
Types of Frauds and Evolution of Cyber Fraud Techniques – Unit 3


Evolution of fraud
1990 – 1999
• Hawala transactions
• Ponzi schemes
• Fake currency
• Cheque forgery
• Advancing loans without adequate due diligence
• Siphoning of investors’ money through fictitious companies
• Use of fictitious government securities
2000 – 2015
• Tax evasion and money laundering
• Black money stashed abroad
• Cybercrime
• Debit/credit card fraud
• Identity theft
• Fake demat accounts
• Benami accounts
• Collusive frauds involving kickbacks to employees of financial institutions
• Use of forged instruments such as stamp papers and shares
• Violation of Know Your Customer (KYC) norms
Understanding fraudulent behavior
• Fraud can be defined as an intentional deception designed for personal
gain. Fraudulent behaviour constitutes criminal activity and can
lead to significant consequences, including imprisonment.
• There are many types of fraudulent behaviour connected to companies.
They include:
– insider dealing and market abuse
– money laundering
– bribery
– fraudulent and wrongful trading, and
– general criminal activity in the management of a company
Five tips for using behavioural analytics to combat fraud
• Use behavioural analytics to detect suspicious customer activity
• Take advantage of advanced forensic software tools that will help you
replay website user sessions through the eyes of the potential fraudster
• Act quickly to understand the full impact of the breach
• Notify the affected parties while causing minimal disruption to the brand’s
reputation
• Continue using tools to identify potential data breaches in near real time
Types of Frauds

• Lottery Scams
• Letters from West Africa Scheme
• Money Muling
• Miracle Cure Scams
• Loan Fraud
• Psychic Scheme
• Pay-Per-Click Scam
• Pharming
• Call Tag Scheme
• Automotive Fraud
Types of Frauds (Cont.)
Lottery scams
• Lottery scams are a type of cyber fraud that occur when a criminal contacts
a victim through email to inform them that they won a huge amount in an
international lottery or another prize drawing. They then ask you to contact
an official with the company to begin processing your winnings. They
request personal information to confirm your identity, like copies of your
passport or birth certificate, and then steal it. The scammers then require
you to pay legal fees, bank fees, taxes, etc., prior to receiving your
winnings and continually provide excuses for why the fees need to be
paid. They may even ask to direct deposit the nonexistent winnings into
your bank account and empty it once they receive your account
information.
Types of Frauds (Cont.)
Letters from West Africa Scheme
• Also known as 419 fraud, the letters from West Africa scheme involves the
victim receiving money from a foreign country, like Iraq or a country in
West Africa, into their own bank account and forwarding it to another
account in exchange for a portion of the transferred money. A criminal pretends to be a person of
authority and sends you an email requesting your assistance in moving a
significant amount of funds out of their country. They trick you by
providing well-constructed lies about where the money originated and why
they cannot make the transfer themselves. Then they begin to ask you to
pay for different legal fees or taxes for the transfer, which they promise you
will receive back after you provide your bank account information and they
transfer the funds. Cyber fraud victims never receive the money transfer
and the con artist keeps the fee money and empties your bank account.
Types of Frauds (Cont.)
Money Muling
• Money muling is similar to the Letters from West Africa scheme. It occurs
when a person knowingly or unknowingly transfers funds obtained illegally
between different countries. Criminals recruit third-party persons through
advertisements or posts on social media with the opportunity to make
money quickly. The victims receive the stolen money, withdraw it from
their account, and then transfer the money to the scammer’s overseas
account. They do this because the criminal allows them to keep a portion of
the funds as payment for the transfer. Even if you do not know you are
transferring stolen funds, you could be subject to prosecution for money
laundering and cyber fraud.
Types of Frauds (Cont.)
Miracle Cure Scams
• Many of the advertisements you see regarding miracle cures for weight loss
or super foods with amazing health benefits are simply cyber fraud scams.
Sometimes scammers pose as a pharmaceutical or alternative health
company to market products that have never been tested or approved as
medically beneficial. These fake products may even be dangerous if used.
The victim pays for the product based on fake clinical research, fabricated
testimonials, and meaningless guarantees.
Loan Fraud
• Loan fraud is a type of cyber fraud that generally affects people in
underprivileged and desperate situations. They turn to the internet to find a
low-cost loan and end up being scammed. The con artist advertises fast
loans with approval regardless of a victim’s credit history. They ask for a
fee upfront for loan insurance or a deposit. Once the victim pays the fee,
they never receive the loan or hear from the scam artist again.
Types of Frauds (Cont.)
Psychic Scheme
• Psychic or clairvoyant cyber fraud occurs when a scam artist pretends to be
a psychic with the ability to see your future. They contact a victim through
email or an advertisement and promise you the winning lottery numbers,
offer to undo a curse, or even that you may be in some kind of trouble and
they know how to get you out. The scammer fools the victim into paying
for a full report or to receive more information in exchange for money.
Pay-Per-Click Scam
• A Pay-Per-Click scam, also known as Click Fraud, impacts businesses that
pay for a company to provide click advertising for them. The advertising
company charges the client every time someone clicks on the banner or
advert. Once the ad or link has been clicked a certain number of times, they
are no longer displayed so the client must pay the advertising company to
put up another advert. Cyber fraud occurs when the company clicks on the
adverts to drive up the cost for the client either by hand or through a
computer program.
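The passage above describes click fraud from the advertiser's side. The following is an added example, not part of the original slides, showing how an advertising platform or its client could spot the two tell-tale patterns of automated clicking in its own click log: many clicks on one advert from one source within a short window, and clicks spaced with machine-like regularity. The log lines, the advert names and the addresses (RFC 5737 documentation ranges) are constructed for the example; the thresholds are assumptions to be tuned per campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed click log (timestamp, advert id, client address); not real traffic.
CLICK_LOG = [
    "2024-03-01T10:00:00 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:03 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:06 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:09 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:12 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:15 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:18 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:00:21 ad=spring-sale ip=203.0.113.5",
    "2024-03-01T10:02:00 ad=spring-sale ip=198.51.100.22",
    "2024-03-01T11:10:00 ad=spring-sale ip=198.51.100.22",
    "2024-03-01T10:05:00 ad=summer-sale ip=203.0.113.5",
]


def parse_click(line):
    """Split one constructed log line into (timestamp, advert id, client address)."""
    ts, ad, ip = line.split()
    return datetime.fromisoformat(ts), ad.split("=", 1)[1], ip.split("=", 1)[1]


def max_clicks_in_window(times, window):
    """Largest number of clicks that fall inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_click_sources(lines, window=timedelta(seconds=60), max_clicks=5):
    """Return (advert, address, reasons) for sources whose clicks look automated.

    Thresholds are assumptions for the example: more than `max_clicks` clicks on
    one advert within `window`, or near-constant spacing between clicks.
    """
    by_source = defaultdict(list)
    for line in lines:
        t, ad, ip = parse_click(line)
        by_source[(ad, ip)].append(t)

    findings = []
    for (ad, ip), times in sorted(by_source.items()):
        reasons = []
        burst = max_clicks_in_window(times, window)
        if burst > max_clicks:
            reasons.append(f"{burst} clicks within {int(window.total_seconds())}s")
        if len(times) >= 4:
            ordered = sorted(times)
            gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
            if pstdev(gaps) < 0.5:  # humans do not click on a fixed timer
                reasons.append("machine-regular click spacing")
        if reasons:
            findings.append((ad, ip, reasons))
    return findings


if __name__ == "__main__":
    for ad, ip, reasons in flag_click_sources(CLICK_LOG):
        print(f"{ad} from {ip}: {'; '.join(reasons)}")
```

Flagged sources would then be excluded from billing or reviewed by hand; the 198.51.100.22 client, with two clicks an hour apart, is left alone.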
Types of Frauds (Cont.)
Pharming
• One of the most effective forms of cyber fraud, pharming involves a
scammer redirecting traffic from a valid website to their own fake website
mirroring the legitimate one. They exploit the Domain Name System
(DNS) by confusing a computer’s mapping from the domain name to the IP
address. This makes a victim’s computer connect to the scammer’s server
instead of the valid one. They trick the victim into providing personal and
financial information including bank accounts, credit card numbers,
passwords, and PINs. Most companies use a Secure Sockets Layer (SSL)
certificate to provide encrypted verification of their site, but a victim is not
protected if they ignore their browser’s warning that the SSL certificate does
not match the server address.
Types of Frauds (Cont.)
Call Tag Scheme
• A call tag scheme occurs after a criminal illegally obtains someone’s credit card
information. The con artist purchases items online using the victim’s actual address
for shipping, but linking the tracking information to their own email. They commit
cyber fraud by impersonating the company and calling the owner of the credit card
to inform the victim they accidentally shipped the goods. They request to pick-up
the package once it arrives. The criminal then arranges a pick up through another
shipping company using a “call tag” to get the product. Once the victim realizes the
fraudulent charge, they request a chargeback from the unknowing merchant.
Automotive Fraud
• Automotive fraud involves a scammer selling a nonexistent vehicle through a site
like Craigslist, Cars.com, or AutoTrader.com. They choose a high-end sports car or
luxury vehicle and advertise it much cheaper than the blue book value. The
potential buyer contacts the scammer who informs them that they are out of town
and the vehicle is located overseas. The criminal offers to ship the vehicle even
while away and instructs the buyer to make a deposit or the full payment through
Western Union or another type of wire transfer. They make the cyber fraud seem
valid by also posing as a fake third-party agent guaranteeing purchase protection.
Fraud – Internal and External
Internal Fraud – Fraud by employees:
Internal fraud includes employees undertaking any of the following
actions:
• Theft of cash or stock.
• Theft from other employees.
• Not charging friends, family or accomplices.
• Allowing accomplices to use bad credit.
• Supplying receipts for refunds.
• Allowing friends to steal, or
• Participating in delivery scams.
Internal Fraud
• Sometimes employees will rationalise the fraud by:
• Trivialising the offence: “They can afford it”, “No harm done”,
“Everyone does it”.
• Claiming unfair treatment as a justification.
o Missing out on promotion.
o Feeling remuneration is inadequate.
o Unfair treatment compared to colleagues.
o Disciplinary action.
o Resentment at lack of appreciation.
Internal Fraud
The risk of internal fraud includes:
• Stolen, embezzled or ‘discounted’ stock.
• Loss of cash or securities.
• Loss of company funds or critical information, and/or
• Loss or damaged business reputation and custom.
Risk of internal fraud by employees who:
• Work long hours.
• Return to work after hours.
• Are unusually or overly inquisitive about the company’s payment system.
• Resist taking annual or sick leave.
• Avoid having others assist or relieve them.
• Resign or leave suddenly.
• Have a large number of voids.
• Have a low number of transactions.
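Several of the warning signs listed above (after-hours activity, a large number of voids, a low number of transactions) can be checked mechanically against the register log rather than by memory. The following is an added example, not from the original slides, that summarises a point-of-sale log per cashier and flags the ones whose void rate or after-hours activity stands out. The log records, the trading hours and the thresholds are constructed assumptions for the example; a real deployment would set them from the business's own history.

```python
from collections import defaultdict
from datetime import datetime

# Constructed point-of-sale log: (timestamp, cashier id, event type, amount). Not real data.
POS_LOG = [
    ("2024-05-06 09:15:00", "cashier-01", "sale", 42.10),
    ("2024-05-06 09:40:00", "cashier-01", "sale", 18.00),
    ("2024-05-06 10:05:00", "cashier-01", "void", 18.00),
    ("2024-05-06 11:30:00", "cashier-01", "sale", 65.50),
    ("2024-05-06 12:10:00", "cashier-01", "sale", 12.99),
    ("2024-05-06 13:00:00", "cashier-01", "sale", 30.00),
    ("2024-05-06 09:20:00", "cashier-02", "sale", 22.00),
    ("2024-05-06 09:25:00", "cashier-02", "void", 22.00),
    ("2024-05-06 09:50:00", "cashier-02", "sale", 80.00),
    ("2024-05-06 09:55:00", "cashier-02", "void", 80.00),
    ("2024-05-06 10:30:00", "cashier-02", "sale", 15.00),
    ("2024-05-06 22:45:00", "cashier-02", "sale", 5.00),
    ("2024-05-06 22:47:00", "cashier-02", "void", 5.00),
]

OPENING_HOUR, CLOSING_HOUR = 8, 20  # trading hours assumed for the example
VOID_RATE_LIMIT = 0.25              # more than a quarter of events voided is unusual here
MIN_EVENTS = 5                      # below this, a rate is too noisy to judge


def summarise_cashiers(log):
    """Count sales, voids, voided value and after-hours events per cashier."""
    stats = defaultdict(lambda: {"sales": 0, "voids": 0, "after_hours": 0, "void_value": 0.0})
    for ts, cashier, kind, amount in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        s = stats[cashier]
        if kind == "void":
            s["voids"] += 1
            s["void_value"] += amount
        else:
            s["sales"] += 1
        if not OPENING_HOUR <= when.hour < CLOSING_HOUR:
            s["after_hours"] += 1
    return dict(stats)


def flag_cashiers(log):
    """Return (cashier, reasons) for cashiers whose register behaviour warrants a review."""
    findings = []
    for cashier, s in sorted(summarise_cashiers(log).items()):
        events = s["sales"] + s["voids"]
        reasons = []
        if events >= MIN_EVENTS and s["voids"] / events > VOID_RATE_LIMIT:
            reasons.append(f"void rate {s['voids'] / events:.0%} across {events} events")
        if s["after_hours"]:
            reasons.append(f"{s['after_hours']} after-hours register events")
        if reasons:
            findings.append((cashier, reasons))
    return findings


if __name__ == "__main__":
    for cashier, reasons in flag_cashiers(POS_LOG):
        print(f"{cashier}: {'; '.join(reasons)}")
```

A flag is a prompt for a supervisor to look at the receipts and documentation (Step 3 below), not proof of anything; the point of the thresholds is to make the review consistent rather than dependent on who happens to notice.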
Steps to reduce the risk of internal fraud

Step 1: Develop clear policies that cover:


• Serving or processing transactions for family and friends.
• Personal purchases/transactions.
• Personal use of equipment such as telephones, lap-top computers, video
cameras etc.
• Authorised delegations.
Step 2: Have clear transaction procedures, including:
• A pre-determined ‘float’.
• Petty cash limits.
• Daily banking – by two people if possible.
• Dual signatures on cheques.
• Provision of receipts and acknowledgment of transactions.
• Limited access to the safe by staff.
• Keeping registers closed unless in use, and
• Segregating purchasing, receipting and paying.
Steps to reduce the risk of internal fraud
Step 3: Provide strong, consistent supervision of staff:
• Have supervisors monitor delegations.
• Supervise employee compliance with procedures.
• Regularly review cash shortages and report instances where an explanation is
unsatisfactory.
• Have supervisors check receipts and documentation.
• Challenge suspicious transactions.
Step 4: Regularly review and monitor your register of assets and your transactions:
• Record all transactions.
• Conduct regular stock takes.
• Keep a register of your tools, equipment and assets.
• Wherever possible, engrave your business property with an identifying number.
Steps to reduce the risk of internal fraud
Step 5: Establish strong audit procedures:
• Reconcile bank deposits with register totals regularly.
• Acquit all claims and allowances to avoid duplicate or multiple payments.
• Audit IT systems regularly.
• Conduct regular and random audits of all processes.
• Randomly check wages and allowances for overpayments.
Step 6: Maintain security of information:
• Limit access to confidential information.
• Enforce the use of employee ID.
• Regularly change passwords for computers, alarms etc.
• Review and investigate security violations.
• Cancel access promptly when people transfer or leave.
Steps to reduce the risk of internal fraud
Step 7: Establish strong human resource management procedures:
• Undertake pre-employment screening.
• Implement equitable remuneration system.
• Provide job descriptions that segregate duties.
• Provide adequate training and education.
• Communicate policies, expectation of compliance, audit regime and
consequences of non-compliance.
External Fraud – Fraud by suppliers
External fraud by suppliers includes:
• Short or inferior supply of goods.
• Payment for services and goods not supplied.
• Kickbacks for biased selection of suppliers.
• Payments to bogus vendors for false claims.
• Cheques written for cash only or not properly authorised.
• Purchase of goods for private use.
External Fraud – Fraud by suppliers
Fraud by suppliers can be prevented by:
• Ensuring staff are appropriately trained in accounts payable and stores
functions.
• Ensuring that supervision occurs over processing receipts and payments for
expenditure.
• Ensuring that purchasing, receipting and payment functions are segregated so
that no single person performs all three duties.
• Ensuring there are guidelines for relationships between your business
members and suppliers to avoid bias and inducements from suppliers
(gifts).
• Ensuring audits are conducted on all areas of purchasing including petty
cash, non-receipted items and all invoices.
Phishing
• Phishing is a cybercrime in which a target or targets are contacted by email,
telephone or text message by someone posing as a legitimate institution to
lure individuals into providing sensitive data such as personally identifiable
information, banking and credit card details, and passwords.
• The information is then used to access important accounts and can result in
identity theft and financial loss.
• The first phishing lawsuit was filed in 2004 against a Californian teenager
who created the imitation of the website “America Online”. With this
fake website, he was able to gain sensitive information from users and
access the credit card details to withdraw money from their accounts. Other
than email and website phishing, there’s also 'vishing' (voice phishing),
'smishing' (SMS Phishing) and several other phishing techniques
cybercriminals are constantly coming up with.
Common Features of Phishing Emails
• Too Good To Be True - Lucrative offers and eye-catching or attention-
grabbing statements are designed to attract people’s attention immediately.
For instance, many claim that you have won an iPhone, a lottery, or some
other lavish prize. Just don't click on any suspicious emails. Remember that
if it seems too good to be true, it probably is!
• Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you
to act fast because the super deals are only for a limited time. Some of them
will even tell you that you have only a few minutes to respond. When you
come across these kinds of emails, it's best to just ignore them. Sometimes,
they will tell you that your account will be suspended unless you update
your personal details immediately. Most reliable organizations give ample
time before they terminate an account and they never ask patrons to update
personal details over the Internet. When in doubt, visit the source directly
rather than clicking a link in an email.
Common Features of Phishing Emails (Cont.)
• Hyperlinks - A link may not be all it appears to be. Hovering over a link
shows you the actual URL where you will be directed upon clicking on it.
It could be completely different or it could be a popular website with a
misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r'
and an 'n', so look carefully.
• Attachments - If you see an attachment in an email you weren't expecting
or that doesn't make sense, don't open it! They often contain payloads like
ransomware or other viruses. The only file type that is always safe to click
on is a .txt file.
• Unusual Sender - Whether it looks like it's from someone you don't know
or someone you do know, if anything seems out of the ordinary,
unexpected, out of character or just suspicious in general don't click on it!
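The hyperlink check above (hover, then read the real address and look for substitutions such as "rn" for "m") is the kind of thing a mail gateway or browser extension can do on the user's behalf. The following is an added example, not from the original slides, that classifies a link's destination against a small allow-list of brand domains: an exact match is legitimate, a domain that becomes a brand once confusable characters are folded (rn to m, 1 to l, 0 to o) is a lookalike, a brand name used as a subdomain of some other site is a lookalike, and anything within two edits of a brand is treated the same way. The brand list, the confusable table and the "last two labels" view of a registrable domain are assumptions made for the example; production code would use the public suffix list and a fuller confusables table.

```python
from urllib.parse import urlparse

# Constructed allow-list of brand domains worth protecting (not any real organisation's list).
BRAND_DOMAINS = ("bankofamerica.com", "paypal.com", "apple.com")

# Character sequences that look alike in many fonts: (impostor spelling, letter imitated).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def host_of(url):
    """Lower-cased hostname of a URL with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def registrable_domain(host):
    # Simplification assumed for the example: the last two labels are the registrable
    # domain. Real code consults the public suffix list (co.uk and similar suffixes).
    return ".".join(host.split(".")[-2:])


def fold_confusables(text):
    """Rewrite impostor sequences to the letters they imitate (bankofarnerica -> bankofamerica)."""
    for impostor, real in CONFUSABLES:
        text = text.replace(impostor, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, brands=BRAND_DOMAINS):
    """Return ('legitimate' | 'lookalike' | 'unknown', matched brand or domain)."""
    host = host_of(url)
    domain = registrable_domain(host)
    if domain in brands:
        return ("legitimate", domain)
    for brand in brands:
        if host.startswith(brand + "."):        # brand used as a subdomain of another site
            return ("lookalike", brand)
        if fold_confusables(domain) == brand:   # rn -> m, 1 -> l, 0 -> o ...
            return ("lookalike", brand)
        if edit_distance(domain, brand) <= 2:   # a typo away from the brand
            return ("lookalike", brand)
    return ("unknown", domain)


if __name__ == "__main__":
    for link in ("https://www.bankofamerica.com/login",
                 "http://www.bankofarnerica.com/login",
                 "http://paypa1.com/",
                 "http://bankofamerica.com.verify-login.example/"):
        print(link, "->", classify_link(link))
```

The subdomain rule matters as much as the confusable one: the real owner of `bankofamerica.com.verify-login.example` is `verify-login.example`, which is exactly what hovering over the link is meant to reveal.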
Prevent Phishing Attacks
• To protect against spam mails, spam filters can be used. Generally, the filters assess
the origin of the message, the software used to send the message, and the
appearance of the message to determine if it’s spam. Occasionally, spam filters may
even block emails from legitimate sources, so it isn’t always 100% accurate.
• The browser settings should be changed to prevent fraudulent websites from
opening. Browsers keep a list of fake websites and when you try to access the
website, the address is blocked or an alert message is shown. The settings of the
browser should only allow reliable websites to open up.
• Many websites require users to enter login information while the user image is
displayed. This type of system may be open to security attacks. One way to ensure
security is to change passwords on a regular basis, and never use the same password
for multiple accounts. It’s also a good idea for websites to use a CAPTCHA system
for added security.
• Banks and financial organizations use monitoring systems to prevent phishing.
Individuals can report phishing to industry groups where legal actions can be taken
against these fraudulent websites. Organizations should provide security awareness
training to employees to recognize the risks.
• Changes in browsing habits are required to prevent phishing. If verification is
required, always contact the company personally before entering any details online.
• If there is a link in an email, hover over the URL first. Secure websites with a
valid Secure Socket Layer (SSL) certificate begin with “https”. Eventually all sites
will be required to have a valid SSL.
Pharming
• Pharming refers to redirecting website traffic through hacking, whereby the
hacker implements tools that redirect a search to a fake website. Pharming
may cause users to find themselves on an illegitimate website without
realizing they have been redirected to an impostor site, which may look
exactly like the real site.
• Pharming occurs when hackers locate vulnerabilities in Domain Name
System (DNS) server software. Pharming can also occur by altering the hosts
file on the targeted computer. Online banking websites as well as e-
commerce organizations have become popular pharming targets. Desktops
are also vulnerable to pharming threats due to their lack of security
administration. Pharming and phishing threats have been used
simultaneously and these can cause the most potential for online identity
theft. Unfortunately, anti virus and anti-spyware software are often
incapable of protecting against this type of cybercrime.
Pharming (Cont.)
• When a user types a domain name into his or her Web browser's address field and
hits enter, the domain name is translated into an IP address via a DNS server. The
Web browser then connects to the server at this IP address and loads the Web page
data. After a user visits a certain website, the DNS entry for that site is often stored
on the user's computer in a DNS cache. This way, the computer does not have to
keep accessing a DNS server whenever the user visits the website.
• One way that pharming takes place is via an e-mail virus that "poisons" a user's
local DNS cache. It does this by modifying the DNS entries or the hosts file. For
example, instead of having the IP address 17.254.3.183 direct to www.apple.com, it
may direct to another website determined by the hacker. Pharmers can also poison
entire DNS servers, which means any user that uses the affected DNS server will be
redirected to the wrong website. Fortunately, most DNS servers have security
features to protect them against such attacks. Still, they are not necessarily immune,
since hackers continue to find ways to gain access to them.
• While pharming is not as common as phishing scams are, it can affect many more
people at once. This is especially true if a large DNS server is modified. So, if you
visit a certain website and it appears to be significantly different than what you
expected, you may be the victim of pharming. Restart your computer to reset your
DNS entries, run an antivirus program, then try connecting to the website again. If
the website still looks strange, contact your ISP and let them know their DNS server
may have been pharmed.
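Both pharming passages above mention the same local foothold: malware rewriting the hosts file so that a bank's name resolves to the attacker's server before DNS is ever consulted. The following is an added example, not from the original slides, of a small audit a help desk or endpoint agent could run over the hosts file: it parses the file, skips comments, and reports any entry that pins a watched domain (a bank, a vendor) or maps any name to a non-local address, since a hosts file legitimately holds only loopback and LAN names. The file contents and the watched-domain list are constructed for the example, and the attacker addresses come from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed hosts-file content; the 203.0.113.x / 198.51.100.x addresses are
# documentation ranges standing in for an attacker's server. Not a real system's file.
HOSTS_FILE = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.lan printer.lan
203.0.113.7     www.mybank.example mybank.example   # planted by malware in this example
198.51.100.9    www.apple.com
198.51.100.40   update.example
"""

# Domains that should never be pinned locally (assumed list for the example).
WATCHED_DOMAINS = ("mybank.example", "apple.com")

# Address ranges a hosts file legitimately names: loopback, RFC 1918, link-local, IPv6 ULA.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter audit would report it
        for name in fields[1:]:
            yield ip, name.lower()


def is_local(ip):
    return any(ip in net for net in LOCAL_NETWORKS)


def is_watched(name, watched=WATCHED_DOMAINS):
    return any(name == w or name.endswith("." + w) for w in watched)


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, address, reason) for entries that look like pharming."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_watched(name, watched):
            findings.append((name, str(ip), "watched domain pinned in hosts file"))
        elif not is_local(ip):
            findings.append((name, str(ip), "name mapped to a public address"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in suspicious_hosts_entries(HOSTS_FILE):
        print(f"{name} -> {ip}: {reason}")
```

The "public address" rule is deliberately broader than the watch list: an entry for a name nobody thought to watch is still out of place in a hosts file, and on a compromised machine it is usually the first one worth asking about. Note that a watched domain pinned to 127.0.0.1 is also reported, since that silently blocks the site rather than redirecting it.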
Drive-by pharming
• Drive-by pharming is a specific type of outside attack on a local network
that targets a vulnerable and local IP router or similar hardware device.
According to Web security experts, it is easy for hackers to locally attack
small IP networks and redirect user traffic or infiltrate systems with
malware.
• In drive-by pharming, the design of the attack is often based on the factory
setting of most routers that are sold to consumers. Many of these routers
come with factory default passwords to control access. Hackers can exploit
this security hole and introduce malicious JavaScript (JS) code that
redirects URLs and leads users to perilous websites. This type of attack is
common to low-end routers and products of more sophisticated hardware
providers, like Cisco.
• The term pharming is used in drive-by pharming to distinguish it from
phishing, another common type of attack. Pharming refers to the use of URL
takeovers to access private data.
• Experts have noted that drive-by pharming may be used to simultaneously
affect many local networks. In other words, it is a less labor-intensive form
of hacking than others.
Trojans and tool kits
• Trojans are the future of cyber fraud and are even beginning to dominate its
present. Trojans automate what had previously been done by hand; Trojans
simply download a victim's stored information or record the keystrokes,
rather than rely upon a user to enter his or her information into a phishing
page's fields. Trojan/phishing toolkits also allow users to customize
multiple variants of Trojans, which through continuous variability makes
them more successful and less immediately detectable.
• Malicious code targeting financial institutions can be broken up into two
related categories: targeted code and generic, kit-based Trojans. While
malicious code authors design specific Trojan horses to target financial
institutions with login systems with more advanced designs than standard
username and passwords, less advanced pieces of malicious code such as
generic keystroke logging Trojans and generic form-grabbing Trojans also
cause financial burdens on institutions.
• There are several basic categories of Trojans, differentiated here by their
behavioral function, rather than by their design, that is, the manner in
which they compromise a system, or distribution scheme.
Keystroke logging
• Keystroke logging software or keyloggers are the simplest forms of
information stealing software. Keystroke logging records each key typed
on the victim's keyboard. Keystroke logging produces large amounts of
data that include spaces, line breaks, and backspace keys. Trojan authors have
incorporated keystroke logging in Trojan and Remote Administration Tool
(RAT) toolkits since the late 1990s. Keystroke logging became widespread
with early Trojans such as BackOrifice, Netbus, and SubSeven. Today,
keystroke loggers are features found in many RATs such as Nuclear Rat,
ProRAT, and Bifrost. Many other types of Trojans have generic keyloggers
that gather large amounts of stolen data, even if the attacker is not targeting
specific sites. In addition to RATs, generic keyloggers are often present in
online game credential stealing Trojans and various IRC bot families.
Keystroke logging is not capable of grabbing forms.
Form Grabbing
• Keystroke logging is a way to reveal all text typed by a user. Obvious
disadvantages include unmanageable amounts of data and the inability to capture
important pieces of data such as drop-down boxes, check boxes, and fields entered
without a keyboard. Form grabbing is a generic term given to the ability to capture
all fields sent via POST and GET requests by intercepting the form before the
browser sends it to the server. Attackers have two primary options to achieve this
feat. Attackers can sniff GET and POST requests directly from traffic on the system
using libraries such as Windows Packet Capture (WinPCAP). Attackers can also
inject dynamic link libraries (DLLs) into browsers to intercept requests before they
are sent to the server. Attackers most commonly achieve this by using a browser
helper object (BHO) with Internet Explorer. This method has the added advantage
of being able to capture requests before they are encrypted and retrieve the results
after they are decrypted.
• Because most sites that require authentication use Secure Sockets Layer (SSL),
the in-browser method is the only one that will work, since traffic sniffed on the
wire is already encrypted. Generic form grabbing for SiteKey users connecting
from their validated computers will likely leave attackers with insufficient
information to log in from unknown foreign computers. Many Trojans also
provide proxy access; however, this can allow attackers to connect from the
infected system, where they will not be prompted for the additional questions.
Screenshots and Mouse-Event Capturing
• Trojan authors added the ability to take screenshots and capture mouse events
around the same time they added the ability to log keystrokes. Despite this, many
information stealing Trojans that simply copied the techniques of common RATs
did not add this ability until banks started using virtual keyboards to enter
credentials. If an institution does not currently use virtual keyboards, then the
use of this feature in Trojans will not have a significant impact. Screenshots,
however, may add value as attackers may want to capture users' SiteKey images
for future attacks.
Phishing and Pharming Trojans
• Phishing and pharming Trojans are nearly identical. The core similarity is
that when a user intends to go to a certain Web site, their path is redirected
and an alternate site is displayed. The confusion stems mainly from the
definition of pharming and whether redirecting a user to a specific URL is
phishing or pharming, as many security companies' definitions of pharming
would count only redirection of the entire domain to a separate IP that then
must be able to accept the entire host.
• The argument is not important, because both techniques work in essentially
the same manner: a user is redirected to a set of convincing templates. The
most advanced application of this type of Trojan involves connecting to the
real site so that the real SSL exchange happens and the URL bar is left
intact while simultaneously overlaying a phishing page.
HTML injection
• HTML injection is a way for attackers to carry out an "on-the-fly" phishing
attack. Victims visit their real banking Web site, and additional HTML code
is injected into the page after the page is finished loading. This allows
attackers to capture fields that are not part of standard forms but provide
useful information. Attackers also use HTML injection to create pop-ups
with virtual keyboards as well as fields to attempt to capture entire
transaction number (TAN) sheets.
Protected Storage Retrieval
• Windows 2000, XP, and Server 2003 provide a protected storage system
that stores passwords to applications including Internet Explorer, Outlook
Express, and MSN. Users that use the "remember my password" feature of
Internet Explorer have all of their passwords stored in this area. Firefox
also comes with a similar feature to remember form data. Protected storage
retrieval is standard in many Trojans and is extremely effective against sites
that use standard username and password authentication.
• Although exact formats vary by Trojan, it is common to have the ability to
export certificates, steal CA (certificate authority) certificates, MY
certificates, ROOT certificates, software publisher certificates (SPCs),
personal information exchange (PFX) certificates, and potentially others.
• VeriSign iDefense encounters many drop sites with stolen certificates.
Although it is unclear how many attackers actually use the certificates they
steal, this functionality poses a threat to an institution's clients, as the
underlying technology relies on stored certificates to perform transactions.
Insider Threats
• Insider threats in cyber security are often associated with malicious users;
in truth, employees are inadvertently causing corporate data breaches and
leaks daily.
• Loss of credentials due to phishing, theft, or even carelessness invites
malware into the system when an employee clicks on a link in a spam email
or unknowingly brings an infected device to work. This doesn’t include
honest mistakes like sending sensitive files to the wrong address. All of
these are only a small list of ways in which your own employees can
inadvertently compromise your data and cost your company tons of money.
• Here is the fact: when you combine the incidents involving malicious and
inadvertent insiders, you will see that they are dwarfing any other computer
security threat that your company faces. Among 874 incidents, as reported
by companies to the Ponemon Institute for its recent 2016 Cost of Data
Breach Study, 568 were caused by employee or contractor negligence; 85
by outsiders using stolen credentials; and 191 by malicious employees and
criminals.
Danger of Insider Threats
• Insider threats can go undetected for years – The longer you take to
detect a breach or a leak, the more remediation costs go up. Insider threats
can be very tough to detect, which is why they are the most expensive to
remediate.
• It is hard to distinguish harmful actions from regular work – This is
why insider threats are so hard to detect. When an employee is working
with sensitive data, it is almost impossible to know whether they are doing
something malicious or not.
• It is easy for employees to cover their actions – While it’s hard to detect
malicious actions when they happen, it can be almost impossible to detect
them post-factum. Any tech-savvy employee will know how to clean up
after themselves by editing or deleting logs to conceal malicious action.
• It is hard to prove guilt – Even if you do manage to detect malicious
actions, employees can simply claim that they made a mistake and get
away with it. It is almost impossible to prove guilt in such cases.
Cause of Insider Threats
• Privileged users – These are usually the most trusted users in a company but
they also have the most opportunities to misuse your data, both intentionally
and unintentionally.
• Third parties – Remote employees, subcontractors, third-party vendors and
partners all usually have access to your system. Since you know nothing about
the security of their systems and often even about the very people accessing
your data, you should treat them as a security risk.
• Terminated employees – Similar to the case mentioned at the beginning of this
article, employees can take data with them when terminated. Even more
importantly, sometimes they can access your data even after termination, either
via malware or backdoors or by retaining their access because nobody bothered
to disable it.
• Acting on opportunity – An employee sees an opportunity to use data for
personal gain or to steal it and sell it, and then decides to act on it – such
actions are rarely preceded by long-term planning and preparation. They
usually happen relatively spontaneously.
Cause of Insider Threats (Cont.)
• Taking revenge for perceived injustice – Disgruntled employees can steal
data or, more often than not, simply leak it online or damage it in order to
get back to you for a perceived injustice.
• Making a statement – Sometimes, an employee wants to make a political
or social statement and leaks data online or damages it in order to do so.
A good example of this is Edward Snowden, who leaked his employer’s
data in order to protest government surveillance.
• Doing competitors’ bidding – Corporate espionage is a thing, and even
honest trustworthy employees can be approached and offered a deal they
would be hard pressed to refuse (which often involves blackmail and/or
bribery).
• Seeing themselves as future competition – Employees may want to
start their own competing business and decide to get ahead by using your
data. They may steal or alter your client list or even contact clients and
offer their services while still at work.
Steps to minimize insider threats
Background checks
• The most basic thing you can do is to thoroughly research your employees
as you hire them. Background checks don’t need to be complicated; a
simple Google search of their name, a look at their social network profiles,
and a call to their previous employers can get you all the info you need.
• Sure, background checks are not the end-all be-all of fighting insider
threats, but they will help you filter out the obvious con artists and risky
applicants.
Watch employee behavior
• It is always important to keep an eye on your own employees. If your
employees are unhappy, it is a good sign that they may try something. Try
to reach out to them and understand why they aren’t happy. If you fix the
problem, you may save yourself a lot of trouble and garner their respect
and gratitude.
• Apart from that, look at changes in employee behavior and their
monetary situation. If they suddenly pay off their debts, start traveling
more, or simply start to stay at work late or come in at odd hours, chances
are there is something fishy going on. You should check it out.
Steps to minimize insider threats (Cont.,)
Use the principle of least privilege
• The fewer privileged employees you have, the easier it is to protect your
data. Not only does it mean that fewer employees can conduct malicious
actions; it also means that there are fewer accounts to be hacked and fewer
people to make mistakes.
• To limit the number of privileged users, you should use the principle of
least privilege if you aren’t using it already. This is a cyber security
standard that dictates that each new account in the organization be created
with the fewest privileges possible. The level of privilege is then
escalated only if necessary.
• This also applies to third parties accessing your data. Make sure that they
have the least amount of privilege possible and that their credentials are
terminated when their work is complete. A good solution for third parties is
to grant them temporary credentials that expire on their own, which
eliminates the need to manually manage each and every account.
Steps to minimize insider threats (Cont.,)
Control user access
• Strong account protection can defend against both outsider and insider
threats alike. There are several rules when it comes to protecting your
accounts:
• Your employees should use unique, complex passwords that are not reused
across any other accounts.
• Prohibit credential sharing between employees and limit the use of shared
accounts as much as possible. While sometimes shared accounts are
necessary (such as a shared admin account), you should use additional
authentication methods to distinguish between such users.
• Use two-factor authentication. Seriously, most definitely use it. It protects
your accounts by requiring a user to employ a security token or an
additional device to complete authentication. There are tons of enterprise-
level two-factor authentication solutions out there available for free. Plus,
they are very easy to set up and get running.
• All in all, controlling access to your data not only makes sure that
external attackers can’t get in but also helps prevent employees from
using the accounts of their colleagues without authorization. It can also
provide insight if employees are authenticating at odd times.
Steps to minimize insider threats (Cont.,)
Monitor user actions
• The crown jewel of your insider threat detection and prevention arsenal is
user action monitoring software. Such tools allow you to check any
potential incident in its original context and see exactly what happened –
whether it was malicious action, inadvertent mistake, or nothing at all.
• User action monitoring software is very simple to use. It provides video
recording of all user sessions that your security specialists can review in
order to clearly see what users have done with your data. Many of these
types of solutions also provide access control and incident response
capabilities.
• Apart from being a great investigative tool, user action monitoring
solutions also provide concrete evidence, which can be used in court.
Steps to minimize insider threats (Cont.,)
Educate employees
• It’s just as important to minimize mistakes and negligence on the part of
your employees. The best way to do this is to make sure that your employees
are well aware of the dangers your company faces and how you deal with
them.
• Educate them on why certain security practices are put in place and what
the consequences of not following them are. Tell them about phishing and
the various ways to deal with it. Arm your employees and make sure that
they are an asset to your security, not a liability.
• If your employees know that their actions can affect your bottom line,
which in turn can jeopardize their income, they will be much more careful
when it comes to upholding cyber security regulations and practices.
Pump and Dump
• "Pump and dump" (P&D) is a form of microcap stock fraud that involves
artificially inflating the price of an owned stock through false and
misleading positive statements, in order to sell the cheaply purchased stock
at a higher price. Once the operators of the scheme "dump" (sell) their
overvalued shares, the price falls and investors lose their money. Stocks
that are the subject of pump and dump schemes are sometimes called "chop
stocks".
• While fraudsters in the past relied on cold calls, the Internet now offers a
cheaper and easier way of reaching large numbers of potential investors
through spam email, bad data, and fake news.