TRANSCRIPT
2017 Fraud Overview &
Mitigation Strategies
AFP Payments Fraud and Control Survey
75% of organizations that were victims of fraud had
experienced check fraud in 2016 (checks are still half of
all BtoB payments)
74% reported their organizations were exposed to
Business Email Compromise (BEC)
63% of fraud attempts resulted from actions of an
outside individual
30% reported ACH debit fraud, an all-time high
SOURCE: 2017 AFP Payments Fraud and Control Survey
Troubling Trend
SOURCE: 2017 AFP Payments Fraud and Control Survey
Fraud by Payment Type
[Chart: share of organizations reporting fraud, by payment type (Checks, Wire Transfers, Commercial Card, ACH Debits, ACH Credits); vertical axis 0% to 80%]
SOURCE: 2017 AFP Payments Fraud and Control Survey
Fraud Sources
Fraud Prevention Best Practices - Check
Fraud Prevention Best Practices - ACH
The Threat Landscape – Business Email Compromise
SOURCE: 2017 AFP Payments Fraud and Control Survey
Business Email Compromise
• Business Executive Fraud – Email accounts of high-level business executives (CFO, CTO, etc.) are spoofed or hacked and a fraudulent wire transfer request is made.
• Bogus Supplier Invoices – After a vendor has been hacked, a company is asked to change payment instructions or pay an invoice to an alternative, fraudulent account.
• Attorney Impersonation – Scammers convince targets that wire transfers are needed to settle a legal matter, indicating the need for confidentiality and urgency.
• Data Theft – The goal isn’t a direct funds transfer. Scammers are looking for sensitive corporate financial information.
Business Email Compromise – Wire Transfer
Spoofed or hacked CEO email: Criminals learn about their targets from online sources. They monitor emails, and create a sense of urgency and importance around the fraudulent request.
Legitimate user (CFO, Controller): They “sound” like the legitimate source. Spoofed emails very closely mimic legitimate emails. Requests are well-worded and specific to the business victims. Requests coincide with business travel dates for executives whose emails were spoofed.
Wire transfer sent: BEC amounts are generally in the range of normal client wire transfer activity to avoid suspicion or detection.
Criminal beneficiary receives funds: BEC beneficiary banks are both domestic and international.
Business Email Compromise Mitigation Best Practices – Wire Transfer
• Educate your staff about the fraud risks inherent in their daily processes.
• Create a culture that empowers employees to ask questions, especially when there is a request for secrecy, a request to bypass normal operating procedures, or pressure to take action quickly.
• Develop processes for wire validation that include access to key executives for approval.
• Require two people to approve the movement of large sums or to make changes to any information that impacts the movement of funds.
• Verify important or large transactions through an alternate method, such as a phone call or in person.
• Establish a company website domain and use it to create company email accounts. Do not use free, web-based email accounts for business purposes.
• Limit the amount of information available to the general public about your company’s internal operations.
• Conduct all banking on a dedicated machine used for no other task. Create a dedicated virtual operating system for the sole purpose of providing a secure environment.
Business Email Compromise – Invoice
Spoofed or hacked supplier email: Criminals learn about their targets from online sources. They leverage company websites, press releases, and company directories.
Legitimate user (Accounts Payable team): They monitor emails to determine normal process flow and optimal timing. They “sound” like a legitimate vendor. New supplier lookalike domains can be created (e.g. @venderr in place of @vendor). They control email flows and create new email rules to avoid detection. Fake conversations about the invoice can take place without the associate realizing the breach.
Change invoice and payment instructions: BEC amounts are generally in the range of normal invoice activity.
Criminal beneficiary receives funds.
Business Email Compromise Mitigation Best Practices – Supplier/Invoice
• Train associates on all vendor management policies and empower them to ask questions when in doubt.
• Know Your Vendor – verify that your new vendor is a legitimate organization
  - Perform due diligence on the company’s background and existence
  - Dual approvals for new vendors
  - Email requests for new vendor set-up are not accepted
• Plan how your vendor will connect to you
  - EDI, secure FTP, web portal, phone
  - Test, document, and validate
• Segregate responsibility for vendor authentication and purchasing functions
• Changes to the vendor master file: requests must be validated by a trusted source at the vendor
• Verbal confirmation – vendors should be required to verbally approve changes using phone numbers that are known and listed for the vendor
• The vendor list, including contact information of individuals authorized to make payment changes, should be kept in a hard copy file
• New vendor system flags
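The two BEC mitigation slides above (wire transfer and supplier/invoice) describe the same control pattern: never act on a payment-instruction change received by email alone, watch for lookalike supplier domains such as @venderr, require verbal confirmation on a phone number already on file, and have two people approve any change that moves funds. The following Python code is an added example written for this page, not material from the presentation; the vendor list, email addresses, the homoglyph table and the edit-distance threshold of 2 are constructed assumptions.

```python
"""Accounts-payable controls from the BEC slides: lookalike-domain detection,
out-of-band callback and dual approval before a payment-instruction change
is released. Added example, not part of the presentation; vendor list,
addresses and thresholds are constructed/assumed."""
from dataclasses import dataclass

# Constructed vendor master: registered e-mail domain -> vendor name.
KNOWN_VENDOR_DOMAINS = {
    "vendor.com": "Vendor Inc.",
    "acme-supply.com": "Acme Supply",
}

# Character swaps that make a fake domain look like the real one (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.strip().lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike:<real domain>' or 'unknown' for a From: address.

    A domain is a lookalike when it is within max_edits of a vendor domain after
    normalisation, or when the vendor's name is embedded in a longer label
    (vendor-payments.com); max_edits=2 is an assumed threshold."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return "trusted"
    norm = normalize(domain)
    label = norm.split(".")[0]
    best = None
    for real in known:
        dist = levenshtein(norm, normalize(real))
        real_label = real.split(".")[0]
        embedded = real_label in label and label != real_label
        if (dist <= max_edits or embedded) and (best is None or dist < best[0]):
            best = (dist, real)
    return f"lookalike:{best[1]}" if best else "unknown"


@dataclass(frozen=True)
class PaymentChangeRequest:
    """A request to change a vendor's bank details, as received by AP."""
    vendor_domain: str
    requested_by: str                 # From: address the request arrived on
    callback_confirmed: bool = False  # verbal confirmation on the known-listed number
    approvals: tuple = ()             # distinct approvers recorded so far

    def approve(self, approver: str) -> "PaymentChangeRequest":
        if approver in self.approvals:
            return self  # the same person cannot count twice
        return PaymentChangeRequest(self.vendor_domain, self.requested_by,
                                    self.callback_confirmed, self.approvals + (approver,))

    def confirm_callback(self) -> "PaymentChangeRequest":
        return PaymentChangeRequest(self.vendor_domain, self.requested_by, True, self.approvals)


def can_release(req: PaymentChangeRequest, known=KNOWN_VENDOR_DOMAINS) -> bool:
    """Dual control: the request must come from the vendor's real domain, be
    confirmed by callback, and carry two distinct approvals before release."""
    if classify_sender(req.requested_by, known) != "trusted":
        return False
    return req.callback_confirmed and len(req.approvals) >= 2


if __name__ == "__main__":
    req = PaymentChangeRequest("vendor.com", "ap@venderr.com")
    print(classify_sender(req.requested_by), can_release(req))
```

The domain check is deliberately conservative: it treats a near-miss as a lookalike and a domain it has never seen as unknown, so both outcomes stop the change and route it to the verbal-confirmation step rather than to the payment run.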
The Threat Landscape – Ransomware
Ransomware
Hollywood Presbyterian - 2016
• $17K in Bitcoin ransom paid
• 10 days of downtime
• No access to patient records
• No email, lab work, pharmacy, CT
scans, medical test results
Locker Ransomware – Disables access & control
Crypto Ransomware - Encrypts data
• 28,000 ransomware incidents per month in 2015
• 56,000 per month in 2016
• In Q1 2016, $209 million was paid to ransomware criminals for
encryption keys to unlock phones, computer files and entire computer
systems following the installation of this malware
San Francisco Rail System Ransomware
“You Hacked, ALL Data Encrypted.
Contact For Key([email protected])ID:681
Enter.”
SOURCE: Sophos 11/2016
Ransomware – My Example
Ransomware
The FBI offers the following tips to protect devices from ransomware:
• Ensure you have updated antivirus software on your devices
• Enable automated patches for your operating system and web browser
• Use strong passwords unique to each account
• Use a pop-up blocker
• Download software, games, and programs (especially those that are free) only from known and trusted sites
• Don’t open attachments in unsolicited e-mails and never click on a URL contained in an unsolicited e-mail. Close out the e-mail and go directly to the organization’s website.
• Use the same precautions on your mobile phone as you would on your computer when using the Internet.
• Conduct regular system back-ups and store the backed-up data offline.
The Threat Landscape – Beware of Online Risks
• Phishing (Email)
• Smishing (Text Message)
• Vishing (Voice/Phone)
• Twishing (Twitter)
• Search Engine Poisoning
• Trusted Site Compromise
• Malvertising
• Software Vulnerabilities
• Scareware
• Fake Mobile Apps
Avoid Getting Hooked By a Phish…
Threat Landscape…
Smishing, Vishing, Twishing – it’s everywhere…
Scareware
The Black Market
SOURCE: Dell SecureWorks
Hacker service                                          Price
Social Security number ('Fullz' dossier)                $30.00
Date of birth                                           $11.00
Health insurance credentials                            $20.00
Visa or MasterCard credentials                          $4.00
American Express credentials                            $7.00
Discover credit credentials                             $8.00
Credit card with magnetic stripe or chip data           $12.00
Bank account number (balance of $70,000 to $150,000)    $300
Full identity 'Kitz' (healthcare data/documents)        $1,200 to $1,300
Password Security
Don’ts
• Never use the “remember password” feature
• Never use your name, phone number, a number series (e.g., “123456”), or an easily-guessed word (e.g., “password”)
• Never share your password
• Never write down your password
Do’s
• Use a different password for each account
• Change your password often
• Use a combination of upper/lower case, numbers, and special characters
• Use long passwords
• Substitute numbers for letters and vice versa
• Use multiple random words
• Use capitalization in random places, intentionally misspell words, or spell them backwards
• Use words then remove letters and add relevant numbers: First Car — 1992 Ford Mustang = FdMstg92
• Use phrases substituting letters with numbers: The party is at 7 o'clock = prtyzat7
• Experiment with your favorite song, album, or movie titles by adding numbers: Michael Jackson’s Thriller = MJAXtHri13r
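The password slide's Don'ts (your name, your phone number, a number series, an easily guessed word) and the Do's about length, character mix and one password per account can be enforced at enrolment time rather than left to memory. The Python below is an added example written for this page, not material from the presentation; the guessable-word list, the 12-character minimum and the sample inputs are constructed assumptions (the slide itself only says "long").

```python
"""Checks for the password 'Don'ts' on the slide (name, phone number, number
series, easily guessed word) plus the length, character-mix and reuse 'Do's'.
Added example, not part of the presentation; the word list, the 12-character
minimum and the sample inputs are constructed/assumed."""
import hashlib
import re

# Constructed sample of easily guessed words; a real deployment would load a
# breached-password list instead.
GUESSABLE_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}
MIN_LENGTH = 12  # assumed policy value; the slide only says "long"


def is_number_series(pw: str) -> bool:
    """True when the password holds a run of 4+ digits that step by 0, +1 or -1."""
    for run in re.findall(r"\d{4,}", pw):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps <= {0} or steps <= {1} or steps <= {-1}:
            return True
    return False


def check_password(pw: str, user_name: str = "", phone: str = "") -> list:
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    low = pw.lower()
    # Don't: your name (any part of it, three letters or longer)
    for part in user_name.lower().split():
        if len(part) >= 3 and part in low:
            problems.append("contains your name")
            break
    # Don't: your phone number (whole number or its last four digits)
    phone_digits = re.sub(r"\D", "", phone)
    pw_digits = re.sub(r"\D", "", pw)
    if len(phone_digits) >= 4 and (
        phone_digits in pw_digits or phone_digits[-4:] in pw_digits
    ):
        problems.append("contains your phone number")
    # Don't: a number series such as 123456
    if is_number_series(pw):
        problems.append("number series")
    # Don't: an easily guessed word such as "password"
    if any(word in low for word in GUESSABLE_WORDS):
        problems.append("easily guessed word")
    # Do: use long passwords
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    # Do: combine upper/lower case, numbers and special characters
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs a mix of upper/lower case, numbers and special characters")
    return problems


def fingerprint(pw: str) -> str:
    """SHA-256 used only to compare against passwords already used on other
    accounts, not to store them (storage would need a salted password hash)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def is_reused(pw: str, used_fingerprints: set) -> bool:
    """'Use a different password for each account': reject one seen before."""
    return fingerprint(pw) in used_fingerprints


if __name__ == "__main__":
    # Constructed sample input: a user named Pat Smith with phone 555-0100.
    print(check_password("password123", user_name="Pat Smith", phone="555-0100"))
```

Run against the constructed sample, `password123` for a user named Pat Smith fails on the guessable word, the length and the character mix, while a long three-word passphrase with a digit and a separator passes every rule.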
Password Managers
SOURCE: PC Magazine 11/4/16
“The Very Best: Veteran password manager LastPass 4.0 Premium offers an impressively
comprehensive set of features. Slick and polished Dashlane 4 also boasts a ton of features,
even some that LastPass lacks. Sticky Password Premium handles essential tasks better than
most, and a portion of every purchase goes to help an endangered species.”
Better Safe Than Sorry…
• Only download or buy apps from legitimate app stores.
• Check out the reputation of apps and particularly the app publisher.
• Only enter credit card info on secure shopping portals.
• Avoid using simple passwords, and use two-factor authentication if you can.
• Be alert for poisoned search results when using search engines to find products.
• Don’t use free public Wi-Fi to make purchases or do online banking.
• Be suspicious of great deals you learn about via social media or emails, and don’t click the links.
• Turn off location services while shopping to minimize the potential personal data that could be compromised.
• Make sure the connection to e-commerce sites is secured (HTTPS).
SOURCE: Network World 11/22/16
Other Resources
https://www.ublock.org/ - Ad blocker site
“These days, you need an ad blocker. Not only that, you’ll need to limit the number of websites added to the blocker’s exemption list. Criminals are able to leverage ad networks in order to display malicious ads, often leading consumers to exploit kits that deliver Ransomware or other malware to the system.”
http://urlquery.net/ - URL query site
“This is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.”
SOURCE: CSO 11/21/16
https://www.usa.gov/online-safety - Online Safety Tips
https://www.ic3.gov/default.aspx - Internet Crime Complaint Center
https://www.fbi.gov/scams-and-safety/on-the-internet - FBI Resources
Employee Awareness
“When it comes to your messaging, simplify, clarify, repeat” (Corey Nachreiner, CTO, WatchGuard)
“This time, make it personal” (John Stewart, SVP Chief Security & Trust Officer, Cisco)
“Connect the dots between security and their existing goals & priorities” (Lysa Myers, Security Researcher, ESET)
“Make explicit the behaviors you want to see and the practices you expect people to adhere to.” (Jack Danahy, Co-founder & CTO, Barkly)
“Quickly move the focus from ‘what you did wrong’ to ‘how we can make it better’” (Amy Baker, VP Marketing, Wombat Security Technologies)
SOURCE: Barkly Realist Guide to Cybersecurity Awareness