Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI
President, Minniti CPA, LLC
COVID-19 New Cyber Frauds & Cybersecurity Internal Controls
Dr. Robert K Minniti
DBA – Doctor of Business Administration
CPA – Certified Public Accountant
CFE – Certified Fraud Examiner
CrFA – Certified Forensic Accountant
CFF – Certified in Financial Forensics
CVA – Certified Valuation Analyst
MAFF – Master Analyst in Financial Forensics
CGMA – Chartered Global Management Accountant
PI – Licensed Private Investigator
Objectives
Upon completing this class you will be able to:
Identify cybersecurity risks related to the COVID-19 Virus and employees working remotely
Identify internal controls for cybersecurity
Cybersecurity Risks
• Civil litigation
• Fines
• Damage to reputation
• Loss of customers
• Government settlement
• Long term audits
• Business disruption
• Ransom payments
Cybersecurity Risk Factors
Employees
Don’t understand the risks
Lack of cybersecurity training
Override internal controls
Inattention
Working remotely
Data & file sharing
Using personal devices
Cybersecurity Risk Factors
IT Systems
Complex IT systems
Older technology
Bring your own device (BYOD)
Lack of internal controls
Ineffective cybersecurity measures
Undertrained IT personnel
File sharing
Cloud computing
Polling Question #1
True or False
Employees working remotely adds to a company’s cybersecurity risk
COVID-19 FRAUDS
https://amp-cnn-com.cdn.ampproject.org/c/s/amp.cnn.com/cnn/2020/04/14/politics/coronavirus-scams-and-rip-offs/index.html
COVID-19 FRAUDS
Testing Scams:
Individuals selling fake at-home test kits or going door-to-door performing fake tests for money or insurance information.
COVID-19 FRAUDS
Insurance Scams:
Fraudsters selling fake COVID-19 health insurance plans. Often claiming their current plan will not provide coverage. Sometimes these calls start by claiming the victim has been identified as someone who was exposed to COVID-19.
COVID-19 FRAUDS
Charity Scams:
Fraudsters soliciting donations for individuals, groups, and areas affected by the COVID-19 virus. Also, soliciting donations for hospitals and COVID-19 cure research.
COVID-19 FRAUDS
Quarantine Scams:
Fraudsters call victims pretending to be relatives asking for money to help them get back home because they are stranded by the COVID-19 quarantine. Requests for airfare, hotel money, bus fare, etc.
Fraudsters use information gathered from social networking sites to impersonate the victim’s relative.
COVID-19 FRAUDS
COVID-19 Prevention Scams:
Fraudsters selling fake COVID-19 prevention devices or drugs online, over the phone, or door to door
https://www.foxnews.com/world/fake-coronavirus-prevention-devices-spain-arrest-record-daily-deaths-reported-outbreak
COVID-19 FRAUDS
Treatment Scams:
Fraudsters selling fake cures for COVID-19 online, over the phone, or door to door
COVID-19 FRAUDS
https://www.foxnews.com/entertainment/actor-keith-middlebrook-arrested-fbi-allegedly-bogus-coronavirus-cure
Polling Question #2
True or False
Criminals use famous people to help con victims
COVID-19 FRAUDS
Supply Scams:
Scammers creating fake shops, websites, and email addresses claiming to sell medical supplies that are in high demand.
Also, selling toilet paper, hand sanitizer, and other high demand household goods.
COVID-19 FRAUDS
https://www.cnn.com/2020/04/14/us/coronavirus-mask-scam-hospitals-seiu-california-trnd/index.html
COVID-19 FRAUDS
App Scams:
Mobile apps that appear to be designed to track the spread of the COVID-19 virus, but which insert malware that will compromise the victim’s devices and personal & business information
COVID-19 FRAUDS
Phishing Scams:
Phishing emails that appear to be sent from entities such as the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), or the Food & Drug Administration (FDA)
COVID-19 FRAUDS
Provider Scams:
Scammers are contacting people by phone, text messages, and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19, and demanding payment for that treatment
COVID-19 FRAUDS
Funeral & Cremation Scams:
Scammers are contacting people by phone, text messages, and email, pretending to be from funeral homes asking for money to bury or cremate friends or relatives who died.
Also, fraudsters set up Gofundme accounts indicating the family is asking for help with final expenses for victims of the virus.
COVID-19 FRAUDS
Investment Scams:
Fraudsters conducting online or phone promotions claiming that the products or services of publicly traded companies can prevent, detect, or cure COVID-19, and that the stock of these companies will dramatically increase in value as a result.
COVID-19 FRAUDS
Bailout Scams:
Fraudsters pretending to be from the IRS or Treasury Department contacting individuals claiming they need to verify their bank account information to send them their government bailout money.
COVID-19 STIMULUS CHECK SCAM
COVID-19 FRAUDS
COVID-19 Business Loan Scams:
Fraudsters pretending to be from the government are contacting businesses to get them to apply for government stimulus loans, allowing them to gather sensitive information.
Also, they will ask for personal information on employees who are currently working, have been laid off, or who might be laid off in the future.
COVID-19 BUSINESS RISK FRAUDS
COVID-19 FRAUDS
Robocall Scams:
While working from home, your employees are hearing a new crop of illegal robocalls. These automated calls are trying to gather personal and business information.
COVID-19 FRAUDS
COVID-19 Asset Sale Scams:
Fraudsters pretending to be owners of small businesses or representatives of small government entities are advertising assets for sale to raise money due to the COVID-19 cash crunch
COVID-19 FRAUDS
Data Breaches:
With more employees telecommuting, hackers are hoping companies will drop their online defenses, or that IT departments will be overwhelmed, making it easier to infiltrate company IT systems to steal data.
Polling Question #3
True or False
Fraudsters are taking advantage of the COVID-19 pandemic to increase cyber fraud scams
Phishing, Vishing, & Smishing
Used to gain personal or business information, such as usernames, passwords, Social Security numbers, credit card numbers, health insurance information, etc.
Also, used to get victims to make payments or donations to fraudulent organizations.
DISGUISING A VOICE
When criminals want to disguise their voices over the phone, it is easy to do because there are numerous “apps for that.”
SPOOFING A PHONE NUMBER
https://www.spoofcard.com/apps
SOCKPUPPETS
COMPUTER GENERATED PHOTOS
https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/
DENIAL OF SERVICE ATTACKS
This cybercrime occurs when the criminals use botnets or networks of infected computers to bring down a website by overloading the server.
Oftentimes criminals follow up with an attempt to hack the system and put malware on the server when the victim is busy repairing the damage.
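Per-client rate limiting is one of the standard server-side defenses against the request floods described above. The following is an added example, not code from the original slides: a sliding-window limiter replayed against a constructed request trace (the limit, window, client addresses and traffic pattern are all assumptions chosen for illustration).

```python
"""Per-client request rate limiting as a defense against request floods.

Added example, not part of the original slides. Limits, client addresses and
the request trace are constructed for illustration.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        # Drop hits that have aged out of the window before counting.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(trace, limit=20, window=10.0):
    """Run a (timestamp, client) trace through the limiter.

    Returns {client: (allowed, blocked)} so the effect on each client is visible.
    """
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in trace:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


def sample_trace():
    """Constructed trace: one browsing client at 1 request/s and three bot
    nodes each sending 10 requests/s for 10 seconds (addresses are assumptions)."""
    trace = [(float(t), "203.0.113.5") for t in range(10)]
    for bot in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        trace += [(i / 10, bot) for i in range(100)]
    return sorted(trace)


if __name__ == "__main__":
    for client, (allowed, blocked) in sorted(replay(sample_trace()).items()):
        print(f"{client:14} allowed={allowed:3} blocked={blocked:3}")
```

In the replay the ordinary client keeps every request while each bot node gets its first 20 requests through and then 80 refusals. A limiter like this protects the application layer only; a volumetric flood that saturates the link is handled upstream by the provider or a scrubbing service before the server ever sees it.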
MALWARE
Malware is placed on computers or cell phones to hijack the computers, steal data, or encrypt the data for ransom.
CRYPTOLOCKER
RANSOMWARE ATTACKS EMAIL
https://www.knowbe4.com/
Polling Question #4
True or False
Fraudsters use COVID-19 pandemic scams to infect computers for data breaches and ransomware.
Cybersecurity Risk Management
• Managing IT assets
• Employee awareness & training
• Business continuation
• Change management
• IT configuration management
• Data security
• Disaster recovery plan
• Incident response plans & teams
Cybersecurity Risk Management
• Access control
• Monitoring issues
• Sending alerts
• Managing media & data
• Physical security
• Environmental considerations
• Hardware & software maintenance
Cybersecurity Risk Management
• Vendor management
• Employee training
• Assessing new hardware & software
• Mobile devices
• Work-at-home employees
• Customer access
• Legal & regulatory requirements
• Backing up data
Polling Question #5
True or False
It is important to control access to IT systems
Cybersecurity Frameworks
• COSO Framework for Internal Control
• COBIT
• ISO 27001
• NIST
• CIS Critical Security Controls
• HITRUST
KEY INTERNAL CONTROLS FOR REMOTE EMPLOYEES
• Employee Training
• Virtual Private Network (VPN)
• Multi-factor authentication
• Anti-virus, anti-ransomware, and anti-malware software
• Email verifications for payments (CEO Spoofing)
• Don’t give information to unverified callers, emailers, or text messagers
• IT hotline for employee questions or issues
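The phishing slide (messages that appear to come from the WHO, CDC or FDA) and the "email verifications for payments (CEO spoofing)" control both come down to the same header checks a mail gateway or a reviewer can run. The code below is an added example, not code from the original slides: it parses a raw message with the Python standard library and flags a display name that impersonates a health authority from the wrong domain, a Reply-To that diverts replies elsewhere, an executive's name on an address outside the company combined with payment language, and a link whose visible text shows a different domain than its destination. The organisation domains, the company domain, the executive names and the three sample messages are constructed assumptions.

```python
"""Header and link checks for phishing and CEO-spoofing e-mails.

Added example, not part of the original slides. Organisation domains,
executive names, the company domain and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: organisations fraudsters impersonate, mapped to the
# only domains they are assumed to send from.
TRUSTED_SENDERS = {
    "world health organization": {"who.int"},
    "centers for disease control": {"cdc.gov"},
    "food and drug administration": {"fda.gov"},
}
# Constructed: the company's own mail domain and executives whose names are
# used in payment requests (CEO spoofing).
COMPANY_DOMAIN = "example-cpa.test"
EXECUTIVES = {"jane doe", "john roe"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|gift card|invoice)\b", re.I)
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_host(host):
    return host[4:] if host.startswith("www.") else host


def analyze_email(raw):
    """Return a list of findings for one RFC 5322 message (empty = nothing seen)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name_l, from_dom = name.lower(), _domain(addr)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    findings = []

    # 1. Display name claims a health authority but the address is not theirs.
    for org, domains in TRUSTED_SENDERS.items():
        if org in name_l and from_dom not in domains:
            findings.append(f"display name impersonates '{org}' from {from_dom}")

    # 2. Reply-To sends answers to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from {from_dom}")

    # 3. CEO spoofing: executive's name on an external address, with or
    #    without payment language in the body.
    if any(e in name_l for e in EXECUTIVES) and from_dom != COMPANY_DOMAIN:
        if PAYMENT_WORDS.search(body):
            findings.append("executive name on external address with payment request")
        else:
            findings.append("executive name on external address")

    # 4. Link text shows one domain while the href points somewhere else.
    for href, text in LINK_RE.findall(body):
        href_host = _norm_host(urlparse(href).hostname or "")
        text = text.strip()
        shown = _norm_host(urlparse(text if "://" in text else "http://" + text).hostname or "")
        if shown and href_host and shown != href_host:
            findings.append(f"link text {shown} hides destination {href_host}")
    return findings


# Constructed sample messages.
PHISH = """From: "World Health Organization" <alerts@who-covid19-update.test>
Reply-To: collect@mailer.test
To: staff@example-cpa.test
Subject: COVID-19 safety measures
Content-Type: text/html

<p>Please review the <a href="http://who-covid19-update.test/login">www.who.int</a> update.</p>
"""
CEO_SPOOF = """From: "Jane Doe" <jane.doe@gmail-mail.test>
To: ap@example-cpa.test
Subject: urgent

I am stuck in a meeting. Please wire $18,400 to the vendor today.
"""
LEGIT = """From: "Jane Doe" <jane.doe@example-cpa.test>
To: ap@example-cpa.test
Subject: lunch

Team lunch Friday.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CEO_SPOOF", CEO_SPOOF), ("LEGIT", LEGIT)):
        print(label, analyze_email(raw) or "no findings")
```

The CEO-spoofing rule is only the automated half of the control on the slide: a flagged payment request still has to be confirmed out of band, by calling the executive back on a number from the directory rather than one given in the message.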
BASIC INTERNAL CONTROLS
• Router & Switch
• Firewall (Hardware & Software)
• Virtual Private Network (VPN)
• Encryption
• Proxies
• Network Intrusion Prevention System (NIPS)
• Network Intrusion Detection System (NIDS)
• Security Information and Event Management (SIEM)
BASIC INTERNAL CONTROLS
• Limit access with user IDs and passwords
• Require complex passphrases
• A minimum of 24 characters
• Require password changes every 90 days
• Reset the default local administrator password
• Spam filters
• SOC for Cybersecurity (Vendors & others with access)
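The passphrase rules on this slide (24-character minimum, complexity, 90-day change, no default local administrator password) can be checked mechanically. The following is an added example, not code from the original slides: a policy function that returns every rule an account breaks, run over a constructed set of accounts. The interpretation of "complex" (three character classes or a phrase of at least four words), the default-password list and the sample accounts are assumptions.

```python
"""Passphrase and account-age policy check for the controls listed above.

Added example, not part of the original slides. The complexity rule, the
default-password list and the sample accounts are constructed assumptions.
"""
from datetime import date

MIN_LENGTH = 24    # minimum passphrase length stated on the slide
MAX_AGE_DAYS = 90  # change interval stated on the slide

# Constructed: vendor defaults that must never remain on a local admin account.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "Administrator1"}


def passphrase_violations(passphrase, last_changed, today):
    """Return every rule the passphrase breaks; an empty list means compliant."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # "Complex" is interpreted here (assumption) as at least three character
    # classes, or a multi-word phrase of at least four words.
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    if classes < 3 and len(passphrase.split()) < 4:
        problems.append("neither three character classes nor four words")
    # Reject strings that reach the length only by repeating a few characters.
    if len(set(passphrase.lower())) < 6:
        problems.append("too few distinct characters")
    if passphrase in KNOWN_DEFAULTS:
        problems.append("matches a known default password")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems


def audit_accounts(accounts, today):
    """accounts: iterable of (user, passphrase, last_changed) -> {user: violations}."""
    return {user: passphrase_violations(pw, changed, today)
            for user, pw, changed in accounts}


# Constructed sample records. Plaintext appears here only to demonstrate the
# rules; a real audit checks hashes and change dates from the directory.
SAMPLE_ACCOUNTS = [
    ("remote-user1", "Cold brew, warm socks, 7 am standups!", date(2020, 3, 15)),
    ("remote-user2", "Summer2020", date(2020, 1, 2)),
    ("local-admin", "admin", date(2019, 11, 1)),
]
AUDIT_DATE = date(2020, 4, 20)

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, problems or "compliant")
```

The age rule implements the slide's 90-day requirement as written. Note that NIST SP 800-63B recommends against forcing periodic changes unless compromise is suspected, so organisations following that framework usually pair a longer (or no) interval with breach-list screening and MFA.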
BASIC INTERNAL CONTROLS
• Install a good anti-virus program on your computer and keep it up-to-date.
• Encrypt your office wireless networks using WPA2.
• Do not send company information over public WiFi networks.
• Enroll in a back-up or wiping program that backs up smartphones and will allow you to remotely erase the information on a lost or stolen phone.
BASIC INTERNAL CONTROLS
• Do not reply to e-mails or click on links in e-mails from unknown sources.
• Use a separate computer for bank and financial transactions
• Monitor user activity on your IT system
• Cyber Insurance
BASIC INTERNAL CONTROLS
• Have real time monitoring of security events on your IT system
• Update all software when vendor updates are made available
• Use multi-factor authentication or biometrics
• Conduct regular penetration & phishing tests
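"Monitor user activity", "real time monitoring of security events" and the SIEM in the earlier list all rely on detection rules run over authentication logs. The following is an added example, not code from the original slides: two simple rules (a burst of failed logins from one source, and any success that follows it or arrives without MFA) applied to a constructed VPN log. The log format, field names, user names and addresses are assumptions, as are the five-failure threshold and ten-minute window.

```python
"""Detection rules over constructed remote-access authentication logs.

Added example, not part of the original slides. Log format, field names,
users, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # assumption: failures from one source that trigger an alert
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures

# Constructed sample log: a password-spray burst from 198.51.100.7 that ends in
# a success without MFA, plus two ordinary logins from home addresses.
SAMPLE_LOG = """\
2020-04-20T08:01:12Z vpn auth user=alice src=203.0.113.10 result=OK mfa=yes
2020-04-20T08:02:01Z vpn auth user=bob src=198.51.100.7 result=FAIL mfa=no
2020-04-20T08:02:05Z vpn auth user=carol src=198.51.100.7 result=FAIL mfa=no
2020-04-20T08:02:09Z vpn auth user=dave src=198.51.100.7 result=FAIL mfa=no
2020-04-20T08:02:14Z vpn auth user=erin src=198.51.100.7 result=FAIL mfa=no
2020-04-20T08:02:20Z vpn auth user=frank src=198.51.100.7 result=FAIL mfa=no
2020-04-20T08:02:31Z vpn auth user=grace src=198.51.100.7 result=OK mfa=no
2020-04-20T09:30:00Z vpn auth user=bob src=192.0.2.44 result=FAIL mfa=no
2020-04-20T09:30:20Z vpn auth user=bob src=192.0.2.44 result=OK mfa=yes
"""


def parse_line(line):
    """Turn one 'timestamp service event key=value ...' line into a dict."""
    ts, _service, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Return alerts as (rule, source_ip, user) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(list)  # src -> failure timestamps inside WINDOW
    flagged_sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        src, ts, user = rec["src"], rec["ts"], rec["user"]
        if rec["result"] == "FAIL":
            fails = [t for t in recent_fails[src] if ts - t <= WINDOW] + [ts]
            recent_fails[src] = fails
            if len(fails) >= FAIL_THRESHOLD and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(("brute_force", src, user))
        else:
            # A success from a source already seen spraying passwords is the
            # event an analyst most wants to see immediately.
            if src in flagged_sources:
                alerts.append(("success_after_burst", src, user))
            if rec.get("mfa") != "yes":
                alerts.append(("login_without_mfa", src, user))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(SAMPLE_LOG):
        print(f"{rule:20} src={src:14} user={user}")
```

Bob's single failure followed by an MFA-backed success from a home address produces nothing, which is the point of the threshold: the rule fires on the pattern of a spray, not on one mistyped password.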
Polling Question #6
True or False
Internal controls over a company’s IT system and data are essential.
Any Questions?