Identity theft and abuse of information in fraud and corruption
Steven Powell
FISA Conference, September 2018

Overview
- What is identity theft
- Elements of fraud
- The consequences
- The reality
- EFT fraud
- How to minimise the risk
- Action plan
- Conclusion
- Questions
What is identity theft?
The unlawful use of someone else's personal information. For example:
- ID / Passport / Driver's licence
- death certificate
- marriage certificate
- letters of executorship
- salary advice
- municipal bill
- bank statements
- Login details - username / password
Organised Crime

Data sources exploited in identity theft
- Hacking of g-mail accounts
- CIPC
- DEEDS
- Natis
- Credit checks
Case study example

What syndicates do with this info
Fraudulent ID factories create authentic-looking docs to:
- Open new retail or credit card accounts
- Submit false claims/redemptions re investments, insurance, medical aid
- Impersonate you, attend at your bank and transact on your accounts
- Open companies in your name on CIPC
- Change bank accounts to receive tax refunds/redemption payments

Change of bank account fraud
This is a form of corporate identity theft:
- Invoices intercepted in the mail
- Details are cloned
- NEW BANK ACCOUNT DETAILS are inserted
- Everything else looks identical and legitimate
How to minimise the risk
There are people who gather personal information about you in order to access your funds. Therefore make sure that it is difficult for strangers to access your personal information.
What must I do?
- Shred all documents
- Always remain attentive at ATMs
- Make sure all your accounts have strong passwords that are not easy to decipher
- Never respond to an e-mail or SMS that asks you to insert or update your personal and banking information by clicking on a website link

How to minimise the risk (cont'd)
- Be very selective with the type of information that you share on social media sites (case study)
- Only carry identification documentation such as your passport or identity book when it's absolutely necessary, and keep these documents safely locked away when not in use.

Are you sharing too much? The use of social media
Names of children, places of employment, places you frequent (your Facebook check-ins), birthdate - all can be accessed via social media and can be used to perpetrate identity theft.
Don't post pics of your holiday in the Seychelles (CFO case study).
Make sure your privacy settings are updated!!
Are you a victim?
- Read your statements - do you see charges for things you did not buy?
- Watch your bank account statement - do you see withdrawals you did not make? Are there changes you do not expect?
- Check your mail - did you stop getting a bill? Or did you start getting a new bill you do not know about?
- Get your credit report - are there accounts or other information you do not recognize?

I've been robbed! What do I do?
Take three steps immediately:
1. Place a fraud alert on your accounts
2. Change your passwords
3. Open a criminal case with SAPS

The reality
- you will be held responsible
- affects your reputation
- affects your credit score
- increases the likelihood of EFT fraud
The profile of the typical fraudster
White collar crime statistics reveal that more than 80% of fraud involves internal employees, most of whom have more than 5 years of service.
Many companies who fall victim to fraud rely on trust rather than controls. The fraudster could be your most capable, most reliable & most trusted employee.
Generally the profile of the typical fraudster is: older than 30, stable family situation, above average education, first offender and has been with the company for more than 5 years.
The fraudster is often the last person that anyone would suspect, and the red flags (symptoms) that become known are often ignored due to high levels of trust.

The fraud triangle - psychology behind it
Fraud takes place when the 3 factors described below converge.
- The fraud recipe: fraud takes place when employees under pressure identify the opportunity to commit fraud, coupled to a perceived low risk of detection.
- Fraud rationalization: the employee will justify committing acts of dishonesty by rationalizing his or her behaviour. Rationalization takes the form of finding justification for the behaviour by relabeling to remove moral stigma.

Fraud pressures
Often, formerly honest employees commit fraud as a result of pressure, which presents itself in a variety of ways:
- living beyond means
- insecurity regarding tenure of position, retrenchments
- trigger events: divorce, extra-marital affairs, medical emergency
- peer pressure
- gambling
- alcohol or drug problems

Opportunity
When employees experience the pressure, they often start looking for gaps or weaknesses in the control environment. Opportunity to commit fraud presents itself in a variety of forms:
- Weak control environment
- Shared passwords
- Limited segregation of duties
- Limited independent review
- Poor management oversight
- Remote location
- High trust

Examples of rationalizations
Rationalization takes place when employees try to justify or re-label their illicit activity in order to make it seem less morally reprehensible. Examples of rationalisations that have been verbalized:
- "it was just a loan, I am going to pay it back"
- "it was a spotter's fee"
- "it was just a commission"
- "the company makes huge profits but does not pay us enough"
- "the company has retrenched a lot of staff"
- "I should have been promoted long ago"
EFT fraud risk
EFT fraud is essentially the diversion of funds from the organisation's bank accounts to third parties, to whom those funds are not due, usually involving manipulation of the vendor payment system. This is an important risk area for FISA members to be aware of.

Electronic funds transfer fraud - two methods
1. creation of an alternative vendor profile, which is then selected to perform illicit transactions
2. substitution of employee account and deletion
In the 1st scenario the risk of being caught is higher, as the employee info remains on the vendor profile and should be detected through proper checks.

Whose problem is EFT fraud?
- it is invariably an account holder problem, and usually not a bank problem
- it is usually facilitated by password abuse within the finance team
- spyware and collusion with bank officials must be excluded
Case study 1: EFT payment clerk - shaken not stirred
007 steals R740k from a large retailer
- position - EFT payment clerk
- earnings R10k
- divorce
- weak controls
- fraud rationalization

Case study 1: EFT payment clerk
A junior employee in a finance team, whose role involved processing batches of vendor payments electronically, got divorced. He was already battling to manage financially and now needed to pay for a messy divorce, alternative accommodation & maintenance.
He realised that he could authorise and release transactions with his supervisor's password. He made small talk with his supervisor as he was logging in, noted his password, and voila: he could create, capture and release payments.
He tested thresholds with small payments to himself, then waited.
The suspect became very bold and loaded a duplicate vendor with his personal bank account on the vendor master database. Nobody noticed, and the volume and scale of his fraud escalated; within a year he had stolen just under a million.

Case study 1: the black hole - lost payment
Software programmers showed our suspect how to manually override the system to ensure that payments reach the intended destination. Every time our suspect made a legitimate payment he knew he could steal by changing a text file on his C drive.
"I could not resist the temptation, the controls were so weak they deserved it"
Testing thresholds
Case study 2: chief accountant
R2 million in one year
Modus operandi:
- amendment of vendor banking account detail on vendor master file
- substituted account not own account (DRC)
- once illicit transaction concluded, amended vendor profile deleted and vendor banking info restored to original
- when routine audits are performed all appears as it should
Where did the money go? The local casino received R1,95 million out of the R2 million stolen.

Case study 3: FD at packaging company
R4.2 mil misappropriated, R1,7 in one morning
- substitution and deletion
- vehicles, houses, timeshare (house search), gambling, overseas travel, holidays, private schooling, heart operation, property for family, vehicles for close friends
- safety deposit boxes?
- 3 million rand recovery via full co-operation, which translated into mitigation for an effective 5 year jail term

Case study 4 & 5
R4,2 million in Western Cape over 8 years
- suspect placed personal stop orders (DSTV, Telkom, cars and insurance) on organisation account
- suspect paid for her house, R1.3 million, with EFT to lawyers
- suspect overpaid suppliers and diverted reimbursement to her account
What should the company have picked up?
EFT clerk:
- the payments to a particular supplier whose profile was exploited were far over budget
- routine audits testing payroll against the vendor master files would have identified the illicit profile
Chief accountant:
- password control was abused
- the CFO signed off batches of EFTs - if he had just counted the transactions he would have noticed that there were more payments in the batch than the paperwork reflected
- supplier payments were duplicated - a proper recon of each supplier against approved budget would have identified the overspend
- there were multiple changes to vendor banking details, which is abnormal

Key controls to prevent EFT abuse
- vet vendors properly (address, history, bank account, expertise & infrastructure)
- enforce tight control over changes to suppliers' bank accounts; add management authorisation
- audit changes to supplier banking info over the past year; interrogate the changes; verify with suppliers and banking institution
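The checks the two slides above call for (count the batch against the paperwork, test payroll accounts against the vendor master, interrogate changes to supplier banking details, reconcile each supplier against budget) as an added worked example in Python. This is not code from the slides or from ENSafrica; every record, field name and threshold below is a constructed assumption for illustration, and the change-then-restore detection generalises the case study 2 pattern to any vendor whose bank details are amended and reverted within a short window.

```python
"""Reconciliation checks for the EFT / vendor-payment red flags above.

Added example, not from the slides. All records are CONSTRUCTED sample
data; field names and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date

# Employee payroll bank accounts (constructed). E-217 is the EFT clerk.
PAYROLL = [
    {"employee": "E-101", "bank_account": "62011111111"},
    {"employee": "E-217", "bank_account": "62022222222"},
]

# Vendor master file as it stands today (constructed). V-002 is a
# look-alike duplicate of V-001 pointing at the clerk's own account.
VENDOR_MASTER = [
    {"vendor_id": "V-001", "name": "Acme Packaging", "bank_account": "40010001"},
    {"vendor_id": "V-002", "name": "Acme Packaging (Pty)", "bank_account": "62022222222"},
    {"vendor_id": "V-003", "name": "Metro Transport", "bank_account": "40030003"},
]

# Audit trail of bank-detail changes on the vendor master (constructed).
# V-003 shows the amend / transact / restore pattern of case study 2.
VENDOR_CHANGES = [
    {"vendor_id": "V-003", "date": date(2018, 2, 1), "old": "40030003", "new": "99999999"},
    {"vendor_id": "V-003", "date": date(2018, 2, 3), "old": "99999999", "new": "40030003"},
    {"vendor_id": "V-003", "date": date(2018, 5, 10), "old": "40030003", "new": "88888888"},
    {"vendor_id": "V-003", "date": date(2018, 5, 12), "old": "88888888", "new": "40030003"},
    {"vendor_id": "V-001", "date": date(2018, 7, 1), "old": "40010000", "new": "40010001"},
]

# One released EFT batch and the approved vouchers behind it (constructed).
BATCH = [
    {"vendor_id": "V-001", "amount": 12000.00},
    {"vendor_id": "V-002", "amount": 4800.00},
    {"vendor_id": "V-003", "amount": 9500.00},
]
APPROVED_VOUCHERS = [
    {"vendor_id": "V-001", "amount": 12000.00},
    {"vendor_id": "V-003", "amount": 9500.00},
]

# Year-to-date spend per supplier and the approved budget (constructed).
YTD_SPEND = {"V-001": 150000.0, "V-002": 48000.0, "V-003": 135000.0}
BUDGET = {"V-001": 160000.0, "V-003": 120000.0}


def batch_count_mismatch(batch, vouchers):
    """Case study 1 red flag: more payments in the batch than the paperwork."""
    return len(batch) - len(vouchers)


def unapproved_batch_lines(batch, vouchers):
    """Batch lines with no matching approved voucher (vendor + amount)."""
    remaining = Counter((v["vendor_id"], v["amount"]) for v in vouchers)
    unapproved = []
    for line in batch:
        key = (line["vendor_id"], line["amount"])
        if remaining[key] > 0:
            remaining[key] -= 1  # consume one approved voucher
        else:
            unapproved.append(line)
    return unapproved


def vendors_paid_to_employee_accounts(vendors, payroll):
    """Test payroll against the vendor master: vendors paid to a staff account."""
    staff = {p["bank_account"]: p["employee"] for p in payroll}
    return [(v["vendor_id"], staff[v["bank_account"]])
            for v in vendors if v["bank_account"] in staff]


def suspicious_bank_detail_changes(changes, max_changes=1, revert_within_days=30):
    """Interrogate changes to supplier banking info: too many changes in the
    period, or a change that is restored shortly afterwards (amend, pay, restore)."""
    history = defaultdict(list)
    for c in sorted(changes, key=lambda c: c["date"]):
        history[c["vendor_id"]].append(c)
    findings = {}
    for vendor_id, hist in history.items():
        reasons = []
        if len(hist) > max_changes:
            reasons.append(f"{len(hist)} bank detail changes in period")
        for a, b in zip(hist, hist[1:]):
            if b["new"] == a["old"] and (b["date"] - a["date"]).days <= revert_within_days:
                reasons.append(f"changed to {a['new']} on {a['date']}, restored on {b['date']}")
        if reasons:
            findings[vendor_id] = reasons
    return findings


def over_budget_or_unbudgeted(spend, budget):
    """Recon each supplier against approved budget: overspend or no budget line."""
    return {v: amt for v, amt in spend.items() if v not in budget or amt > budget[v]}


if __name__ == "__main__":
    print("extra batch lines:", batch_count_mismatch(BATCH, APPROVED_VOUCHERS),
          unapproved_batch_lines(BATCH, APPROVED_VOUCHERS))
    print("vendors on staff accounts:", vendors_paid_to_employee_accounts(VENDOR_MASTER, PAYROLL))
    print("bank detail changes:", suspicious_bank_detail_changes(VENDOR_CHANGES))
    print("budget exceptions:", over_budget_or_unbudgeted(YTD_SPEND, BUDGET))
```

Each function takes the data set it needs as an argument, so the same checks can be pointed at a real payroll extract, vendor master export and change log. The restore check only works if the vendor master keeps an audit trail of changes; a master file that is simply overwritten in place is exactly what let case study 2 pass routine audits.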
Conclusion
- ID theft, fraud and corruption are significant risks
- prevention is better than cure
- review your anti-fraud controls annually
- perform control review regarding EFT payments (see ENSafrica checklist)
- do not rely only on controls - they are only as effective as the people enforcing them
- recognize the symptoms
- do not work in a vacuum - use the tools, technology & experts
2009 S Powell

Questions

Steven Powell
spowell@ensafrica.com
+27 21 410 2553 or +27 82 820 1036