
FRAUD PREVENTION, DETECTION, INVESTIGATION, SECURITY

AWARENESS & DIGITAL FORENSICS

Quarterly Newsletter
Autumn 2020

Welcome to the Autumn 2020 issue!

“It Could Happen to You” may have been one of the cheesiest movies of the 1990s, but in making our fraud predictions for 2020, the title has an ominous ring to it.

Unlike the movie’s lucky lottery-winning Nicolas Cage, “it could happen to you” means that you, and your organisation, have a greater chance of becoming fraud victims this year than you did last year.

Our fraud predictions are driven by two factors that we believe will merge into each other in 2020 and dramatically ramp up fraudsters’ success:

1. White-collar criminals and hackers are getting incredibly good at duping their victims and are using the latest technology to defraud.

And their victims are not just small businesses but also the large corporates – look at the Liberty Life ransomware hack in 2018…!

Editor: Mario Fazekas Mobile: +27 (0)83 611 0161 Office: +27 (0)11 475 2525
www.exactech.co Email: mario.fazekas@exactech.co
2. Information security and fraud prevention tend not to be regarded as executive or board issues, and therefore we often see corners cut and budgets restricted. This leads to system deficiencies (which are themselves the result of management or human deficiencies, e.g. the ‘we don’t have fraud’ mindset) that criminals exploit to their advantage.

Some of the press articles discussing the Liberty hack, where 40 terabytes of client data were stolen without the company knowing, bring this into sharp focus with comments such as:

• “It's clear that Liberty didn't have a predefined strategy on how to respond in the event of an
attack of this nature”
• “How did the hackers know where to find the data? If it was an inside job they might have
been tipped off, but if it wasn’t, someone with the correct privileges was hacked, which means
that they spent enough time on the infrastructure to know where to look, which is alarming,”
• “The Liberty hack also illustrates the misdirection that financial institutions propagate. The
emphasis is that no financial loss has occurred, and it was "only e-mails". This does not take
into account that the failure has led to the violation of the constitutional right of privacy that is
supposed to be protected by the Protection of Personal Information Act. Our personal
information is the raw material that criminals use to perpetrate cybercrimes [and identity theft].
Whether there is a loss is irrelevant - the failure to adequately protect personal information [of
around 3 million clients] is a breach of this obligation”
• A cybersecurity specialist said that — “contrary to claims made by Liberty Holdings, the recent
major data breach demonstrates that the financial services company is actually not fully in
control of its data infrastructure”. He also noted a relative lack in corporate South Africa when
it comes to knowledge on cybersecurity. While the country is certainly progressing in this area,
many companies are unaware of the most basic security measures, he added. He called on
South African companies to educate themselves on how best to protect their data systems.

So, the above Liberty scenario is not a pleasant experience, but could it happen to you?

The City Press article, ‘3 things CEOs need to know following the Liberty hack’, provides some excellent advice if you want to be proactive and ensure you are one step ahead of the criminals.

The three things are:

1. “Cyber-attacks are making headlines - The first thing to understand is that a cyber-attack is not just an IT problem, it’s also a PR problem and simply put, if you don’t protect yourself against the latest cybersecurity threats, your clients will punish you for it and your reputation might take years to rebuild.

2. Educate your executives and test your employees - While there are many great cybersecurity products and services out there, it will all be for nothing if your executives or staff are tricked into giving their passwords away or clicking on phishing links.

To be fully protected means that a cultural shift needs to take place in your organisation. And it has
to start at the top, with your executives. Remember, people are your last line of defense, so invest in
security training to ensure your staff will be able to spot a wolf in sheep’s clothing. Then, once
employees have been trained, you need to regularly test them and run refresher courses to keep
them on their toes.
3. Understand what you have and use it - One of the prevailing myths around cybersecurity is that it
costs millions of Rands to implement. This is simply not true.

Many companies already have infrastructure in place that just needs to be optimised and tweaked
in order to block attacks. (The Equifax breach was caused by one employee who did not implement
a security patch when it came out, just like the Liberty hack with just one employee allegedly clicking
on a phishing link).

And if you still feel lost, just ask for help. It doesn’t cost much to get a forensic or cybersecurity firm to
come and look at your infrastructure – it might just be a critical decision that saves your company
millions of Rands’ worth of damage.”

So, we’ve seen that all it takes for the bad guys to gain access to your systems is just one uneducated
employee or executive! Can you now answer these questions…

• When last did you train all your staff members on fraud and cyber risks?
• Did you know that 91% of successful data breaches started with a phishing attack?
• Did you know that recent research showed that half of IT decision-makers in SA felt their
organisations were vulnerable to cyberattacks?
• When last did you test your systems to see if an employee would click on a suspicious link?

We can help you find out what percentage of your employees are Phish-prone™ with your free phishing security test. Exactech have partnered with KnowBe4 to extend our service offering to include phishing tests and automated security awareness training – it’s a 3-stage process:

1. Train Your Users - Old school Security Awareness Training doesn’t hack it anymore. Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks and now you will have access to the world's largest library of security awareness training content.

2. Phish Your Users - Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.

3. See The Results - Enterprise-strength reporting, showing stats and graphs for both security awareness training and phishing, ready for management. Show the great ROI!

Executives have realized that simulated phishing tests are urgently needed as an additional security
layer. Today, phishing your own users is just as important as having antivirus and a firewall. It’s fun and
an effective cybersecurity best practice to patch your last line of defense: Your USERS!

Why should you phish your staff members? Two good reasons:

• If you don't do it yourself, the bad guys will.
• If your employee Phish-prone percentage turns out to be higher than you expect, it’s great ammo to get the budget you need!

Contact Mario (+27 (0) 83 611 0161) / mario.fazekas@exactech.co for more details.

In the last two editions we looked at three of four red flag categories, namely ‘Internal Control
Weaknesses’, ‘Accounting anomalies’ and ‘Operational anomalies’. In this issue we look at
‘Behavioural anomalies’.

The vast majority of fraudsters display some sort of behavioural symptoms of their scheme –
symptoms that co-workers or supervisors might have picked up on without realising that they
were connected to fraudulent actions. According to the ACFE 2018 Report to the Nations on
Occupational Fraud and Abuse, these are the top six red flags that fraud perpetrators
displayed at the time of their frauds:

It is important to note that the presence of these behaviours does not, in itself, mean that
fraud is occurring. Nonetheless, compliance professionals and managers should be educated
about their frequent connection to fraud and advised to take note of them or other
unexpected changes in employee behaviour that might be consistent with a pressure or
opportunity to engage in wrongdoing.

(The next newsletter issue will focus on part 9, Addressing Fraud Indicators, which is the final part of this article).

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted”
- Kevin Mitnick (the world’s most famous hacker)
