<h1>Fraud</h1>
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Price-of-Carbon.aspx">The Price of Carbon</a></h1><p>A lawsuit against Exxon Mobil alleges the oil company understated to investors the impact of carbon pricing in evaluating projects, the <a href="https://nationalpost.com/pmn/news-pmn/canada-news-pmn/oilsands-carbon-liability-at-centre-of-closely-watched-new-york-fraud-lawsuit" target="_blank"><em>National Post</em> reports</a>. Court documents in the case filed last year by New York's state attorney general allege that Exxon often used a lower price per ton for greenhouse gas (GHG) emissions and forecast it for future years. That created "the illusion that it had fully considered the risks of future climate change regulations," the documents state. </p><p>For example, in Canada, the lawsuit claims Exxon understated carbon pricing of 14 projects in the Alberta oilsands by $30 billion, including understating one project by 94%. Exxon claims the lawsuit does not consider the multiple ways in which the company accounts for climate regulations.</p><h2>Lessons Learned</h2><p>Governments around the world are increasingly enacting new laws to put a price on carbon emitted by industrial producers, so it should not be surprising that the question of fraud has come up. As of 2019, more than 70 jurisdictions, representing about 20% of GHG emissions, have put a price on carbon.</p><p>This story involves one company, Exxon, and a case of alleged fraudulent carbon pricing that is still before the courts in two U.S. states. What can internal auditors learn about these laws that can help organizations prevent and detect what could become a more frequent fraud issue?</p><ul><li> <strong>Keep up knowledge of environmental laws and carbon-pricing regimes.</strong> In particular, internal auditors should learn about the requirements and methodologies for dealing with the pricing and taxing of carbon globally. 
For example, <a href="https://www.worldbank.org/en/programs/pricing-carbon" target="_blank">a section of the World Bank's website</a> defines and measures carbon-pricing regimes around the world. The website's up-to-date dashboard sets out the various kinds of carbon-pricing regimes in place, planned, or being implemented in various jurisdictions, including both emissions trading systems and carbon tax regimes.<br> </li><li> <strong>Assist in compliance.</strong> At this point, companies have considerable discretion in their methodologies for assessing the amounts and impacts of carbon pricing on their products and services. Greater government specificity regarding these methodologies, including their uses and disclosure, appears to be coming. For example, starting in 2020, companies under the jurisdiction of Canada's Greenhouse Gas Pollution Pricing Act must file annual compliance reports with both Environment and Climate Change Canada and the Canada Revenue Agency. Internal auditors would be useful contributors to these reports.<br><br></li><li> <strong>Understand GHG calculation criteria.</strong> Of particular note in relation to this story, Canada's compliance guidance includes several criteria regarding GHG calculations. Specifically, companies must perform these calculations in accordance with a reliable and replicable methodology.<br><br>This methodology should ensure that net emissions are capable of being measured or modeled in a reliable and repeatable manner that includes all relevant sources. Calculations should consider uncertainty to ensure quantified or estimated emissions are accurate and within scientifically established standards or acceptable statistical precision for the project or equipment type. 
Moreover, they should consider the conservativeness principle in quantifying GHG emissions to ensure they are neither under- nor overestimated.<br><br></li><li> <strong>Advise the organization about disclosure practices.</strong> Companies increasingly face pressure to be more transparent about their treatment of carbon pricing. A proactive approach seems advisable. There are many sources of good disclosure practices and guidance regarding carbon pricing, including CDP Worldwide's <a href="http://b8f65cb373b1b7b15feb-c70d8ead6ced550b4d987d7c03fcdd1d.r81.cf3.rackcdn.com/cms/guidance_docs/pdfs/000/001/567/original/CDP-technical-note-carbon-pricing.pdf?1523952114" target="_blank">Carbon Pricing: CDP Disclosure Best Practice (PDF)</a>. </li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Faking-the-Winning-Ticket.aspx">Faking the Winning Ticket</a></h1><p>He might have gotten away with it if he hadn't been greedy, a U.K. judge said in sentencing a man to nine years in prison for lottery fraud. <a href="https://www.bbc.com/news/uk-england-beds-bucks-herts-49932832" target="_blank">The BBC reports</a> that Edward Putman used a forged lottery ticket to claim a £2.5 million prize in 2009. The court found that Putman collaborated with an employee of National Lottery operator Camelot U.K. Lotteries Ltd. to create the fraudulent ticket based on a list of unclaimed winning numbers.</p><p>The scheme began to unravel after Putman's accomplice, Giles Knibbs, took his own life in 2015. Putman and Knibbs had a dispute over dividing the winnings, and earlier in 2015, Knibbs had told friends he had "conned" the Lottery.</p><h2>Lessons Learned</h2><p>Creating a fraudulent lottery ticket is not as difficult as one might think. Similar to <a href="/2019/Pages/The-Make-Your-Own-Credit-Card-Scam.aspx">creating fake credit cards</a>, there are resources on the internet that describe the basic steps for making a fake ticket. One simple method is to alter the date for which an expired ticket, with a winning number, was issued to fool the sales agent into believing that the ticket is currently valid. </p><p>However, this story involves a much more sophisticated methodology that requires a more systematic approach to fraud prevention and detection. In this case, the story notes that the U.K.'s Gambling Commission fined Camelot £3 million in 2016 for violating its operating license in the way it controlled databases, investigated prize claims, and paid out prizes. 
These are areas where lottery operators and regulators should consider some measures:</p><ul><li> <strong>Regularly review and enhance controls relating to ticket-making databases and other information sources.</strong> Putman's accomplice, Knibbs, had seen a document detailing big prizes that had not yet been claimed, while he was working for Camelot. Lottery operators should tightly protect such information, particularly details of unclaimed winning ticket numbers and locations of their sales. Very few people should have access, even within the fraud detection department. <br> <br>Related to this, human resource controls, such as regular background checks and rotation of staff, can help deter and detect fraudulent activity. Lottery operators cannot assume that specialized, experienced, long-term employees who perform highly sensitive duties can always be trusted without some measures of verification.<br><br></li><li> <strong>Make processes for investigating and paying out a prize claim as stringent as possible.</strong> This is especially necessary for large prizes. In this case, Camelot paid out the prize to Putman despite the fact that the bottom part of the mangled ticket was missing its barcode. Even if the ticket had been found valid, this is an obvious "red flag." Lottery operators should consider some form of multifactor authentication of a ticket purchase such as a duplicate paper receipt or an electronic form that contains all relevant security information. A winning ticket should not be successfully claimed without such evidence.<br><br></li><li> <strong>Improve public communications about fraud prevention.</strong> Lottery operators such as Camelot should communicate about fraud-prevention measures on their websites and through other channels. Moreover, they should add audit requirements to demonstrate the continuing effectiveness of their controls over the lottery ticket process. 
<br> <br>In the news story, Camelot states that, "We've strengthened our processes significantly since then and are completely confident that an incident of this nature could not happen today." However, Camelot's website does not provide information about either this incident or how the company is improving its fraud-prevention measures.<br><br>Lottery industry regulators should consider requirements to improve this aspect of fraud awareness and prevention, including for public communications and auditing. This might include public reporting of audit results. As a measure of deterrence, regulators could mandate that a company's operating license be suspended if a further incident of fraud occurred. </li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Making-a-Bad-Match.aspx">Making a Bad Match</a></h1><p>Your online dream date may be a scam artist. And the dating service may be knowingly turning a blind eye to the fraud. That's among the accusations in a U.S. Federal Trade Commission (FTC) lawsuit against Match Group, which operates many popular online dating apps, <a href="https://techcrunch.com/2019/09/26/dating-app-maker-match-sued-by-ftc-for-fraud/" target="_blank"><em>TechCrunch</em> reports</a>. </p><p>The FTC suit accuses Match of using misleading advertising, billing, and cancellation policies to convince Match.com app users to become subscribers. The FTC alleges that <a href="http://match.com/" rel="nofollow">Match.com</a> sent emails to app users alerting them to messages from interested individuals, even though the service already had flagged those accounts as fraudulent. Indeed, the FTC contends that Match knew scammers comprise as much as 30% of Match.com registrations. Moreover, Match's research confirms that between June 2016 and May 2018, almost 500,000 people signed up for subscriptions to the site within 24 hours of receiving an email associated with a fraudulent account. </p><p>Once users had signed up for a six-month subscription, the FTC alleges Match.com made it difficult for them to cancel the service. That would put Match.com in violation of the U.S. Restore Online Confidence Act, which requires companies to provide a simple method to stop recurring charges.</p><h2>Lessons Learned</h2><p>According to FTC statistics, U.S. residents reported losing $143 million to romance scams in 2018 — a higher total than for any other type of scam reported to the commission. The median reported loss was $2,600, and it was $10,000 for people over 70. 
</p><p>This story brings to light that online dating businesses cannot be trusted to fully protect subscribers from such scams, nor are they transparent in the way they deal with customers and their concerns. While the outcome of this case is not yet known, online dating services can take several measures to detect and reduce such scams and business practice exploitation. </p><ul><li> <strong>Mandatory audits of anti-fraud and scamming activities should be required.</strong> While Match does have some educational anti-fraud material on its company website, it is not clear how comprehensive the company's approach is. According to this story, Match contends that it has "developed industry-leading tools and [artificial intelligence] that block 96% of bots and fake accounts from our site within a day." The company says it relentlessly pursues malicious accounts.<br> <br>Companies that operate in fields where quantitative business processes and data are abundant should be able to monitor, audit, and publicly report the results. The latter may be a regulatory measure worth considering by the FTC, at least temporarily when a company has violated standards and laws.<br><br></li><li> <strong>The consequences for deceptive business practices need to be significant.</strong> These consequences also should apply to companies that knowingly allow fraud to take place. Penalties such as reimbursement of subscription fees — as the FTC is asking for in this case — are justified. <br> <br>Match also needs to review and clean up its subscription, billing, and cancellation policies and process. For example, the company could establish a "no questions asked" cancellation and refund policy for an initial period, or provide potential new subscribers with a free trial period with full access to services. The billing and cancellation policy and process should be simplified and publicized, with no hidden additional requirements. 
Internal auditors would be able to advise on ways to implement these measures.<br><br></li><li> <strong>Measures to ensure market competition may be needed.</strong> Match may face negative publicity from this case, which could lead the company to change its business practices. Given that Match is the predominant company in the online dating field, the FTC could consider whether there is sufficient competition in this industry to foster a high ethical standard of business practices and undertake additional regulatory measures. </li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Deepfake-Deception.aspx">Deepfake Deception</a></h1><p>The CEO just called asking you to send a wire transfer. But are you sure it's the CEO? That voice that sounds like the organization's leader may be a deepfake — an audio or video file that has been created using artificial intelligence.</p><p>Deepfakes are becoming the latest lure in phishing schemes, <a href="https://www.pcmag.com/commentary/370606/scammers-go-phishing-with-deepfakes?utm_source=email&utm_campaign=whatsnewnow&utm_medium=title" target="_blank"><em>PC Magazine</em> reports</a>. Recently, hackers tricked a managing director at a British energy company into authorizing a $243,000 wire transfer to an account in Hungary by creating a fake voice model that sounded like the company's CEO, according to <a href="https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402" target="_blank"><em>The Wall Street Journal</em></a>. In an email, the employee told the company's insurance carrier, Euler Hermes, that "the voice was so lifelike that he felt he had no choice but to comply," <a href="https://www.washingtonpost.com/technology/2019/09/04/an-artificial-intelligence-first-voice-mimicking-software-reportedly-used-major-theft/" target="_blank"><em>The Washington Post</em></a> says. Cybersecurity firm Symantec told the <em>Post</em> that it knew of three recent incidents in which attackers mimicked the voices of executives to defraud companies.</p><h2>Lessons Learned</h2><p>Any new technology or societal advance seems to inevitably raise opportunities for fraudsters to benefit at the expense of organizations and individuals. As this news story illustrates, the threat of deepfake fraud and phishing is here and likely to grow. In fact, deepfake audio and video is becoming cheap and easy to create with computers and software, and how-to videos are showing up on social media. 
</p><p>Deepfake video and audio files are not necessarily bad, as we have seen with some educational and comedic videos on late night TV. The problem is when they are used for crime. What can regulators, organizations, and internal auditors do to identify and counter this threat before it causes damage?</p><ul><li>First and foremost, fraud detection and prevention is a cat-and-mouse exercise — what works now may not last as a long-term solution. Therefore, regulators, organizations, and internal auditors need to educate themselves on how the AI behind deepfakes can be used to defraud.<br><br></li><li>Implementing a two-step verification process where sensitive information, money, or decisions are being sought, is essential. Auditors should keep in mind the concept of "never trust, always verify." That verification process can be as simple and low-tech as a mandatory return phone call to verify sources. Technology-based verification includes requiring the requestor to enter an encrypted passcode separately, and subjecting the request, regardless of its form, to computer-based audio/video analysis to verify its authenticity before taking action. <br><br></li><li>While human beings inevitably will bear the brunt of having to respond to these deepfake fraud attacks, a machine-based approach will be more effective — but only under certain conditions. People still need to learn more about this threat and be equipped to address it.<br><br></li><li>One tool that shows promise is a recurrent neural network (RNN). An RNN is a class of artificial neural network in which connections between nodes form a pattern along a temporal sequence, allowing it to exhibit temporal dynamic behavior that can be applied to handwriting, speech, or visual recognition. These networks can be trained to identify inconsistencies. 
<br> <br>Applied to video deepfakes, an RNN could identify inconsistencies in lighting conditions, shadows, reflections, or even an entire face, including physiological elements such as mouth movement, blinking, and breathing. This is possible because the algorithms used to build a deepfake work frame by frame but cannot remember what is created for previous frames. <br> <br>While RNN technology can be expensive and may be best suited to protecting against deepfakes of senior executives, software companies currently are developing products that will be more cost-scalable and readily deployed across larger organizations. Such technology could be used in real time to verify the authenticity of a video or audio request as it comes in. For example, Adobe has developed AI that can detect faces that have been manipulated in Photoshop. Another example uses blockchain technology along with AI to create a digital signature that cannot be altered, and will identify attempts to alter it, for embedding in legitimate audio and video.<br><br></li><li>Academic research and collaboration also is needed to understand deepfakes and other forms of manipulated media. Since deepfake videos can go viral on social media, these sites already are working to combat the threat. <br> <br>For example, Facebook deploys engineering teams that can spot manipulated photos, audio, and video. In addition to using software, Facebook and other social media companies hire people to look for deepfakes manually. Similarly, the AI Foundation, a nonprofit organization that focuses on human and AI interaction, conducts research into these issues.</li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Protecting-the-Protectors.aspx">Protecting the Protectors</a></h1><p>U.S. federal prosecutors say a former U.S. Army civilian employee and four accomplices stole money from current and former military members and opened accounts in their names to facilitate the crimes, <a href="https://www.militarytimes.com/news/pentagon-congress/2019/08/21/army-civilian-staffer-among-five-charged-in-benefits-fraud-scheme-which-stole-millions-from-servicemembers/" target="_blank"><em>Military Times</em> reports</a>. Prosecutors allege that former civilian medical records technician Fredrick Brown photographed the medical files of service members stationed at the Yongsan Garrison in South Korea. Those records included Social Security numbers and military IDs. </p><p>With that information, prosecutors say Brown and his alleged accomplices set up fake accounts in the U.S. Department of Defense and Department of Veterans Affairs (VA) benefits systems and routed money from those accounts into other bank accounts. The group members, now under arrest, also allegedly accessed and stole money from service members' bank accounts. </p><h2>Lessons Learned</h2><p>Members of the U.S. military are twice as likely as other people to be victims of fraud, including identity theft, according to a 2017 AARP study, <a href="https://www.aarp.org/content/dam/aarp/research/surveys_statistics/econ/2017/military-veterans-consumer-fraud.doi.10.26419%252Fres.00182.001.pdf" target="_blank">Under Fire: Military Veterans and Consumer Fraud in the United States</a> (PDF). The AARP website also details the wide range of fraud schemes perpetrated on veterans, including phishing, imposter scams, and investment and loan schemes. 
</p><p>What can internal auditors and military organizations learn from this story to better prevent and detect identity theft targeting military service members?</p><ul><li>First and foremost, access to the personal information of service members needs to be tightly restricted, while permitting efficient use for legitimate reasons. The fact that the accused individuals had access to medical files and the scheme appears to have been going on since 2014 suggests a need for greater security measures. For example, supervisors and security cameras could have monitored employee activity better during working hours — taking thousands of pictures of medical files takes time and effort that should have been noticed sooner. <br> <br>More frequent rotation of employees who handle sensitive personal information is another possible measure. Likewise, more stringent employee background checks and regular monitoring updates, especially for jobs handling sensitive information, may have helped deter the alleged fraud.<br><br></li><li>All organizations, including the military, need to review and tighten access to employees' personal information such as Social Security numbers. For example, for decades, the U.S. military used Social Security numbers as personal identifiers, which were shared all over the world as service members filled out forms, checked in on base, and showed their military ID cards. <br> <br>In recent years, the military has reduced or eliminated the use of Social Security numbers wherever possible. The U.S. federal government has been removing Social Security numbers from ID cards since 2008, but they are not scheduled to be fully removed from the cards' bar codes, QR codes, and magnetic strips until 2022.<br><br></li><li>Bank and credit card alerts could help military personnel protect their personal information from identity thieves, particularly when service members are involved in a lengthy deployment. 
When service members are not able to check their bank and credit card accounts regularly, fraudsters have time to do a lot of damage before anyone notices. <br> <br>Deployed military personnel can help prevent identity theft by placing an active duty alert on a credit report through a credit reporting company such as Equifax, Experian, or TransUnion. These alerts last for one year but are renewable. The credit reporting company is required to contact the other credit reporting companies about the alerts. <br> <br>In addition, veterans may be eligible for free credit monitoring through the VA. The VA also has an identity protection program called <a href="https://www.va.gov/identitytheft/" target="_blank">More Than a Number</a> that provides veterans and their beneficiaries with information about how to protect themselves. Banks may offer similar programs. </li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Make-Your-Own-Credit-Card-Scam.aspx">The Make Your Own Credit Card Scam</a></h1><p>Five individuals allegedly used fake credit cards to steal more than $500,000 in merchandise from HomeGoods, Marshalls, and TJ Maxx stores, <a href="https://abc7ny.com/5-charged-in-retail-fraud-ring-accused-of-stealing-over-$500000/5470192/" target="_blank">WABC reports</a>. Police in Westchester County, N.Y. say the group created fake credit cards for the three stores and purchased items with those cards until the stores discovered they were fraudulent. Police charged the individuals with multiple counts of grand larceny and are investigating whether the group's alleged activities extended beyond Westchester County.</p><h2>Lessons Learned</h2><p>The value of the goods and money allegedly stolen by the fraudsters in this story pales in comparison with the billions of dollars lost in the past two decades to hackers, skimmers, and other kinds of credit card and identity thieves. Yet, it is still easy for criminals to manufacture fake credit cards and IDs to commit fraud. </p><p>For example, it is legal to purchase a credit card embosser, but it is illegal to use it to commit credit card fraud. These machines can be bought for $1,000 to $3,000, including on the internet. Moreover, there are plenty of videos that show in detail how to make fake credit cards and IDs. In addition, anyone can purchase a magnetic stripe reader (skimmer) for $5 to $10.</p><p>What more can be done to help prevent this kind of fraud? Here are some suggestions for regulators, financial institutions, retailers, and auditors.</p><ul><li> <strong>Restrict the availability of credit card embossing and other similar machines. 
</strong>While there can be legitimate reasons why individuals would own these machines, requiring greater background checks before allowing such purchases to take place could help prevent them from being used illegitimately.<br><br></li><li> <strong>Extend the use of two-factor authentication in conducting financial transactions.</strong> Whether it is a password, personal identification number (PIN), or code sent to a verified location for a card not present transaction, these technologies are helping reduce fraud. More particularly, accelerating the deployment of smart chip technology — known as Europay, MasterCard, and Visa (EMV) — is a significant way to prevent credit card fraud. <br> <br>Widely used in Canada, Europe, and other countries, EMV-based cards are much more secure and harder to hack, at least from a skimming point of view, and they also require a PIN. Counterfeit fraud rates decreased more than 50% in the U.S. between 2016 and 2017 as a result of EMV adoption by merchants, according to MasterCard and Visa.<br> <br>Being EMV-compliant requires having a terminal or point of sale system that can process credit cards with chips embedded in them. Switching to a credit card terminal that can accept chip cards comes with a cost and currently is not mandatory. However, businesses that do not have EMV-compliant terminals risk incurring financial responsibility for any credit card fraud that happens. Not only can business owners protect themselves by becoming EMV-compliant, but they also can contribute to the overall effort to combat credit card fraud.<br><br></li><li> <strong>Retailers and banks need to move away from using magnetic stripes.</strong> In addition to the transition costs, some critics say people won't use their credit cards as often if they have to enter a PIN. Yet, a dual EMV/magnetic stripe system invites fraudsters to simply avoid using the chip technology. 
That said, many retailers are using a system that requires the use of the chip on a credit card where available. <br> <br>Alternatively, some retailers are moving to a system where consumers can just tap their cards without entering a PIN, or even just have their cards in their pockets. This type of system is not secure, though — anyone with the right equipment can sit in his or her car and intercept transaction information.<br><br></li><li> <strong>Retailers and auditors should review transaction processes to ensure there are adequate controls in place. </strong>This review needs to include the policies and processes around transaction processes as well as whether employees are trained and required to comply with them.<br> <br>First, inspect the credit card before processing. Indications of tampering or damages may include embossing on the card that isn't clear or straight, a hologram that is rough and not three-dimensional, and signs of tampering on the front and back of the card.<br> <br>Second, ask for customer identification before accepting a credit card and verify that the information between the shopper's ID and his or her payment card match. Specifically, keep an eye out for the shopper's name and signature.<br> <br>Third, compare the account number on the card with the number in the terminal and receipt. Regardless of whether a card is swiped, tapped, or inserted into the machine, verify that the digits on the card match the ones in the retailer's terminal. Examine the printed receipt to see if the last four numbers on the card match the ones on the receipt. When there is doubt, make an authorization request. Doing so will connect the retailer to the card issuer, who will then ask a series of yes or no questions to avoid alerting the customer that his or her card is being flagged.<br> <br>Fourth, be aware of the business' purchasing averages and patterns. 
If a transaction falls completely outside of those averages, or a daily maximum is reached (as in this story), pay close attention to that transaction and take extra steps to verify the card's authenticity. </li></ul><p>Art Stewart</p>
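<p>The fourth review step above (knowing the business's purchasing averages and watching for transactions that fall far outside them or push a card past a daily maximum) can be turned into a simple back-office check. The following is an added example written for this column, not code from the author, the retailers named, or any card network; the transaction records, the per-card daily cap, and the "more than three standard deviations above the store's mean ticket" outlier rule are all constructed assumptions for illustration.</p>

```python
"""Flag card transactions that break a store's usual pattern or a per-card daily cap.

Added example (not from the original column or any retailer's system). The sample
data, the daily cap and the z-score threshold are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of normal tickets, used to build each store's baseline.
# Record layout (assumed): (date, store_id, card_last4, amount)
HISTORY = [
    ("2019-07-29", "HG-17", "1201", 42.10), ("2019-07-29", "HG-17", "5524", 38.50),
    ("2019-07-30", "HG-17", "8813", 67.00), ("2019-07-30", "HG-17", "3090", 55.25),
    ("2019-07-31", "HG-17", "6618", 29.99), ("2019-07-31", "HG-17", "2245", 71.40),
    ("2019-08-01", "HG-17", "9007", 48.80), ("2019-08-01", "HG-17", "4136", 61.15),
    ("2019-07-29", "TJ-05", "7710", 410.00), ("2019-07-30", "TJ-05", "0042", 455.50),
    ("2019-07-30", "TJ-05", "6391", 390.25), ("2019-07-31", "TJ-05", "2208", 520.00),
    ("2019-08-01", "TJ-05", "5573", 470.75), ("2019-08-01", "TJ-05", "1184", 435.00),
]

# Constructed transactions for the day under review.
TODAY = [
    ("2019-08-02", "HG-17", "9910", 58.20),    # ordinary ticket, should pass
    ("2019-08-02", "HG-17", "3377", 1240.00),  # far above HG-17's usual ticket
    ("2019-08-02", "TJ-05", "7788", 480.00),
    ("2019-08-02", "HG-17", "4421", 760.00),
    ("2019-08-02", "TJ-05", "7788", 495.00),
    ("2019-08-02", "TJ-05", "7788", 510.00),
    ("2019-08-02", "HG-17", "4421", 790.00),   # same card again: 760 + 790 > cap
    ("2019-08-02", "TJ-05", "7788", 465.00),   # normal size, but 4th hit on one card
]

DAILY_CARD_CAP = 1500.00  # assumed per-card daily maximum in the store's policy
Z_THRESHOLD = 3.0         # assumed: flag tickets > mean + 3 standard deviations


def store_baselines(history):
    """Return {store_id: (mean_ticket, stddev_ticket)} from historical tickets."""
    by_store = defaultdict(list)
    for _date, store, _card, amount in history:
        by_store[store].append(amount)
    return {s: (mean(a), pstdev(a)) for s, a in by_store.items()}


def flag_transactions(transactions, baselines, cap=DAILY_CARD_CAP, z=Z_THRESHOLD):
    """Return [(transaction, [reasons])] for tickets worth a second look.

    'outlier'   : amount exceeds the store's mean by more than z standard deviations
    'daily_cap' : this transaction pushes the card's running total for the day past cap
    Transactions are processed in order, so the running total is per (date, card).
    """
    flagged = []
    running = defaultdict(float)  # (date, card_last4) -> amount spent so far that day
    for txn in transactions:
        date, store, card, amount = txn
        reasons = []
        baseline = baselines.get(store)
        if baseline is not None:
            mu, sigma = baseline
            if sigma > 0 and amount > mu + z * sigma:
                reasons.append("outlier")
        running[(date, card)] += amount
        if running[(date, card)] > cap:
            reasons.append("daily_cap")
        if reasons:
            flagged.append((txn, reasons))
    return flagged


if __name__ == "__main__":
    for txn, reasons in flag_transactions(TODAY, store_baselines(HISTORY)):
        print(f"REVIEW {txn[1]} card ****{txn[2]} ${txn[3]:,.2f}: {', '.join(reasons)}")
```

<p>Baselines come from a separate history rather than from the day being scored, so a single huge ticket cannot inflate the standard deviation and hide itself. The cap check is cumulative per card per day, which catches the pattern in the story (several mid-sized purchases on one card) even when no single ticket is unusual for the store.</p>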
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Refund-Cheat.aspx">The Refund Cheat</a></h1><p>The Ontario Court of Appeal has ruled that a university student who fraudulently obtained more than CA$41 million in tax refunds should have been sentenced to 36 months' jail time, rather than the original 13-month sentence he received, the <em>Toronto Sun</em> reports. Nonetheless, the court decided to spare the individual any further jail time, stating that it could not justify additional punishment.</p><p>The offender, now 30, pleaded guilty in 2018 to filing fraudulent tax forms, falsely representing himself as an official from various corporate entities in a scam that began in 2013. The multimillion-dollar refunds were deposited into his personal accounts, though bank diligence prevented him from accessing the bulk of the funds. The Ontario man managed to withdraw just CA$15,000, which he later paid back to the Canada Revenue Agency (CRA).</p><h2>Lessons Learned</h2><p>Although there's room for debate on the severity of this fraudster's sentence, audit analysis should focus on how the fraud was committed and what might be done to prevent it from occurring in the future. The method used represents a unique form of phishing/mail fraud, and the ease with which the Ontario man perpetrated it against the CRA is somewhat alarming.</p><p>The offender simply downloaded publicly available forms from the CRA website to redirect direct deposits made to several large corporations — including Coca Cola Ltd. and Shell Canada Ltd. — to his own accounts. He placed his personal banking information on the form and mailed it to the CRA. Refunds amounting to more than CA$41 million relating to the Goods and Services Tax/Harmonized Sales Tax were then paid into his accounts. 
He apparently needed to make numerous phone calls, falsify information, and impersonate others to succeed, but it worked — until the banking institutions caught on to the scheme. </p><p>This case illustrates a variation of a newer form of phishing fraud, where fraudsters use emails/communications (increasingly well written, cordial, and free of misspellings and grammatical errors) purporting to come from CEOs, chief financial officers, or payroll directors. The fraudsters seek to convince officials to change the bank account and routing information used for direct deposit of checks. This kind of fraud is growing because it can more easily bypass many existing technical controls. Plus, if the perpetrator steals smaller sums, the victim organization may just fold it into the cost of doing business.</p><p>The CRA — and perhaps other tax agencies around the world — needs to review and strengthen controls over its direct deposit system, if it has not already done so. That could be accomplished simply by limiting the access to corporate direct deposit processes, such as requiring them to be managed via CRA's My Business Account process. My Business Account is more secure than public websites and forms, while still facilitating electronic transactions. Whether the agency prefers a secure electronic account process or continues to use a more public method, additional verification methods need to be applied — particularly where a new or changed set of banking information is involved. 
Some of the verification methods to prevent direct-deposit phishing scams include:</p><ul><li>Implement a two-step or multifactor verification process.</li><li>Require administrators, including IT, to monitor unusual activity, such as changes made to contact and banking information on a large number of accounts over a short period.</li><li>Create a policy that, after a change to banking information, requires a temporary reversion to paper check and/or direct contact with the requestor or bank involved.</li><li>Ensure that login credentials required for changes in account/banking information are different from credentials used for other purposes.</li></ul><p>Finally, employee education should cover areas such as:</p><ul><li>Common social engineering and phishing techniques.</li><li>Basic cybersecurity hygiene.</li><li>Strategies for identifying phishing attacks, including new variations.</li><li>Ways to safeguard personal and corporate information.</li><li>Unsafe online behavior.</li></ul>Art Stewart
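The monitoring and hold controls listed above, applied to a constructed log of direct-deposit change requests, as an added example that is not part of the column or any CRA system: it flags a burst of banking changes over a short period, flags one destination bank account set on several unrelated payees (the pattern in this case), and lists the changes that should be held for out-of-band verification. Field names, channels, thresholds and all event data are assumptions made for illustration.

```python
"""Detection logic for direct-deposit banking-information changes.

Added example, not from the IIA column or the CRA. Every record below is
constructed for illustration; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed change log: one row per "change my direct-deposit details"
# request. 'dest' is the new bank account the payee asked refunds to go to
# (masked here; a production system would store a keyed hash, not the number).
EVENTS = [
    {"ts": "2013-03-01T09:12", "payee": "CORP-A", "dest": "003-123456", "channel": "mail"},
    {"ts": "2013-03-02T14:05", "payee": "CORP-B", "dest": "003-123456", "channel": "mail"},
    {"ts": "2013-03-02T15:40", "payee": "CORP-C", "dest": "003-123456", "channel": "mail"},
    {"ts": "2013-03-03T10:00", "payee": "CORP-D", "dest": "003-123456", "channel": "mail"},
    {"ts": "2013-05-20T11:30", "payee": "CORP-E", "dest": "010-777777", "channel": "portal"},
    {"ts": "2013-09-14T08:45", "payee": "CORP-F", "dest": "021-555555", "channel": "portal"},
]


def _parsed(events):
    """Copy of the events with 'ts' as datetime, ordered by time."""
    out = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(out, key=lambda e: e["ts"])


def shared_destination_alerts(events, min_payees=2):
    """Return {dest: [payees]} for every destination account that has been set
    on at least `min_payees` distinct payee accounts. Unrelated corporations
    do not share a bank account, so this catches one person redirecting
    several organisations' refunds to themselves."""
    by_dest = defaultdict(set)
    for e in events:
        by_dest[e["dest"]].add(e["payee"])
    return {d: sorted(p) for d, p in by_dest.items() if len(p) >= min_payees}


def change_burst_alerts(events, window=timedelta(days=7), max_changes=3):
    """Return [(window_start, count)] for each event that begins a window in
    which more than `max_changes` banking changes arrived across all payees.
    Overlapping windows of the same burst each appear once the count exceeds
    the threshold, so a large burst yields several entries."""
    evs = _parsed(events)
    alerts = []
    for i, start in enumerate(evs):
        in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
        if len(in_window) > max_changes:
            alerts.append((start["ts"].isoformat(timespec="minutes"), len(in_window)))
    return alerts


def hold_for_verification(events, low_assurance_channels=("mail",)):
    """Payees whose change arrived through a low-assurance channel (a mailed
    paper form, in this case). Policy: the next payment reverts to a paper
    check and the payee is contacted at previously known details before the
    new account is used."""
    return sorted({e["payee"] for e in events if e["channel"] in low_assurance_channels})


if __name__ == "__main__":
    print("shared destinations:", shared_destination_alerts(EVENTS))
    print("change bursts:", change_burst_alerts(EVENTS))
    print("hold for verification:", hold_for_verification(EVENTS))
```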
Guilt by Associationhttps://iaonline.theiia.org/2019/Pages/Guilt-by-Association.aspxGuilt by Association<p>Olivia Munro, a hospital chief financial officer (CFO) and former pharmacist, was approached about the treasurer position with her state's pharmacy organization, which was experiencing sustainability issues. The organization's finances and membership numbers were in decline, and the board was struggling to lead through these challenging times. Out of a sense of professional obligation, she agreed to serve in the role. Never having served on a professional board, Munro did not know what to expect. </p><p>The small association of approximately 750 members charged an annual fee of $350, which included educational programming to satisfy mandatory continuing education requirements for professional licensure. Most of the revenues, however, came from an annual educational meeting that charged a registration fee to attend. The meeting was poorly attended, so most of its revenue came from pharmaceutical manufacturer grants for advertising. </p><p>After joining the board, Munro quickly realized that the organization had exhausted the available and willing volunteers within the state. Subsequently, it recruited less qualified people into leadership roles and recycled previous leaders. With the focus of the organizational leadership on the professional mandate, the financial affairs had been placed in the hands of underqualified individuals with limited fiscal acumen. As a result, this once-healthy organization became insolvent and contracted with an external professional management company specializing in turning around professional organizations. </p><p>Historically, the organization had several decades of financial success, accumulating $500,000 in reserves for operating purposes and an additional $250,000 in restricted funds to support scholarships for students in underserved communities. 
Although the organization previously had a treasurer, his limited financial expertise was evident in the lack of financial controls in place. </p><p>Munro wanted to determine the status of the organizational books she was inheriting, so she reviewed them to make sure transactions had supporting paperwork, there were no unusual transactions, and the bank balances reconciled. She had several questions regarding the language in the contract with the management company and learned that it had been signed without legal review. In particular, the contract contained a confusing evergreen clause perpetuating the relationship on a mandatory three-year cycle, rather than the typical one-year extensions. Further, the contract did not contain a termination clause. The fee structure was equally complicated, with various a la carte upcharges that were poorly defined. This made it difficult to clarify which services were included in the initial contract and which were added on. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Outsourcing relationships and contracts should be reviewed by internal audit for control weaknesses before implementation and before any significant changes. There is an opportunity for internal audit associations to share guidelines with nonaccounting associations to improve financial practices and protections. </li><li>Internal audit should ensure management has processes in place to monitor contract requirements on a regular basis. The absence of these reviews leads to undetected issues and the inability to optimize the value of the relationship.</li><li>Organizations that don't segregate financial duties open themselves up to misappropriation of funds and fraud.</li><li>Failure to maintain signatory authority can prevent organizations from legally accessing their own banking information for audit.</li><li>Regardless of the professional nature of an organization, knowledgeable financial people should be assigned to monitor its finances. </li><li>If the outsourced relationship fails to produce financial statements and banking documents regularly, it should prompt an immediate review and rigorous follow-up.</li></ul></td></tr></tbody></table> <p>The relationship had been positive, and the organization eventually transitioned additional authority to the management company; this transfer was not reflected in a contractual amendment and instead was governed by email communications. It included managing the organization's website and membership database and organizing the annual meeting. As part of this transition, the organization's official mailing address was also changed to that of the management company, and the company was given signatory authority on the organization's bank accounts. In effect, the management company had complete control of the organization's finances and operations. </p><p>Over time, the management company's level of service began to decline. The assigned management representative failed to attend board conference calls and to provide contractually required information such as monthly financial reports. In addition, bank statements were no longer being provided for review and reconciliation by the treasurer, and requests for status updates were met with increasingly vague answers. </p><p>Munro feared that the organization's funds had been fraudulently misappropriated and requested access to the organizational paperwork. Her requests were repeatedly ignored or incompletely fulfilled. 
The management company was located in an adjacent state, so a local accountant was hired and law enforcement was notified to gain access to the records. Records were limited, and those that were available had sloppy documentation, making it impossible to track payments and expenses accurately. Bank statements showed that $300,000 of the organization's funds had been spent and that current hotel expenses of $120,000 from the annual meeting had not been paid.</p><p>The organization obtained legal counsel and additional discovery followed. During the previous year, the management company had systematically billed the organization $100,000 for a la carte fees associated with ill-defined activities not specifically outlined in the contract. Because the management company had been given authority to pay itself directly from the organization's bank account, and had used the a la carte provisions to generate repeat charges that organizational leadership never reviewed, legal counsel did not think it would be possible to recover these damages. The fact that the organization had not received the monthly bank statements it would have needed to question these practices was considered gross negligence on the part of the organization. </p><p>The remaining $250,000 in restricted funds was also missing. When challenged, the management company refused to return it, asserting that the original contract had auto-renewed for an additional three-year period under the evergreen clause. The organization had failed to give notice within the contractual 90-day notice period and, as a result, the remaining funds were due to the management company to satisfy the three-year extension of the contract. The organization's board concluded, with input from legal counsel, that the legal fees would exceed what the organization could potentially recover. The management company filed for bankruptcy and subsequently reopened under a new name. 
</p><p>The management company had control of the organization's website, domain name, and membership lists; ultimately, it agreed to return control of these proprietary operational elements, and both sides walked away. The organization began to rebuild, and Munro set up appropriately designed financial controls. Shockingly, the membership reelected the same board, and Munro decided to step down from her role as treasurer.</p>Scott Mark
Fraud in Transithttps://iaonline.theiia.org/2019/Pages/Fraud-in-Transit.aspxFraud in Transit<p>The new inspector general (IG) of New York's Metropolitan Transportation Authority (MTA) has issued 30 backlogged reports on misconduct within the agency, according to the <a href="https://www.nydailynews.com/new-york/ny-mta-inspector-general-report-fraud-release-20190710-e7vrqdm5kvep7cghtwvh625qgu-story.html" target="_blank"><em>New York Daily News</em></a>. The reports detail incidents in which MTA employees were disciplined for overtime abuse, conflicts of interest, and corruption since 2017. </p><p>The most glaring incidents included a railroad foreman who received $280,000 in pay when he wasn't working, an MTA police officer who was using his company car for a second job, and a subway maintenance employee who used sick leave to take a European honeymoon. The reports came out six weeks after IG Carolyn Pokorny took office.</p><h2>Lessons Learned</h2><p>It seems that the MTA, with the help of its IG, is achieving some success in uncovering time, attendance, and other forms of employee fraud. However, a review of the IG's annual report and recommendations covering the various cases in this news story suggests that further measures may be needed to address widespread employee fraud more systematically. Here are three suggestions that might be applicable:</p><ul><li> <strong>Increase the scope and frequency of audits and monitoring of time and attendance processes. </strong>Continuous monitoring, along with regular audits, can reveal risks from employee time theft, and the processes needed can be implemented using technology. A simple way to do this is having managers and supervisors run monitoring reports, or even audits, on randomly selected employees' time reporting, whether it is paper- or electronic-based.<br><br>There also should be separate scrutiny of managers' and supervisors' behaviors to determine whether they are monitoring and approving employee time and attendance reporting appropriately. This scrutiny also can help uncover collusion between employees and managers.<br><br>Further, the payroll department should run weekly reports to determine whether certain departments are consistently over budget for payroll, which may be caused by time and attendance fraud. Alternatively, this spending may be legitimate but could point to the need for improvement, such as in how work is scheduled. Either way, monitoring and auditing can identify patterns and misinformation, and they may indicate that the time-tracking method currently in place is not the best option.</li><li> <strong>Integrate time and attendance with payroll functions. </strong>This can help reduce errors and fraud in employees' time reporting. When attendance and payroll functions are separate, human resources (HR) staff must re-enter information and move the data between the two programs, creating an opportunity for mistakes and fraud. Employees may collude or engage in nepotism. An HR employee may purposefully record fraudulent time information for himself or herself, HR colleagues, or other co-workers.<br><br>By integrating the two systems, information from the time and attendance program moves to the payroll program automatically, reducing the risk of fraud. Of course, this approach's effectiveness will be enhanced by good communication of what is expected of employees and by establishing methods that facilitate their compliance. Such methods include encouraging employees to enter data in a timely manner and automating that process.</li><li> <strong>Cross-check time and attendance. </strong>Verifying that employees were truly present when they say they were is key to helping reduce time-and-attendance fraud. Although there are many methods for such cross-checks, a biometric time clock may be best suited to organizations with a large and diverse workforce. Mobile timesheets and web timesheets include time stamps and make it easier for employees to enter their information. By connecting timesheet data to other apps and tools, such as user engagement metrics or biometric data on employees' physical attendance, auditors can verify whether employees were present and working when they say they were.<br><br>This story also references the fact that the MTA recently introduced global positioning system (GPS) units to track the location of employees and their company vehicles. The MTA should expand the use of GPS units, which employees can easily carry while working in many varied situations.</li></ul>Art Stewart
The Benefits Swindlershttps://iaonline.theiia.org/2019/Pages/The-Benefits-Swindlers.aspxThe Benefits Swindlers<p>A Toronto hospital has fired about 150 employees accused of falsely claiming benefits in one of Canada's largest benefits fraud schemes, <a href="https://nationalpost.com/news/torontos-baycrest-hospital-fires-around-150-employees-after-uncovering-multimillion-dollar-fraud-scheme" target="_blank"><em>The National Post</em> reports</a>. Baycrest Health Services acknowledged that $5 million in fraudulent claims occurred over an eight-year period at its Baycrest Hospital. </p><p>Consultants first discovered the fraud several months ago while they were vetting a potential partnership between Baycrest and other hospitals. A third-party internal investigation revealed that hospital employees submitted invoices for services they never received and paid a kickback to providers. Another scheme involved accepting products unrelated to the medical device that had been prescribed and paying the provider the difference in price between the two products. </p><p>Baycrest has opted not to press charges against the individuals who were allegedly involved. </p><h2>Lessons Learned</h2><p>Workplace benefits fraud is on the rise in Canada, costing insurance companies hundreds of millions of dollars each year, according to the <a href="https://www.clhia.ca/web/CLHIA_LP4W_LND_Webstation.nsf/page/4ABC3507651CE9C8852583B40071BBB6%21OpenDocument" target="_blank">Canadian Life and Health Insurance Association</a> (CLHIA). For example, in 2018, employees at the Toronto Transit Commission were found to be engaging in similar benefits fraud activities worth as much as $5 million.</p><p>Baycrest's benefits administrator has said his company has "rigorous standards and protocols in place to defend against and detect such activities." He said the company is committed to becoming more vigilant about benefits fraud and has implemented measures "to further guard against similar misuse." Here are some additional measures that employers and regulators need to consider to combat this increasing problem:</p><ul><li> <strong>Increase regulatory audits.</strong> From a regulatory and compliance standpoint, the Canada Revenue Agency (CRA) could step up audits within the benefits service provider industry. The CRA requires that a service must actually be provided where there is an invoice.<br><br>In Canada, insurance and service providers are both federally and provincially regulated in specific ways. Regulators should review whether these regulations are adequate to prevent benefits fraud. In particular, new provincial regulations may be needed to monitor service providers and levy fines on noncompliant providers.<br><br>As part of this effort, the benefits insurance industry should take more comprehensive actions such as delisting unscrupulous providers. This has been effective for the biggest providers. For example, in 2018, Sun Life delisted 1,500 providers from across Canada — no longer accepting their claims — after proving their involvement in false claims. Benefits insurers also should carefully weigh the use of up-selling of services and related performance rewards, which can further contribute to benefits fraud.<br><br></li><li> <strong>Apply technology to fraud management.</strong> Insurance carriers should invest in fraud management and business-process solutions that can also support efficient operations. Sun Life, for example, uses data analytics and machine learning to identify suspicious behavior, intelligence analysis to identify players in complex schemes, and investigative skills to monitor a facility's member-claim activity.<br><br>From the business-process perspective, a direct billing system can deter both providers and employees from attempting benefits fraud. Such systems require service providers to submit electronic documentation at the time the service is provided.<br><br>Increased scrutiny of frequent and higher-value claims through monitoring and audits is another technique. Additionally, both insurance carriers and employers should have strong whistleblower programs in place to encourage people to come forward with cases of suspected benefits fraud.<br><br></li><li> <strong>Educate the public.</strong> Employers and regulators should educate both employees and the public that benefits fraud is not a victimless crime. From the fraudster's perspective, the Fraud Triangle applies: fraud typically occurs when three elements are present — opportunity, rationalization, and pressure. People take advantage of opportunity with the perception that there is little chance of detection, penalty, or consequence. They rationalize their actions by feeling entitled to the benefits, even though their employer pays directly for claims.<br><br>Moreover, many Canadians feel workplace benefits fraud is not a significant problem. According to an Environics Research survey conducted for the CLHIA, 75% of respondents believe the consequences of benefits fraud are simply paying higher premiums or paying back wrong claim payments when uncovered. The insurance industry and regulators need to counteract these false perceptions.</li></ul>Art Stewart
