Identity Theft! by spu52219


									Syracuse University AMAS Newsletter                                                                    SPRING 2004

Message from the Director:                                           Identity Theft!
T    he Office of Audit and Management Advisory
     Services (AMAS) is pleased to provide the SU
campus with the 3rd quarterly issue of our Audit
                                                           D     uring the course of a day, you may
                                                                 write a check at the grocery store,
                                                           charge tickets to a ball game, rent a car,
                  Insights newsletter. We have             mail your tax returns, call home on your
                  received many positive comments          cell phone, order new checks or apply
                  on the newsletter format from our        for a credit card. Chances are you don’t give these
                  first 2 issues, indicating to us it is   everyday transactions a second thought, but
                  filling an important need. We hope       someone else may! Identity thieves prey on
                  you agree.                               unsuspecting people doing ordinary activities.
    This issue contains several timely articles we             Identity theft is a serious crime. People whose
hope you will find helpful in both your work and           identities have been stolen can spend months or
home environments. These days, protecting                  years – and thousands of dollars – cleaning up the
confidential personal or business information is           mess that a thief has made of their good name.
more important than ever!
    In future issues of Audit Insights we’ll tell you      How thieves get your personal information:
about a new campus-wide confidential hotline that          • They steal wallets and purses containing your ID and
will be available to employees for anonymously               bank cards
reporting suspected inappropriate or unethical             • They steal your mail
activity. We’ll also inform you about a set of             • They complete a “change of address form” to divert
ethical guidelines for those SU employees in                 your mail to another location
business/financial positions recently approved by          • They rummage through your trash for personal data
the SU Board of Trustees Audit Committee.                  • They find personal information in your home
                                                           • They scam you by posing as legitimate companies or
    Rely on AMAS and Audit Insights to keep you
                                                             government agencies you do business with
up to date on business and computing practices you
                                                           • They can steal info from your workplace by hacking
can use in your everyday work routine here at SU.            electronic files or taking paper files

                                                           How thieves use your personal information:
                In this issue:                             • They can call a credit card issuer, pretending to be
                                                               you, and change your mailing address on your credit
        Identity Theft – How it happens, how to                card
        prevent it and resources for victims               •   They can open a new credit card account, using your,
        Steps to Protect Confidential Data –                   name, date of birth and SSN
        Safeguards such as compression, encryption, and    •   They can establish a phone or wireless service in your
        password protection                                    name
        Cash Receipts – Procedures and controls            •   They can open a bank account in your name
        Ask the Auditors – Document retention              •   They can counterfeit checks or debit cards
        In the News - Phishing                                                                              continued…
        Quick Tips and Tricks
                                                                                                            SPRING 2004

Identity Theft!                                                   Steps to take if you are a victim:
                                  …continued from page 1
                                                                  1) Contact the fraud department of each of three major
                                                                     credit bureaus
How to prevent identity theft:
                                                                     • Equifax – 1-800-525-6285
• Place passwords on your credit card, bank and phone
                                                                     • Experian – 1-888-Experian (397-3742)
                                                                     • Transunion – 1-800-680-7289
• Secure personal information in your home
                                                                  2) Close any accounts that have been tampered with or
• Ask and learn about information security procedures at
                                                                     opened fraudulently
                                                                  3) File a report with local police or police dept. where
• Don’t give out personal information on the phone                   the identity theft took place
• Shred your mail to guard against theft                          4) File a complaint with the Federal Trade Commission
• Keep your SS card in a safe place, not in your wallet
• Limit the identification information you carry with you

How to prevent your computer from being used
                                                                  If you have been a victim of identity theft, call the
against you:
                                                                  Federal Trade Commission’s Identity Theft Hotline
•   Update your virus protection software regularly
                                                                  at 1-877-IDTHEFT (438-4338). Also, for more
•   Don’t download files from strangers
                                                                  information about ID Theft please visit
•   Use a firewall
•   Use a secure browser
•   Try not to store financial information on your laptop
    unless absolutely necessary

“How To” - Steps to Protect Confidential Data

E    veryday, many of us are routinely privy to confidential University information so we may perform our job duties. For
     purposes of this article, “Confidential” is defined as private student/faculty/staff information such as payroll data,
social security numbers, SU ID’s, health information, etc. We may find it necessary at times, to share this confidential
                information with other employees. Our first step in protecting our data is to determine the most appropriate
               method of relaying the needed information to the receiver. Remember the most primitive methods (i.e. hand
              carrying a report or a diskette to the receiver), may be the fastest/safest approach.
            When you are providing confidential information on media such as disk or CD, or in an e-mail, it is a good idea
to let the receiver know that the information you are providing them is confidential. You should then discuss
confidentiality with them, or provide a written statement on your files/reports/email about confidentiality (i.e. “Syracuse
University – Contents of this File include Confident/Sensitive Information and the information contained in this File is the
property of Syracuse University and may not be released to any other party without the written consent of the Data
Custodian. Please dispose of this information by shredding or other confidential method”).
If e-mailing is the preferred method of sending the data/files, then reasonable protection and controls should be in place
before sending any confidential information in an email or as an attachment to an email. Examples of files could include
spreadsheets and text or query output files. A simple way to conceal the data and make it hard for an eavesdropper to read
is to use a process that provides the following:
      1. Compression also called file zipping
      2. Encryption to scramble up the file
      3. Password Protection to limit file view ability with a private password (must be provided in some way to file
         receiver, i.e. phone call to receiver)
Although the above may sound complex, the steps are very easy to follow. Instructions can be found at

                                                                                                              SPRING 2004

Cash Receipt Procedures and                                        Ask the Auditors!
                                                                   Q: How long do I have to keep

A    long our travels we have found several departments
     that have regular cash receipt activity for various
reasons. No matter what the purpose, cash receipts need
                                                                   accounting records for?

                                                                   A: This is the most frequently
to be properly safeguarded and accounted for. Please               asked question and the answer is
take a moment to ensure you have controls in place:                three years. Archives and
                                                                   Records Management is the best resource on campus for
• Duties should be adequately segregated; meaning, the
                                                                   record retention schedules and purge information. Both
  person recording the receipt should not be the same as
                                                                   of which can be found at:
  that making the deposit. Additionally, a person
  independent of recording and depositing
  responsibilities should perform the deposit verification
  (monthly reconciliation to the general ledger).
                                                                   Make this newsletter an outlet you can use! The AMAS
• Maintain a log of all monies received. The log can be
                                                                   staff has a lot of University experience and we’ll do our
  in manual or electronic format and should contain the
                                                                   best to give you good advice. Send your questions to:
  amount received, the payer, purpose of the payment
  and its form (cash or check).
• Provide a receipt. Ideally receipts should be pre-
  numbered and two-part. One copy should be provided
  to the payer while the other copy is kept. Sales                        “In the News”: Phishing
  deposits can be verified by accounting for all
  sequentially numbered tickets independently.
• Cash receipts received via mail should be opened by              W       ith the recent theft of credit card information from
                                                                           B.J.’s Warehouse, the issue of identity theft has
                                                                   hit close to home. The Federal Trade Commission
  two persons. One person totals the remittances and the
  other the payments. Document and agree the totals.               reports that there were almost 32,000 fraud and identity
• Keep transfers of cash to a minimum. Accountability              theft complaints in NYS last year. Credit card theft, on-
  is lost when several people handle cash before it is             line auctions and phone/utility fraud topped the list. One
  deposited. If transfers must take place, be sure to              on-line scam becoming more prominent is “phishing”.
  document it. Use receipts and verify what you are told              Phishing involves email sent in mass
  you are receiving is actually what you are getting               mailings by scammers who pose as
  before you provide a receipt.                                    reputable companies directing
• Restrictively endorse checks immediately upon receipt            consumers to websites to update account
  with a stamp stating “For Deposit Only”.                         or other personal information. Typically
                                                                   they state there is a problem and that your account will
• Keep cash and checks in a secure area until they can
                                                                   be suspended until you do. The websites appear
  be deposited. When in your custody you are
                                                                   legitimate but are really look-alikes. Many consumers
  responsible for it.
                                                                   are fooled into entering their information.
• Make timely deposits. Ideally deposits should be made
                                                                      The Anti-Phishing Working Group (APWG website:
  within 24 hours.
                                                          reports that scams have
• If gifts are received, they should be forwarded to the
                                                                   increased by over 40% in the past month. The most
  Development Office immediately for processing.
                                                                   targeted companies are Ebay, Citibank and Paypal. Up
• Personal checks should not be cashed.                            to 5% of the recipients of these mailings respond.
We realize that ideal control may be difficult to achieve.            If you receive a suspicious email, do not reply or click
If you would like to discuss your specific situation               on the link in the email. Contact the company using a
please call. We would be glad to help!                             phone number or website you know is legitimate. Avoid
                                                                   emailing personal information. As in the quick tips and
                                                                   tricks section of the prior newsletter look for the “s” at
  Related SU Policies:
    Gift Handling                                                  the end of the http to ensure a secure site. Review your       bank and credit card statements timely.
    Revenue from Transactions with External Parties

                                                                                                                   SPRING 2004

                  Quick Tricks & Tips:

                  Here are some helpful hints we’ve discovered along our travels:

   1.   Tired of those annoying pop-up ads on the web when you are doing research? Are your computing habits
        being tracked? Free downloads are available to help with these annoyances:

        Pop-up Stopper
        Spybot - spyware remover
        Ad-aware - spyware remover
        Cleanup! - removes unnecessary files
        Note: If you remove ALL cookies you will get a re-install message from the Peoplesoft Portal when you try to go to the
        Peoplesoft Portal web page!

   2. Did you know that Novell has a great website full of helpful tips and tools for Groupwise? The site has
      useful information for both end users and administrators. Cool tools are also available. See:

If you are not on our distribution list or know someone who would like to receive this publication, please let us

How to Contact Us:

Phone: 315-443-5150                                                                         Visit Us Online!
Fax: 315-443-5151
Address: Audit & Management Advisory Services (AMAS)                   Our website has a lot more detailed information, articles
          621 Skytop Road, Suite 100                                    and resources. We couldn’t pack everything into this
          Syracuse, NY 13244                                               edition, so until the next one arrives, visit us at:


To top