficult to convince a prosecutor to file criminal charges against the payee unless the victim can show a history of double cashing, because the payee will claim it was a mistake and they forgot the check had already been deposited. The payee will often offer a payment plan of a minimal amount per month with no interest. Because of the claim of error and the offer of restitution, it can be all but impossible for the prosecutor to establish mens rea, the intent required for the crime.
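The reconciliation control described above, as an added example that is not part of the original article: the register of issued checks and the bank statement lines are constructed sample data, and the channel labels (branch, mobile_deposit, check_casher) are an assumption about what a bank export would show. It flags any check number that clears twice, reporting the gap in days between the two presentments, and any paid check that was never issued or whose amount differs from the register, which is the match a positive pay service performs on the bank's side.

```python
"""Bank reconciliation check for double-presented checks.

Added example, not from the original article. The check register and statement
lines are constructed sample data; in practice the register comes from the
accounting system and the statement from the bank's transaction or positive pay
export. Channel labels are an assumption about what such an export contains.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Issued:
    check_no: int
    payee: str
    amount: Decimal


@dataclass(frozen=True)
class Cleared:
    check_no: int
    amount: Decimal
    posted: date
    channel: str   # how the bank received it: branch, mobile_deposit, check_casher


# Constructed register: what the accounting system says was issued.
REGISTER = {
    1041: Issued(1041, "Acme Landscaping", Decimal("1250.00")),
    1042: Issued(1042, "Desert Office Supply", Decimal("310.45")),
    1043: Issued(1043, "J. Smith Consulting", Decimal("2400.00")),
}

# Constructed statement: check 1042 was deposited by phone in March and the
# paper original was presented at a check casher six months later.
STATEMENT = [
    Cleared(1041, Decimal("1250.00"), date(2016, 3, 4), "branch"),
    Cleared(1042, Decimal("310.45"), date(2016, 3, 7), "mobile_deposit"),
    Cleared(1043, Decimal("2400.00"), date(2016, 3, 9), "mobile_deposit"),
    Cleared(1042, Decimal("310.45"), date(2016, 9, 12), "check_casher"),
    Cleared(1099, Decimal("780.00"), date(2016, 9, 13), "branch"),  # never issued
]


def reconcile(register, statement):
    """Return (check_no, reason, detail) exceptions for a reviewer.

    reasons: duplicate (same number paid twice), not_issued (number not in the
    register), amount (paid amount differs from the issued amount).
    """
    exceptions = []
    seen = defaultdict(list)          # check_no -> earlier presentments
    for item in sorted(statement, key=lambda c: c.posted):
        issued = register.get(item.check_no)
        if issued is None:
            exceptions.append((item.check_no, "not_issued",
                               f"{item.amount} paid {item.posted} via {item.channel}"))
        elif issued.amount != item.amount:
            exceptions.append((item.check_no, "amount",
                               f"issued {issued.amount}, paid {item.amount}"))
        if seen[item.check_no]:
            first = seen[item.check_no][0]
            gap = (item.posted - first.posted).days
            exceptions.append((item.check_no, "duplicate",
                               f"{first.channel} {first.posted}, again {item.channel} "
                               f"{item.posted} ({gap} days later)"))
        seen[item.check_no].append(item)
    return exceptions


if __name__ == "__main__":
    for check_no, reason, detail in reconcile(REGISTER, STATEMENT):
        print(f"check {check_no}: {reason}: {detail}")
```

Run it as a script to print the exceptions. The duplicate rule compares against every earlier presentment, not only the current period, because the second presentment in this scheme arrives months after the first and a month-by-month reconciliation that only matches outstanding items can let it pass as an unexplained debit.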
CEO Spoofing
CEO spoofing, which the FBI calls business e-mail compromise (BEC), is another fraud that took off in 2016. On April 4, 2016, the FBI reported that CEO e-mail fraud had cost U.S. businesses in excess of 2.3 billion dollars. CEO spoofing occurs when the criminal sends an e-mail that appears to come from the CEO’s legitimate address, whether by forging the sender header, by registering a lookalike domain, or by taking over the CEO’s real mailbox. The criminals use the spoofed e-mail to send an invoice or payment instructions to an accounts payable clerk, insisting that the payment be made that day by check or ACH. The spoofed e-mail will often contain a fraudulent invoice with an “Approved” stamp and the CEO’s signature copied from documents found on the internet. Once the payment is sent the thieves transfer the funds out of the United States, making recovery difficult.
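A screening check for incoming payment requests, added here as an example and not drawn from the article: the company domain example-cpa.com, the executive directory, the keyword lists and the two sample messages are all constructed for illustration. It flags the patterns behind a spoofed CEO e-mail: an executive’s display name on an unfamiliar address, a sender domain one character away from the real one, a Reply-To that routes answers elsewhere, and payment language combined with urgency.

```python
"""Screening inbound payment requests for executive e-mail impersonation.

Added example, not taken from the article. The company domain, executive
directory, keyword lists and both sample messages are constructed; thresholds
(edit distance of 1) are an assumption chosen for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-cpa.com"                    # assumed legitimate domain
EXECUTIVES = {"jane doe": "jdoe@example-cpa.com"}     # display name -> known address
PAYMENT_WORDS = frozenset({"wire", "ach", "invoice", "payment", "transfer"})
URGENCY_WORDS = frozenset({"today", "urgent", "immediately", "asap", "confidential"})


def _edit_distance(a, b):
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    findings = []

    # 1. An executive's display name on a mailbox that is not theirs.
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr != known:
        findings.append(f"display name '{name}' but address {addr} (expected {known})")

    # 2. Sender domain one typo away from ours (examp1e vs example).
    dom = _domain(addr)
    if dom != COMPANY_DOMAIN and _edit_distance(dom, COMPANY_DOMAIN) <= 1:
        findings.append(f"lookalike domain {dom}")

    # 3. Replies silently routed to a different domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != dom:
        findings.append(f"Reply-To {reply_to} differs from From domain {dom}")

    # 4. Payment instruction combined with pressure to act now.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    words = set(re.findall(r"[a-z]+", (str(msg.get("Subject", "")) + " " + body).lower()))
    if words & PAYMENT_WORDS and words & URGENCY_WORDS:
        findings.append("payment request with urgency language; verify out of band")
    return findings


# Constructed sample messages.
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e-cpa.com>
Reply-To: <jdoe.ceo@example-mail.test>
To: ap@example-cpa.com
Subject: Urgent - vendor payment today
Content-Type: text/plain

Please process the attached approved invoice by wire today. I am in
meetings, so reply to this e-mail only.
"""

LEGIT = """\
From: "Jane Doe" <jdoe@example-cpa.com>
To: ap@example-cpa.com
Subject: Board packet
Content-Type: text/plain

Please add the Q1 numbers to the board packet when you get a chance.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, screen(raw) or ["no findings"])
```

A finding is a prompt to verify out of band (a phone call to the executive at a number already on file, never one taken from the e-mail), not proof of fraud. A message sent from a compromised executive mailbox passes every header test above and is caught only by that call-back control, which is why the control belongs in the payment procedure and not just in the mail filter.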
Data Breaches
Data breaches not only inconvenience the victim companies and the individuals whose information has been compromised, they also impose a significant cost on the breached organization. Because an organization that loses information entrusted to it by employees, customers and others is presumed to have failed in its duty to safeguard that information, a breach brings notification, legal, regulatory and remediation costs. According to the 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and independently conducted by the Ponemon Institute, LLC, the average total cost of a data breach was $4 million. Smaller breaches cost less than larger ones: the average cost of a breach of fewer than 10,000 records was $2.1 million, whereas the average cost of a breach of 50,000 or more records was $6.7 million. The average cost of a breach was up 29% since the 2013 study. On average a breach cost the victim approximately $158 per record compromised.
Ransomware
Ransomware is a type of malware that, once it runs on a computer, encrypts the user’s files and often any network shares or attached drives it can reach. The criminals then demand that the victim pay a ransom to obtain the decryption key and regain access to the files. The best known example is CryptoLocker; CryptoWall, a separate family whose 2.0 version appeared in late 2014, is among the variants that followed it. The FBI estimates that ransomware is on track to be a $1 billion a year crime. An older variant, Reveton, does not encrypt files at all: it installs itself without the user’s knowledge, locks the screen, and displays a bogus message purporting to come from the FBI saying the user has violated federal law and must pay a “fine” to unlock the computer.
For a single computer the cybercriminals will initially demand a ransom of $300 to $500. Larger ransoms are demanded when more computers are infected. Once the payment deadline passes the criminals raise the demand to around $1,000 per infected computer.
Typical ransomware does not encrypt the files directly with RSA. It encrypts each file with a fast symmetric cipher such as AES and then encrypts that symmetric key with an RSA 2048 public key whose private half only the criminals hold, so the files cannot be recovered without their cooperation. To give an idea of how strong that is, a widely quoted estimate is that an average desktop computer would take around 6.4 quadrillion years to factor an RSA 2048 key. The practical defense is therefore not cracking the key but maintaining offline, regularly tested backups.
On August 9, 2016, the FBI changed its position on paying Bitcoin ransoms to cybercriminals. Supervisory Special Agent Will Bales of the FBI’s Cyber Division said that businesses or individuals targeted by ransomware should refuse to pay the ransom. The U.S. Department of Justice has stated that there are approximately 4,000 ransomware attacks daily in the U.S.
Credit Card Fraud Attacks on the New EMV Chips
While many people believe the security of their credit and debit cards has increased because banks and card issuers added EMV (Europay, MasterCard and Visa) chips to the cards, this is only partly true. The chip does make it much harder for criminals to skim the card and create a working duplicate, because each chip transaction carries a one-time cryptogram instead of the static data on a magnetic stripe. The chip is not, however, a radio frequency identification (RFID) tag: the contact chip communicates only with a terminal the card is inserted into. What creates the wireless exposure is the contactless (NFC) interface that many cards also carry, which lets you pay by tapping or waving the card over a point-of-sale device. Its nominal range is a few centimeters; purpose-built readers can extend that somewhat, but the three feet often quoted in consumer warnings overstates what has been demonstrated. On many cards the card number and expiration date can be read in the clear over this interface, and that static data, usable for card-not-present fraud, is what a thief can actually carry away.
Stories circulate of criminals carrying portable, battery-operated point-of-sale terminals through crowded places such as malls, sports venues, subways and buses, brushing against pockets to trigger small card-present transactions. Two caveats apply. First, a terminal can only submit transactions through a merchant account at an acquiring bank, so the proceeds are traceable to whoever opened that account, and each contactless tap yields a single authorized transaction rather than a cloned card. Second, the $50 figure often quoted is not a threshold below which fraud is the consumer’s problem: under the Truth in Lending Act, $50 is the maximum a cardholder can be held liable for unauthorized credit card use regardless of the amount, and the card networks’ zero-liability policies usually reduce that to nothing provided the charge is reported (debit cards fall under Regulation E, where the cap depends on how quickly the loss is reported). The real risk for the consumer is the dispute: when a charge was processed as card present and you still have your card, some issuers will argue it must be legitimate, or imply you simply forgot the purchase, so review statements closely and dispute unrecognized charges promptly.
As CPAs we need to be aware of these trending fraud schemes and ensure that our clients or employers have considered these fraud risks and developed appropriate internal controls to help prevent or detect these fraud schemes. The Arizona Society of CPAs offers numerous continuing professional education courses on fraud and internal controls throughout the year to keep us informed of the latest fraud schemes.