Much attention is given to safeguarding financial and physical assets from fraud, but proprietary information can also be a target for theft. How much do you know about protecting personal and corporate information from would-be fraudsters? Take this Fraud IQ quiz to find out.
1. Ferdinand’s personal financial information recently was compromised. As a result, he is considering freezing his credit report to protect his credit from potential misuse. A freeze on Ferdinand’s consumer credit report would result in which of the following?
a. Ferdinand would have difficulty obtaining instant credit.
b. Prospective credit card issuers and lenders would be blocked from issuing new credit in Ferdinand’s name without his specific approval.
c. Access to Ferdinand’s credit report and score would be blocked.
d. All of the above
2. Which of the following is the LEAST likely to result in a data breach?
a. Compromised passwords
b. Thefts of encrypted laptops
c. Unsecured wireless networks
d. Outdated network security systems
3. Anastasia, the bookkeeper at a local law firm, received a voice mail, purportedly from the law firm’s bank, requesting that she call back to address an important matter. Anastasia returned the call but hung up immediately upon receiving an automated prompt to provide the law firm’s account number and PIN. Anastasia might have suspected which of the following types of schemes?
4. The Fair and Accurate Credit Transactions Act (FACTA) of 2003 attempts to reduce opportunities for identity theft through:
a. Requiring free credit reports for consumers annually from each of the three major credit reporting agencies
b. Requiring that third-party preparers of consumer reports, such as credit reports and employee background checks, dispose of such documents by burning, pulverizing or shredding them
c. Providing victims of identity theft or other fraud or crimes with the right to have fraud alerts placed on their accounts by the three major credit reporting agencies
d. All of the above
5. As a frequent business traveler, Horace spends much time in airports working on his laptop, which contains large amounts of confidential client data. The airports he frequents are public wireless hotspots. Although Horace appreciates the convenience of these hotspots, he has concerns about their security. Which of the following is NOT a step Horace should take to minimize his exposure to the dangers of public wireless networks?
a. Avoid connecting to an unknown public wireless network
b. Disable his laptop’s wireless network capabilities when he is not using them
c. Allow his computer to automatically select the wireless network to which to connect
d. Ensure that his anti-spyware software is up to date
6. Which of the following statements about pharming is false?
a. Pharming is used by hackers to redirect a legitimate website’s traffic to a phony site they control.
b. Pharming relies on social engineering to trick the victim into clicking on a link to a spoofed site.
c. Pharming directly attacks and alters domain name servers.
d. Pharming can be difficult to detect because the victim’s browser will show he or she is at the correct site.
7. A fraudster recently stole Griselda’s personal identifying information and used this information to seek medical treatment under Griselda’s health insurance policy. Which of the following is NOT a risk faced by Griselda as a result of the fraud?
a. Damage to her credit rating
b. Threats to her health
c. Difficulty accessing her medical records through the U.S. Central Source for Medical Records
d. Increases in her health insurance premium
8. Humphrey is interested in obtaining a new Social Security number because his original one was stolen and used to perpetrate identity fraud. Which of the following statements regarding obtaining a new Social Security number is false?
a. If Humphrey obtains a new Social Security number, he would still be able to use his old number.
b. To obtain a new Social Security number, Humphrey would need to prove that he is currently being disadvantaged by the misuse of his number.
c. Humphrey might have a difficult time obtaining credit under his new Social Security number.
d. Humphrey likely would not be able to obtain a new Social Security number unless the use of his stolen number was so extensive that there is little chance of repairing his credit history.
9. Which of the following is NOT a common network security feature?
a. A maximum number of logon attempts
b. Restriction of users to specific terminals
c. Logical security
d. Automatic logoff of inactive terminals
10. Which of the following devices is the most effective for controlling physical access to restricted areas?
a. Biometric locks
b. Key locks
c. Cipher locks
d. Access cards
1. (d) Consumer credit report freezes are an effective means of protecting credit from potential misuse. By placing a freeze on his credit report, Ferdinand would block access to his credit report and credit score, effectively impeding the issuance of instant credit. In addition, prospective credit card issuers and lenders would be blocked from issuing new credit in his name without his specific approval. Requirements for placing, temporarily lifting or removing a freeze vary by state. Ferdinand can learn about his state’s requirements by contacting each of the major consumer credit reporting agencies—Equifax, Experian and TransUnion—to which he must submit a freeze request. The freeze will remain on Ferdinand’s credit report until (1) he requests that it be removed or (2) he requests a temporary lifting of the freeze for a specific party or period of time.
2. (b) The mobility of laptops makes them especially vulnerable to data breaches. One measure organizations can take to reduce their exposure is to encrypt laptops. Encryption encodes data so that it can be accessed only with special passwords and keys. For encryption to be effective, employees must be educated about its use and held accountable if they fail to use it.
3. (a) In a vishing scheme, the victim receives a voice message, purportedly from a bank, credit card issuer or other organization, stating that there is an important matter to be addressed and requesting a callback. The message often sounds legitimate, but the phone number left is that of the fraudster. When the call is returned, the caller is asked to enter sensitive information, such as an account number, PIN or Social Security number, which is then collected by the fraudster.
4. (d) FACTA amended the Fair Credit Reporting Act, providing improvements intended to prevent identity theft. Provisions of FACTA include:
- Each of the three major credit reporting agencies is required to provide free credit reports to consumers annually.
- Consumers who have been the victim of identity theft or other fraud or crimes have the right to have fraud alerts placed on their accounts by the three major credit reporting agencies.
- Third parties who prepare consumer reports, such as credit reports and employee background checks, must dispose of them by burning, pulverizing or shredding them.
- Electronic receipts may include no more than the last five digits of a credit card or debit card number, and they may not contain card expiration dates.
5. (c) Because public wireless networks are not always effectively secured, the dangers of accessing them include unauthorized data access, hacking and identity theft. Automatic connections to wireless networks increase these risks, as the user might think that he has connected to a public wireless network when he actually has picked up a wireless signal that was set up by a hacker. To protect himself from these threats, Horace should avoid automatically connecting to wireless networks by configuring his laptop settings so that he must manually select the wireless network to which he is connecting. Other measures that Horace can take to minimize his exposure to the dangers of public wireless networks include:
- Avoid connecting to an unknown public wireless network.
- Disable his laptop’s wireless network capabilities when he is not using them.
- Ensure that his operating system, firewall, Web browser, and antivirus and anti-spyware software are up to date.
- Avoid conducting sensitive transactions over a public wireless network.
6. (b) Pharming schemes do not rely on social engineering to trick the victim into clicking on a link to a spoofed site; rather, hackers directly attack and alter domain name servers to redirect a legitimate website’s traffic to a spoofed site controlled by the hackers and designed to entice victims into entering vital information. Pharming can be difficult to detect because the spoofed site often appears identical or very similar to the true site and because the address bar (also known as the location bar or URL bar) of the victim’s browser shows the true site’s URL, even when he or she is on the spoofed site. Social engineering was used in the recently exposed spear-phishing scheme, dubbed “Operation Shady RAT.” In that scheme, hackers sent emails tainted with malicious software to specific people at targeted organizations. When a victim clicked on an infected link, the hackers were able to access his or her computer and use it to infiltrate the network.
7. (c) Griselda is the victim of medical identity theft, which occurs when a fraudster uses a victim’s personal information to obtain medical care and file fraudulent insurance claims. Her medical records would be essential to figuring out the facts in her case. Unfortunately, obtaining these records might be very time-consuming, as there is no central source for medical records. Griselda would need to contact her health care insurer and each of her providers, hospitals, pharmacies and laboratories to obtain her records. In addition to this inconvenience, Griselda faces potential financial burdens as a result of the fraudulent insurance claims, including increased health insurance premiums and damage to her credit rating from unpaid bills. Even more serious are the threats to Griselda’s health that could occur when her medical history becomes intertwined with that of the identity thief.
8. (a) If the fraudulent use of Humphrey’s stolen Social Security number was so extensive that there is little chance of repairing his credit history, he might be able to obtain a new number. In order to get a new Social Security number, Humphrey must provide evidence that he is being disadvantaged by the misuse of his number. If Humphrey obtained a new Social Security number, he would not be able to use his old one anymore, and he might have difficulty getting credit due to the absence of any credit history under the new number.
9. (c) Common network security features include a maximum number of logon attempts, restriction of users to specific terminals and automatic logoff of inactive terminals. Logical security is not a feature of network security but rather the overall method for protecting information stored on a computer system. Implementing network security features is necessary for achieving logical security.
10. (a) Areas of organizations that house significant proprietary information, such as server rooms or research and development labs, should be secured using effective physical safeguards. Because biometric locks provide access based on physiological or behavioral characteristics such as fingerprints, hand geometry, face, iris, voice and signature, they are difficult to compromise. In contrast, the nature of key locks, cipher locks (that is, push-down combination locks) and access cards makes them quite vulnerable to breach through loss, theft, duplication and/or sharing, and therefore, they are not nearly as secure as biometric locks.
If you answered seven questions correctly, congratulations. Your arsenal of antifraud knowledge is well armed and ready to aid in the fight against fraudulent conduct. Keep up the good work.
If you answered five or six questions correctly, you’re on the right track. Use the resources on the previous page to continue to build on your knowledge of fraud detection and investigation.
If you answered fewer than five questions correctly, you might want to brush up on your antifraud knowledge. Enhancing your understanding of fraud prevention, detection and investigation concepts will help ensure that you have what it takes to keep fraud from slipping by on your watch.
Dawn Taylor (email@example.com) is a research specialist, and Andi McNeal (firstname.lastname@example.org) is director of research, both for the Association of Certified Fraud Examiners. To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at email@example.com or 919-402-4056.
Use journalofaccountancy.com to find past articles. In the search box, click “Open Advanced Search” and then search by title.
More from the JofA:
Find us on Facebook | Follow us on Twitter | View JofA videos