08/27/2009 -
Jon McDowall, CFE, PCI, CIFI, CII, is chief executive officer of the Fraud Resource Group. For the past 20 years, Jon has conducted thousands of identity-related, economic, insurance, and fraud investigations. He is also the chairman of the ASIS Economic Crime Council. An educator as well as an expert, Jon has delivered workshops and training sessions to individuals and businesses on four continents. Winner of the “Outstanding Achievement in Anti-Fraud Education” from the Association of Certified Fraud Examiners, Jon’s seminar session will show businesses how to protect themselves against fraud in uncertain economic times.
Jon, what are you going to talk about at Seminar?
Studies show that about seven percent of corporations’ annual revenues are lost to fraud each year. From my perspective, that seven percent could be the difference between solvency and, potentially, bankruptcy for businesses in today’s economy. What this session is designed to do is lay the foundation for some of the emerging risks that I’m seeing facing businesses as well as traditional risks and frauds. Then it will provide a sort of top-ten approach to assessing those risks and dealing with them.
So there are new threats and old threats. Could you discuss some of the new, dangerous threats that have hit corporations over the last year or so?
Traditional threats are embezzlement, payroll schemes, expense account schemes, and financial statement frauds—nothing new there. The new risks I’m concerned about oftentimes revolve around social engineering attempts that come at corporations of all sizes through various means: phone, e-mail, instant message, off the Web site, and actually in person. I’m concerned with the continued evolution of phishing schemes and how they’re used to compromise trade secrets and company-sensitive data.
How do phishers use their ruses to get people to divulge information? To disseminate trade secrets over e-mail seems foolish to say the least.
A couple of ways: We’re seeing a lot of targeted attacks directed at a senior manager or an officer of an entity. They’re not sending out spam. They’re targeting these people by name, doing online research about them in advance. Unfortunately, our LinkedIn, our Spoke, and various other means out there also provide quite a bit of information for fraudsters to do their homework. They do that homework, target an attack—oftentimes at the executive level of an organization—and use those social engineering techniques to either infer they already know or had a discussion with these individuals to get them to lower their guard.
The other thing that’s happening with a lot of these attacks is malicious code introduced into the business environment without the person’s knowledge. So they may receive an e-mail, a link, or an attachment, and as a result that malicious code is “keylogging” or tracking data and stealing information. We have two breach sources: the unwitting, voluntary disclosure of sensitive information on the part of employees, and then you have the unknown disclosure of sensitive information through the use of malicious code and keylogging programs.
Let’s take a closer look at the voluntary scams. What are the most popular scams you have seen?
We’re seeing in the targeted attacks the two-pronged approach. They’re using both. They’re getting people to divulge the information and they’re using malicious code. One example is a complaint against the business purportedly filed with the Department of Justice. I’ve seen quite a few of these. They’re addressed to only one person within that corporation, usually the CEO or CFO. So an e-mail addressed to the CEO or the CFO of the organization puts them on notice that there has been a complaint filed against their company with the Department of Justice, references a complaint number, talks about the DOJ’s process of dealing with these complaints, and says “for your reference, we’ve included a copy of the complaint.”
Now who isn’t going to click on that link? They’re going to go to that attachment and open it up, and they’re going to unleash that malicious code without their knowledge. The most important part is getting them to open up that attachment to install the malicious code on the computer. Studies show that about 80 percent of this malicious code is not being detected by antivirus programs. So they are successful a majority of the time.
So what are scamsters looking for besides trade secrets? What’s the easiest way for them to make a quick buck?
One of the trends that I’m seeing is that they’re expanding their horizons. They used to just look for personally identifying information (PII), or would-be victims’ Social Security numbers, dates of birth, addresses, phone numbers, things that can be marketed on these online forums that barter, trade, sell, and buy compromised data. On the other hand, the trend I want to convey here is that they’re looking for trade secrets, for company sensitive information, even for correspondence that indicates a pending sale or acquisition. Things like that that in the right hands are worth money and can give an unfair competitive advantage.
Are legitimate businesses paying scamsters to do this?
I would think that most people approached by a nefarious sort would want to vet this information: “Where did it come from? How did you get it?” But there are shades of gray in these things. The reality is that once information is compromised and out there, it can cause problems for businesses on a number of levels.
Such as?
Not only information getting into a competitor’s hands, but into the public’s or the press’s hands.
We’ve mainly discussed outside threats. But with the economy the way it is right now, what about the insider threats?
The insider risk has always been there. Studies show that major frauds in organizations are conducted by tenured employees—long-term, trusted employees with no prior criminal history. Over and over and over again, studies show that. So you have a trusted person, who has been with your organization for a long time, and they’ve been in a position where they have identified the weaknesses of that organization, perhaps a long time ago. But now, because of new pressures that he or she is feeling, perhaps a foreclosure on their home or credit card debt that is unmanageable, that person succumbs to that weakness, that temptation.
How can companies protect themselves if generally insider threats come from long-term, trusted employees? What behaviors do they need to be on the lookout for?
This is one of the most difficult because they are trusted employees. They’re not easy to discover. I’ve been doing these investigations for about 21 years. When you go back and do the investigation and you interview coworkers and things like that, you’ll find coworkers that say, “I thought he or she was acting differently.” “I felt like he was snooping around at information that he never did before.” “He was asking inappropriate questions.” And yet they don’t report it. They don’t send their concerns to management. They don’t use the toll-free hot line to report concerns. So in my mind the single best resource is to ensure that they have a means to report their concerns in a semi-anonymous manner. I don’t like complete anonymity because you can’t go back and interview these people and ask them what their concern was.
They have to be confident when they give information that the rest of the corporation isn’t going to find out, right?
Exactly, that the information will be kept confidential. But anonymous leads, unfortunately, often go nowhere. They might give a little bit of information on a hot line or a toll-free number but there is no way to follow up that lead. It is really important they be treated in confidence and with dignity and then have that discretion maintained after the investigation and perhaps after the insider’s termination. If it all drags out and everybody knows who ratted this person out, it’s not going to go well the next time.