Despite heightened awareness about hackers and increased expenditures for cyber security, major businesses and financial institutions continue to fall victim to hackers. Businesses can bolster their fraud deterrence measures in this area by being aware of the non-computer system exploits that allow hackers to successfully attack computer systems and taking steps to prevent them.
“Most companies refuse to explain how they were hacked, so no one can say with any certainty that a particular exploit was used in any one instance of hacking,” said David Anderson, principal of David Anderson & Associates, a Philadelphia forensic accounting firm that provides a full range of fraud investigation and fraud deterrence programs in the Delaware Valley. “But because of the risk these exploits present, it’s important for businesses to understand how hackers can circumvent their computer system security and what steps can be taken to help stop them.”
Anderson, a Certified Fraud Examiner in Philadelphia who recommends that every organization enact a comprehensive fraud deterrence program created by an experienced firm that provides forensic accounting services in Philadelphia and the Delaware Valley, said businesses should be on the lookout for three key exploits as outlined below:
A social engineering “hack attack” relies on the willingness of company employees to share their user IDs and passwords with someone they don’t know, said Anderson, a forensic accountant with extensive experience in fraud investigation and fraud deterrence initiatives.
In this type of attack, he said, the hacker identifies a target employee who has high-level access to financial systems and/or confidential information. The hacker also uncovers the names of several IT employees, usually by calling into the IT Department and posing as an executive recruiter. Next, the hacker calls the company (usually the sales or purchasing department) and asks for the target employee, whom the hacker knows works in a different department. The employee who answers the phone transfers the hacker to the target employee, who sees a call coming from what appears to be an inside line and assumes the caller is another company employee. The hacker then identifies himself as an IT employee by using one of the previously obtained IT employee names, and informs the target employee that they are having systems problems. He asks the employee to log out of the computer system and then log back in. He tells the employee to read out the user ID and password as they are entered, and then tells the target employee that they match what the IT Department has on file. After the employee successfully logs back in to the system, the hacker indicates that there does not appear to be a problem with the employee’s access, advises the employee to contact IT if there are any future access problems, and thanks the employee for his assistance.
“It doesn’t take much effort to obtain the confidential user ID and password of an employee with high level access,” explained Anderson, a forensic accounting expert in Philadelphia whose Philadelphia forensic accounting firm provides a full range of fraud investigation and fraud deterrence services. “Most companies experience occasional computer problems so users are accustomed to being contacted by the IT Department to resolve the problem. As a result, it is unfortunately not uncommon for an employee to unwittingly provide key information that allows the hacker to penetrate the company’s systems.”
Forensic accountants such as Anderson recommend that companies defend against this type of hack attack by establishing a set of written procedures specifically related to dealing with computer access problems and by training employees not to give out user IDs and passwords unless they know the IT employee personally or unless they call back the IT employee at that person’s internal system phone number.
Loose Lips Sink Ships
Another easy way hackers or their associates obtain employee passwords is simply to walk through an employee’s work space, Anderson said. Fearing they will forget their passwords, many employees write the password down and post it in plain sight on their monitor, a cork board, or on their desk near the monitor. Anderson recommends that employers perform occasional spot checks to make sure that their employees are not displaying their passwords for all to see.
Employees also sometimes willingly share user IDs and passwords with others, said Anderson, a forensic accountant in Philadelphia and the Delaware Valley. For example, if an employee is out of the office and unable to access information in their computer, the employee may provide his/her user ID and password to a colleague to access the needed information. Companies should always prohibit the sharing of user IDs and passwords, advises Anderson, a forensic accounting expert in Philadelphia.
Similarly, companies often provide a temporary employee with the regular employee’s user ID and password to avoid having to set up the temporary employee in the computer system. Others provide a guest user ID and password, but fail to change the access information after the temporary employee leaves. In both cases, the temporary employee has a valid user ID and password that can be passed on to a hacker. Companies should establish unique user IDs and passwords for temporary employees, and immediately disable them once the temporary employee has left, Anderson notes.
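The two temporary-account failures described above (a temp account left enabled after the assignment ends, and a guest account whose password is never changed after the temp leaves) can be caught with a periodic check against a directory export. The script below is an added example and not part of the original article; the account records are constructed sample data with hypothetical user IDs, and the field names are assumptions about what such an export would contain.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    user_id: str
    kind: str                    # "employee", "temp" or "guest" (assumed field)
    enabled: bool
    access_end: Optional[date]   # last day the holder should have access; None for regular staff
    password_last_set: date


# Constructed sample directory export (hypothetical user IDs, not real data).
ACCOUNTS = [
    Account("jsmith", "employee", True, None, date(2024, 1, 10)),
    Account("tmp-agray", "temp", True, date(2024, 3, 29), date(2024, 3, 1)),   # left, still enabled
    Account("tmp-bwong", "temp", False, date(2024, 2, 14), date(2024, 2, 1)),  # correctly disabled
    Account("tmp-cdiaz", "temp", True, date(2024, 6, 30), date(2024, 4, 1)),   # still on assignment
    Account("guest01", "guest", True, date(2024, 3, 15), date(2023, 11, 2)),   # password not rotated
    Account("guest02", "guest", True, date(2024, 3, 15), date(2024, 3, 18)),   # rotated after departure
]


def stale_temp_accounts(accounts, today):
    """Temp accounts whose access end date has passed but which are still enabled.

    Each one is a valid credential that a departed temp could pass on."""
    return sorted(a.user_id for a in accounts
                  if a.kind == "temp" and a.enabled
                  and a.access_end is not None and a.access_end < today)


def unrotated_guest_accounts(accounts):
    """Guest accounts whose password predates the end of the last assignment,
    so the person who last used them still knows the current password."""
    return sorted(a.user_id for a in accounts
                  if a.kind == "guest" and a.access_end is not None
                  and a.password_last_set <= a.access_end)


if __name__ == "__main__":
    today = date(2024, 4, 15)   # constructed "run date" for the sample
    print("Disable now:", stale_temp_accounts(ACCOUNTS, today))
    print("Rotate password:", unrotated_guest_accounts(ACCOUNTS))
```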
Click on This Link
Another common exploit occurs when hackers send employees of a targeted company an email that encourages them to click on a link. For example, click on this link to see a nude picture of a certain well-known actress/singer/athlete, or an unbelievable athletic feat/kitten playing the piano/skier in an avalanche, etc. When the employee clicks on the link, a malicious program is inserted into the user’s computer, thereby allowing user information to be transmitted to a hacker, Anderson said.
A company’s fraud deterrence measures for this type of exploitation should include the use of special software or third-party services to screen e-mail from unknown senders, Anderson said, adding that employers also must educate employees about the dangers of clicking on links in emails from unknown senders or in unusual emails from known senders. For example, he said, if your sister doesn’t normally send you emails about body part enhancement, receiving such an email from her should raise a red flag.
“Enhancing computer system security to prevent access by hackers requires more than just hardware and software,” said Anderson, a forensic accounting expert in Philadelphia whose company provides forensic accounting services in Philadelphia and the Delaware Valley. “It also requires being aware of the non-computer system exploits that hackers use and taking steps to prevent these exploits.”
If you aren’t sure that your fraud deterrence measures adequately protect you and your company, it may be time to contact a Certified Fraud Examiner in Philadelphia to conduct a computer security analysis and create a comprehensive fraud deterrence program that will keep hackers at bay.
If you require the services of a Certified Fraud Examiner in Philadelphia or any other forensic accounting services in Philadelphia and the Delaware Valley, please contact the Philadelphia forensic accounting firm of David Anderson & Associates by calling David Anderson at 267-207-3597 or emailing him at email@example.com.
About David Anderson & Associates
David Anderson & Associates is a Philadelphia forensic accounting firm that provides a full range of forensic accounting services in Philadelphia and the Delaware Valley. The experienced professionals at David Anderson & Associates provide forensic accounting, business valuation, fraud investigation, fraud deterrence, litigation support, economic damage analysis, business consulting and outsourced CFO services. Company principal David Anderson has more than 30 years of experience in financial and operational leadership positions and is a Certified Public Accountant, a Certified Valuation Analyst and a Certified Fraud Examiner in Philadelphia.