Professional Documents
Culture Documents
The Top 5 Cybercrimes: October 2013
The Top 5 Cybercrimes: October 2013
CYBERCRIMES
October 2013
AUTHOR:
Tommie Singleton, CPA/CITP/CFF, Ph.D.
Director of Consulting Services
Carr Riggs & Ingram
Enterprise, AL
CONTRIBUTOR:
Randal Wolverton, CPA/CFF, CFE
Randal A. Wolverton CPA LLC
Kansas City, MO
EDITOR:
Mark Murray
New York, NY
REVIEWERS:
Barbara Andrews
Project Manager
Forensic and Valuation Services
AICPA
Durham, NC
Jeannette Koger
Vice President
Member Specialization and Credentialing
AICPA
Durham, NC
DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American Institute of CPAs, its divisions and
its committees. This publication is designed to provide accurate and authoritative information on the subject covered. It is distributed with the
understanding that the authors are not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance
is required, the services of a competent professional should be sought.
For more information about the procedure for requesting permission to make copies of any part of this work, please email copyright@aicpa.org with your
request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.
TABLE OF CONTENTS
Executive Summary.. ................................................................. . . . . . . . 2
Introduction............................................................................ . . . . . . . 3
Conclusion.............................................................................. . . . . . . . 13
Resources.. .......................................................................... . . . . . . . 14
EXECUTIVE SUMMARY
There is no doubt today that virtual environments have introduced new levels of
efficiency, connectivity and productivity to businesses of all types the world over.
However, along with these undisputed benefits has come an equally real and serious
threat that each year results in hundreds of millions of dollars in measurable and
unmeasurable losses to businesses — aggressive invasions by criminals into a
business’s virtual environment.
Among the victims of these cybercrimes are CPAs in public practice and their clients
as well as CPAs and the entities they serve in business and industry. The prevalence of
cybercrime, and the escalating fervor and inventiveness of perpetrators, have led to a
harsh reality: it is not a matter of if CPAs, their clients or their organizations will become
a victim, but when.
In the midst of such a demonstrated, multi-faceted threat, CPAs have a pressing need for
resources and straightforward strategies that can help them avoid the risk of cybercrime,
detect and recover from these crimes when they occur, and safeguard the interests of
their firm, clients and organization.
The Top 5 Cybercrimes is among the resources that the AICPA offers to assist CPAs in
addressing cybercrime. It identifies not only the top five cybercrimes that are of greatest
concern to CPAs but also the nature of each crime, the manner in which it is committed
and remedial steps that can be taken.
The paper concludes with a list of resources offered by the AICPA, cybersecurity/cybercrime
organizations, federal government agencies and federal/public partnerships.
3. C
rime itself that is the end result of those plans and activities
(a cybercrime is the ultimate objective of the criminal’s activities)
1
For instance, Consumer Reports, June 2011 issue online, states this fact and produces the actual prices paid on the black market to gangs in
Eastern Europe, in particular, that enable theft of credit cards and other cybercrimes. Last viewed Oct. 10, 2012 at consumerreports.org.
2
Florida Cyber-Security Manual, Secure Florida, November 2004, p. 150. Available from secureflorida.org.
Credit-card fraud was up 32 percent from 2009 to 2010. The average dollar
amount of fraudulent transactions also increased by 34 percent.4 Federal
Reserve statistics place credit-card fraud costs to U.S. businesses at
$52.6 billion annually.5
3
Cybersource, 2012 Online Fraud Report (13th annual report), 2012, cybersource.com. Last viewed Oct. 8, 2012.
4
“Online Credit Card Fraud Jumps 32 Percent as U.S. Economic Woes Continue,” Oct. 12, 2012, Kikabink News, kikabink.com. Last viewed Oct. 12, 2012.
5
Fox News, “Mastercard Warns of Possible Security Breach, Visa Also Reportedly Affected,” March 30, 2012, online at foxnews.com. Last viewed Oct. 12, 2012.
6
C
onsumer Reports, June 2011. Last viewed Oct. 10, 2012 at consumerreports.org.
7
Ponemon Institute, 2012 Cost of Cyber Crime Study, Oct. 8, 2012. Available from ponemon.org.
1 Tax-refund
Fraud
Center (IC3),9 IBM,10 SANS,11 Computer Emergency Response Team
(CERT),12 Computer Security Institute (CSI),13 Ponemon Institute,14
Microsoft, Verizon and Secure Florida.15
2 Corporate
Account
Once the cybercrimes were identified, they were ranked in the following
order by relevance to CPAs in public practice and business and industry.
Takeover
3 Identity
Theft
4 Theft of
Sensitive
Data
5 Theft of
Intellectual
Property
C
8
ybersource Corporation is a worldwide eCommerce payment-management company. It publishes annual, statistics-based online fraud reports. At
cybersource.com.
IC3 is the Internet Crime Complaint Center, sponsored by the National White Collar Crime Center, the Bureau of Justice Assistance and the FBI. It accepts
9
complaints from the public regarding Internet-related crimes and scams. At ic3.gov.
10
IBM publishes a security report titled Trend and Risk Report. The March 2012 report was used as a source for this paper.
11
ANS has a global scope, with a focus on information security (InfoSec). It has a certification, Global Information Assurance Certification (GIAC), related to
S
InfoSec. SANS’s services and resources are generally free to the public.
12
omputer Emergency Response Team (CERT) is a partnership between Homeland Security and public and private sectors with the objective of
C
coordinating responses to security threats. At cert.org.
13
omputer Security Institute (CSI), for information security professionals, provides an annual survey of cybercrime, CSI Computer Crime & Security Survey,
C
since about 1999. At gocsi.com.
14
Ponemon Institute conducts independent research on privacy, data protection and information security policy. It has one of the best cybercrime studies,
its annual Cost of Cyber Crime Study. The second study was published in August 2011. At ponemon.org.
15
he state of Florida has a department, Secure Florida, that focuses on cybersecurity. It published Florida Cyber-Security Manual in 2007. The Florida
T
Department of Law Enforcement, Florida Cybersecurity Institute and Secure Florida contributed to the manual. At secureflorida.org.
A second Journal of Accountancy article quotes a U.S. The criminal then simply waits for either a check to be
Treasury Inspector General of Tax Administration (TIGTA) mailed, a direct deposit to be made to a “safe” bank
report that suggests the IRS failed to notice 1.5 million account or, most commonly, a credit to be posted to
tax returns associated with (potentially identity theft-related) a debit card. The debit card is bought specifically for
fraudulent tax refunds in excess of $5.2 billion for the accepting the fraudulent refunds. Often, multiple refunds
2011 tax season. The IRS simultaneously reported that are sent to the same address, bank account or debit card
it detected nearly 1 million tax returns with fraudulent because the cybercriminal will complete dozens, if not
refunds of $6.5 billion in the same tax season.18 The city hundreds, of fraudulent tax returns.
of Tampa, FL, alone estimates that in the past two years,
cybercriminals have cashed in $450 million in fraudulent THE OPPORTUNITY FOR CYBERCRIMINALS
tax refunds.19 All taxpayers are at some risk of becoming victims of
tax-refund fraud. It is not difficult for cybercriminals to
THE CRIME’S COURSE use one or more of their tools and techniques to search
Cybercriminals first obtain a valid name and Social for and fraudulently obtain personally identifiable
Security number, preferably from someone who will not information from the Internet or other sources.
be filing a tax return. That person could be a deceased Surprisingly, the cybercriminals usually do not use a
taxpayer. They will obtain this information using social deceased person’s personally identifiable information but
engineering or email phishing, purchasing the data on rather that of a living person. Reports indicate that when
the black market, or using other avenues. Sellers on the a legitimate taxpayer’s personally identifiable information
black market typically have some degree of access to the is used, it can take about 12 months for the IRS to resolve
necessary personally identifiable information — person’s the issue and release the refund to the taxpayer.
name, Social Security number, address and date of birth —
If a cybercriminal can obtain the relevant personally
from their workplace. They usually are insiders at high-traffic
identifiable information, carrying out tax-refund fraud is
businesses such as hospitals, doctors’ offices or car
fairly straightforward and somewhat detection-proof. In
dealerships that capture such information.
addition, tax-refund fraud is exacerbated by the number
The cybercriminal next makes up wage and withholding of entities that have personally identifiable information
information, claims standard deductions or a few and the extent of exposure it presents. CPAs engaged in
itemized deductions, and perhaps tax credits, and tax work should assess their privacy and security policies,
completes a return that generates a large refund. He or and establish internal controls to keep client data secure.
16
Also see Identity Theft section.
17
chreiber, Sally P., “Dozens Indicted on Stolen Identity Tax Refund Fraud Charges,” Journal of Accountancy (online), Oct. 11, 2012. Last viewed Oct. 11, 2012,
S
at journalofaccountancy.com.
18
Schreiber, Sally P., “TIGTA Recommends Identity Theft Safeguards,” Journal of Accountancy (online), October 2012. Last viewed Oct. 11, 2012, at
journalofaccountancy.com.
19
CNN, “IRS Policies Help Fuel Tax Refund Fraud, Officials Say,” March 20, 2012, CNN online. Last viewed Oct. 10, 2012, at cnn.com.
20
There is a full article in the Journal of Accountancy addressing this cybercrime. Singleton & Ursillo Jr., “Guard Against Cybertheft,” Journal of Accountancy, Vol. 210,
No. 4 (October 2010), pp. 42-44, 46, 48-49.
21
Savage, Marcia, “FDIC: ACH Fraud Losses Climb Despite Drop in Overall Cyberfraud Losses,” Financial Security, March 8, 2010, online at searchfinancialsecurity.
At techtarget.com.
22
To ensure security of customer accounts, financial institutions create login “fingerprints” of the computer system when customers open their accounts and for all future
logins. The fingerprint verifies that the person logging into the account is the legitimate account holder, a process known as authentication. When the fingerprint does
not match, the process triggers an additional layer to the login, such as a security question or temporary PIN.
23
Yurcan, Brian, “Fraud on the Decline, But Still a Concern,” Bank Systems & Technology, Aug. 26, 2011, online at niceactimize.com.
24
Javelin Strategy & Research, 2011 survey. Reported by Digital Trends, Feb. 22, 2012, online at digitaltrends.com.
25
Florida Cyber-Security Manual, Secure Florida, 2007, available online at secureflorida.org.
26
Bonner, Paul, “S.C. Taxpayers Social Security Numbers, Credit Cards Hacked,” Journal of Accountancy, Nov. 1, 2012.
27
“Hackers from China Resume Attacks on U.S. Targets,” The New York Times, May 19, 2013. Last accessed online July 18, 2013, at nytimes.com.
28
Intellectual Property Theft. Last accessed July 18, 2013, at fbi.gov.
87%
cybercrime that has occurred.
BUSINESS INSURANCE
In an age of financially motivated cybercrimes, every entity should have
sufficient business insurance coverage to recover any financial losses.
Executive management team members, especially the CFO, must
evaluate the entity’s insurance coverage to ensure that it could recover
estimated losses from any cybercrime.
29
“Least-access privileges” is a security concept that grants a person the least amount of access to systems, technologies and data needed to perform his/her
duties or that first grants a person no access but then adds privileges to provide access only to needed information.
30
Verizon’s 2009 Data Breach Investigations Report. At securityblog.verizonbusiness.com.