Other Fraud Schemes Flashcards

Question

Maria, a successful restaurateur, has been informed of an unusually attractive investment opportunity by a recent acquaintance and decides to invest in it. Several months and a couple of underwhelming payments later, Maria grows frustrated with the diminishing disbursements and attempts to withdraw her money. After several weeks of delay, she realizes that the promoter seems to have vanished, along with her investment. Maria is the victim of which of the following fraudulent ploys? A. An illegal pyramid B. A Ponzi scheme C. A dog and pony scam D. A fly and buy scheme

Answer 1

B. A Ponzi scheme | See pages 1.1334-1.1345 in the Fraud Examiner's Manual ## Footnote A Ponzi scheme is generally defined as an illegal business practice in which new investors’ money is used to make payments to earlier investors. The investment opportunity is typically presented with the promise of uncommonly high returns. While the scam is presented as a legitimate investment, there is minimal or no actual commerce involved. When an enterprise promotes an investment opportunity that invests a minimal amount or none of the participants’ money and uses new investments to make dividend payments, the enterprise is running a Ponzi scheme.

Answer 2

D. All of the above | See pages 1.743-1.744 in the Fraud Examiner's Manual ## Footnote To prevent the loss or misuse of sensitive data or proprietary information, organizations should develop and implement risk-based information-security systems designed to detect and prevent unauthorized access to sensitive information. An information security system requires controls that are designed to ensure that data are used as intended, and such controls will depend on the combination and coordination of people, processes, technologies, and other resources. To be effective, a system for safeguarding sensitive and proprietary information should include the following: * Task force * Security risk assessments * Security policies and procedures * Awareness training * Nondisclosure agreements * Noncompetition agreements * Data classification * Data retention and destruction policies * Data minimization * Security controls * Measures to guard manual file systems * Monitoring of visitor access * Quiet room * Incident response plan The failure to include any of these measures is a poor information security practice that can contribute to the loss of proprietary information.

Answer 3

D. Smurfing | See pages 1.1205-1.1207 in the Fraud Examiner's Manual ## Footnote Fictitious services, clinical lab schemes, and fictitious providers are all types of medical provider fraud. In a fictitious services scheme, legitimate health care providers charge or bill a health care program for services that were not rendered at all. Often, the providers submit bills for patients they have never seen but whose private patient information they purchased from someone involved in identity theft or someone who otherwise improperly obtained it. In a fictitious provider scheme, corrupt providers or other criminals fraudulently obtain and use another provider’s identification information and steal or purchase lists of patients' identifying information. Thereafter, the perpetrator submits bills using the fictitious provider’s information to the insurance provider or government health care program for medical services although no services are performed. Clinical lab schemes occur when a provider advises a patient that additional medical testing is needed to diagnose a problem when the testing is not actually required or advisable. The fee for the unnecessary work is often split with physicians. In some cases, physicians own the medical testing service. Additional medical testing, which is later viewed as excessive, is not always fraud. Many doctors have a genuine fear of retaliation from their patients; they are afraid of malpractice lawsuits that might result from a delayed or erroneous diagnosis. Smurfing is a scheme to launder funds through financial institutions.

Answer 4

A. Fraudsters use botnets to send massive amounts of emails for the purpose of enticing the recipients to click on a fraudulent URL. | See pages 1.1408-1.1409 in the Fraud Examiner's Manual ## Footnote Business email compromise (BEC) is a form of spear phishing attack that directly targets employees who can make large payments or who have access to sensitive proprietary information. BEC schemes typically involve fraudulent emails that appear to be from the company’s own chief executive officer (CEO) or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain is not disturbed, but the scheme has evolved to feature other methods or requests. Common scenarios for BEC schemes include: * Business working with a foreign supplier—Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters. * Business executive requesting a wire transfer—Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account. * Direct deposit changes—Rather than asking for a wire transfer or specific payment, some fraudsters executing BEC schemes pose as company executives or other high-ranking employees and request that account information associated with the direct deposit of their payroll checks be changed, thereby redirecting the funds into a new account. * Real estate payments—Fraudsters posing as realtors, title company employees, or lawyers request a change in wire transfer payment instructions related to a sale of property, redirecting funds into a new account. * Data theft—Fraudsters use the compromised email account of a high-level executive to request employees’ tax information or other personally identifiable information from the person responsible for maintaining such information (e.g., HR personnel). The stolen data might then be used to commit a variety of fraud schemes. * Gift cards—Fraudsters pose as an executive and request that an assistant or subordinate purchase gift cards from retailers under the pretense that they will be gifts for family or employees and the executive is too busy to do the shopping themselves. These schemes are more likely to occur near holidays and typically involve the fraudsters requesting gift card numbers and personal identification numbers (PINs).

Answer 5

D. All of the above | See pages 1.1015-1.1016 in the Fraud Examiner's Manual ## Footnote One common method of producing counterfeit payment cards includes the use of blank plastic cards. This scheme uses plastic the size of a payment card that is embossed with account numbers and names. This scheme often works in conjunction with a corrupt and collusive merchant or a merchant’s employee. Other counterfeit cards are wholly manufactured using high-speed printers. Additional tools that are common in the reproduction process include desktop computers, embossers, tipping foil, and laminators.

Answer 6

B. False | See pages 1.1229 in the Fraud Examiner's Manual ## Footnote Third-party fraud involves the unauthorized use of an insured’s identity to obtain their insurance benefits. The insured usually discovers the fraud when they receive a benefit statement containing medical services they did not receive. In misrepresentations on applications schemes, patients sometimes make misrepresentations on their insurance applications to circumvent coverage restrictions. Misrepresentations can include false information or the omission of relevant information.

Answer 7

D. All of the above | See pages 1.1526-1.1527 in the Fraud Examiner's Manual ## Footnote A change order is a written agreement between the procuring entity and the contractor to make changes in a signed contract. Change order abuse is a performance scheme that involves collusion between the contractor and personnel from the procuring entity. In change order abuses, a corrupt contractor submits a low bid to ensure that it wins the contract award, but, after the procuring entity awards the contract, the corrupt contractor increases its price with subsequent change orders. Fraud examiners can detect change order abuse by engaging in the following activities: * Examining change orders that add new items to the contract * Examining change orders that increase the scope, quantity, or price of the existing contract * Analyzing change orders for red flags * Interviewing complaining contractors, unsuccessful bidders, and procurement personnel about the presence of any red flags * Searching and reviewing external records (e.g., court records, prior complaints, audit reports, investigative reports, media sources) to determine if there is any history of misconduct

Answer 8

C. Advance-fee scheme | See pages 1.1302 in the Fraud Examiner's Manual ## Footnote Advance-fee schemes are structured to obtain an illegal gain by falsely promising the delivery of a product or service. In some schemes, the product is marketed to several customers, and then the operation is shut down prior to the delivery stage. Common scenarios used to commit advance-fee scams include the following: * A home improvement contractor requires prepayment for materials. * Notice of a supposed inheritance from an unknown relative is received. * Various exorbitant fees are required prior to securing financial assistance or advice.

Answer 9

D. Mobile deposits are at low risk for new account fraud because they involve sending digital images of payment orders to financial institutions rather than providing physical copies. | See pages 1.936-1.938 in the Fraud Examiner's Manual ## Footnote Fraud is much more likely to occur in new accounts than in established accounts. New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud. Financial institutions are increasingly allowing mobile deposits, which typically involve a person sending a digital image of a check or similar payment order to the depository institution so that the paper document never has to be received or processed. There is a relatively high risk of new account fraud with mobile deposits for two main reasons. First, there is no face-to-face transaction required, and fraudsters prefer to maintain anonymity. Second, the digital image is often taken by a camera or a scanner, so it is easier to make forged or counterfeit deposits. Financial institutions should also consider the increased risk of new account fraud when offering automated teller machines (ATMs) that accept deposits. Like with mobile deposits, the fact that ATM deposits do not require in-person transactions with a teller is ideal for fraudsters. Many ATMs have cameras to help identify users, but ATMs are often enticing targets.

Answer 10

D. Bill obtains double reimbursement for his hip replacement surgery by filing claims with different insurers. | See pages 1.1228-1.1230 in the Fraud Examiner's Manual ## Footnote Bill committed a multiple claims scheme by filing multiple claims for reimbursement for the same medical service. Patients commit fraud when they make a claim for a covered expense without revealing that they have already received reimbursement for that expense. For example, patients might seek reimbursement for the same medical service from both the government and a private insurer, two different private insurers, or two different government health care programs. James committed a doctor shopping scheme in which patients “shop” (i.e., search) for multiple doctors who will provide controlled substances. Patients, such as Roberta, sometimes seek reimbursement for ineligible claimants. For example, if a primary beneficiary dies, any secondary beneficiary named in the policy is generally ineligible for benefits. However, the secondary beneficiary might fail to notify the insurer of the death and continue to submit claims. Divorced parties can also commit ineligible claimant fraud. For example, suppose that a primary beneficiary and a covered spouse file for divorce, but neither party notifies the health care program. The ex-spouse might continue to submit claims even though they are no longer eligible for benefits. Julia committed third-party fraud, which involves the unauthorized use of an insured’s identity to obtain insurance benefits. The insured usually discovers the fraud when they receive a benefit statement containing medical services they did not receive.

Answer 11

C. Over-utilization | See pages 1.1207, 1.1228 in the Fraud Examiner's Manual ## Footnote There are various fraud schemes that patients can perpetrate against government health care programs and private insurers, including: * Fictitious claims * Multiple claims * Doctor shopping * Misrepresentations on applications * Altered bills * Third-party fraud * Ineligible claimants Over-utilization occurs when a physician prescribes unnecessary or excessive patient services. This is a scheme perpetrated by providers, not patients.

Answer 12

C. Dual in-line memory modules | See pages 1.1419-1.1420 in the Fraud Examiner's Manual ## Footnote Malware can infect computer systems from many sources. Some of the more common carriers of malware include: * Unknown or unchecked application software * Infected websites * Banner ads * Software or media that employees bring to work * Files downloaded from the internet * Infected software from vendors and suppliers * Uncontrolled and shared program applications * Files uploaded from storage devices, such as USB flash drives * Demonstration software * Freeware and shareware files * Email attachments

Answer 13

C. Ransomware is a form of malware that locks a user’s operating system and restricts access to data files until a payment is made. | See pages 1.1425-1.1427, 1.1429 in the Fraud Examiner's Manual ## Footnote Ransomware, as its name implies, is a form of malware that locks a user’s operating system and restricts access to data files until a ransom is paid. To intimidate internet users into compliance, ransomware often employs a convincing professional interface, commonly emblazoned with police insignia or an official government logo. Messages sometimes consist of threatening accusations that the user has been caught viewing illegal videos, downloading pirated media, or otherwise accessing forbidden internet content, with the only remedy being to pay a fine. Other forms are far more direct and make no effort to conceal their obvious attempts at extortion. Spyware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent. A Trojan horse is a program or command procedure that appears useful but contains hidden code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming Trojan horses and spreading to other systems. Crimeware is not a type of malware but rather a classification of malware denoted by its intent to facilitate criminal behavior. Crimeware can be described as malware designed to simplify or automate online criminal activities, such as programs to fraudulently obtain financial gain from the affected user or other third parties.

Answer 14

B. Residential loan fraud | See pages 1.905-1.906 in the Fraud Examiner's Manual ## Footnote In a residential loan fraud scheme, unqualified borrowers misrepresent personal creditworthiness, overstate their ability to pay, and misrepresent characteristics of a housing unit they intend to occupy or treat as an investment property to qualify for a loan. Such acts might include reporting inflated income, moving debt into a dependent’s name, reporting inflated square footage of the collateral, or even bribing an appraiser to value the home at a higher amount than the market value. In double-pledging collateral schemes, borrowers pledge the same collateral (i.e., an item of value used to secure or guarantee a loan) with different lenders before liens are recorded without telling the lenders. In a reciprocal loan arrangements scheme, insiders in different banks cause their banks to lend funds or sell loans to other banks with agreements to buy their loans, which is done to conceal loans and sales. In a credit data blocking scheme, the perpetrator first applies for and obtains loans but intentionally defaults on the loans. Rather than allowing their credit report to reflect the defaulted loans, the perpetrator asserts that the initial loans were instances of identity theft. While the validity of the fraud claims is checked, the perpetrator’s negative credit history is temporarily removed from their credit report. This allows the perpetrator to take out more loans, which they will also intentionally default on.

Answer 15

A. True | See pages 1.1339, 1.1345 in the Fraud Examiner's Manual ## Footnote In an illegal pyramid scheme, the more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make. The difference between a Ponzi scheme and an illegal pyramid is how the operation is promoted. Illegal pyramids are promoted as pyramids whereas Ponzi schemes are promoted as investment opportunities. In an illegal pyramid, the pyramidal structure helps recruit new participants, each believing that they will rise through the ranks of the pyramid. A Ponzi scheme, however, masquerades as some type of investment.

Answer 16

A. Social engineering | See pages 1.719 in the Fraud Examiner's Manual ## Footnote Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information. In social engineering schemes, social engineers use various forms of trickery, persuasion, or threats to encourage their targets to release information that the engineers can use and exploit to achieve their goals. Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so that they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware

Answer 17

C. Scavenger | See pages 1.1306 in the Fraud Examiner's Manual ## Footnote The scavenger or revenge scheme involves the company that initially defrauded the consumer. Using a different company’s name, the outfit contacts the consumer again and asks if they would like to help put the unethical company out of business and get their money back. Naturally, an up-front fee is required to finance the investigation.

Answer 18

A. Ensuring that all personnel who have access to computing resources have the required authorizations and appropriate security clearances | See pages 1.1441, 1.1453 in the Fraud Examiner's Manual ## Footnote Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include: * Security policies and awareness training * Separation of duties * Data classification * Computer security risk assessments * Security audits and tests * Incident response plans

Answer 19

B. Administrative security control | See pages 1.1441, 1.1453 in the Fraud Examiner's Manual ## Footnote Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include: * Security policies and awareness training * Separation of duties * Data classification * Computer security risk assessments * Security audits and tests * Incident response plans

Answer 20

A. Double-pledging collateral | See pages 1.905 in the Fraud Examiner's Manual ## Footnote In a double-pledging collateral scheme, borrowers pledge the same collateral with different lenders before liens are recorded without telling the lenders.

Answer 21

D. All of the above are potential indicators of a loan fraud scheme. | See pages 1.912 in the Fraud Examiner's Manual ## Footnote An increasing trend in the number of change orders or amounts on change orders might indicate that construction changes have occurred that would alter the originally planned project to such an extent as to render the underwriting inappropriate. Alternatively, some projects—especially large projects—tend to have many change orders. It might be more abnormal in situations like these to have few or no change orders than to have many. For instance, a lack of change orders for a large project might suggest that progress is not being made. Ultimately, the key characteristic that the fraud examiner should look for in change orders is abnormality, which can happen in many ways. Fraud examiners should discover what the normal trend for change orders is in terms of both quantity and content with the particular type of industry and project, and then they can look for deviations from those trends.

Answer 22

B. Intrusion detection systems | See pages 1.1450 in the Fraud Examiner's Manual ## Footnote An intrusion detection system (IDS) is a device or software application that monitors an organization’s inbound and outbound network activity and identifies any suspicious patterns of activity that might indicate a network or system attack or security policy violations. These systems are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the monitored entity’s network or system activities. They act much like a motion sensor by detecting individuals who have bypassed perimeter security.

Answer 23

C. III and IV only | See pages 1.1437 in the Fraud Examiner's Manual ## Footnote All branches of an information system, including the e-commerce branch, strive to provide security for their users and asset holders. The following is a list of common information security goals that should be achieved to ensure the security of information systems for users and account holders: * Confidentiality of data * Integrity of data * Availability of data * Authentication * Non-repudiation

Answer 24

A. True | See pages 1.911 in the Fraud Examiner's Manual ## Footnote One red flag of loan fraud to look for, particularly in construction lending, is whether the real estate developer is experiencing a higher-than-normal employee turnover. Typically, when a developer experiences a high degree of turnover, something is wrong with the internal operation. This is often a preamble for other problems.

Answer 25

A. True | See pages 1.1028 in the Fraud Examiner's Manual ## Footnote A smart card is a plastic card, the size of a payment card, embedded with a microchip. A key advantage of smart cards is that, unlike regular magnetic stripe payment cards, they cannot be easily replicated. Similarly, smart cards cannot be easily counterfeited, which greatly reduces the potential for fraud with in-person transactions. Smart cards include a wide variety of hardware and software features capable of detecting and reacting to tampering attempts and countering possible attacks. If someone tries to tamper with a chip on a smart card, the card detects the intrusion and shuts itself down, rendering the card useless.

Answer 26

C. Upcoding | See pages 1.1217 in the Fraud Examiner's Manual ## Footnote Upcoding occurs when a provider bills for a higher level of service than actually rendered. In a typical upcoding scheme, a durable medical equipment (DME) company provides patients with an inexpensive product (e.g., a manual wheelchair) but bills the government for a more expensive product (e.g., an electric wheelchair). Another common upcoding scheme is to falsely claim that an established patient is a new patient. A new patient generally requires an extensive examination and consumes more of the provider’s time. Therefore, under some medical coding systems, providers are reimbursed more for new patients than established patients.

Answer 27

B. Rent-a-patient schemes | See pages 1.1222 in the Fraud Examiner's Manual ## Footnote So-called rent-a-patient schemes involve paying an individual to undergo unnecessary medical procedures that are then billed to the patient’s insurer or health care program. These schemes occur in countries using a third-party payer system or single-payer system that allows private providers to bill health care programs.

Answer 28

D. A corporate spy poses as a customer of a competing company to elicit information from the competitor’s salespeople. | See pages 1.707-1.708 in the Fraud Examiner's Manual ## Footnote Intelligence professionals might gather data through human intelligence (i.e., through direct contact with people). Generally, human intelligence is gathered from subject-matter experts and informed individuals. Such efforts typically target individuals who can provide the most valuable information. For example, an intelligence professional might gather intelligence by posing as a customer of the target entity. This approach exploits two weaknesses of corporate culture: (1) all salespeople want to make a sale and (2) many salespeople will do almost anything to make a sale. Other approaches include: * Employment interviews (real and fake) * False licensing negotiations * False acquisition or merger negotiations * Hiring an employee away from a target entity * Planting an agent in a target organization * Social engineering

Answer 29

D. All of the above | See pages 1.1039-1.1040 in the Fraud Examiner's Manual ## Footnote Account takeover fraud occurs when a fraudster surreptitiously takes control of a payment account. Targeted accounts can include credit cards, banking, brokerage, or any type of online retail account (e.g., Amazon). To take over an account, thieves obtain email addresses or other log-in information and use various means to obtain passwords, such as phishing emails or password-cracking botnet attacks. Once the thief overtakes an account, communication methods and contact information are altered to keep the account holder unaware of the fraudulent activity. The thief is then free—depending on the type of account—to place orders using stored payment information, transfer funds, or request duplicate payment cards.

Answer 30

A. Claimant fraud | See pages 1.1109, 1.1112, 1.1114 in the Fraud Examiner's Manual ## Footnote Elizabeth's scheme is classified as claimant fraud. Claimant fraud involves misrepresenting the circumstances of any injury or fabricating that an injury occurred. Such schemes are perpetrated by employees who stage accidents or exaggerate minor injuries, sometimes in collusion with unethical doctors, to fraudulently receive compensation benefits. Workers' compensation is essentially an employee benefit, entitling persons who are injured on the job to compensation while they heal. The primary victim of a workers' compensation scheme is not the employer but the insurance carrier for the employer. It is the insurance carrier who pays for the perpetrator's fraudulent medical bills and unnecessary absences. Nevertheless, the employer is a tertiary victim of these crimes, as the fake claims can result in higher premiums for the company in the future.

Answer 31

A. A spy hacks into a target computer and monitors an employee’s communications. | See pages 1.707, 1.729-1.735 in the Fraud Examiner's Manual ## Footnote Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques. When corporate spies resort to the use of technical surveillance, it is usually to gather nondocumentary evidence or information that cannot be found through open sources. Corporate spies might employ various forms of technological surveillance, such as aerial photography, bugging and wiretapping, video surveillance, photographic cameras, mobile phones, monitoring computer emanations, and computer system penetrations.

Answer 32

B. False | See pages 1.1001-1.1002 in the Fraud Examiner's Manual ## Footnote Many merchants overburden police and prosecutors with reports of check fraud rather than implementing effective training and controls to help prevent such schemes from the outset; therefore, law enforcement and prosecutors do not have the time or workforce to pursue all such cases and are often uneager to do so. Furthermore, check fraud perpetrators frequently migrate from one location to another, making their arrest and prosecution difficult.

Answer 33

B. False | See pages 1.803-1.804 in the Fraud Examiner's Manual ## Footnote Synthetic identity theft involves the use of entirely fabricated personal information or a combination of real and fabricated information to create a new identity. In traditional identity theft, a fraudster steals an individual’s personal information and pretends to be that individual. For example, a fraudster might use an individual’s name, government identification number, and date of birth to impersonate the individual and gain access to the individual’s bank account. This is called an account takeover. Another type of traditional identity theft is true name fraud, in which a fraudster uses an individual’s personal information to open a new account under the individual’s name. Unlike an account takeover, which involves an existing account, true name fraud involves a new account.

Answer 34

B. Automated teller machines (ATMs) are rarely targets of new account fraud because most have cameras installed. | See pages 1.936-1.938 in the Fraud Examiner's Manual ## Footnote New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud. New account criminals often use false identification to open new accounts and steal money before funds are collected by the bank. False identification is easily purchased. Some bank customers defraud business institutions by opening a new business account using checks stolen from another business. The fraudsters then withdraw the funds and close the account. Financial institutions are increasingly allowing mobile deposits, which typically involve a person sending a digital image of a check or similar payment order to the depository institution so that the paper document never has to be received or processed. There is a relatively high risk of new account fraud with mobile deposits for two main reasons. First, there is no face-to-face transaction required, and fraudsters prefer to maintain anonymity. Second, the digital image is often taken by a camera or a scanner, so it is easier to make forged or counterfeit deposits. Financial institutions should also consider the increased risk of new account fraud when offering automated teller machines (ATMs) that accept deposits. Like with mobile deposits, the fact that ATM deposits do not require in-person transactions with a teller is ideal for fraudsters. Many ATMs have cameras to help identify users, but ATMs are often enticing targets.

Answer 35

B. The purchasing entity's materials are being ordered at the optimal reorder point. | See pages 1.1514-1.1515 in the Fraud Examiner's Manual ## Footnote Generally, procurement actions begin with the procuring entity making a determination of its general needs. These initial determinations include assessments of the types and amounts of goods or services required to meet the entity’s needs. In need recognition schemes, procurement employees convince their employer that it needs excessive or unnecessary products or services. There are several red flags that might indicate a need recognition scheme. An organization with unusually high requirements for stock and inventory levels might reveal a situation in which a corrupt employee is seeking to justify unnecessary purchases from a certain supplier. Likewise, if an organization’s materials are not being ordered at the optimal reorder point, this should raise a red flag. An employee might also justify unnecessary purchases of inventory by writing off a large number of surplus items as scrap. As these items leave the inventory, they open spaces to justify additional purchases. Another indicator of a need recognition scheme is a need that is defined in a way that can only be met by a certain supplier or contractor. In addition, the failure to develop a satisfactory list of backup suppliers might reveal an unusually strong attachment to a primary supplier—an attachment that is explainable by the acceptance of bribes from that supplier.

Answer 36

B. False | See pages 1.1007 in the Fraud Examiner's Manual ## Footnote Check fraud rings thrive because the items needed to commit check fraud are easily obtainable and the cost is minimal. Often, the only necessary equipment for a check fraud ring is a scanner, printer, and personal computer.

Answer 37

A. True | See pages 1.1304 in the Fraud Examiner's Manual ## Footnote Automatic debit programs are a convenient way to pay bills, such as recurring charges for mortgages and car loans. Fraudsters exploit these programs by obtaining consumers’ bank account information through telemarketing schemes. Fraudsters then use this information to draft money from consumers’ bank accounts without their consent.

Answer 38

B. False | See pages 1.1454-1.1456 in the Fraud Examiner's Manual ## Footnote Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information systems department and between IT and business unit personnel include: * Programmers should not have unsupervised access to production programs or have access to production data sets (data files). * IT personnel’s access to production data should be limited. * Application system users should only be granted access to those functions and data required for their job duties. * Program developers should be separated from program testers. * System users should not have direct access to program source code. * Computer operators should not perform computer programming. * Development staff should not have access to production data. * Development staff should not access system-level technology or database management systems. * End users should not have access to production data outside the scope of their normal job duties. * End users or system operators should not have direct access to program source code. * Programmers should not be server administrators or database administrators. * IT departments should be separated from information user departments. * Functions involving the creation, installation, and administration of software programs should be assigned to different individuals. * Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties. * Employees’ access to documents should be limited to those that correspond with their related job tasks.

Answer 39

B. False | See pages 1.807 in the Fraud Examiner's Manual ## Footnote Business identity theft occurs when a fraudster impersonates a business to commit financial fraud. In an employment identity theft scheme, a fraudster impersonates another person to secure a job.

Answer 40

D. An unusually small number of claims for reimbursement | See pages 1.1211 in the Fraud Examiner's Manual ## Footnote Warning signs that a health care provider is engaging in fraudulent practices include: * Lack of supporting documentation for claims under review * Details in supporting documents that do not match the claim * Medical records that have been altered * Medical records that were created long after the alleged patient visit * Medical records that seem sloppy, disorganized, or otherwise unprofessional * Missing pages of medical records that would cover the period of time under review * Routine, nonspecialized treatment for patients living several hours away from the provider * An unusually high volume of patients * An unusually large number of claims for reimbursement * Unusually high profits compared to similar businesses in the same geographic region * Matching addresses on the claim form for the patient and the provider * High percentage of coding outliers * Pressure for rapid processing of bills or claims * Threats of legal action for delay in making payments

Answer 41

B. False | See pages 1.750 in the Fraud Examiner's Manual ## Footnote A noncompetition agreement is an agreement whereby employees agree not to work for competing companies within a certain period of time after leaving their current employer. While noncompetition agreements can be useful in some circumstances, there are multiple legal issues that limit their effectiveness. Because of these potential legal issues and challenges, and due to differences in employees’ geographic locations, job responsibilities, access to proprietary information, and other factors, such agreements should generally be used on an as-needed basis, rather than as a broad requirement for all employees. If management does determine that such an agreement is appropriate for certain employees, it should consult with legal counsel to ensure that the agreement is valid and enforceable under the applicable laws.

Answer 42

A. More competitors than usual submit bids on a project or product. | See pages 1.1513-1.1514 in the Fraud Examiner's Manual ## Footnote Common red flags of procurement fraud schemes involving collusion among contractors include: * The industry has limited competition. * The same contractors bid on each project or product. * The winning bid appears too high. * All contractors submit consistently high bids. * Qualified contractors do not submit bids. * The winning bidder subcontracts work to one or more losing bidders or to non-bidders. * Bids appear to be complementary bids by companies unqualified to perform the work. * Some bids fail to conform to the essential requirements of the solicitation documents (i.e., some bids do not comply with bid specifications). * Some losing bids were poorly prepared. * Fewer competitors than usual submit bids on a project or product. * When a new contractor enters the competition, the bid prices begin to decline. * There is a rotational pattern to winning bidders (e.g., geographical, customer, job, or type of work). * There is evidence of collusion in the bids (e.g., bidders make the same mathematical or spelling errors; bids are prepared using the same typeface, handwriting, stationery, or envelope; or competitors submit identical bids). * There is a pattern indicating that the last party to bid wins the contract. * There are patterns of conduct by bidders or their employees that suggest the possibility of collusion (e.g., competitors regularly socialize, hold meetings, visit each other’s offices, or subcontract with each other).

Answer 43

B. The "1-in-5" | See pages 1.1331 in the Fraud Examiner's Manual ## Footnote The most common giveaway scheme is known as the 1-in-5. In this scheme, a consumer receives a letter or postcard in the mail informing them that they have already won a prize. The prizes usually include luxurious vacations, new cars, or cash. Unfortunately, the odds of winning any of the prizes are extremely low. Victims might receive items of minimal or no value or coupons redeemable only for the company’s substandard merchandise.

Answer 44

B. False | See pages 1.913 in the Fraud Examiner's Manual ## Footnote Missing or altered documentation is a red flag for any type of fraud scheme, and it is a particular concern for loan fraud. While it is true that many loan files have missing documents, it is important to determine if the documents have been misplaced or were never received. A waiver of certain documents is a common way lenders conceal fraud schemes.

Answer 45

A. True | See pages 1.1219-1.1220 in the Fraud Examiner's Manual ## Footnote ne form of medical fraud is the billing for experimental use of new medical devices that have not yet been approved by the jurisdiction’s health care authority. Some hospitals deliberately mislead third-party payers by getting them to pay for the manufacturer’s research. Many of the doctors involved are alleged to have stock in the manufacturing companies.

Answer 46

A. A computer program that replicates itself and penetrates operating systems to spread malicious code to other computers | See pages 1.1424 in the Fraud Examiner's Manual ## Footnote A computer worm is a computer program that replicates itself and penetrates operating systems to spread malicious code to other computers.

Answer 47

D. All of the above | See pages 1.1123 in the Fraud Examiner's Manual ## Footnote Janice could look at several different types of reports to determine the validity of the tip. For instance, address similarity reports electronically compare multiple payments going to the same address. They are extremely useful because they might show a payment defalcation or funds going to another insurance company, broker, or fictitious payee. Additionally, the exception or manual override reports list all exceptions to normal electronic processing, thereby pointing out when a computer is being used outside the normal processing time, such as on the weekend.

Answer 48

C. Disparate price | See pages 1.1207-1.1208 in the Fraud Examiner's Manual ## Footnote Many government health care programs require that they receive the best available price that providers offer. In a disparate price scheme, providers charge some patients (e.g., those in direct payment situations) a lower rate than they charge the government. This disparate bill rate causes the government to pay a higher rate, in violation of regulations mandating that the government receive the lowest rate. In addition, some government health programs require that wholesale pharmacies provide the program at the average wholesale price. However, providers might manipulate their data and provide false information to the government program.

Answer 49

D. A method for acquiring sensitive information by falsely claiming through electronic communication to be from an entity with which the target does business | See pages 1.1407 in the Fraud Examiner's Manual ## Footnote Phishing is a type of social engineering scheme that involves impersonating a trusted individual or entity. Generally, phishers manipulate victims into providing sensitive information by falsely claiming to be from an actual business, bank, internet service provider (ISP), or other entity with which the target does business. In this type of scam, phishers typically use emails to direct internet users to imitation websites that look legitimate, such as log-in portals for online banks, retailers, or government agencies. Phishers control these imitation websites and use them to steal sensitive information, such as bank account details and passwords. Other phishing schemes involve corrupted files that will install malware or allow the attackers access to a computer system once the victim downloads and opens the files.

Answer 50

D. All of the above | See pages 1.1316 in the Fraud Examiner's Manual ## Footnote The following are some common red flags for elder fraud schemes. While the presence of any one of these circumstances does not necessarily indicate that elder fraud is occurring, individuals close to the older individuals should be aware of multiple occurrences of or patterns in these warning signs. * Outstanding bills * Disconnection notices for unpaid utilities * Large bank account withdrawals with no explanation * New friends who appear suddenly and without prior mention * The discovery of signed or forged legal documents (e.g., power of attorney [POA]) that the older individual is not aware of * Another caregiver asking probing or unexpected questions about the older individual’s spending habits * The older individual missing property or belongings * The discovery of financial decisions or arrangements that the older individual is unaware of (e.g., the opening of an account in the person’s name)

Answer 51

C. A fraudster offers to eliminate an individual’s credit card debt after the individual pays for the service with their card. | See pages 1.1308, 1.1313-1.1315 in the Fraud Examiner's Manual ## Footnote Elder fraud, also known as elder financial abuse, includes different types of consumer fraud schemes perpetrated against older individuals. In a tech-support scheme, a fraudster attempts to convince victims to pay for unnecessary computer services to repair nonexistent viruses or other problems. The scheme usually begins with a fraudster calling a victim and claiming to be a computer technician working for a well-known tech company (e.g., Microsoft or Apple). Alternatively, the victim might be tricked into calling the fraudster directly via pop-up messages warning about nonexistent computer problems. Once the victim is speaking to the fraudster by phone, the fraudster generally instructs the victim to download and launch software that gives the fraudster remote access to the victim’s computer. The fraudster proceeds to perform phony diagnostic tests on the victim’s computer, falsely claims to have detected viruses or other problems, and offers to fix the victim’s computer for a fee. In addition to collecting a fee for unnecessary services, the fraudster might install spyware onto the victim’s computer. In a grandparent scheme, a scammer calls an older individual and asks if the individual knows who is calling. When the grandparent guesses the name of a grandchild, the scammer pretends to be that grandchild. The scammer claims to be in a financial bind and asks if the grandparent can send money via the internet or a money transfer service. The scammer urges the grandparent to avoid telling anyone about the situation. Once scammers receive the money, they continue to contact the grandparent for more money. In a sweepstake and prize scheme, fraudsters inform older individuals they won a prize but must pay a fee to receive it. The fraudsters then convince their victims that they can eventually win the grand prize if they send them another fee. This cycle continues until the victims become aware of the scheme or are no longer able to send fees because they have depleted their savings. A scheme in which a fraudster offers to eliminate an individual’s credit card debt after the individual pays for the service with their card is an example of a credit card debt elimination scheme. Although anyone could be a target of this kind of fraud, such schemes generally do not specifically target older individuals.

Answer 52

D. Brokered loan fraud | See pages 1.947 in the Fraud Examiner's Manual ## Footnote Loan brokering applies to either packages of individual residential (consumer) loans or single commercial loans. A variation of a brokered loan is loan participation, whereby multiple parties purchase and have interests in a loan or a package of loans. The fraud schemes associated with brokered loans or loan participation generally involve selling phony loans (packages) or selling participations in loans that have not been properly underwritten. Normally, a large fee is charged for these brokered loans. With residential loan packages, the broker sells the package, takes the money, and disappears. Brokered loans are not usually sold with any recourse to the broker. Therefore, the purchaser must look to the borrower and the underlying collateral for debt satisfaction. With loan participations, the lead bank generally performs the underwriting. However, this does not relieve the participating bank from its obligation to perform due diligence.

Answer 53

A. Only programmers should be server administrators. | See pages 1.1454-1.1456 in the Fraud Examiner's Manual ## Footnote Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information systems department and between IT and business unit personnel include: * Programmers should not have unsupervised access to production programs or have access to production data sets (data files). * IT personnel’s access to production data should be limited. * Application system users should only be granted access to those functions and data required for their job duties. * Program developers should be separated from program testers. * System users should not have direct access to program source code. * Computer operators should not perform computer programming. * Development staff should not have access to production data. * Development staff should not access system-level technology or database management systems. * End users should not have access to production data outside the scope of their normal job duties. * End users or system operators should not have direct access to program source code. * Programmers should not be server administrators or database administrators. * IT departments should be separated from information user departments. * Functions involving the creation, installation, and administration of software programs should be assigned to different individuals. * Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties. * Employees’ access to documents should be limited to those that correspond with their related job tasks.

Answer 54

D. Open-source information | See pages 1.704 in the Fraud Examiner's Manual ## Footnote Open-source information is information in the public domain; it can be defined as publicly available data "that anyone can lawfully obtain by request, purchase, or observation."

Answer 55

B. Past posting | See pages 1.1105 in the Fraud Examiner's Manual ## Footnote Past posting is a scheme in which a person is involved in an automobile accident but does not have insurance. After the accident, the person gets insurance, waits a short time, and then reports the vehicle as having been damaged in some manner, thus collecting for the damage previously incurred.

Answer 56

B. Electronic funds transfer fraud | See pages 1.1036 in the Fraud Examiner's Manual ## Footnote Mario is committing an electronic funds transfer (EFT) scheme by misappropriating customers’ account and password information. There are several ways in which fraud can be perpetrated through the electronic transfer of funds. Potential sources of fraud include the following: * A biller might send a bill for services not rendered or for goods never sent. * A person who has obtained information about another person’s bank account might instruct a biller to obtain payment from the other person’s account. * A hacker might obtain passwords and usernames from an aggregator and use that information to direct transfers from a consumer’s bank account. * An employee at the site providing electronic bill presentment and payment (EBPP) services who knows consumers’ usernames and passwords might use that information to direct transfers from consumers’ bank accounts. * A bank employee might use customer information to direct transfers from a customer’s account.

Answer 57

D. All of the above | See pages 1.1208-1.1209 in the Fraud Examiner's Manual ## Footnote The term durable medical equipment (DME) refers to medical equipment that can withstand repeated use, such as wheelchairs and specialized patient beds. Fraud schemes perpetrated by DME suppliers frequently involve: * Falsified prescriptions for DME * Intentionally providing excessive DME * DME not being delivered * Billing for DME rental beyond when the DME is returned * Billing for DME not covered by the insurance policy or health care program * Scooter scams (i.e., billing for electric-powered wheelchairs that are either unnecessary or are of poorer quality than the model billed for)

Answer 58

A. The hologram | See pages 1.1016 in the Fraud Examiner's Manual ## Footnote The hologram is the most difficult aspect of a payment card to reproduce. True holograms use a lenticular refraction process; counterfeits generally consist of reflective materials, usually foil with an image stamped on it. These decals are attached to the card's surface rather than fixed into the plastic, as is the case with legitimate cards. Some fraudulent holograms do not change colors—as legitimate ones do—when viewed from various angles.

Answer 59

A. A doctor uses the identifying information of patients the doctor has never serviced to bill an insurer or health care program. | See pages 1.1206 in the Fraud Examiner's Manual ## Footnote In a fictitious services scheme, legitimate health care providers charge or bill a health care program for services that were not rendered at all. Often, the providers submit bills for patients they have never seen but whose private patient information they purchased from someone involved in identity theft or someone who otherwise improperly obtained it.

Answer 60

D. A builder, in collusion with an appraiser and other real estate insiders, fraudulently applies for a loan to construct a building on a nonexistent property and keeps the proceeds. | See pages 1.927-1.928 in the Fraud Examiner's Manual ## Footnote An air loan is a loan for a nonexistent property—with air symbolizing the loan’s fraudulent absence of collateral. Most or all of the documentation is fabricated, including the borrower, the property ownership documents, and the appraisal. This type of scheme involves a high level of collusion, and perpetrators might even set up a fictitious office with people pretending to be participants in the transaction, such as the borrower’s employer, the appraiser, and the credit agency. Usually, air loans go into early payment default. Since there are no actual properties on which to foreclose, the losses on these loans can be enormous.

Answer 61

C. A program or command procedure that appears useful but contains hidden code that causes damage | See pages 1.1425 in the Fraud Examiner's Manual ## Footnote A Trojan horse is a program or command procedure that appears useful but contains hidden code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming Trojan horses and spreading to other systems.

Answer 62

A. True | See pages 1.1338 in the Fraud Examiner's Manual ## Footnote The following are red flags of Ponzi schemes: * Sounds too good to be true—If an investment opportunity seems suspiciously better than it should be, then it is probably a Ponzi scheme. * Promises of low risk or high rewards—Promoters of Ponzi schemes typically promise implausibly high or quick returns with little risk. As all legitimate investments include some risk, any guarantee that an investment will perform in a certain way is a clear signal that it might be part of a Ponzi scheme. * History of consistent returns—Any firm that generates remarkably consistent returns regardless of market conditions should raise suspicions. * High-pressure sales tactics—Reputable investment firms and agents do not push potential investors to act immediately, and legitimate investment opportunities are rarely that time sensitive. * Pressure to reinvest—Often, fraudsters keep Ponzi schemes going by convincing investors to reinvest their profits rather than take a payout. * Complex trading strategies—Legitimate agents should be able to provide clear explanations about their investment strategies. For obvious reasons, Ponzi-scheme boosters purposefully employ complicated strategies that confound unsophisticated investors. * Lack of transparency or access—Secrecy surrounding the operations of a financial company should be an immediate warning sign. Ponzi operators are often unlicensed, and their supposed investments are typically unregistered. Additionally, a lack of access to regular statements or an online account should trigger alarm. * Lack of separation of duties—Investors should be wary of any financial manager who manages, administers, and retains custody of the fund in question.

Answer 63

D. All of the above | See pages 1.712 in the Fraud Examiner's Manual ## Footnote Often, intelligence professionals target research and development (R&D) employees because their positions generally involve the communication of information. For example, many R&D employees attend or participate in trade shows, conferences, or other industry functions where it is common to network with other professionals in their field and exchange ideas. Such events provide intelligence spies with the opportunity to learn key product- or project-related details simply by listening to a presentation or asking the right questions. R&D employees’ publications are also a good source of information for intelligence professionals. Researchers sometimes inadvertently include sensitive project details when writing articles about their findings for industry journals or other mediums. This is particularly true in the case of academic professionals who might be hired by a company to perform research or conduct a study. If a company hires an academician to conduct research, management must ensure that the academician understands the need to keep the results confidential. In addition, management must ensure that the academician’s use of teaching assistants or graduate students is minimal and that those individuals understand the confidentiality requirements.

Answer 64

B. False | See pages 1.754 in the Fraud Examiner's Manual ## Footnote Management should monitor and limit visitor access. Visitors should be required to sign in and out of an organization logbook. It is considered a best practice to issue each visitor a badge that identifies them as a nonemployee. Also, visitors should be escorted by a host for the entirety of their visit and not be allowed into areas containing sensitive information. Additionally, locks on doors leading to secure areas should be changed or reprogrammed regularly, especially if an employee has recently quit or been terminated.

Answer 65

A. True | See pages 1.1535 in the Fraud Examiner's Manual ## Footnote It is important for companies to implement a continuous, self-auditing program to monitor the performance of their procurement activities. Continuous monitoring uses data analytics on a perpetual basis, thereby allowing management to identify and report fraudulent activity more rapidly.

Answer 66

A. True | See pages 1.1339 in the Fraud Examiner's Manual ## Footnote Not all organizations with a pyramid structure are engaging in illegal activity. Some legitimate merchandising companies use a pyramid structure to rank and determine the compensation of their employee-owners. A pyramid structure becomes an illegal pyramid scheme when the recruitment of new members takes precedence over the product or service that the company is ostensibly promoting. The more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make.

Answer 67

A. True | See pages 1.1037-1.1038 in the Fraud Examiner's Manual ## Footnote The following are safeguards that banks can perform to reduce the risk that they or their customers become victimized by unauthorized electronic funds transfers (EFTs): * Confirm phone numbers and mailing addresses on the application to ensure that they are consistent with information about the applicant that is available from other sources and, with respect to existing customers, consistent with current records about these customers. This might involve obtaining credit reports about the applicant or obtaining copies of utility bills that show the applicant’s address. * Ensure that the area or city code in the applicant’s phone number matches the geographical area for the applicant’s address. * Send a welcome letter to the address on the application with the bank’s return address so that the letter is returned if the applicant does not live there. * Verify by phone or additional mailings any change of address requests in the same way that new account applications are verified. * If a customer reports the loss or theft of an access device, cancel the existing card, personal identification number (PIN), or other form of access and issue a new one. * If a customer reports that a person previously authorized to use an access device no longer has that authority, cancel all cards, PINs, or other access devices and issue new ones to the customer. * Always mail PINs separately from other information, such as usernames, with which they are associated. * Separate the responsibility of bank employees who have custody of information relating to access devices from those who have responsibility for issuance, verification, or reissuance of PINs. * Ensure that any communication concerning usernames or passwords is sent in a secure, encrypted format. * Require customers who register for electronic bill presentment and payment (EBPP) or person-to-person (P2P) systems to provide information indicating that they are authorized to use the bank account or credit card from which payments will be made. * Employ multifactor authentication to verify transfers via EBPP or P2P systems.

Answer 68

B. Unbundling | See pages 1.1215 in the Fraud Examiner's Manual ## Footnote Because health care procedures often have special reimbursement rates for a group of procedures typically performed together (e.g., blood test panels by clinical laboratories), some providers attempt to increase profits by billing separately for procedures that are actually part of a single procedure. This process is called unbundling. Simple unbundling occurs when a provider charges a comprehensive code, as well as one or more component codes.

Answer 69

A. Direct-action virus | See pages 1.1423 in the Fraud Examiner's Manual ## Footnote Direct-action viruses load themselves onto the target system's memory, infect other files, and then unload themselves.

Answer 70

A. True | See pages 1.1330 in the Fraud Examiner's Manual ## Footnote A favored device of phony charities is to send school-age children to different homes in a neighborhood, saying that they are raising money for antidrug programs or for a group that takes underprivileged kids on trips. Some of the children repeat what they are instructed to say in exchange for a few dollars. Others believe they will receive rewards and free trips even though they, too, are being scammed.

Answer 71

A. True | See pages 1.749 in the Fraud Examiner's Manual ## Footnote Often, employees are willing to abide by nondisclosure agreements, but they do not understand that the information they are communicating might be confidential. To more effectively implement nondisclosure agreements, employees must be clearly informed about what information is considered confidential upon hiring, upon signing a nondisclosure agreement, and during exit interviews.

Answer 72

D. All of the above | See pages 1.1517 in the Fraud Examiner's Manual ## Footnote In bid manipulation schemes, a procuring employee manipulates the bidding process to benefit a favored contractor or supplier. Some common ways to commit these schemes include: * Opening bids prematurely * Altering bids * Extending bid opening dates without justification

Answer 73

A. Shipping and receiving | See pages 1.712 in the Fraud Examiner's Manual ## Footnote Some of the favorite targets of intelligence gatherers include employees in the following departments: research and development (R&D), marketing, manufacturing and production, human resources (HR), sales, and purchasing.

Answer 74

A. True | See pages 1.1232 in the Fraud Examiner's Manual ## Footnote An insurance company might be guilty of fraud if it fails to apply discounts that have been negotiated with providers. The alleged overcharging occurs when an insurance company negotiates a discount on a medical bill. If the company does not provide the discount, then the consumer’s copayment is made on the full price rather than the discounted price, causing the consumer to pay a higher percentage of their bill than they should.

Answer 75

B. Encryption | See pages 1.1452 in the Fraud Examiner's Manual ## Footnote Encryption is one of the most effective methods of protecting networks and communications against attacks through technical security controls. Encryption is the deliberate scrambling of a message so that it is unreadable except to those who hold the key for unscrambling the message. Any confidential information or credit card numbers should be encrypted in their entirety.

Answer 76

A. Retainage | See pages 1.910 in the Fraud Examiner's Manual ## Footnote Retainage (sometimes called the holdback) is the amount withheld from each draw request until the construction is complete and the lien period has expired.

Answer 77

B. Application security | See pages 1.1441, 1.1445, 1.1453 in the Fraud Examiner's Manual ## Footnote Technical security involves the use of safeguards incorporated into computer hardware or systems, operations or applications software, communications hardware and software, and related devices. Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Common technical controls used to secure computer systems and communication networks include: * Logical access controls * Network security * Operating system security * Encryption * Application security Application security encompasses controls implemented at the application level to prevent data from being accessed, stolen, modified, or deleted by unauthorized users. Attackers can exploit vulnerabilities in the design, development, or deployment of applications that allow them to obtain sensitive information pertaining to the organization itself, its employees, or its customers; therefore, it is important for companies to regularly test applications for weaknesses and implement solutions for any issues discovered in their code.

Answer 78

B. Omission of developer’s personal account statements | See pages 1.908-1.909 in the Fraud Examiner's Manual ## Footnote Construction loan advances are generally supported by draw requests. A draw request is the documentation substantiating that a developer has incurred the appropriate construction expenses and is now seeking reimbursement or direct payment. Generally, a draw request is made once a month and is verified by a quantity surveyor (QS) or other authorized entity as agreed to by the financial institution. The request should be accompanied by the following documents: * Paid invoices for raw materials * Lien releases from each subcontractor * Inspection reports * Canceled checks from previous draw requests * Bank reconciliation for construction draw account for previous month * Loan balancing form demonstrating that the loan remains in balance * Change orders, if applicable * Wiring instructions, if applicable * Proof of developer contribution, if applicable Any missing or altered documentation is a red flag that something is amiss with the draw request. All advances on the loan should be adequately documented. The developer’s personal account statements would never be included with a draw request.

Answer 79

C. Using the same password or passphrase for all accounts | See pages 1.815 in the Fraud Examiner's Manual ## Footnote The following are some of the steps that individuals can take to protect their personal information and prevent identity theft: * Do not give out government identification numbers unless absolutely necessary. * Do not carry government identification cards (or numbers) in purses or wallets. * Create complex passwords or passphrases that have at least eight characters and contain upper- and lowercase letters, numbers, and symbols. * Do not reuse passwords. Use a different password for every website, account, or device. * Never send personal information, such as a password or government identification number, via email. Reputable organizations will not request personal information by email. * When available, use biometric authentication (e.g., fingerprints, voice recognition). * Create unique answers for security questions. Do not choose answers containing personal information that is publicly available (e.g., name of high school, mother’s maiden name). * Protect computers with strong and regularly updated firewall and antivirus software, and promptly install all security updates and patches. * Avoid suspicious websites. * Delete messages from unknown senders without opening them. * Only download software from trusted websites. * Avoid using unsecured, public Wi-Fi networks. * Limit the amount of personal information shared on social media. * Use software to permanently erase all data from hard drives before disposing of computers, smartphones, copiers, printers, and other electronic devices. * Secure physical mailboxes with a lock, check physical mail regularly, and instruct the postal service to suspend mail during vacations. * Shred all sensitive documents. * Opt out of unsolicited offers for pre-approved credit cards or other lines of credit. * Pay attention to billing cycles and review all bills and statements. * Check credit reports regularly.

Answer 80

D. The insured has not made many insurance claims in the past. | See pages 1.1119 in the Fraud Examiner's Manual ## Footnote Red flags of insurance fraud might include any of the following: * The claim is made soon after the policy’s inception or after an increase or change in the coverage under which the claim is made. * The insured has a history of multiple insurance claims and losses. * The insured previously asked an insurance agent hypothetical questions about coverage in the event of a loss similar to the actual claim. * In a burglary loss, the claim includes large, bulky property, which is unusual for a burglary. * In a theft or fire loss claim, the claim includes a lot of recently purchased, expensive property, but the insured cannot provide receipts, owner’s manuals, or other documentary proof of purchase. * In a fire loss claim, the claim does not include personal or sentimental items, such as photographs or family heirlooms, that would usually be listed among the lost property. * The insured cannot remember or does not know where they acquired the claimed property, especially unusual items, or cannot provide adequate documentation.

Answer 81

A. A person buying groceries at a supermarket | See pages 1.1035 in the Fraud Examiner's Manual ## Footnote Person-to-person (P2P) payment systems are an increasingly popular method for making payments between individuals or between an individual and a business. P2P payments are commonly used to make online payments but are not as common for in-person payments, such as paying for clothes at a department store or buying groceries at a supermarket. These services are also used to move money internationally and between various currencies at exchange rates that rival traditional methods of currency exchange. Wise (formerly TransferWise) and PayPal are examples of popular P2P payment systems. Mobile payment applications or digital wallets, such as Venmo or Apple Pay, might also have P2P payment features.

Answer 82

D. Creating an incident response plan | See pages 1.1441, 1.1453 in the Fraud Examiner's Manual ## Footnote Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include: * Security policies and awareness training * Separation of duties * Data classification * Computer security risk assessments * Security audits and tests * Incident response plans

Answer 83

A. The prospective contractors prepare and submit their bids. | See pages 1.1509 in the Fraud Examiner's Manual ## Footnote The solicitation phase involves the bid solicitation, bid preparation, and bid submission. During this phase, the procuring entity prepares the solicitation document, provides notices of solicitation, and issues the solicitation document. After the procuring entity issues the solicitation document, the bidders prepare and submit their bids or proposals.

Answer 84

D. All of the above | See pages 1.1020 in the Fraud Examiner's Manual ## Footnote In recent years, prepaid cards have gained popularity. Prepaid gift and debit cards are commonly used by those who do not have a bank account or who prefer relatively anonymous payment methods. Unfortunately, these consumers are often targeted with prepaid card fraud schemes that can manifest in many ways. Prepaid cards can be purchased at countless retailers and are difficult to track after they have been purchased and activated.

Answer 85

D. All of the above | See pages 1.1511-1.1512 in the Fraud Examiner's Manual ## Footnote Schemes involving collusion among contractors seek to evade the competitive bidding process. In these schemes, competitors in the same market collude to defeat competition or to inflate the prices of goods and services artificially. The following schemes are common forms of collusion between competitors: * Bid rotation—Bid rotation, also known as bid pooling, occurs when two or more contractors conspire to alternate the business among themselves on a rotating basis. * Bid suppression—Bid suppression occurs when two or more contractors enter into an illegal agreement whereby at least one of the conspirators refrains from bidding or withdraws a previously submitted bid. * Market division—Market division (or market allocation) schemes involve agreements among competitors to divide and allocate markets and to refrain from competing in each other’s designated portion of the market.

Answer 86

B. Fraudsters deceive victims into inserting data storage devices that have been infected with malware into their computers. | See pages 1.811, 1.813 in the Fraud Examiner's Manual ## Footnote In a baiting scheme, fraudsters leave flash drives, CD-ROMs, or similar items that have been infected with malware in places where people will find them, such as parking lots. The items often have a label designed to elicit curiosity or greed in the victims (e.g., “FREE PRIZE”). Alternatively, the item could be left in a workplace break room with a label that seems relevant (e.g., “Year-End Report”). When the item is inserted into the victim’s computer, the computer or network is infected, giving the identity thief access to information. In the context of identity theft, social engineering refers to the psychological manipulation of people to deceive them into revealing personal or business information. Social engineering often involves pretexting, the act of using an invented scenario (i.e., a pretext) to persuade a person to release information or perform an action. Identity thieves often engage in pretexting by impersonating the victim’s bank or another financial institution with which the victim has a business relationship. Vishing (or voice phishing) schemes involve the use of telephone calls or voice messages to deceive people into revealing personal or business information. In a pharming scheme, internet users are automatically redirected from a legitimate website to an imitation website.

Answer 87

B. False | See pages 1.1462-1.1463 in the Fraud Examiner's Manual ## Footnote Every organization should be ready to respond to a wide range of cybersecurity incidents, including cyberattacks and data breaches. The recommended methodology for responding to cybersecurity incidents can be summarized in the following steps: 1. Preparation 2. Detection and analysis 3. Containment and eradication 4. Breach notification 5. Recovery and follow-up It is critical that organizations have an incident response plan for dealing with intrusions before they occur. An incident response plan describes the actions the organization will take when a data breach occurs. The incident response plan should be created and implemented during the preparation step.

Answer 88

B. False | See pages 1.1225-1.1226 in the Fraud Examiner's Manual ## Footnote Medical facilities that offer special care services, such as nursing homes and psychiatric hospitals, and the patients in them are at a greater risk of fraud than most other medical institutions. Many health care fraud schemes are revealed after a patient reports strange charges or other red flags. Unfortunately, criminals take advantage of the fact that patients in special care facilities are more vulnerable to fraud. Many special care facilities do not have the in-house capability to provide all the services and supplies their patients need. Accordingly, outside providers market their services and supplies to special care facilities to serve the needs of their patients. Some special care facilities allow outside providers or their representatives to review patient medical records; these providers can obtain all the information necessary to order and bill for services and supplies that are not necessary or even provided.

Answer 89

A. True | See pages 1.1219 in the Fraud Examiner's Manual ## Footnote Hospitals and other medical institutions use diagnostic-related groupings (DRGs) to categorize patients based on their diagnosis, treatment, length of stay, and other factors. DRG creep occurs when a hospital or other medical institution deliberately and systematically manipulates diagnostic and procedural codes to increase reimbursement amounts or other forms of funding. In other words, DRG creep is an intentional pattern of upcoding by a hospital or other medical institution. For example, a hospital might repeatedly and incorrectly code angina (pain or discomfort in the chest due to some obstruction of the arteries) as a myocardial infarction (a more serious event, commonly known as a heart attack) and thus be reimbursed at a higher level.

Answer 90

C. Stealing an individual’s personal information and opening an account under their name | See pages 1.803-1.804 in the Fraud Examiner's Manual ## Footnote In traditional identity theft, a fraudster steals an individual’s personal information and pretends to be that individual. For example, a fraudster might use an individual’s name, government identification number, and date of birth to impersonate the individual and gain access to the individual’s bank account. This is called an account takeover. Another type of traditional identity theft is true name fraud, in which a fraudster uses an individual’s personal information to open a new account under the individual’s name. Unlike an account takeover, which involves an existing account, true name fraud involves a new account. Synthetic identity theft involves the use of entirely fabricated personal information or a combination of real and fabricated information to create a new identity.

Answer 91

D. A pyramid scheme promotes itself as a pyramid whereas a Ponzi scheme promotes itself as an investment opportunity. | See pages 1.1345 in the Fraud Examiner's Manual ## Footnote The difference between a Ponzi scheme and an illegal pyramid is how the operation is promoted. Illegal pyramids are promoted as pyramids whereas Ponzi schemes are promoted as investment opportunities. In an illegal pyramid, the pyramidal structure helps recruit new participants, each believing that they will rise through the ranks of the pyramid. A Ponzi scheme, however, masquerades as some type of investment.

Answer 92

B. Bid rotation | See pages 1.1512 in the Fraud Examiner's Manual ## Footnote Based on the facts provided, ABC Paving and XYZ Asphalt could be engaged in a bid rotation (or bid pooling) scheme, which is a form of collusion among contractors. Bid rotation occurs when two or more contractors conspire to alternate the business among themselves on a rotating basis. Instead of engaging in competitive contracting, the bidders exchange information on contract solicitations to guarantee that each contractor will win a share of the purchasing entity’s business and potentially enable them to charge inflated prices for their contracts.

Answer 93

D. An insured can provide the insurance company with documentation for claims involving expensive property. | See pages 1.1119 in the Fraud Examiner's Manual ## Footnote Red flags of insurance fraud might include any of the following: * The claim is made soon after the policy’s inception or after an increase or change in the coverage under which the claim is made. * The insured has a history of multiple insurance claims and losses. * The insured previously asked an insurance agent hypothetical questions about coverage in the event of a loss similar to the actual claim. * In a burglary loss, the claim includes large, bulky property, which is unusual for a burglary. * In a theft or fire loss claim, the claim includes a lot of recently purchased, expensive property, but the insured cannot provide receipts, owner’s manuals, or other documentary proof of purchase. * In a fire loss claim, the claim does not include personal or sentimental items, such as photographs or family heirlooms, that would usually be listed among the lost property. * The insured cannot remember or does not know where they acquired the claimed property, especially unusual items, or cannot provide adequate documentation.

Answer 94

D. The procuring employees assess the bids or proposals. | See pages 1.1509 in the Fraud Examiner's Manual ## Footnote In the bid evaluation and award phase, the procuring employees evaluate the bids or proposals, conduct discussions and negotiations, and give the bidders an opportunity to revise their proposals. Procuring employees then select the winning bid or proposal.

Answer 95

B. False | See pages 1.1443, 1.1445 in the Fraud Examiner's Manual ## Footnote Physical access controls refer to the process by which users are allowed access to physical objects (e.g., buildings). In contrast, logical access controls are tools used to control access to computer information systems and their components.

Answer 96

B. Vacation scheme | See pages 1.1313-1.1315 in the Fraud Examiner's Manual ## Footnote Elder fraud, also known as elder financial abuse, includes different types of consumer fraud schemes perpetrated against older individuals. In travel, vacation, and timeshare schemes, fraudsters post advertisements for vacation properties that are nonexistent, significantly different than promised, or not available for rent. Telemarketers sometimes target older individuals directly, promising inexpensive vacation packages or timeshares that can be easily resold. In a tech-support scheme, a fraudster attempts to convince victims to pay for unnecessary computer services to repair nonexistent viruses or other problems. The scheme usually begins with a fraudster calling a victim and claiming to be a computer technician working for a well-known tech company (e.g., Microsoft or Apple). Alternatively, the victim might be tricked into calling the fraudster directly via pop-up messages warning about nonexistent computer problems. Once the victim is speaking to the fraudster by phone, the fraudster generally instructs the victim to download and launch software that gives the fraudster remote access to the victim’s computer. The fraudster proceeds to perform phony diagnostic tests on the victim’s computer, falsely claims to have detected viruses or other problems, and offers to fix the victim’s computer for a fee. In addition to collecting a fee for unnecessary services, the fraudster might install spyware onto the victim’s computer. In a grandparent scheme, a scammer calls an older individual and asks if the individual knows who is calling. When the grandparent guesses the name of a grandchild, the scammer pretends to be that grandchild. The scammer claims to be in a financial bind and asks if the grandparent can send money via the internet or a money transfer service. The scammer urges the grandparent to avoid telling anyone about the situation. Once scammers receive the money, they continue to contact the grandparent for more money. In a home improvement scheme, the fraudster recommends a friend who can perform needed home repairs for an older individual at a reasonable price. This friend might require the homeowner to sign a document upon completion, confirming repairs were made. In some cases, the victims later learn that they signed over the title of their house to the repairperson. In other cases, not only is the victim overcharged, but the work is also performed improperly.

Answer 97

D. All of the above | See pages 1.936-1.937, 1.940 in the Fraud Examiner's Manual ## Footnote Fraud is much more likely to occur in new accounts than in established accounts. New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud. Prompt, decisive action is necessary to manage and/or close apparent problem accounts. Some of the more common red flags of potential new account schemes are: * Customer residence outside the bank's trade area * Dress and/or actions inconsistent or inappropriate for the customer's stated age, occupation, or income level * New account holder requesting immediate cash withdrawal upon deposit * Request for large quantity of temporary checks * Services included with the account that do not match the customer’s purpose * Missing or inaccurate customer application information * Invalid phone numbers or addresses in customer account information * Use of a mail drop address (a service where a non-affiliated party collects and distributes mail for individuals or entities) * Large check or automated teller machine (ATM) deposits followed by rapid withdrawal or transfer of funds (a pass-through account) * Business accounts without standard business transactions, such as payroll or transactions that would be expected in that business * Transactions without a clear purpose in jurisdictions known for high levels of corruption * Opening deposit that is a nominal cash amount * Rare customer ID type * Applicants over the age of 25 with no credit history * Customers who cannot remember basic application information (e.g., phone number or address)

Answer 98

C. A false appraisal report | See pages 1.918 in the Fraud Examiner's Manual ## Footnote Real estate transactions assume a willing buyer and a willing seller. Fraud can occur when the transaction breaks down or the expert assistance is not at arm's length (i.e., not immediately attainable). Many real estate fraud schemes have a false appraisal report as a condition precedent.

Answer 99

A. True | See pages 1.744 in the Fraud Examiner's Manual ## Footnote To coordinate a company-wide program for safeguarding proprietary information (SPI), management should establish a task force and charge it with developing the program. The task force should include managers and staff from departments that deal with proprietary information, such as research and development (R&D) and production. The task force should also include representatives from the following departments: corporate security, human resources (HR), records management, data processing, and legal. Once the task force is assembled, it must identify the information that is to be protected. To make this determination, the task force should identify those areas that give the company its competitive edge (e.g., quality of the product, service, price, manufacturing technology, marketing, and distribution). When doing so, the task force should ask, “What information would a competitor like to know?”

Answer 100

D. All of the above | See pages 1.815 in the Fraud Examiner's Manual ## Footnote The following are some of the steps that individuals can take to protect their personal information and prevent identity theft: * Do not give out government identification numbers unless absolutely necessary. * Do not carry government identification cards (or numbers) in purses or wallets. * Create complex passwords or passphrases that have at least eight characters and contain upper- and lowercase letters, numbers, and symbols. * Do not reuse passwords. Use a different password for every website, account, or device. * Never send personal information, such as a password or government identification number, via email. Reputable organizations will not request personal information by email. * When available, use biometric authentication (e.g., fingerprints, voice recognition). * Create unique answers for security questions. Do not choose answers containing personal information that is publicly available (e.g., name of high school, mother’s maiden name). * Protect computers with strong and regularly updated firewall and antivirus software, and promptly install all security updates and patches. * Avoid suspicious websites. * Delete messages from unknown senders without opening them. * Only download software from trusted websites. * Avoid using unsecured, public Wi-Fi networks. * Limit the amount of personal information shared on social media. * Use software to permanently erase all data from hard drives before disposing of computers, smartphones, copiers, printers, and other electronic devices. * Secure physical mailboxes with a lock, check physical mail regularly, and instruct the postal service to suspend mail during vacations. * Shred all sensitive documents. * Opt out of unsolicited offers for pre-approved credit cards or other lines of credit. * Pay attention to billing cycles and review all bills and statements. * Check credit reports regularly.

Answer 101

D. Scavenging | See pages 1.706, 1.721, 1.1414 in the Fraud Examiner's Manual ## Footnote Scavenging involves collecting information left around computer systems (e.g., on desks or workstations). Dumpster diving involves obtaining sensitive information by looking through someone else’s trash (e.g., via dumpsters and other trash receptacles). Shoulder surfing involves observing an unsuspecting target from a nearby location while the target enters a username and password into a system, talks on the phone, fills out financial forms, or performs some other task from which valuable information can be obtained. Spoofing refers to the process whereby an individual impersonates a legitimate user to obtain access to the target’s network.

Answer 102

A. A fraudster calls a company employee and requests sensitive information while claiming to be a coworker whose systems are down | See pages 1.719 in the Fraud Examiner's Manual ## Footnote Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information. In social engineering schemes, social engineers use various forms of trickery, persuasion, or threats to encourage their targets to release information that the engineers can use and exploit to achieve their goals. Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so that they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware.

Answer 103

A. True | See pages 1.1411 in the Fraud Examiner's Manual ## Footnote Pharming is a type of attack in which users are fooled into entering sensitive data (such as a password or credit card number) into a malicious website that imitates a legitimate website. It is different from phishing because in pharming schemes, the attacker does not have to rely on users clicking a link in an email or other message to direct them to the imitation website.

Answer 104

B. Smart cards are embedded with a microchip that is not easily replicated. | See pages 1.1028-1.1029 in the Fraud Examiner's Manual ## Footnote A smart card is a plastic card, the size of a payment card, embedded with a microchip. A key advantage of smart cards is that, unlike regular magnetic stripe payment cards, they cannot be easily replicated. Similarly, smart cards cannot be easily counterfeited, which greatly reduces the potential for fraud with in-person transactions. Smart cards include a wide variety of hardware and software features capable of detecting and reacting to tampering attempts and countering possible attacks. If someone tries to tamper with a chip on a smart card, the card detects the intrusion and shuts itself down, rendering the card useless. Although smart cards are designed to withstand different kinds of potential attacks on security, they are not immune from attacks. There are four main classes of attacks on smart cards: physical, side-channel, software, and environmental. While the adoption of smart cards has significantly reduced fraud for card-present (CP) transactions, much of the fraud has been displaced to card-not-present (CNP) transactions on the internet. Significant increases in CNP fraud have occurred globally in the years following the transition to smart cards. Large-scale data breaches and the continued increase in online spending have also contributed to the rising volume of CNP fraud.

Answer 105

A. True | See pages 1.1040-1.1041 in the Fraud Examiner's Manual ## Footnote The widespread presence of mobile devices has fostered a demand for mobile payments. These payments are typically made through contactless technology, such as digital wallets or applications—also known as in-app payments. Most mobile payments require users to authenticate themselves, and the technology available in many mobile devices allows for biometric authentication, such as a partial fingerprint or three-dimensional facial scan, which is difficult for fraudsters to bypass. Mobile payments that do not require or offer biometric authentication can be more vulnerable to cyberattacks due to the common practice of using the same log-in credentials for multiple applications. If one application is hacked, criminals might attempt to access various platforms with the same credentials.

Answer 106

D. Using text messages to obtain sensitive data | See pages 1.1410 in the Fraud Examiner's Manual ## Footnote Smishing is a hybrid of phishing and short message service (SMS), also known as text messaging. These schemes use text messages or other short message systems to conduct phishing activities. That is, in smishing schemes, the attacker uses text messages or other SMSs to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, internet service provider (ISP), or other entity with which the target does business.

Answer 107

A. True | See pages 1.1339 in the Fraud Examiner's Manual ## Footnote Pyramid schemes are designed to pay off their earliest investors but not later investors. Probability studies have shown that 93%–95% of the participants in a pyramid scheme (all but those who join at the earliest stage) will lose most of their money. Half can expect to lose all the money they invest.

Answer 108

A. True | See pages 1.905 in the Fraud Examiner's Manual ## Footnote In double-pledging collateral schemes, borrowers pledge the same collateral (i.e., an item of value used to secure or guarantee a loan) with different lenders before liens are recorded without telling the lenders.

Answer 109

D. All of the above | See pages 1.1036 in the Fraud Examiner's Manual ## Footnote There are several ways in which fraud can be perpetrated through the electronic transfer of funds. Potential sources of fraud include the following: * A biller might send a bill for services not rendered or for goods never sent. * A person who has obtained information about another person’s bank account might instruct a biller to obtain payment from the other person’s account. * A hacker might obtain passwords and usernames from an aggregator and use that information to direct transfers from a consumer’s bank account. * An employee at the site providing electronic bill presentment and payment (EBPP) services who knows consumers’ usernames and passwords might use that information to direct transfers from consumers’ bank accounts. * A bank employee might use customer information to direct transfers from a customer’s account.

Answer 110

C. Watching a customer enter a PIN at an ATM | See pages 1.810-1.811, 1.813 in the Fraud Examiner's Manual ## Footnote Shoulder surfing is the practice of observing another person (e.g., looking over the person’s shoulder) to gather personal information. Shoulder surfing is especially effective in crowded areas where a fraudster can stand close to a victim without being noticed. While in close proximity, the fraudster can eavesdrop on the victim’s telephone conversation, view the victim’s credit card number, or gather other personal information. Identity thieves often watch victims as they enter their personal identification numbers (PINs) at automated teller machines (ATMs) or fill out bank deposit slips at their banks. Leaving a flash drive that has been infected with spyware in a workplace break room is an example of a baiting scheme. The other two scenarios are examples of piggybacking.

Answer 111

D. Unauthorized disbursement of funds to outsiders | See pages 1.901, 1.903 in the Fraud Examiner's Manual ## Footnote There are various embezzlement schemes that have been used over time against financial institutions. The scheme in this scenario involves an employee abusing his authority to approve a fraudulent (i.e., counterfeit, forged, or stolen) instrument to make an unauthorized disbursement of funds to an outsider.

Answer 112

D. All of the above | See pages 1.1441, 1.1453 in the Fraud Examiner's Manual ## Footnote Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include: * Security policies and awareness training * Separation of duties * Data classification * Computer security risk assessments * Security audits and tests * Incident response plans

Answer 113

A. An airline ticket purchased through the internet with the use of a credit card | See pages 1.1031-1.1032 in the Fraud Examiner's Manual ## Footnote An electronic funds transfer (EFT) is any transfer of funds, other than one originated by a check or similar paper instrument, that is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape that orders or purports to authorize a financial institution to debit or credit an account. Because it does not result in a transfer of funds, the use of a credit card to make a payment does not constitute an EFT. Although jurisdiction-specific regulations and terminology might differ, each of the following could generally be considered an EFT: * A customer’s withdrawal of funds from the customer’s own account by use of an automated teller machine (ATM) * A customer’s transfer of funds from the customer’s checking account to the customer’s savings account at the same financial institution initiated by the customer through a personal computer * A customer’s transfer of funds from the customer’s checking account to the customer’s savings account at the same financial institution initiated by the customer through the bank’s automated telephone service * A customer’s use of a debit card to purchase goods from a merchant who swipes the card through a point-of-sale (POS) device to authorize the deduction of the amount of the sale from the customer’s checking account * A customer’s transfer of funds from the customer’s bank account to a third party initiated by the customer through a personal computer * An employer’s instruction, initiated by computer or through a magnetic tape, to a financial institution to deposit funds representing an employee’s pay into the employee’s account * A noncustomer’s instruction, initiated by computer or through a magnetic tape, to a financial institution to withdraw funds from a customer’s checking account and transfer the funds to a noncustomer’s bank account

Answer 114

B. False | See pages 1.1334, 1.1339 in the Fraud Examiner's Manual ## Footnote A Ponzi scheme is generally defined as an illegal business practice in which new investors’ money is used to make payments to earlier investors. The investment opportunity is typically presented with the promise of uncommonly high returns. While the scam is presented as a legitimate investment, there is minimal or no actual commerce involved. In contrast, an illegal pyramid scheme is unique in that the more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make.

Answer 115

B. False | See pages 1.901-1.902 in the Fraud Examiner's Manual ## Footnote There are various embezzlement schemes that have been used over time against financial institutions. In false accounting entry schemes, employees debit the general ledger to credit their own accounts or conceal a theft from a customer account. In other words, employees adjust the general ledger to conceal the stolen amount. In an unauthorized withdrawal scheme, employees simply make unauthorized withdrawals from customer accounts; they do not attempt to conceal the theft by adjusting the financial institution’s general ledger.

Answer 116

D. All of the above | See pages 1.1338 in the Fraud Examiner's Manual ## Footnote The following are red flags of Ponzi schemes: * Sounds too good to be true—If an investment opportunity seems suspiciously better than it should be, then it is probably a Ponzi scheme. * Promises of low risk or high rewards—Promoters of Ponzi schemes typically promise implausibly high or quick returns with little risk. As all legitimate investments include some risk, any guarantee that an investment will perform in a certain way is a clear signal that it might be part of a Ponzi scheme. * History of consistent returns—Any firm that generates remarkably consistent returns regardless of market conditions should raise suspicions. * High-pressure sales tactics—Reputable investment firms and agents do not push potential investors to act immediately, and legitimate investment opportunities are rarely that time sensitive. * Pressure to reinvest—Often, fraudsters keep Ponzi schemes going by convincing investors to reinvest their profits rather than take a payout. * Complex trading strategies—Legitimate agents should be able to provide clear explanations about their investment strategies. For obvious reasons, Ponzi-scheme boosters purposefully employ complicated strategies that confound unsophisticated investors. * Lack of transparency or access—Secrecy surrounding the operations of a financial company should be an immediate warning sign. Ponzi operators are often unlicensed, and their supposed investments are typically unregistered. Additionally, a lack of access to regular statements or an online account should trigger alarm. * Lack of separation of duties—Investors should be wary of any financial manager who manages, administers, and retains custody of the fund in question.

Answer 117

D. All of the above | See pages 1.1443 in the Fraud Examiner's Manual ## Footnote There are various types of physical access control devices that can be used to control access to physical objects. Some common types include: * Locks and keys * Electronic access cards * Biometric systems

Answer 118

B. Vishing | See pages 1.1410 in the Fraud Examiner's Manual ## Footnote Vishing, or voice phishing, is the act of leveraging Voice over Internet Protocol (VoIP) in using the telephone system to falsely claim to be a legitimate enterprise to scam users (both consumers and businesses) into disclosing personal information or executing an act that furthers a scheme. Government and financial institutions, as well as online auctions and their payment services, can be targets of voice phishing. A vishing scheme is generally transmitted as an incoming recorded telephone message that uses a spoofed (fraudulent) caller ID matching the identity of a misrepresented organization. The message uses an urgent pretext to direct unsuspecting users to another telephone number. The victim is invited to input their personal information using their telephone keypad. The criminals capture the key tones and convert them back to numerical format.

Answer 119

D. All of the above | See pages 1.1110-1.1113 in the Fraud Examiner's Manual ## Footnote Workers’ compensation schemes are generally broken into four categories: premium fraud, agent fraud, claimant fraud, and organized fraud schemes. * Premium fraud involves the misrepresentation of information to the insurer by employers to lower the cost of workers’ compensation premiums. For example, an employer might understate the amount of the payroll for higher-risk classifications, thus receiving lower-cost premiums. * Agent fraud schemes consist primarily of pilfering premiums and conspiring to reduce premiums. Underhanded agents sometimes issue certificates of coverage to the ostensibly insured customer while misappropriating the premium rather than forwarding it to the insurance carrier. Agents might also conspire to alter or improperly influence insurance applications to offer lower premiums to their clients. * Claimant fraud involves misrepresenting the circumstances of any injury or fabricating that an injury occurred. * Organized fraud schemes are composed of the united efforts of a lawyer, a capper, a doctor, and the claimant. This type of scheme is used not only in workers’ compensation cases but also in other medical frauds, such as automobile injuries.

Answer 120

D. All of the above | See pages 1.1513-1.1514 in the Fraud Examiner's Manual ## Footnote Common red flags of procurement fraud schemes involving collusion among contractors include: * The industry has limited competition. * The same contractors bid on each project or product. * The winning bid appears too high. * All contractors submit consistently high bids. * Qualified contractors do not submit bids. * The winning bidder subcontracts work to one or more losing bidders or to non-bidders. * Bids appear to be complementary bids by companies unqualified to perform the work. * Some bids fail to conform to the essential requirements of the solicitation documents (i.e., some bids do not comply with bid specifications). * Some losing bids were poorly prepared. * Fewer competitors than usual submit bids on a project or product. * When a new contractor enters the competition, the bid prices begin to decline. * There is a rotational pattern to winning bidders (e.g., geographical, customer, job, or type of work). * There is evidence of collusion in the bids (e.g., bidders make the same mathematical or spelling errors; bids are prepared using the same typeface, handwriting, stationery, or envelope; or competitors submit identical bids). * There is a pattern indicating that the last party to bid wins the contract. * There are patterns of conduct by bidders or their employees that suggest the possibility of collusion (e.g., competitors regularly socialize, hold meetings, visit each other’s offices, or subcontract with each other).

Answer 121

C. The procuring entity performs its contractual obligations. | See pages 1.1510 in the Fraud Examiner's Manual ## Footnote During the post-award and administration phase, the parties that were contracted fulfill their respective duties through the performance of their contractual obligations. Activities that occur during this phase include contract modifications (i.e., change orders); review of completed portions and release of monies; and assessment of deliverables for compliance with the contract terms, including quality control.

Answer 122

C. Unintentional misrepresentation of the diagnosis | See pages 1.1218 in the Fraud Examiner's Manual ## Footnote Fraud schemes perpetrated by institutions and their employees include those commonly used by doctors and other providers. However, the more common schemes in which hospitals are primarily involved include: * Filing of false cost reports * DRG creep * Billing for experimental procedures * Improper contractual and other relationships with physicians * Revenue recovery firms to (knowingly or unknowingly) bill extra charges

Answer 123

B. False | See pages 1.1007 in the Fraud Examiner's Manual ## Footnote Check fraud is considered a relatively low-risk crime; the chances of being arrested and prosecuted are low, and the penalties are relatively mild in most jurisdictions.

Answer 124

B. False | See pages 1.809 in the Fraud Examiner's Manual ## Footnote Fraudsters commonly obtain personal and business information from improperly discarded computers, media drives, copiers, printers, mobile phones, and other devices. Like computers, some copiers and printers have internal hard drives that store sensitive data. Because it is possible to recover deleted data, fraudsters might search for sensitive information on second-hand devices that they purchase online or obtain from another source. Data can be permanently erased from such devices with specialized software.

Answer 125

B. Sequential purchases under the competitive bidding limits that are followed by change orders | See pages 1.1519-1.1520 in the Fraud Examiner's Manual ## Footnote In general, procuring entities must use competitive methods for projects over a certain amount. To avoid this requirement, a dishonest employee might divide a large project into several small projects that fall below the mandatory bidding level and award some or all of the component jobs to a contractor with whom the employee is conspiring. Some common red flags of bid splitting schemes include: * Two or more similar or identical procurements from the same supplier in amounts just under upper-level review or competitive-bidding limits * Two or more consecutive, related procurements from the same contractor that fall just below the competitive-bidding or upper-level review limits * Unjustified split purchases that fall under the competitive-bidding or upper-level review limits * Sequential purchases just under the upper-level review or competitive-bidding limits * Sequential purchases under the upper-level review or competitive-bidding limits that are followed by change orders

Answer 126

A. True | See pages 1.1217 in the Fraud Examiner's Manual ## Footnote Upcoding occurs when a provider bills for a higher level of service than actually rendered. In a typical upcoding scheme, a durable medical equipment (DME) company provides patients with an inexpensive product (e.g., a manual wheelchair) but bills the government for a more expensive product (e.g., an electric wheelchair). Another common upcoding scheme is to falsely claim that an established patient is a new patient. A new patient generally requires an extensive examination and consumes more of the provider’s time. Therefore, under some medical coding systems, providers are reimbursed more for new patients than established patients.

Answer 127

A. Fill-and-split games schemes | See pages 1.1314, 1.1340 in the Fraud Examiner's Manual ## Footnote The following are common types of elder fraud schemes: * Home improvement schemes * Sweepstakes and prize schemes * Travel, vacation, and timeshare schemes * Tech-support schemes * Romance schemes * Work-at-home schemes * Grandparent schemes Fill-and-split games are a type of pyramid scheme that uses gaming elements to keep the victims’ attention and distract them from the absurdity of the scheme. Fill-and-split games are not commonly used to take advantage of older individuals.

Answer 128

A. True | See pages 1.933 in the Fraud Examiner's Manual ## Footnote Property flipping is the process by which an investor purchases a home and then resells it at a higher price shortly thereafter. For example, an investor buys a house in need of work, renovates the kitchen and bathrooms, and landscapes the yard. The investor then resells the house two months later (the time it takes to complete the renovations) for a price that is reflective of the market for a house in that condition. This is a legitimate business transaction, and many individuals and groups make an honest living flipping properties. Property flipping is not intrinsically illegal or fraudulent, but it becomes so when a property is purchased and resold within a short period of time at an artificially or unjustly inflated value, often as the result of a fraudulent appraisal. In a flipping scheme, the property is sold twice in rapid succession at a significant increase in value (also known as an ABC transaction, whereby the property moves from party A to party B to party C very quickly).

Answer 129

D. The process by which users are allowed to use computer systems and networks | See pages 1.1445 in the Fraud Examiner's Manual ## Footnote Logical access refers to the process by which users are allowed to use computer systems and networks, and logical access control refers to a process by which users are identified and granted certain privileges to information, systems, or resources. These controls are designed to protect the confidentiality, integrity, and availability of informational resources. Logical access controls can be used to verify a person’s identity and privileges before granting the person logical access to information or other online resources.

Answer 130

B. Microchip | See pages 1.1017 in the Fraud Examiner's Manual ## Footnote A card skimming scheme requires a device, often referred to as a skimmer or shimmer, that scans and stores a large amount of payment card numbers; skimmers scan magnetic strips, while shimmers read microchips in smart cards.

Answer 131

A. True | See pages 1.1324 in the Fraud Examiner's Manual ## Footnote Similar to loan scams are those that promise to repair credit. Fraudsters who pitch credit repair services claim that they can “wipe away,” “doctor,” or “cosmeticize” negative items on credit, insinuating they have ways of changing or disguising a person’s credit history. Although there is really no way to erase bad credit, many people are tricked into this scam, paying large sums of money to expunge their records.

Answer 132

D. All of the above | See pages 1.1017-1.1018 in the Fraud Examiner's Manual ## Footnote A card skimming or shimming scheme requires a device, often referred to as a skimmer or shimmer, that scans and stores a large amount of payment card numbers; skimmers scan magnetic strips, while shimmers read microchips in smart cards. Card skimming or shimming is more frequent in businesses where an employee can remove the card from the customer’s view to process the transaction before returning it to the customer. Skimming or shimming can also be performed via the attachment of covert devices to automated teller machines (ATMs), automated fuel dispensers, vending machines, point-of-sale (POS) terminals, or self-service checkout kiosks. These devices are sometimes paired with a tiny hidden camera meant to record the input of a user’s personal identification number (PIN).

Answer 133

B. Regularly update the organization’s operating systems. | See pages 1.1431-1.1432 in the Fraud Examiner's Manual ## Footnote The following measures can help avoid infection from a malicious program: * Use anti-malware software to scan all incoming email messages and files. * Regularly update virus definitions in anti-malware programs. * Use precaution when opening emails from acquaintances. * Do not open email attachments unless they are from trusted sources. * Only download files from reputable sources. * Regularly update the operating system. * Regularly update the computer with the latest security patches available for the operating system, software, browser, and email programs. * Ensure that there is a clean boot disk to facilitate testing with antivirus software. * Use a firewall and keep it turned on. * Consider testing all computer software on an isolated system before loading it. * In a network environment, do not place untested programs on the server. * Secure the computer against unauthorized access from external threats such as hackers. * Keep backup copies of production data files and computer software in a secure location. * Scan pre-formatted storage devices before using them. * Consider preventing the system from booting with a removable storage device (such as a USB flash drive); this might prevent accidental infection. * Establish corporate policies and an employee education program to inform employees of how malware is introduced and what to do if malware is suspected. * Encourage employees to protect their home systems as well. Many malware infections result from employees bringing infected storage devices or files from home.

Answer 134

A. True | See pages 1.929 in the Fraud Examiner's Manual ## Footnote Fraudulent second liens are a variation of the fraudulent sale scheme. In a second lien scheme, a person assumes a homeowner’s identity and takes out an additional loan or a second mortgage in the homeowner’s name. If there is not enough equity in the home to warrant a second loan, an inflated appraisal is obtained. This scheme often involves a high level of collusion between a loan officer, an appraiser, and a title agent (or other real estate document service provider).

Answer 135

D. All of the above | See pages 1.907 in the Fraud Examiner's Manual ## Footnote Construction lending has different vulnerabilities than other permanent or interim lending. More risks are associated with construction projects than with already-built projects. Construction loan fraud schemes are numerous; the more common ones are related to estimates of costs to complete, developer overhead, draw requests, and retainage/holdback schemes.

Answer 136

A. Instituting procedures to detect fraudulent claims when acting as an intermediary for a government health care program | See pages 1.1231-1.1232 in the Fraud Examiner's Manual ## Footnote An insurance company might be guilty of fraud if it fails to apply discounts that have been negotiated with providers. The alleged overcharging occurs when an insurance company negotiates a discount on a medical bill. If the company does not provide the discount, then the consumer’s copayment is made on the full price rather than the discounted price, causing the consumer to pay a higher percentage of their bill than they should. When an insurance company acts as an intermediary administering a government health care program, the insurance company has a duty to try to detect false claims by providers and beneficiaries. Although it is impossible to detect every fraudulent claim, if a company bypasses its own claims verification procedures, it can be found guilty of fraud in some jurisdictions. Additionally, the insurance company or carrier is required to pay a claim if there are benefits available, the claim is properly submitted and contains all of the required information, and there is no fraud. An insurance company might commit fraud when claims are consistently rejected even though the required information has been submitted. Denying a claim because material information is missing is not fraud in itself. Insurance companies or carriers needing regulatory approval for rate increases may use cost data to justify their increases. The act is fraudulent if they purposefully submit false cost data to get a raised rate.

Answer 137

B. A method for gaining unauthorized access to a computer system in which an attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker’s intended scheme | See pages 1.1407 in the Fraud Examiner's Manual ## Footnote Social engineering is a method for gaining unauthorized access to a computer system in which the attacker deceives victims into disclosing personal information, such as their password, or convinces them to commit acts that facilitate the attacker’s intended scheme.

Answer 138

B. A customer buys a small number of expensive items at one time. | See pages 1.1022-1.1023 in the Fraud Examiner's Manual ## Footnote While any of the following can occur in a perfectly legitimate transaction, these characteristics are frequently present during fraudulent transactions. Tellers and merchants should be advised to be alert for customers who: * Purchase an unusually large number of expensive items. * Make random purchases, selecting items with little regard to size, quality, or value. * Do not ask questions on major purchases. * Sign the sales draft slowly or awkwardly. * Charge expensive items on a newly valid card. * Cannot provide a photo identification when asked. * Rush the merchant or teller. * Purchase a large item, such as a television, and insist on taking it at the time even when delivery is included in the price. * Make purchases and leave the store but then return to make more purchases. * Become argumentative with the teller or merchant while waiting for the transaction to be completed. * Make large purchases just as the store is closing.

Answer 139

C. Determining if the costs of the contract have exceeded or are expected to exceed the value of the contract | See pages 1.1523, 1.1525-1.1526, 1.1531 in the Fraud Examiner's Manual ## Footnote Determining if the costs of the contract have exceeded or are expected to exceed the value of the contract is a technique for detecting a cost mischarging scheme involving materials, not a nonconforming goods or services scheme. Nonconforming goods or services fraud, also known as product substitution or failure to meet contract specifications, refers to attempts by contractors to deliver goods or services to the procuring entity that do not conform to the underlying contract specifications. Once contractors deliver goods that do not conform to the contract, they bill and receive payment for conforming goods or services without informing the purchaser of the deficiency. To detect nonconforming schemes, the fraud examiner should, at a minimum, examine the following for red flags: * Contract or purchase order (PO) specifications * Contractor’s statements, claims, invoices, and supporting documents * Received product * Test and inspection results for the relevant period, searching for discrepancies between tests and inspection results and contract specifications To detect nonconforming schemes through more extensive methods, the fraud examiner should: * Review correspondence and contract files for indications of noncompliance regarding specifications. * Request assistance from outside technical personnel to conduct after-the-fact tests. * Inspect or test questioned goods or materials by examining packaging, appearance, and description to determine if the items are appropriate. * Segregate and identify the source of the suspect goods or materials. * Review inspection reports to determine whether the work performed and materials used in a project were inspected and considered acceptable. * Review the contractor’s books, payroll, and expense records to see if they incurred necessary costs to comply with contract specifications. * Review the inspection and testing reports of questioned goods or materials. * Conduct routine and unannounced inspections and tests of questioned goods or materials. * Examine the contractor’s books and manufacturing or purchase records for additional evidence, looking for discrepancies between claimed and actual costs, contractors, etc. * Interview procurement personnel about the presence of any red flags or other indications of noncompliance. * Search and review external records (e.g., court records, prior complaints, audit reports, investigative reports, media sources) to determine if there is any history of misconduct.

Answer 140

B. Design changes were requested. | See pages 1.912 in the Fraud Examiner's Manual ## Footnote Change orders are often submitted along with draw requests. Although many times the change orders represent legitimate construction changes (e.g., for design or cost), they can also indicate fraud schemes. For example, an increasing trend in the number of change orders or amounts on change orders might indicate that construction changes have occurred that would alter the originally planned project to such an extent as to render the underwriting inappropriate. Change orders might have the same impact on a project as altering the original documents; with anything that is contracted on a bid basis, change orders could indicate collusive bidding. Furthermore, change orders might indicate that the original project was not feasible and that shortcuts are uncovering other problem areas. Change orders should be approved by the architect and engineer on the project in addition to the lender's inspector.

Answer 141

C. A type of software that collects and reports information about a computer user without the user’s knowledge or consent | See pages 1.1426 in the Fraud Examiner's Manual ## Footnote Spyware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.

Answer 142

C. Reviewing the number of qualified bidders who submitted proposals | See pages 1.1523, 1.1525-1.1526 in the Fraud Examiner's Manual ## Footnote Nonconforming goods or services fraud, also known as product substitution or failure to meet contract specifications, refers to attempts by contractors to deliver goods or services to the procuring entity that do not conform to the underlying contract specifications. Once contractors deliver goods that do not conform to the contract, they bill and receive payment for conforming goods or services without informing the purchaser of the deficiency. To detect nonconforming schemes, the fraud examiner should, at a minimum, examine the following for red flags: * Contract or purchase order (PO) specifications * Contractor’s statements, claims, invoices, and supporting documents * Received product * Test and inspection results for the relevant period, searching for discrepancies between tests and inspection results and contract specifications To detect nonconforming schemes through more extensive methods, the fraud examiner should: * Review correspondence and contract files for indications of noncompliance regarding specifications. * Request assistance from outside technical personnel to conduct after-the-fact tests. * Inspect or test questioned goods or materials by examining packaging, appearance, and description to determine if the items are appropriate. * Segregate and identify the source of the suspect goods or materials. * Review inspection reports to determine whether the work performed and materials used in a project were inspected and considered acceptable. * Review the contractor’s books, payroll, and expense records to see if they incurred necessary costs to comply with contract specifications. * Review the inspection and testing reports of questioned goods or materials. * Conduct routine and unannounced inspections and tests of questioned goods or materials. * Examine the contractor’s books and manufacturing or purchase records for additional evidence, looking for discrepancies between claimed and actual costs, contractors, etc. * Interview procurement personnel about the presence of any red flags or other indications of noncompliance. * Search and review external records (e.g., court records, prior complaints, audit reports, investigative reports, media sources) to determine if there is any history of misconduct.

Answer 143

C. Operating capital | See pages 1.908 in the Fraud Examiner's Manual ## Footnote It is not uncommon in construction financing to have a budget line item for developer overhead. This creates an opportunity for the developer to use it to their advantage. The purpose of developer overhead is to supply the developer with operating capital while the project is under construction. This overhead allocation should not include a profit percentage, as the developer realizes profit upon completion.

Answer 144

A. True | See pages 1.1301 in the Fraud Examiner's Manual ## Footnote Consumer fraud schemes involve a range of fraudulent conduct, usually committed by professional scammers, against unsuspecting victims. Scammers are skilled fraudsters who develop strategies, select targets, and use an appropriate method of delivery to lure their victims. Scammers usually act alone, but they might group together for a particularly complex endeavor. Some examples of consumer fraud schemes include advance-fee schemes, debt consolidation schemes, and diploma mills.

Answer 145

A. True | See pages 1.752 in the Fraud Examiner's Manual ## Footnote Organizations should practice data minimization. Data minimization refers to collecting and storing the minimal amount of information necessary to perform a given task. Data minimization is important to data security because thieves cannot steal what an entity does not have.

Answer 146

B. Consumers using the same log-in and password information on multiple accounts | See pages 1.1039-1.1040 in the Fraud Examiner's Manual ## Footnote Account takeover fraud occurs when a fraudster surreptitiously takes control of a payment account. Targeted accounts can include credit cards, banking, brokerage, or any type of online retail account (e.g., Amazon). Because consumers often use the same username and password for multiple accounts, hackers commonly write code that can run credentials obtained from a data breach at one company to see if they are valid at another. Account takeover fraud has increased significantly in recent years. Consumers should opt for multifactor authentication when available, request notification of account access or changes when offered, and regularly check any online accounts that hold payment information.

Answer 147

C. Double duty fraud | See pages 1.1110-1.1113 in the Fraud Examiner's Manual ## Footnote Workers’ compensation schemes are generally broken into four categories: premium fraud, agent fraud, claimant fraud, and organized fraud schemes. * Premium fraud involves the misrepresentation of information to the insurer by employers to lower the cost of workers’ compensation premiums. For example, an employer might understate the amount of the payroll for higher-risk classifications, thus receiving lower-cost premiums. * Agent fraud schemes consist primarily of pilfering premiums and conspiring to reduce premiums. Underhanded agents sometimes issue certificates of coverage to the ostensibly insured customer while misappropriating the premium rather than forwarding it to the insurance carrier. Agents might also conspire to alter or improperly influence insurance applications to offer lower premiums to their clients. * Claimant fraud involves misrepresenting the circumstances of any injury or fabricating that an injury occurred. * Organized fraud schemes are composed of the united efforts of a lawyer, a capper, a doctor, and the claimant. This type of scheme is used not only in workers’ compensation cases but also in other medical frauds, such as automobile injuries.

Answer 148

D. All of the above | See pages 1.749 in the Fraud Examiner's Manual ## Footnote Often, employees are willing to abide by nondisclosure agreements, but they do not understand that the information they are communicating might be confidential. To more effectively implement nondisclosure agreements, employees must be clearly informed about what information is considered confidential upon hiring, upon signing a nondisclosure agreement, and during exit interviews.

Answer 149

B. Skimming or shimming | See pages 1.1017 in the Fraud Examiner's Manual ## Footnote A card skimming or shimming scheme requires a device, often referred to as a skimmer or shimmer, that scans and stores a large amount of payment card numbers; skimmers scan magnetic strips, while shimmers read microchips in smart cards. Card skimming or shimming is more frequent in businesses where an employee can remove the card from the customer’s view to process the transaction before returning it to the customer. This scam might occur in a retail situation in which a payment card is processed behind a concealable counter or in a restaurant scenario wherein a server walks away with a customer’s card to process the transaction.

Answer 150

A. True | See pages 1.1009 in the Fraud Examiner's Manual ## Footnote Frequent deposits in round numbers or for the same amount and checks issued to individuals for large, even amounts are both indicators of check fraud.

Answer 151

A. True | See pages 1.702 in the Fraud Examiner's Manual ## Footnote Competitive intelligence can be defined as the process by which competitor data are assembled into relevant, accurate, and usable knowledge about competitors’ positions, performance, capabilities, and intentions. Competitive intelligence is a legitimate business function that aligns with marketing and research and development (R&D), as well as general business strategy and the newer discipline of knowledge management. It helps businesses to anticipate competitors’ R&D strategies and to determine their operating costs, pricing policies, financial strength, and capacity.

Answer 152

A. A type of program that monitors and logs the keys pressed on a system’s keyboard | See pages 1.1428 in the Fraud Examiner's Manual ## Footnote Keyloggers monitor and log (or track) the keys pressed on a system’s keyboard, and they can be either software or hardware based. Accordingly, some keyloggers are malware, but others are not.

Answer 153

C. The procuring entity issues the solicitation document. | See pages 1.1508-1.1509 in the Fraud Examiner's Manual ## Footnote In the presolicitation phase, the procuring entity identifies its needs, develops the bid specifications (what, how much, and how good), determines the method to use for acquiring the goods or services, and develops the criteria used to award the contract. Bid specifications are a list of elements, measurements, materials, characteristics, required functions, and other specific information detailing the goods and services that a procuring entity needs from a contractor. The procuring entity issues the solicitation document in the solicitation phase of the procurement process.

Answer 154

B. False | See pages 1.1339 in the Fraud Examiner's Manual ## Footnote Not all organizations with a pyramid structure are engaging in illegal activity. Some legitimate merchandising companies use a pyramid structure to rank and determine the compensation of their employee-owners. A pyramid structure becomes an illegal pyramid scheme when the recruitment of new members takes precedence over the product or service that the company is ostensibly promoting. The more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make.

Answer 155

A. A system that blocks unauthorized or unverified access to network assets by surveying incoming and outgoing transmissions | See pages 1.1449 in the Fraud Examiner's Manual ## Footnote Firewalls are network hardware and software that block unauthorized or unverified access to computer systems and network assets. These tools survey incoming and outgoing transmissions and decide what type of traffic to permit onto an organization’s internal network based on factors such as origination or destination address, content of the message, protocol used to transmit the message, and other filtering methods.

Answer 156

D. Competitive awards vary among several suppliers. | See pages 1.1515-1.1517 in the Fraud Examiner's Manual ## Footnote Bid tailoring schemes (also known as specifications schemes) occur during the presolicitation phase. In these schemes, an employee with procurement responsibilities, often in collusion with a contractor, drafts bid specifications in a way that gives an unfair advantage to a certain contractor. Some common red flags of bid tailoring include: * Weak controls over the bidding process * Only one or a few bidders respond to bid requests * Contract is not rebid even though fewer than the minimum number of bids are received * Similarity between specifications and the winning contractor’s product or services * Bid specifications and statements of work are tailored to fit the products or capabilities of a single contractor * Unusual or unreasonably narrow or broad specifications for the type of goods or services being procured * Requests for bid submissions do not provide clear bid submission information (e.g., no clear time, place, or manner of submitting bids) * Unexplained changes in contract specifications from previous proposals or similar items * High number of competitive awards to one supplier * Socialization or personal contacts among contracting personnel and bidders * Specifications developed by or in consultation with a contractor who is permitted to compete in the procurement * High number of change orders for one supplier

Answer 157

A. True | See pages 1.809 in the Fraud Examiner's Manual ## Footnote Dumpster diving involves looking through someone else’s trash. Fraudsters often engage in dumpster diving to find the personal and business information that makes identity theft possible. Most people do not destroy their personal financial data; they simply throw away the information with the rest of their trash. Dumpster diving can yield bills, credit card receipts, bank statements, and other items that contain a person’s name, address, and telephone number. Solicitations for pre-approved credit cards are especially valuable to identity thieves, but even nonfinancial information can be useful. For example, a discarded birthday card might contain a potential victim’s name, birthdate, and address.

Answer 158

D. Bid tailoring | See pages 1.1515-1.1516 in the Fraud Examiner's Manual ## Footnote Bid tailoring schemes (also known as specifications schemes) occur during the presolicitation phase. In these schemes, an employee with procurement responsibilities, often in collusion with a contractor, drafts bid specifications in a way that gives an unfair advantage to a certain contractor. Bid specifications are a list of elements, measurements, materials, characteristics, required functions, and other specific information detailing the goods and services that a procuring entity needs from a contractor. Specifications assist prospective contractors in the bidding process, informing them of what they are required to do and providing a firm basis for making bids, and they provide procurement officials with a firm basis for selecting bids. There are three primary methods used to commit bid tailoring schemes. One method involves drafting narrow specifications. In these schemes, a corrupt employee tailors the bid specifications to accommodate a vendor’s capabilities and to eliminate other competitors so that the favored contractor is effectively guaranteed to win the contract. For instance, the tailored bid might require potential contractors to have a certain percentage of female or minority ownership. Such a requirement is not illegal, but if it is placed in the specifications as a result of a bribe, then the employee has sold their influence to benefit a dishonest vendor. A second method involves drafting broad specifications. In these schemes, a corrupt employee of the buyer designs unduly broad qualification standards to qualify an otherwise unqualified contractor. A third method involves drafting vague specifications. In these schemes, the buyer’s personnel and the contractor collude to write vague specifications or intentionally omit bid specifications. This enables subsequent contract amendments, allowing the contractor to increase the contract’s price.

Answer 159

A. Determine what information should be protected. | See pages 1.744 in the Fraud Examiner's Manual ## Footnote To coordinate a company-wide program for safeguarding proprietary information (SPI), management should establish a task force and charge it with developing the program. The task force should include managers and staff from departments that deal with proprietary information, such as research and development (R&D) and production. The task force should also include representatives from the following departments: corporate security, human resources (HR), records management, data processing, and legal. Once the task force is assembled, it must identify the information that is to be protected. To make this determination, the task force should identify those areas that give the company its competitive edge (e.g., quality of the product, service, price, manufacturing technology, marketing, and distribution). When doing so, the task force should ask, “What information would a competitor like to know?”

Answer 160

A. True | See pages 1.714 in the Fraud Examiner's Manual ## Footnote Publications such as newsletters or reports to shareholders and speeches or papers that are presented at conferences can inadvertently provide valuable information to competitors. A company’s website might also contain accidental leaks. Corporate spies frequently visit their targets’ websites to gather information that these companies have unknowingly made public. Employee telephone and email directories, financial information, key employees’ biographical data, product features and release dates, details on research and development (R&D), and job postings can all be found on many corporate websites.

Answer 161

A. True | See pages 1.1334-1.1345 in the Fraud Examiner's Manual ## Footnote A Ponzi scheme is generally defined as an illegal business practice in which new investors’ money is used to make payments to earlier investors. The investment opportunity is typically presented with the promise of uncommonly high returns. While the scam is presented as a legitimate investment, there is minimal or no actual commerce involved. When an enterprise promotes an investment opportunity that invests a minimal amount or none of the participants’ money and uses new investments to make dividend payments, the enterprise is running a Ponzi scheme.

Answer 162

D. All of the above | See pages 1.716-1.717 in the Fraud Examiner's Manual ## Footnote Corporate spies might use physical infiltration techniques to obtain sensitive information. Physical infiltration is the process whereby an individual enters a target organization to spy on the organization’s employees. One common infiltration technique is to secure a position, or pose, as an employee or contract laborer of the target organization. For example, a spy might obtain work as a security officer or a member of the maintenance staff for the target organization. Another common physical infiltration technique is to steal or fabricate employee badges belonging to the target organization.

Answer 163

A. Corporate espionage | See pages 1.702, 1.707 in the Fraud Examiner's Manual ## Footnote Espionage is the term used to describe the use of illegal, covert means to acquire information; therefore, it does not cover legitimate intelligence collection and analysis using legal means. Espionage can be further subdivided into two categories: traditional and corporate. Traditional espionage refers to government-sanctioned espionage conducted to collect protected information from a foreign government. Corporate espionage (also known as industrial espionage) is the term used to describe the use of illegal, covert means to acquire information for commercial purposes. Competitive intelligence can be defined as the process by which competitor data are assembled into relevant, accurate, and usable knowledge about competitors’ positions, performance, capabilities, and intentions. Competitive intelligence is a legitimate business function that aligns with marketing and research and development (R&D), as well as general business strategy and the newer discipline of knowledge management. It helps businesses to anticipate competitors’ R&D strategies and to determine their operating costs, pricing policies, financial strength, and capacity. Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques.

Answer 164

B. False | See pages 1.755 in the Fraud Examiner's Manual ## Footnote Management can prevent corporate spies from listening to meetings through the use of a quiet room. A quiet room is an area that is acoustically and radio-frequency shielded so that conversations that occur within the room cannot be monitored or heard outside the room.

Answer 165

B. False | See pages 1.707, 1.729 in the Fraud Examiner's Manual ## Footnote Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques. When corporate spies resort to the use of technical surveillance, it is usually to gather nondocumentary evidence or information that cannot be found through open sources.

Answer 166

A. True | See pages 1.816 in the Fraud Examiner's Manual ## Footnote The following are some of the steps that businesses can take to protect personal information and prevent identity theft: * Limit the personal information collected from customers. For example, do not collect government identification numbers from customers unless there is a legal requirement to gather that information. * Restrict employees from accessing the personal information of customers and coworkers. * Use network-security tools to monitor who accesses personal information. * Do not retain personal information for longer than necessary. * Adopt a policy regarding the handling of information that governs how personal information is stored, protected, and disposed of. Strictly enforce the policy, and discipline employees who violate it. * Conduct regular employee training on the company’s policy regarding the handling of information and best practices for preventing identity theft. * Ensure the security of buildings by using locks, access codes, and other security features. * Keep physical documents containing personal information in locked rooms or locked file cabinets. * Secure all computer networks and electronic information. * Use encryption to protect all personal information stored by the company or sent to third parties. Encryption should also be used to protect information sent over the company’s wireless network. * Restrict the use of laptops to those employees who need them to do their jobs. * Require employees to use complex passwords or passphrases. * Where permitted by law, perform background checks on prospective employees. * Thoroughly investigate contractors and vendors before hiring them. * Do not use government identification numbers as employee identification numbers or print them on paychecks. * Perform regular audits of practices involving the handling of information, network security, and other internal controls. * Create a data breach response plan.

Answer 167

D. All of the above | See pages 1.1123 in the Fraud Examiner's Manual ## Footnote Data analysis is an effective tool used to detect insurance fraud schemes. By using data analytics, fraud examiners can generate reports that provide good leads to possible fraud. For example, address similarity reports electronically compare multiple payments going to the same address. These reports are extremely useful because they might show a payment defalcation or funds going to another insurance company, broker, or fictitious payee.

Answer 168

B. False | See pages 1.1410 in the Fraud Examiner's Manual ## Footnote Smishing is a hybrid of phishing and short message service (SMS), also known as text messaging. These schemes use text messages or other short message systems to conduct phishing activities. That is, in smishing schemes, the attacker uses text messages or other SMSs to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, internet service provider (ISP), or other entity with which the target does business. In vishing schemes, the attacker leverages Voice over Internet Protocol (VoIP) in the telephone system to falsely claim to be a legitimate enterprise to scam users into disclosing personal information or executing an act that furthers a scheme.

Answer 169

D. All of the above | See pages 1.714 in the Fraud Examiner's Manual ## Footnote Publications such as newsletters or reports to shareholders and speeches or papers that are presented at conferences can inadvertently provide valuable information to competitors. A company’s website might also contain accidental leaks. Corporate spies frequently visit their targets’ websites to gather information that these companies have unknowingly made public. Employee telephone and email directories, financial information, key employees’ biographical data, product features and release dates, details on research and development (R&D), and job postings can all be found on many corporate websites.

Answer 170

D. A procurement employee has drafted bid specifications in a way that gives an unfair advantage to a certain contractor. | See pages 1.1515-1.1517 in the Fraud Examiner's Manual ## Footnote Bid tailoring schemes (also known as specifications schemes) occur during the presolicitation phase. In these schemes, an employee with procurement responsibilities, often in collusion with a contractor, drafts bid specifications in a way that gives an unfair advantage to a certain contractor. Some common red flags of bid tailoring include: * Weak controls over the bidding process * Only one or a few bidders respond to bid requests * Contract is not rebid even though fewer than the minimum number of bids are received * Similarity between specifications and the winning contractor’s product or services * Bid specifications and statements of work are tailored to fit the products or capabilities of a single contractor * Unusual or unreasonably narrow or broad specifications for the type of goods or services being procured * Requests for bid submissions do not provide clear bid submission information (e.g., no clear time, place, or manner of submitting bids) * Unexplained changes in contract specifications from previous proposals or similar items * High number of competitive awards to one supplier * Socialization or personal contacts among contracting personnel and bidders * Specifications developed by or in consultation with a contractor who is permitted to compete in the procurement * High number of change orders for one supplier

Answer 171

D. All of the above | See pages 1.1037-1.1038 in the Fraud Examiner's Manual ## Footnote The following are safeguards that banks can perform to reduce the risk that they or their customers become victimized by unauthorized electronic funds transfers (EFTs): * Confirm phone numbers and mailing addresses on the application to ensure that they are consistent with information about the applicant that is available from other sources and, with respect to existing customers, consistent with current records about these customers. This might involve obtaining credit reports about the applicant or obtaining copies of utility bills that show the applicant’s address. * Ensure that the area or city code in the applicant’s phone number matches the geographical area for the applicant’s address. * Send a welcome letter to the address on the application with the bank’s return address so that the letter is returned if the applicant does not live there. * Verify by phone or additional mailings any change of address requests in the same way that new account applications are verified. * If a customer reports the loss or theft of an access device, cancel the existing card, personal identification number (PIN), or other form of access and issue a new one. * If a customer reports that a person previously authorized to use an access device no longer has that authority, cancel all cards, PINs, or other access devices and issue new ones to the customer. * Always mail PINs separately from other information, such as usernames, with which they are associated. * Separate the responsibility of bank employees who have custody of information relating to access devices from those who have responsibility for issuance, verification, or reissuance of PINs. * Ensure that any communication concerning usernames or passwords is sent in a secure, encrypted format. * Require customers who register for electronic bill presentment and payment (EBPP) or person-to-person (P2P) systems to provide information indicating that they are authorized to use the bank account or credit card from which payments will be made. * Employ multifactor authentication to verify transfers via EBPP or P2P systems.

Answer 172

D. An investment that has a history of inconsistent returns coinciding with fluctuations in financial markets | See pages 1.1338 in the Fraud Examiner's Manual ## Footnote The following are red flags of Ponzi schemes: * Sounds too good to be true—If an investment opportunity seems suspiciously better than it should be, then it is probably a Ponzi scheme. * Promises of low risk or high rewards—Promoters of Ponzi schemes typically promise implausibly high or quick returns with little risk. As all legitimate investments include some risk, any guarantee that an investment will perform in a certain way is a clear signal that it might be part of a Ponzi scheme. * History of consistent returns—Any firm that generates remarkably consistent returns regardless of market conditions should raise suspicions. * High-pressure sales tactics—Reputable investment firms and agents do not push potential investors to act immediately, and legitimate investment opportunities are rarely that time sensitive. * Pressure to reinvest—Often, fraudsters keep Ponzi schemes going by convincing investors to reinvest their profits rather than take a payout. * Complex trading strategies—Legitimate agents should be able to provide clear explanations about their investment strategies. For obvious reasons, Ponzi-scheme boosters purposefully employ complicated strategies that confound unsophisticated investors. * Lack of transparency or access—Secrecy surrounding the operations of a financial company should be an immediate warning sign. Ponzi operators are often unlicensed, and their supposed investments are typically unregistered. Additionally, a lack of access to regular statements or an online account should trigger alarm. * Lack of separation of duties—Investors should be wary of any financial manager who manages, administers, and retains custody of the fund in question.

Answer 173

C. An invalid address or phone number is listed in the customer’s account information. | See pages 1.936-1.937, 1.940 in the Fraud Examiner's Manual ## Footnote Fraud is much more likely to occur in new accounts than in established accounts. New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud. Prompt, decisive action is necessary to manage and/or close apparent problem accounts. Some of the more common red flags of potential new account schemes are: * Customer residence outside the bank's trade area * Dress and/or actions inconsistent or inappropriate for the customer's stated age, occupation, or income level * New account holder requesting immediate cash withdrawal upon deposit * Request for large quantity of temporary checks * Services included with the account that do not match the customer’s purpose * Missing or inaccurate customer application information * Invalid phone numbers or addresses in customer account information * Use of a mail drop address (a service where a non-affiliated party collects and distributes mail for individuals or entities) * Large check or automated teller machine (ATM) deposits followed by rapid withdrawal or transfer of funds (a pass-through account) * Business accounts without standard business transactions, such as payroll or transactions that would be expected in that business * Transactions without a clear purpose in jurisdictions known for high levels of corruption * Opening deposit that is a nominal cash amount * Rare customer ID type * Applicants over the age of 25 with no credit history * Customers who cannot remember basic application information (e.g., phone number or address)

Answer 174

A. Clinical lab | See pages 1.1207 in the Fraud Examiner's Manual ## Footnote Clinical lab schemes occur when a provider advises a patient that additional medical testing is needed to diagnose a problem when the testing is not actually required or advisable. The fee for the unnecessary work is often split with physicians. In some cases, physicians own the medical testing service. Additional medical testing, which is later viewed as excessive, is not always fraud. Many doctors have a genuine fear of retaliation from their patients; they are afraid of malpractice lawsuits that might result from a delayed or erroneous diagnosis.

Answer 175

C. Large corporations | See pages 1.1320 in the Fraud Examiner's Manual ## Footnote Affinity fraud targets groups of people who have some social connection. Neighborhoods chiefly populated by racial minorities, especially immigrant groups, are often the site of affinity frauds, and older individuals and language minorities are frequent targets as well. In addition, religious and professional affiliations are often exploited.

Answer 176

A. Business email compromise | See pages 1.1408 in the Fraud Examiner's Manual ## Footnote Business email compromise (BEC) is a form of spear phishing attack that directly targets employees who can make large payments or who have access to sensitive proprietary information. BEC schemes typically involve fraudulent emails that appear to be from the company’s own chief executive officer (CEO) or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain is not disturbed, but the scheme has evolved to feature other methods or requests. Increasingly, these emails are paired with an insistent phone call from someone posing as the email sender or as the sender’s attorney.

Answer 177

B. Nonconforming goods or services fraud | See pages 1.1523 in the Fraud Examiner's Manual ## Footnote Nonconforming goods or services fraud, also known as product substitution or failure to meet contract specifications, refers to attempts by contractors to deliver goods or services to the procuring entity that do not conform to the underlying contract specifications. Once contractors deliver goods that do not conform to the contract, they bill and receive payment for conforming goods or services without informing the purchaser of the deficiency. These schemes can involve a wide variety of conduct, but, generally, they include any deliberate departures from contract requirements to increase profits or comply with contract time schedules.

Answer 178

A. True | See pages 1.1441, 1.1445 in the Fraud Examiner's Manual ## Footnote Technical security involves the use of safeguards incorporated into computer hardware or systems, operations or applications software, communications hardware and software, and related devices. Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Common technical controls used to secure computer systems and communication networks include: * Logical access controls * Network security * Operating system security * Encryption * Application security

Answer 179

C. Creating an incident response plan after a data breach occurs | See pages 1.751, 1.754-1.755 in the Fraud Examiner's Manual ## Footnote All organizations should have an incident response plan that describes the actions the organization will take when a data breach occurs. To be effective, an incident response plan must be in place and communicated to all relevant employees before a breach occurs. According to the CERT (Computer Emergency Response Team) Division, organizations should implement a data classification policy that establishes what protections must be afforded to data of different value and sensitivity levels. Data classification allows organizations to follow a structured approach for establishing appropriate controls for different data categories. Moreover, establishing a data classification policy will help employee awareness. In short, classifying an organization’s data involves (1) organizing the entity’s data into different security levels based on the data’s value and sensitivity and (2) assigning each level of classification different rules for viewing, editing, and sharing the data. Management should monitor and limit visitor access. Visitors should be required to sign in and out of an organization logbook. It is considered a best practice to issue each visitor a badge that identifies them as a nonemployee. Also, visitors should be escorted by a host for the entirety of their visit and not be allowed into areas containing sensitive information. Additionally, locks on doors leading to secure areas should be changed or reprogrammed regularly, especially if an employee has recently quit or been terminated. Management can prevent corporate spies from listening to meetings through the use of a quiet room. A quiet room is an area that is acoustically and radio-frequency shielded so that conversations that occur within the room cannot be monitored or heard outside the room.

Answer 180

D. Consistently low percentage of coding outliers present | See pages 1.1211 in the Fraud Examiner's Manual ## Footnote Warning signs that a health care provider is engaging in fraudulent practices include: * Lack of supporting documentation for claims under review * Details in supporting documents that do not match the claim * Medical records that have been altered * Medical records that were created long after the alleged patient visit * Medical records that seem sloppy, disorganized, or otherwise unprofessional * Missing pages of medical records that would cover the period of time under review * Routine, nonspecialized treatment for patients living several hours away from the provider * An unusually high volume of patients * An unusually large number of claims for reimbursement * Unusually high profits compared to similar businesses in the same geographic region * Matching addresses on the claim form for the patient and the provider * High percentage of coding outliers * Pressure for rapid processing of bills or claims * Threats of legal action for delay in making payments

Answer 181

D. Unbundling | See pages 1.1215 in the Fraud Examiner's Manual ## Footnote Because health care procedures often have special reimbursement rates for a group of procedures typically performed together (e.g., blood test panels by clinical laboratories), some providers attempt to increase profits by billing separately for procedures that are actually part of a single procedure. This process is called unbundling. Simple unbundling occurs when a provider charges a comprehensive code, as well as one or more component codes.

Answer 182

B. False | See pages 1.1301 in the Fraud Examiner's Manual ## Footnote Consumer fraud schemes involve a range of fraudulent conduct, usually committed by professional scammers, against unsuspecting victims. Scammers are skilled fraudsters who develop strategies, select targets, and use an appropriate method of delivery to lure their victims. Scammers usually act alone, but they might group together for a particularly complex endeavor. The victims can be organizations but more commonly are individuals. Victims can be old or young, male or female, or wealthy or poor, and they are usually dispersed geographically. Many victims who become the targets of consumer fraud are considered to be in the naïve segments of the population, such as older individuals. It is important to note, however, that even the savviest consumers can become targets if they are not aware of the schemes involving consumer fraud.

Answer 183

A. True | See pages 1.1536 in the Fraud Examiner's Manual ## Footnote Procurement entities must maintain an accurate and up-to-date vendor master file. An inaccurate or incomplete vendor master file can result in greater risks of duplicate payments, unfavorable payment terms, and noncompliance regarding regulations. Thus, the vendor master file should be updated continuously and reviewed on a regular basis for inaccurate or incomplete records.

Answer 184

A. True | See pages 1.753 in the Fraud Examiner's Manual ## Footnote Organizations must take reasonable measures to protect manual file systems, which are composed of all human-readable files and documents. These include items like contact lists, schedules, and calendars located at employees’ workstations. To attack a manual file system, an information thief might pilfer trash, act as a cleaning crew member, or commit theft or burglary.

Answer 185

B. In a flopping scheme, the value of the first transaction is deflated instead of inflating the second transaction. | See pages 1.933-1.934 in the Fraud Examiner's Manual ## Footnote Property flipping is the process by which an investor purchases a home and then resells it at a higher price shortly thereafter. For example, an investor buys a house in need of work, renovates the kitchen and bathrooms, and landscapes the yard. The investor then resells the house two months later (the time it takes to complete the renovations) for a price that is reflective of the market for a house in that condition. This is a legitimate business transaction, and many individuals and groups make an honest living flipping properties. Property flipping is not intrinsically illegal or fraudulent, but it becomes so when a property is purchased and resold within a short period of time at an artificially or unjustly inflated value, often as the result of a fraudulent appraisal. In a flipping scheme, the property is sold twice in rapid succession at a significant increase in value (also known as an ABC transaction, whereby the property moves from party A to party B to party C very quickly). Property flopping is a variation on property flipping, but it generally involves a property subject to a short sale (meaning the owner sells the property at a lower value than the unpaid mortgage amount on the property). This variation is typically conducted by industry insiders or unscrupulous entrepreneurs rather than the homeowner. Property flopping involves a rapid transfer of property with an unjustified, significant change in value (like the ABC transaction in flipping schemes), but instead of inflating the value on the second transaction, the value on the first transaction is deflated. To prevent problematic short sale flopping, some lenders require all interested parties to sign an affidavit requiring disclosure of an immediate subsequent sale.

Answer 186

C. Fraudulent sale | See pages 1.929 in the Fraud Examiner's Manual ## Footnote Fraudulent sale scams are particularly harmful because they involve the fraudulent acquisition of real estate by filing a fraudulent deed or respective real estate document that makes it appear that the property legally belongs to the criminal. This scam does not happen at the origination of the loan; it might occur without the homeowner’s knowledge decades after the property was originally sold. The perpetrator identifies a property—typically belonging to an estate or nonresident owner—that is owned free and clear. They then create fictitious property transfer documents that claim to grant all rights and title on the property to the fraudster. The true owner’s signature is forged on the documents, and the scammer files them in the jurisdiction’s real property records. Once the ownership documents are filed, they apply for and execute a loan on the property (using a straw borrower). Often, the value is inflated. The perpetrator absconds with 100% of the loan proceeds.

Answer 187

B. False | See pages 1.1317 in the Fraud Examiner's Manual ## Footnote Telemarketing offenses are classified as consumer fraud, yet many businesses are affected by office supply and marketing services scams. The nature of phone rooms, the geographical distances between the perpetrators and their victims, and the resources and priorities of law enforcement agencies make enforcement efforts difficult.

Answer 188

D. All of the above | See pages 1.816 in the Fraud Examiner's Manua ## Footnote The following are some of the steps that businesses can take to protect personal information and prevent identity theft: * Limit the personal information collected from customers. For example, do not collect government identification numbers from customers unless there is a legal requirement to gather that information. * Restrict employees from accessing the personal information of customers and coworkers. * Use network-security tools to monitor who accesses personal information. * Do not retain personal information for longer than necessary. * Adopt a policy regarding the handling of information that governs how personal information is stored, protected, and disposed of. Strictly enforce the policy, and discipline employees who violate it. * Conduct regular employee training on the company’s policy regarding the handling of information and best practices for preventing identity theft. * Ensure the security of buildings by using locks, access codes, and other security features. * Keep physical documents containing personal information in locked rooms or locked file cabinets. * Secure all computer networks and electronic information. * Use encryption to protect all personal information stored by the company or sent to third parties. Encryption should also be used to protect information sent over the company’s wireless network. * Restrict the use of laptops to those employees who need them to do their jobs. * Require employees to use complex passwords or passphrases. * Where permitted by law, perform background checks on prospective employees. * Thoroughly investigate contractors and vendors before hiring them. * Do not use government identification numbers as employee identification numbers or print them on paychecks. * Perform regular audits of practices involving the handling of information, network security, and other internal controls. * Create a data breach response plan.

Answer 189

C. Coin miners | See pages 1.1429 in the Fraud Examiner's Manual ## Footnote Coin miners, or cryptojacking malware, are programs that, upon infecting a computer, use that computer’s processing power to mine for cryptocurrencies without the owner’s knowledge or consent. Coin miners are relatively simple programs, so there is a low barrier of entry for cyberfraudsters. Cryptojacking can slow infected devices due to the processing power required for cryptocurrency mining and potentially cause serious or permanent damage. Victims, including companies or corporate networks, can also incur exorbitant costs for power usage or cloud storage related to coin miners. Internet of things (IoT) devices could be of particular risk due to their frequent lack of security or monitoring.

Answer 190

B. The purchase and procurement phase | See pages 1.1508 in the Fraud Examiner's Manual ## Footnote For the purpose of fraud detection, procurement processes that employ competitive bidding mechanisms can be reduced to four basic stages: * The presolicitation phase * The solicitation phase * The bid evaluation and award phase * The post-award and administration phase

Answer 191

D. Guard manual file systems. | See pages 1.753-1.754 in the Fraud Examiner's Manual ## Footnote Organizations must take reasonable measures to protect manual file systems, which are composed of all human-readable files and documents. These include items like contact lists, schedules, and calendars. To attack a manual file system, an information thief might pilfer trash, act as a cleaning crew member, or commit theft or burglary. Reasonable measures to protect manual file systems include the following: * Place sensitive documents in high-grade locked filing cabinets. It is advisable to lock sensitive documents in a safe when not in use. * Use a cross-cut shredder for sensitive documentary waste, or have sensitive trash disposed of by a bonded waste-disposal company. * Receive and send mail at a secure site (e.g., mail drops, post office boxes, or locked mailboxes). The key is that the site remains secure. * Provide reasonable perimeter security for offices by using an alarm system and securing locks to doors and windows. * Pay attention to securing auxiliary materials.

Answer 192

A. Inspecting questioned goods or materials by examining packaging, appearance, and description | See pages 1.1525, 1.1533-1.1534 in the Fraud Examiner's Manual ## Footnote Inspecting questioned goods or materials by examining packaging, appearance, and description is a technique for detecting a nonconforming goods or services scheme, not a cost mischarging scheme involving labor. Labor cost mischarges can be detected by engaging in the following activities: * Examining labor cost records for the presence of red flags * Reviewing audit reports, reimbursement requests, construction reports, engineering reports, and so on * Conducting site visits to verify that selected employees’ labor costs are being properly charged to the work actually being performed * Examining time cards, totaling the hours expended on the contract, and comparing them to the hours billed * Noting, in particular, repeated instances or a pattern of labor charges that increase the cost of cost-plus contracts * Reviewing journal entries used to transfer labor costs * Comparing labor costs over a specific period to identify any unusual changes and determining the reason for the changes * Reviewing the standard and actual labor rates to determine if there are any significant differences between the two * Calculating the percentage of total direct labor charged to each contract to determine which had the highest percentage of direct labor charges * Reviewing and comparing the labor distribution summaries with payroll records to determine whether the total labor distributions agree with the total labor charges * Comparing the direct and indirect labor account totals from the prior year to the current year and noting the percentage change * Determining the percentage of total direct labor charged to each contract or work order to reveal which charge numbers had the highest percentage of direct labor charges * Analyzing the labor charges to determine if there were any shifts in charging pattern * Preparing a schedule of salary or wage changes and comparing it to contract award dates and labor rates * Looking for terminated employees who are charged to contracts * Comparing employee personnel records to contract position qualification requirements * Interviewing individuals who changed their charging patterns during the year * Searching and reviewing external records (e.g., court records, prior complaints, audit reports, investigative reports, media sources) to find any history of misconduct

Answer 193

A. True | See pages 1.1325 in the Fraud Examiner's Manual ## Footnote Real estate scams are easily recognized. There is almost always an element of time pressure, with the victims being convinced they are participating in a deal that is extremely rare. Perpetrators mislead victims into thinking they will miss the opportunity to make a large sum of money if they do not agree to participate immediately.

Answer 194

C. Profiling | See pages 1.1014-1.1016 in the Fraud Examiner's Manual ## Footnote Advance payments, card counterfeiting, and skimming are all forms of payment card fraud; profiling is not a type of payment card fraud.

Answer 195

B. False | See pages 1.1229 in the Fraud Examiner's Manual ## Footnote This scenario can best be described as third-party fraud. Third-party fraud involves the unauthorized use of an insured’s identity to obtain their insurance benefits. The insured usually discovers the fraud when they receive a benefit statement containing medical services they did not receive. In misrepresentations on applications schemes, patients sometimes make misrepresentations on their insurance applications to circumvent coverage restrictions. Misrepresentations can include false information or the omission of relevant information.

Answer 196

D. Authorization | See pages 1.1462-1.1467 in the Fraud Examiner's Manual ## Footnote Every organization should be ready to respond to a wide range of cybersecurity incidents, including cyberattacks and data breaches. The recommended methodology for responding to cybersecurity incidents can be summarized in the following steps: 1. Preparation 2. Detection and analysis 3. Containment and eradication 4. Breach notification 5. Recovery and follow-up Authorization is a step required when allowing a user to gain logical access to computer systems and networks. It is not a step in the recommended methodology for responding to cybersecurity incidents.

Answer 197

B. Non-repudiation | See pages 1.1437-1.1439 in the Fraud Examiner's Manual ## Footnote Non-repudiation is an information security goal that an e-commerce system should strive to provide its users and asset holders. It refers to a method used to guarantee that the parties involved in an e-commerce transaction cannot repudiate (deny) participation in that transaction. Non-repudiation is obtained by digital signatures, confirmation services, and time stamps. Additional information security goals that should be achieved to ensure the security of information systems for users and account holders include: * Confidentiality of data * Integrity of data * Availability of data * Authentication

Answer 198

D. All of the above | See pages 1.1402-1.1403 in the Fraud Examiner's Manual ## Footnote Regardless of the technical labels a cybersecurity professional might use to describe an indication of intrusion, it is important for fraud examiners and other computer system users to recognize signs that intruders have accessed or affected the system, which can include unusual inbound or outbound network traffic, anomalies in user access to network files, or unusual network or computer performance. Every day, organizations’ networks experience inbound and outbound traffic as part of normal business operations. Among the typical types of traffic are emails sent to and from employees, as well as data transmitted to or from the internet. Abnormal traffic, either higher or lower than usual, could be an indication that an attacker has gained access to an organization’s network and is manipulating traffic by sending malicious software to the network or exfiltrating data from it. Common signs of unusual network traffic might include: * Geographical irregularities related to network access and traffic * Mismatched port-application traffic * Unusual domain name system (DNS) requests * Web traffic with unhuman behavior * Contacts receiving strange messages from email accounts * Redirected web searches

Answer 199

B. False | See pages 1.702 in the Fraud Examiner's Manual ## Footnote Competitive intelligence can be defined as the process by which competitor data are assembled into relevant, accurate, and usable knowledge about competitors’ positions, performance, capabilities, and intentions. Competitive intelligence is a legitimate business function that aligns with marketing and research and development (R&D), as well as general business strategy and the newer discipline of knowledge management. It helps businesses to anticipate competitors’ R&D strategies and to determine their operating costs, pricing policies, financial strength, and capacity. Espionage, which is subdivided into both traditional espionage and corporate or industrial espionage categories, is the term used to describe the use of illegal, covert means to acquire information; therefore, it does not cover legitimate intelligence collection and analysis using legal means.

Answer 200

C. Confidentiality, integrity, availability, authentication, and non-repudiation | See pages 1.1437 in the Fraud Examiner's Manual ## Footnote All branches of an information system, including the e-commerce branch, strive to provide security for their users and asset holders. The following is a list of common information security goals that should be achieved to ensure the security of information systems for users and account holders: * Confidentiality of data * Integrity of data * Availability of data * Authentication * Non-repudiation

Answer 201

A. A thief steals a health care provider’s identification information and bills a government health care program under the name of a fake clinic. | See pages 1.1205 in the Fraud Examiner's Manual ## Footnote In a fictitious provider scheme, corrupt providers or other criminals fraudulently obtain and use another provider’s identification information and steal or purchase lists of patients' identifying information. Thereafter, the perpetrator submits bills using the fictitious provider’s information to the insurance provider or government health care program for medical services although no services are performed.

Answer 202

B. Need recognition schemes | See pages 1.1514 in the Fraud Examiner's Manual ## Footnote Generally, procurement actions begin with the procuring entity making a determination of its general needs. These initial determinations include assessments of the types and amounts of goods or services required to meet the entity’s needs. In need recognition schemes, procurement employees convince their employer that it needs excessive or unnecessary products or services.

Answer 203

A. Many patients in special care facilities are less likely to report fraud because they are often not responsible for their own financial affairs | See pages 1.1225-1.1226 in the Fraud Examiner's Manual ## Footnote Medical facilities that offer special care services, such as nursing homes and psychiatric hospitals, and the patients in them are at a greater risk of fraud than most other medical institutions. Many health care fraud schemes are revealed after a patient reports strange charges or other red flags. Unfortunately, criminals take advantage of the fact that patients in special care facilities are more vulnerable to fraud. There are several features unique to special care facilities that make them particularly vulnerable to fraud: * Unscrupulous providers can operate their schemes in volume because the patients are all in the same facility. * Many patients in special care facilities do not have the legal capacity or ability to be responsible for their own financial affairs and, consequently, are not as likely to report fraud involving their care. * In some instances, special care facilities make patient records available to outside providers who are not responsible for the direct care of the patient (sometimes in violation of regulations). * In automated claims environments, scrutiny of the claims at the processor level is inadequate because the automated systems used do not accumulate data that would promptly flag indications of improbably high charges or levels of service. * Even when abusive practices are detected and prosecuted, repayment is rarely received from wrongdoers because they usually go out of business or deplete their resources so that they lack any resources to repay the funds. * Patient personal funds are often controlled by the facility’s administration and are an inviting target for embezzlement. Individually, patients generally maintain a relatively small balance in their personal funds accounts. Collectively, however, these funds generate a considerable source of income for an unscrupulous special care facility operator or employee.