What’s your fraud IQ?

By Zach Capers and Andi McNeal, CPA

What's your fraud IQ?
Illustrations by weerapatkiatdumrong/iStock

For many companies, the information developed, stored, and collected as a part of doing business represents a growing share of their organizational value. But this information—including trade secrets, authorization credentials, employee personal information, and customer payment data—also represents an attractive target for potential data thieves. With the average data breach costing $3.5 million, most organizations cannot afford to take a reactive approach to managing this risk. How well-versed are you in the methods used to steal and the measures used to protect an organization’s intellectual property? Do you have what it takes to help companies prevent, detect, and effectively respond to data breaches? Take this quiz to find out.

1. Which of the following is the most common motive for malicious data breaches?

a.       Espionage.

b.      Entertainment.

c.       Financial.

d.      Ideology.

2. Gray Co. is in the process of enacting an official bring-your-own-device (BYOD) policy. To help protect the company from data leaks resulting from company data being stored on employee-owned devices, management wants to ensure the policy is based on BYOD best practices. Which of the following requirements should NOT be included in Gray Co.’s BYOD policy?

a.       All BYOD devices should be set to lock automatically after timeout and should require a passcode to unlock.

b.      Manufacturer operating system restrictions should be removed to ease company software installation.

c.       Mobile device management software should be used to allow remote data wiping.

d.      The use of BYOD devices to access company data on unsecured Wi-Fi networks should be prohibited.

3. Which of the following is the most likely red flag of a potential data breach by a malicious insider?

a.       A finance employee who telecommutes from another time zone routinely logs in to the company network via the VPN each evening for several hours.

b.      A business development manager secures market research data in a network drive that disallows access by employees of other departments.

c.       A company sales representative makes several errors in entering customer payment information while taking telephone sales orders.

d.      A customer service employee repeatedly attempts to access a restricted company accounting database using various log-in credentials.

4. Management at Palm Co. received a credible tip from an employee that two midlevel supervisors are conspiring to sell customer payment information to an outside party. Which of the following is NOT among the steps that Palm Co.’s management should take upon learning this information?

a.       Notify potentially affected customers immediately.

b.      Contact legal counsel for guidance on the situation.

c.       Interview the employee who reported the breach.

d.      Secure any physical areas affected by the breach.

5. You are investigating a situation involving an employee suspected of leaking company trade secrets to a competitor in exchange for kickbacks. While attempting to retrieve archived emails from the employee’s company email account, you are informed by the IT director that all archived emails are stored with a public cloud service provider. Which of the following might complicate your attempt to obtain the emails from the cloud provider?

a.       A lack of direct physical access to cloud servers might result in a reliance on the employees of a third party to relay important data.

b.      The data stored with the cloud service provider might be located in various and numerous jurisdictions.

c.       Your lack of technical knowledge about the cloud service provider’s infrastructure could inhibit your ability to conduct a thorough examination.

d.      All of the above.

6. The web browser Tor (formerly known as The Onion Router) is used for all of the following EXCEPT:

a.       Anonymizing user web-browsing activity.

b.      Accessing portions of the internet known as the “deep web.”

c.       Eliminating web-browsing risks such as malware.

d.      Concealing the location of web users.

7. Samuel is a few hours into his shift at the call center where he performs customer support for Teal Investment Inc.’s website. After resolving a payment issue for a customer, his next call is from someone claiming to be with technical support at another Teal Investment call center. The caller tells Samuel that all of the company’s technical support systems are down and asks if Samuel could help him with a customer’s account. Samuel agrees and provides the account details sought by the caller. After the call is concluded, Samuel feels faintly uncomfortable and contacts Teal Investment’s main technical support team, only to find that the team has not had any problems with its systems and that Samuel was likely manipulated into providing sensitive information to a potential criminal. The social engineering tactic employed by the caller is known as which of the following?

a.       Whaling.

b.      Pretexting.

c.       Phishing.

d.      Penetration testing.

8. Which of the following applications has proved to be the most vulnerable target for exploitation by malicious attacks?

a.       Oracle Java.

b.      Adobe Reader.

c.       Google Chrome.

d.      Microsoft Internet Explorer.


1. (c) According to the Verizon 2014 Data Breach Investigations Report, financial motives underlie the bulk of intentional data breaches; more than half of the reported data breaches in Verizon’s most recent study were driven by monetary interests. The study also shows that, relatedly, bank and payment card data are the types of information most widely sought by data thieves. The second most commonly reported motive for data breaches was espionage, which was the reason cited for about a quarter of the cases in Verizon’s most recent study. These breaches typically involve the theft of trade secrets or other proprietary internal data for political, economic, or competitive advantage.

2. (b) As the proportion of employees who rely on their own devices to accomplish work-related tasks has increased, so have the risks of potential data breaches due to these devices’ being used to access organizational data. Additionally, because the organization does not own the devices, management has limited control over when, where, and how employees use them. Consequently, a formal BYOD policy is necessary to mitigate the increased risks while still allowing organizations to achieve the benefits of the BYOD trend. The following best practices should be incorporated into BYOD policies to help protect company data:

  • Prohibiting the removal of a manufacturer’s restrictions regarding the operating system and software installations (commonly known as jail-breaking). Removing these restrictions allows users to download unauthorized applications from the internet, bypass digital protection measures, and circumvent network security measures. This makes devices far more vulnerable to malware and other threats to company data.
  • Requiring automatic device locking. This can alleviate problems resulting from lost or stolen devices and can allow time for remote data wiping if necessary. Ideally, devices should be set to lock with a passcode requirement after a short period of nonuse or after several failed log-in attempts.
  • Using mobile device management (MDM) software and services. These enable organizations to secure, monitor, and manage mobile devices deployed across mobile operators, service providers, and enterprises. MDM software typically provides the ability to remotely wipe data and disable device hardware. This allows more control and protection over company data on employee-owned devices in case those devices are lost or stolen.
  • Directing employees to access sensitive information only through secure networks. Employees who use their personal device to conduct business might connect to the internet through an open, unsecured wireless (Wi-Fi) network. Unsecured wireless networks are common in coffee shops, hotels, airports, and restaurants; however, information sent over these networks is unencrypted and easily intercepted by cybercriminals. Furthermore, hackers can set up fake Wi-Fi networks disguised as legitimate networks to steal information from unsuspecting users who connect to them.

3. (d) Data breaches perpetrated by malicious insiders pose an extremely high information-security risk for many organizations. The severity of this threat is due to insiders’ knowledge of both the organization’s information assets and its security controls (and their related flaws); additionally, the risk is compounded when the perpetrator is in a position of trust and access. There is no standard profile for the malicious insider who intentionally breaches company data. Therefore, detecting potential breaches perpetrated by employees requires identifying behaviors that are outside of what would be expected for the particular individual in question. Examples of such red flags include:

  • An employee who repeatedly accesses information in a database, program, or part of the organization’s information system that is outside of the requirements for his or her line of business or for which the employee has no clear, legitimate business need.
  • An employee who belittles or mocks security policies and procedures or who brags about his or her ability to circumvent security policies or to sabotage company systems.
  • An employee in a technical position (e.g., IT or R&D personnel) who is notably outspoken about his or her “ownership” of projects being worked on; for example, a software programmer who believes that he or she “owns” or is “entitled to” the source code written on behalf of the company.
  • An employee who downloads or transmits large amounts of company data within a short period of time before leaving the company.

4. (a) As of this writing, all but three U.S. states had enacted laws requiring organizations that have experienced a breach involving personally identifiable information to notify affected individuals. Generally, companies have about 60 days from the time a breach is discovered to inform those affected by the incident; however, some regulations provide less time for this notification—and some breaches might not require notification at all, depending on the circumstances and jurisdiction. Consequently, companies should respond to a suspected breach with due diligence and should work closely with legal counsel to determine the appropriate timeline for notification, to avoid sounding the alarm bells prematurely.

Additionally, conducting a quick but focused preliminary assessment of the situation, including interviewing the individuals who discovered the breach, can also help determine the legitimacy, scope, and approximate impact of the potential breach. During this initial response, the individuals collecting evidence must ensure they are doing so in a sound manner so that nothing that might be relevant to a criminal investigation is inadvertently destroyed. If the breach involved any physical areas, securing those areas immediately is an important part of protecting potential evidence.

5. (d) Fraud investigators can face numerous challenges accessing data stored on the cloud. Some of these complications include the following:

  • Clients of cloud service providers usually do not have physical access to data stored on the cloud. Additionally, cloud customers generally have limited or no access to their cloud data’s log files and metadata. Consequently, investigators often must rely on the service provider’s employees to relay the information sought.
  • Cloud service providers often store data on servers in different locations around the world. As a result, relevant evidence might be in several jurisdictions, and evidence related to individuals within the same organization might be segregated in different physical locations. Furthermore, the location of a cloud provider’s servers and data storage might not be clear.
  • Even if an investigator were to gain complete access to a cloud provider’s storage systems, it could prove difficult to interpret the data obtained from the system. To effectively understand the evidence collected, the investigator might need to have detailed technical knowledge about the providers’ operating system, servers, and levels of virtualization.

All these factors should be considered carefully before an organization chooses to store critical data in the cloud.

6. (c) Tor is used to perform private web browsing and to obscure the location of users and websites connected to the Tor network. The Tor network resides in a part of the internet known as the “deep web,” which consists of content that cannot be reached by conventional means such as through a search engine. While Tor is useful for dissidents or journalists living under oppressive regimes, it can also be used to access a virtual criminal underworld including sales of drugs and illegal arms, as well as the exchange of stolen information obtained from malicious data breaches. Although it facilitates anonymous web browsing, the use of the Tor browser does not necessarily preclude typical internet risks such as malware or man-in-the-middle attacks.

7. (b) Pretexting is the act of impersonating someone else or making false or misleading statements to persuade a target to release information or perform some action. Pretexting can occur in person, over the phone, or through some other form of communication. Social engineers often engage in pretexting by posing as the owner of a targeted account. As customer accounts typically are secured by a password, many social engineers are adept at distracting or manipulating customer service agents during the security verification phase of a pretexting incident.

To conduct a successful social engineering attack, social engineers must gather information about the target and the target’s environment. The more information a social engineer has about his or her target, the greater the chances that his or her attack will be successful. For example, a social engineer will have a greater chance of success if he or she knows the internal processes, jargon, and organizational structure of his or her target. Therefore, employees at call centers and in customer service roles should be educated on the tactics used by data thieves both to gather information for use in future social engineering ploys and to dupe unsuspecting employees into revealing confidential customer or organizational data.

8. (a) According to the IBM X-Force Threat Intelligence Quarterly 1Q 2014, half of the application exploits studied involved perpetrators who took advantage of vulnerabilities in Oracle Java. Attackers use malicious Java code to distribute malware and gain access to users’ systems. Disabling Java is the most effective way to protect against such schemes, but many common business applications, such as GoToMeeting and WebEx, rely on Java. In fact, Java’s ubiquity among applications for almost every operating system makes it an attractive target for attackers. The combination of Java’s inherent security vulnerabilities and its wide use means that it presents a particularly high risk for many organizations. Consequently, management must contend with how to best protect the organization from falling victim to this susceptibility without limiting the organization’s productivity.


If you answered all eight questions correctly, congratulations. Your thorough knowledge about the dangers of data breaches will go a long way in protecting organizations’ information assets. Keep up the good work.

If you answered six or seven questions correctly, you’re on the right track. Continue to build your knowledge of the threats to company data and the methods used to prevent and detect such attacks.

If you answered fewer than six questions correctly, you may want to brush up on your data-protection knowledge. Enhancing your understanding of the ways information is stolen will help ensure that you are able to effectively address this risk.  

Zach Capers is a research specialist, and Andi McNeal is director of research, both for the Association of Certified Fraud Examiners.

To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at jdrew@aicpa.org or 919-402-4056.


JofA articles

What’s Your Fraud IQ?” Oct. 2014, page 34

What’s Your Fraud IQ?” Aug. 2014, page 38

What’s Your Fraud IQ?” June 2014, page 40


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.