FRAUD & CYBER AWARENESS - FinPro

FRAUD & CYBER AWARENESS
Gavin Dyche – Manager Risk, Public Sector Victoria & Tasmania
May 2017

MY EXPERIENCE

AKA -

- Strategic & Operational Risk
- Fraud Prevention & Management
- Business Continuity
- Information Security
- Audit
- Physical Security
- Continuous Improvement & LEAN
- Customer Service

FRAUD IN THE NEWS

Change of Bank Details Scam

FRAUD IN THE NEWS

MANDATORY REPORTING

IS IT ON YOUR LIST?

5% = average of $3m per Victorian Council (based on 64 Victorian Councils at 2015/2016)

5% RULE

CURRENT SCAMS

Some impersonators are easy to spot...

Others are not!

PHISHING

CONTACTLESS TECHNOLOGY

RANSOMWARE

DARKWEB

VALUE OF FRAUD

$114bn USD

$85bn USD

HAVE YOU BEEN HACKED?

SCAM STATISTICS - VICTORIA

Scam Category                                 Reported Loss   Reports   Reports with Loss   <$10k Lost   >$10k Lost   Conversion %
--------------------------------------------  -------------   -------   -----------------   ----------   ----------   ------------
Investment schemes                              $5,290,665        384                  88           38           50          22.9%
Dating & romance                                $4,543,037        659                 187          128           59          28.4%
Other upfront payment & advanced fee frauds     $3,734,310       3800                 197          179           18           5.2%
Other buying/selling scams                        $852,492       2058                 375          355           20          18.2%
Inheritance scams                                 $683,174        535                  19           14            5           3.6%
Scratchie scams                                   $251,838        228                  10            4            6           4.4%
Computer prediction & sports investment           $235,937         54                  18           10            8          33.3%
Fake trader websites                              $231,550        981                 435          432            3          44.3%
Classified scams                                  $184,820        617                  82           79            3          13.3%
Job & employment                                  $144,796        566                  50           48            2           8.8%
Nigerian scams                                    $107,686        243                  26           24            2          10.7%
Prize & Lottery scams                             $103,696       1368                  57           55            2           4.2%
Psychic & clairvoyant                              $65,070         37                   4            2            2          10.8%
Hitman scams                                       $16,199        264                   6            6            0           2.3%
Health & medical products                           $9,193        124                  27           27            0          21.8%
Mobile premium services                             $8,687        476                 190          190            0          39.9%
Fake charity scams                                  $5,001        248                  18           18            0           7.3%
--------------------------------------------  -------------   -------   -----------------   ----------   ----------   ------------
Grand Total                                    $18,838,055     31,667               2,357        2,127          230           7.4%

Conversion % = Reports with Loss as a share of Reports.

Visit www.scamwatch.gov.au for more info

USEFUL RESOURCE

Typical profile of a fraudster 2016 (incl. % changes from 2014)

- Male
- 41-50 years
- Qualified Graduate
- Junior or Middle Management
- 3-5 years service
- No previous criminal record

% changes from 2014 shown on the slide chart (unlabelled): 1%, 12%, 11%, 15%, 7%, 5%

PROFILE OF FRAUDSTERS

Source: Fighting Fraud in the Public Sector IV, PwC

- Lack of governance/strategy for fraud prevention (Fraud Control Plan)
- Lack of training and awareness
- Lack of clear protocol or choice for fraud reporting
- No ‘Control Effectiveness’ checking regime
- Minimal reports of potential fraud & corrupt behaviour
- Railroading operational staff to act outside protocol
- Culture accepting of fraud & corruption (i.e. the cost of what we do)
- Increased line item budgets with no clear rationale

ORGANISATIONAL RED FLAGS

DO WE QUESTION THINGS?

FRAUD PREVENTION FRAMEWORK

FRAUD CONTROL PLAN

THE FOUNDATION

WHAT IS HAPPENING / WHERE ARE THE GAPS?

WHAT IS POSSIBLE?

- We all too readily focus on our perception of what we think may go wrong, as opposed to establishing what exactly could go wrong.
- Invariably, what you think or believe is happening may not align with reality.

Case example:

- Fleet coordinator disposed of 274 vehicles over 11 years, 152 of which Council received no proceeds for.
- Misappropriation occurred over 11 years.
- Estimated loss in excess of $1.6m.
- Individual passed away shortly into the investigation.

BALANCING TRUST AND CONTROL

13 control checks failed to recognise the scam.

BALANCING TRUST AND CONTROL

ESSENTIAL 1ST LINE OF DEFENCE

The purpose of a control is to:

- Stop a risk from occurring
- Reduce the likelihood and/or consequence

Do you have controls that appear to do neither?

Controls cost the organisation time, resources and money, so they have to be effective.

INTERNAL CONTROLS - REMINDER

Weak Controls
- Policies
- Procedures
- Manual delegations
- Signature checks
- Tone from the top
- Training

Strong Controls
- System-based segregation
- System-based delegations
- Data Analytics

HOW ROBUST ARE YOUR CONTROLS?

Due Diligence / Management Overview

- What are the relevant ‘red flags’ to look out for?
- Are you relying on others in the approval process?
- Have you considered ‘usualness’ factors?
- How long did it take you to perform ‘management overview’?
- When did you last ask questions of items you are ‘authorising’?

If you don’t ask the questions, somebody else will after the incident!

CONTROL EFFECTIVENESS

Check 1 → Check 2 → Check 3 → TRANSACTION (diagram)

WHEN CONTROLS FAIL

THE NO BRAINER

- There is no substitute for regular face-to-face training for all employees.
- This is consistently a key finding in Fraud and Corruption investigations, audit reports and reviews.
- An online training component can be a good interim measure in between biennial face-to-face training.

FRAUD & CYBER AWARENESS TRAINING

1st Line of Defence
- Operational employees
- Controls
- Policy & Procedure
- Fraud Reporting/Protected Disclosure

2nd Line of Defence
- Risk Management
- Governance
- Compliance

3rd Line of Defence
- Audit Committee
- Internal Auditors
- External Auditors

LINES OF DEFENCE

EXAMPLES OF EXTERNAL FRAUD RISK REGISTERS

- Failure to effectively identify and manage internal fraud risks
- Disclosure of confidential information during tender process
- Lack of segregation of financial duties
- Inadequate management of IT user profiles and privileges
- Inappropriate use of delegations
- Unauthorised purchase and disposal of assets
- Lack of monitoring of items under asset register threshold

Fraud & Corruption Risks - Examples

KICKING THE TYRES

Fraud Losses: $0

Bad debt write-offs: $11m

WHEN I KICKED THE TYRES…

Some of the bad debt was in the names of...

- Ms Anita Bath
- Mr Rippen Youoff
- Mr Hugh Jass
- Mr R Swyper
- Mrs R Slicker
- Lord Van Hugendong

WHEN I KICKED THE TYRES…

PEE N LEARN

CYBER CRIME

WHAT IS YOUR RISK?

- Easy target
- Not a ‘loved brand’
- Perceived deep pockets
- Lack of consequence if discovered
- Lacking controls compared to the private sector
- Can go undetected (poor identification methodology)
- Not a financial institution
- Data may not be lucrative or highly sensitive

WHY HACK / ATTACK A COUNCIL?

- Dropped USBs and optical discs in the staff carpark
- Phishing emails & malware on USB
- Follow-up through fake IT support calls

GOVERNMENT HACKING

OUTCOME

- 60% plugged in the USB drive
- 90% where branded with an official logo
- 22% clicked on the URL in the phishing email
- 40% provided passwords over the phone

- Strong IT controls (firewall, malware protection)
- Cyber Risk Assessment – what data is critical? Where is it located?
- Employee vigilance and awareness (i.e. not clicking links, not sharing passwords, reporting, etc.)
- Incident Response Plan (ICT Plan)
- Restrictions/guidelines on portable devices and unsecured/unknown WiFi networks

CYBER CRIME - PROTECTIONS

- Ensure all staff have the knowledge, training and awareness to protect themselves and the organisation.
- Fraud Risk Assessments can check for gaps and what is actually happening.
- Remember the importance of due diligence/management overview and ‘kicking the tyres’.
- Talk about fraud & cyber risks – encourage openness.
- Effective Fraud & Cyber Prevention is about foresight. There are no prizes for hindsight.

IN SUMMARY

If you are yet to experience Fraud, Corruption or Cyber incidents within your unit or organisation, is it because:

A. Your controls are fully effective in fraud prevention

B. You have an impeccably honest workforce

C. It’s happening but you just don’t know it yet…

Where are you placing your wager?

AND FINALLY

WE ARE HERE TO HELP

THANK YOU FOR YOUR TIME

Gavin Dyche – Manager Risk, Public Sector Victoria & Tasmania
[email protected]