© 2016 KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Fraud in the Crosshairs

November 2016

kpmg.ky

For more information please contact Brid Verling or Micho Schumann @ KPMG


Presenters

Micho Schumann
Principal, Cyber Security Services
KPMG in the Cayman Islands
+ 1 345 815 [email protected]
@MichoSchumann

Brid Verling
Senior Manager, Forensic
KPMG in the Cayman Islands
+ 1 345 914 [email protected]


About Profiles of the fraudster

2010: 348 cases in 69 countries

2013: 596 cases in 78 countries

2016: 750 cases in 81 countries


Background

2016

— 750 fraudsters from 81 countries. Up from 596 in prior survey.

— Frauds investigated from March 2013 to August 2015. 

— Survey expanded to explore certain topics more deeply

— New in 2016 — delved into technology (enabler and detector) and added a series of questions around the characteristics of the cyber‐fraudsters.


Fundamental characteristics

Autocratic, 3x more likely to be regarded as friendly as not

Well respected (38%), nearly 4x more likely than someone with a low reputation

Has a sense of superiority

79% male

Has unlimited authority (44%)

36–55 years of age

Holds an executive level position (38%); Manager (32%); Staff (20%)

65% of fraud lasted between 1 and 5 years

Type of Fraud: Misappropriation of Assets (47%); Financial reporting fraud (22%).

Cost of Fraud: Cost to company exceeding $1M (27%).

Source: Global Profiles of the Fraudster, KPMG International, 2016


Age of the fraudster

[Chart. Age bands shown: 36–45 years old; 18–25 years old; 46–55 years old; older than 55 years; 26–35 years old. Percentages shown: 8%, 31%, 37%, 14%, 1%.]

*The age of the remainder is unknown

Source: Global Profiles of the Fraudster, KPMG International, 2016


Gender

[Chart: gender of fraudster. Percentages shown: 17%, 79%. Remainder unknown gender.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Level of seniority

[Chart. Categories shown: Management (no executive capacity); Executive — Director; Staff member; Executive — Corporate Officer; Non‐Executive Director; Other; Owner/Shareholder. Percentages shown: 32%, 26%, 20%, 5%, 3%, 3%, 2%.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Years of service

[Chart. Categories shown: Less than 1 year; 1 to 4 years; 4 to 6 years; More than 6 years. Percentages shown: 2%, 19%, 14%, 38%.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Fundamental characteristics

Primary Function: Finance
Level of Seniority: Staff member
Alone or in Collaboration: Alone
Has debt: 20%

Primary Function: Varied
Level of Seniority: Executive
Alone or in Collaboration: Collaboration
Has debt: 8%

Source: Global Profiles of the Fraudster, KPMG International, 2016


Cost of Fraud

[Chart comparing colluders and solo fraudsters across cost bands: 5M+, 1M–5M, 200K–1M, <200K.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Fraud by industry

Industries should have unique fraud risks, but in the industries listed below the most common type of fraud was misappropriation of assets.

Mostly embezzlement

Financial services

Pharmaceuticals

Consumer & industrial markets

Mostly procurement fraud

Energy & natural resources

Public sector & information

Communications & entertainment


Fraud triangle

Pressure/ Motivation

Opportunity

Rationalization


Motivation

66% 27% 13% 12%

For personal financial gain and greed; Eager/“Because I can”; Organizational culture driven; Desire to meet targets/hide losses to receive bonus

12% 11% 10% 5%

Desire to meet budgets/hide losses to retain job; Desire to meet targets/hide losses to protect the company; Other not listed above

Other motives (less than 5%) include: Loss of confidence, avoidance of regulatory compliance, ratings driven, publicity driven, disruption of operations

Source: Global Profiles of the Fraudster, KPMG International, 2016


Cyber fraud Characteristics

Tend to be younger

Fewer years of service

More likely to act alone

More likely to have a sophisticated modus operandi

More likely to have conducted the fraud over a shorter span (83% less than one year)

Source: Global Profiles of the Fraudster, KPMG International, 2016


Was technology used as an enabler to perpetrate the fraud?

[Chart. Responses shown: Yes, the fraud could not have been perpetrated without using technology; Somewhat, but the fraud could likely have occurred without technology; Technology was not used to perpetrate the fraud; Yes, to a large degree technology was used to enable the fraud. Percentages shown: 16%, 26%, 47%, 8%.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Means of detection

[Chart. Means of detection shown: Tip-offs and complaints, other than formal hotline; Management review; Formal whistle blowing report/hotline; Accidental; Internal audit; Suspicious superior; Other internal control; External audit; Self-reported/admitted; Proactive fraud-focused data analytics. Percentages shown: 27%, 24%, 22%, 20%, 14%, 14%, 10%, 7%, 6%, 3%, 3%.]

Source: Global Profiles of the Fraudster, KPMG International, 2016


Red flags

• Weak internal control environment

• Management decisions dominated by an individual or small group

• Manager has very aggressive attitude

• Managers place great emphasis on earnings projections

• Consistently late reports

• Company has significant and unusual related-party transactions

• Company profit lags the industry

• Company is decentralized without much monitoring

• Auditors have doubt about company as a going concern

• Company has many difficult accounting measurement and presentation issues

• Company has significant transactions or balances that are difficult to audit

• Evasive when responding to auditor’s inquiries

• Company accounting personnel are lax or inexperienced in their duties


Take away points - PREVENT, DETECT & RESPOND

Be vigilant with internal threats
— Investigations
— Forensic D&A
— Whistleblowing programs/outsourcing

Know your business partners & third parties
— 3rd Party Risk Management
— Corporate intelligence/KYC reports

Perform risk assessments
— Fraud Risk Management
— Regulatory positioning services

Fight back with technology
— Forensic technology
— Cyber security
— D&A

Source: Global Profiles of the Fraudster, KPMG International, 2016


Cyber Security


The CIA Triad - the balancing act

Data

Availability

Conf.

Integrity


Cyber Security has become a conversation in every boardroom

March 2016 – Phishing attack leads to breach of employee tax data

Source: KrebsOnSecurity

November 2016 – 400 Million accounts breached

Source: BBC.com

March 2016 – Data breach results in leak of 1.5M client contact details

Source: CNBC

August 2015 – Thousands of users' email addresses and passwords compromised.

Source: Cayman Compass

April 2016 – 2.6 terabytes of client data is leaked to the media.

Source: The Guardian

February 2016 – Data affected by ransomware. Paid $17,000 to regain access.

Source: PRI


Regulators in the mix

Source: ZDNet. Sept 2015

April 2016


New “vectors” of threats are accelerating the concern

YESTERDAY…

Bad “Actors”: Isolated criminals, “Script Kiddies”

Targets Identity Theft Self Promotion

Opportunities Theft of Services

“Target of Opportunity”

TODAY…

Bad “Actors”: Organized criminals, Foreign States, Hacktivists

Targets: Intellectual Property, Financial Information, Strategic Access

“Target of Choice”


New “vectors” of threats are accelerating the concern

WHO ARE THEY? THE THREAT ACTORS

HACKTIVISM

ORGANISED CRIME

THE INSIDER

STATE-SPONSORED


Hacktivism

• Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing

• Hacking for fun … !


Organised Crime

• Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)

• Common attacks: Theft of PII for resale and misuse or resources for hosting of illicit material

• Employ blackmail in terms of availability (Threats of denial of service attacks to companies and threats of exposing individuals to embarrassment)


State Sponsored

• Nations where commercial and state interests are very aligned

• Military or Intelligence assets deployed in commercial environments

• Main aim to achieve competitive advantage for business

• Theft of commercial secrets (Bid information, M&A details)


The Insider

Source: Prism Magazine

Who has access to what?

Recent finds: Administrator passwords, payroll, passports & databases!

Access to the CEO’s desktop PC

“Any user with access to valuable assets can act maliciously”


Missing the basics

Did not install a simple security fix on an overlooked server


Weak passwords

Source: Cayman Compass

Popular passwords

0 111111 Cayman

123456 Password Cayman1

1234567 Password1 Ecaytade


Free WiFi

Source: Gizmodo.com


Social engineering

The art of manipulating people into performing actions or divulging confidential information.


Social engineering – four elements

Four elements used in combination

Impersonation & persuasion

Sanitation reconnaissance

Internet & e‐mail spoofing

Unauthorized physical access


Social engineering – real world example

Attack


RansomWare


Dumpster diving


Physical security

It’s underrated!


Security while traveling

Source: ABCNews. 2012

Source: CNN.com


Key takeaways

Cyber Security is an increasingly “Top of House” issue that is being discussed in the Boardroom and the C-Suite. It is NOT simply a technology issue.

When it is a technology issue, it often comes down to the basics.

Physical Access = Logical Access

Employee training and awareness is a key part of Information Security.


Thank you

kpmg.ky

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
