Monday, January 25, 2010

Are You Ready to Red Flag?


The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.

Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program.

If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.

The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.


Wednesday, January 20, 2010

Breaking the "Fraud Triangle" to Enhance Security

Coined by fraud expert Donald Cressey in 1950, the "Fraud Triangle" highlights the three elements that need to be in place for fraud to occur. The Fraud Triangle describes three factors that are present in every situation of fraud:

  1. Motive (or pressure) – the need for committing fraud (need for money, etc.);
  2. Rationalization – the mindset by which the fraudster justifies committing fraud; and
  3. Opportunity – the situation that enables fraud to occur (often when internal controls are weak or nonexistent).

Breaking the Fraud Triangle is the key to fraud deterrence. Breaking the Fraud Triangle implies that an organization must remove one of the elements in the fraud triangle in order to reduce the likelihood of fraudulent activities. “Of the three elements, removal of Opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to deterrence of fraud” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).

In order for fraud to occur, all three elements have to be present. Individuals or institutions can take steps to influence all three legs:


Pressure is what causes a person to commit fraud. Pressure can include almost anything including medical bills, expensive tastes, addiction problems, etc. Most of the time, pressure comes from a significant financial need/problem. Often this need/problem is non-sharable in the eyes of the fraudster. That is, the person believes, for whatever reason, that their problem must be solved in secret. However, some frauds are committed simply out of greed alone.


Opportunity is the ability to commit fraud. Because fraudsters don’t wish to be caught, they must also believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management oversight, and/or through use of one’s position and authority. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur. Of the three elements, opportunity is the leg that organizations have the most control over. It is essential that organizations build processes, procedures and controls that don’t needlessly put employees in a position to commit fraud and that effectively detect fraudulent activity if it occurs.


Rationalization is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior (stealing) with the commonly accepted notions of decency and trust. Some common rationalizations for committing fraud are:

  • The person believes committing fraud is justified to save a family member or loved one.
  • The person believes they will lose everything – family, home, car, etc. if they don’t take the money.
  • The person believes that no help is available from outside.
  • The person labels the theft as “borrowing”, and fully intends to pay the stolen money back at some point.
  • The person, because of job dissatisfaction (salaries, job environment, treatment by managers, etc.), believes that something is owed to him/her.
  • The person is unable to understand or does not care about the consequence of their actions or of accepted notions of decency and trust.

Managers and employees responsible for stewardship of resources should be aware of red flags of fraud. These are only warning signs that may indicate the fraud risk is higher; they are not evidence that fraud is actually occurring. Also, the existence of one or two flags is not something to be overly concerned about. Many employees demonstrate one or more of the flags on the list.

Common Personality Traits Of Fraudsters
  • Wheeler and Dealer
  • Domineering/Controlling
  • Don’t like people reviewing their work
  • Strong Desire for Personal Gain
  • Have a “Beat the System Attitude”
  • Live Beyond Their Means
  • Close relationship with customers or vendors
  • Unable to Relax
  • Often have a “too good to be true” work performance
  • Don’t take vacation or sick time or only take leave in small amounts
  • Often work excessive overtime
  • Outwardly, appear to be very trustworthy
  • Often display some sort of drastic change in personality or behavior

Common Sources of Pressure
  • Medical Problems – Especially for a loved one
  • Unreasonable performance goals
  • Spouse loses a job
  • Divorce
  • Starting a New Business or Current Business is Struggling
  • Criminal Conviction
  • Civil Lawsuit
  • Purchase of a new home, a second home, or a home remodel
  • Need to Maintain a Certain Lifestyle
  • Excessive Gambling
  • Drug or Alcohol Addiction

Changes in Behavior

  • Suddenly appears to be buying more material items – houses, cars, boats, clothes, jewelry, electronics, etc.
  • Brags about new purchases
  • Starts to carry unusual amounts of cash
  • Creditors/Bill Collectors show up at work or call frequently
  • Borrows money from coworkers
  • Becomes more irritable or moody
  • Becomes unreasonably upset when questioned
  • Becomes territorial over their area of responsibility
  • Won’t take vacation or sick time or only takes it in small increments
  • Works unneeded overtime
  • Turns down promotions
  • Starts coming in early or staying late
  • Redoes or rewrites work to “make it neat”
  • May start to mention family or financial problems
  • Exhibits signs of a drug or gambling addiction
  • Exhibits signs of dissatisfaction

While corporations have traditionally relied on operational controls to detect fraud, most fraudulent behavior is caught through whistleblowers who call out suspicious behavior.

Several studies are now being conducted using regression analysis to see if fraudulent activity can be detected through the use of email keywords before the crime becomes significant.


Thursday, January 14, 2010

Facebook and McAfee Team Up

Facebook has announced today that they have signed a deal with McAfee that will give all 350 million members a free six-month license for Internet security software.

"Now, if your computer is infected, you will be asked to run a scan ... and clean it before accessing Facebook," added Facebook project manager Jake Brill. "We're not aware of another free Internet service that takes this much responsibility for helping people keep their accounts secure."

After the six months, you will have to pay to continue using the license, but McAfee says the fee will be cheaper than the annual subscription price for the software in stores.

The software will run on Windows PCs only, with no expected Mac OS X or Linux deal coming anytime soon.
