
PowerPoint Presentation · Virtual Private Network (VPN) ... BASIC INTERNAL CONTROLS •Install a good anti-virus program on your computer and keep it up-to-date. •Encrypt your


Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI

President, Minniti CPA, LLC

COVID-19 New Cyber Frauds & Cybersecurity Internal Controls


Dr. Robert K Minniti

DBA – Doctor of Business Administration

CPA – Certified Public Accountant

CFE – Certified Fraud Examiner

CrFA – Certified Forensic Accountant

CFF – Certified in Financial Forensics

CVA – Certified Valuation Analyst

MAFF – Master Analyst in Financial Forensics

CGMA – Chartered Global Management Accountant

PI – Licensed Private Investigator


Objectives

Upon completing this class you will be able to:

Identify cybersecurity risks related to the COVID-19 Virus and employees working remotely

Identify internal controls for cybersecurity


Cybersecurity Risks

•Civil litigation

•Fines

•Damage to reputation

•Loss of customers

•Government settlement

•Long term audits

•Business disruption

•Ransom payments


Cybersecurity Risk Factors

Employees

Don’t understand the risks

Lack of cybersecurity training

Override internal controls

Inattention

Working remotely

Data & file sharing

Using personal devices


Cybersecurity Risk Factors

IT Systems

Complex IT systems

Older technology

Bring your own device (BYOD)

Lack of internal controls

Ineffective cybersecurity measures

Undertrained IT personnel

File sharing

Cloud computing


Polling Question #1

True or False

Employees working remotely adds to a company’s cybersecurity risk


COVID-19 FRAUDS

https://amp-cnn-com.cdn.ampproject.org/c/s/amp.cnn.com/cnn/2020/04/14/politics/coronavirus-scams-and-rip-offs/index.html


COVID-19 FRAUDS

Testing Scams:

Individuals selling fake at-home test kits or going door-to-door performing fake tests for money or insurance information.


COVID-19 FRAUDS

Insurance Scams:

Fraudsters selling fake COVID-19 health insurance plans, often claiming the victim’s current plan will not provide coverage. Sometimes these calls start by claiming the victim has been identified as someone who was exposed to COVID-19.


COVID-19 FRAUDS

Charity Scams:

Fraudsters soliciting donations for individuals, groups, and areas affected by the COVID-19 virus. Also, soliciting donations for hospitals and COVID-19 cure research.


COVID-19 FRAUDS

Quarantine Scams:

Fraudsters call victims pretending to be relatives who are stranded because of the COVID-19 quarantine and need money to get back home. Requests include airfare, hotel money, bus fare, etc.

Fraudsters use information gathered from social networking sites to impersonate the victim’s relative.


COVID-19 FRAUDS


COVID-19 FRAUDS

COVID-19 Prevention Scams:

Fraudsters selling fake COVID-19 prevention devices or drugs online, over the phone, or door to door

https://www.foxnews.com/world/fake-coronavirus-prevention-devices-spain-arrest-record-daily-deaths-reported-outbreak


COVID-19 FRAUDS

Treatment Scams:

Fraudsters selling fake cures for COVID-19 online, over the phone, or door to door


COVID-19 FRAUDS

https://www.foxnews.com/entertainment/actor-keith-middlebrook-arrested-fbi-allegedly-bogus-coronavirus-cure


Polling Question #2

True or False

Criminals use famous people to help con victims


COVID-19 FRAUDS

Supply Scams:

Scammers creating fake shops, websites, and email addresses claiming to sell medical supplies that are in high demand.

Also, selling toilet paper, hand sanitizer, and other high demand household goods.


COVID-19 FRAUDS

https://www.cnn.com/2020/04/14/us/coronavirus-mask-scam-hospitals-seiu-california-trnd/index.html


COVID-19 FRAUDS

App Scams:

Mobile apps that appear to be designed to track the spread of the COVID-19 virus, but which insert malware that will compromise the victim’s devices and personal & business information


COVID-19 FRAUDS

Phishing Scams:

Phishing emails that appear to be sent from entities such as the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), or the Food & Drug Administration (FDA)


COVID-19 FRAUDS

Provider Scams:

Scammers are contacting people by phone, text messages, and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19, and demanding payment for that treatment


COVID-19 FRAUDS

Funeral & Cremation Scams:

Scammers are contacting people by phone, text messages, and email, pretending to be from funeral homes asking for money to bury or cremate friends or relatives who died.

Also, fraudsters set up GoFundMe accounts indicating the family is asking for help with final expenses for victims of the virus.


COVID-19 FRAUDS

Investment Scams:

Fraudsters conducting online or phone promotions claiming that the products or services of publicly traded companies can prevent, detect, or cure COVID-19, and that the stock of these companies will dramatically increase in value as a result.


COVID-19 FRAUDS

Bailout Scams:

Fraudsters pretending to be from the IRS or Treasury Department contacting individuals claiming they need to verify their bank account information to send them their government bailout money.


COVID-19 STIMULUS CHECK SCAM


COVID-19 FRAUDS

COVID-19 Business Loan Scams:

Fraudsters pretending to be from the government are contacting businesses to get them to apply for government stimulus loans, allowing them to gather sensitive information.

Also, they will ask for personal information on employees who are currently working, have been laid off, or who might be laid off in the future.


COVID-19 BUSINESS RISK FRAUDS


COVID-19 FRAUDS

Robocall Scams:

While working from home, your employees are hearing a new crop of illegal robocalls. These automated calls are trying to gather personal and business information.


COVID-19 FRAUDS

COVID-19 Asset Sale Scams

Fraudsters pretending to be owners of small businesses or representatives of small government entities are advertising assets for sale to raise money due to the COVID-19 cash crunch


COVID-19 FRAUDS

Data Breaches:

With more employees telecommuting, hackers are hoping companies will drop their online defenses, or that IT departments will be overwhelmed, making it easier to infiltrate company IT systems to steal data.


Polling Question #3

True or False

Fraudsters are taking advantage of the COVID-19 pandemic to increase cyber fraud scams


Phishing, Vishing, & Smishing

Used to gain personal or business information, such as usernames, passwords, Social Security numbers, credit card numbers, health insurance information, etc.

Also, used to get victims to make payments or donations to fraudulent organizations.


DISGUISING A VOICE

When criminals want to disguise their voices over the phone it is easy to do because there are numerous “Apps for that”


SPOOFING A PHONE NUMBER

https://www.spoofcard.com/apps


SOCKPUPPETS


COMPUTER GENERATED PHOTOS

https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/


DENIAL OF SERVICE ATTACKS

This cybercrime occurs when the criminals use botnets or networks of infected computers to bring down a website by overloading the server.

Oftentimes criminals follow up with an attempt to hack the system and put malware on the server when the victim is busy repairing the damage.


MALWARE

Malware is placed on computers or cell phones to hijack the computers, steal data, or encrypt the data for ransom.


CRYPTOLOCKER


RANSOMWARE ATTACKS EMAIL

https://www.knowbe4.com/


Polling Question #4

True or False

Fraudsters use COVID-19 pandemic scams to infect computers for data breaches and ransomware.


Cybersecurity Risk Management

Managing IT assets

Employee awareness & training

Business continuation

Change management

IT configuration management

Data security

Disaster recovery plan

Incident response plans & teams


Cybersecurity Risk Management

Access control

Monitoring issues

Sending alerts

Managing media & data

Physical security

Environmental considerations

Hardware & software maintenance


Cybersecurity Risk Management

Vendor management

Employee training

Assessing new hardware & software

Mobile devices

Work-at-home employees

Customer access

Legal & regulatory requirements

Backing up data


Polling Question #5

True or False

It is important to control access to IT systems


Cybersecurity Frameworks

COSO Framework for Internal Control

COBIT

ISO 27001

NIST

CIS Critical Security Controls

HITRUST


KEY INTERNAL CONTROLS FOR REMOTE EMPLOYEES

• Employee Training

• Virtual Private Network (VPN)

• Multi-factor authentication

• Anti Virus, Ransomware, Malware software

• Email verifications for payments (CEO Spoofing)

• Don’t give information to unverified callers, emailers, or text messagers

• IT hotline for employee questions or issues


BASIC INTERNAL CONTROLS

• Router & Switch

• Firewall (Hardware & Software)

• Virtual Private Network (VPN)

• Encryption

• Proxies

• Network Intrusion Prevention System (NIPS)

• Network Intrusion Detection System (NIDS)

• Security Information and Event Management (SIEM)


BASIC INTERNAL CONTROLS

• Limit access with user IDs and passwords

• Require complex passphrases

• A minimum of 24 characters

• Require password changes every 90 days

• Reset the default local administrator password

• Spam filters

• SOC for Cybersecurity (Vendors & others with access)


BASIC INTERNAL CONTROLS

• Install a good anti-virus program on your computer and keep it up-to-date.

• Encrypt your office wireless networks using WPA2.

• Do not send company information over public WiFi networks.

• Enroll in a back-up or wiping program that backs up smartphones and will allow you to remotely erase the information on a lost or stolen phone.


BASIC INTERNAL CONTROLS

• Do not reply to e-mails or click on links in e-mails from unknown sources.

• Use a separate computer for bank and financial transactions

• Monitor user activity on your IT system

• Cyber Insurance


BASIC INTERNAL CONTROLS

• Have real time monitoring of security events on your IT system

• Update all software when vendor updates are made available

• Use multi-factor authentication or biometrics

• Conduct regular penetration & phishing tests


Polling Question #6

True or False

Internal controls over a company’s IT system and data are essential.


Any Questions?