new internet fraud and risk update · 2016. 2. 26. · internet fraud is a big and growing business...


Internet Fraud and Risk Update

John Walp

Administrative Vice President

M&T Bank Corporate Information Security Officer

Member FDIC


Agenda

• Understanding Internet risks and fraud trends
• Understanding crimeware, ransomware and email/web/mobile/social-media threats
• Understanding the threat from account takeover fraud
• How to protect yourself, and your company
• Questions & Answers


Disclaimer

• This presentation is intended for information purposes
• Customers should contact their Information Technology provider to determine the best way to safeguard the security of their computers and networks
• Customers should familiarize themselves with their institution’s account agreement and understand their liability for fraud as ACH and Wire transactions are regulated under the Uniform Commercial Code


Bank Robbery 2014


Trojan Horse 2014


Internet fraud is a big and growing business

• 2008 - RBS WorldPay – Hackers steal $9 million in 12 hours from 2,100 ATMs in 280 cities worldwide
• 2009 - Heartland Payment Systems - 130 million payment cards stolen by hacker Albert Gonzalez
• 2011 - Fidelity National Information Services – Hackers steal $13 million in 24 hours using 22 stolen debit cards and unauthorized network access
• 2013 – FBI is investigating more than 400 cases of Corporate Account Takeover Fraud (ACH/Wire)


Social Media Risk in 2014


Social Media Risk – Employees


Social Media Risk – Employees


Social Media Risk - Markets


“Own the email and you own the person”


Example of Social Engineering techniques used in wide-spread spear phishing attacks Nov. and Dec. 2012


Spear Phishing Attack


Ransomware Infection


Fake Anti-Virus Scam


BlackHat SEO


Mobile Threats Are Also On The Rise


Account Takeover Threat


How to Protect Yourself and Your Business

• Awareness: Review M&T Bank - Payment Fraud Risk Management Handbook/Checklist
• Ensure your internal staff is aware of the risks and operates with safe computing best practices in mind
• Be aware what your banking sites normally look like
• Verify emails containing payment instructions
• Run up-to-date Anti-Virus/Spyware
• Run up-to-date host based firewall software
• Patch third-party software – Adobe, Java, Quicktime
• Activate a “pop-up” blocker on Internet browsers to help prevent web-based intrusions


How to Protect Yourself and Your Business

• Review your credit report/banking transactions regularly
• Use fraud prevention and detection services offered by M&T Bank: Payee Positive Pay, ACH block, etc.
• Limit staff Administrative access to privileges on the PC and bank products used to conduct transactional activity
• Use a stand-alone PC for banking transactions
• Add “Dual Administration” for money movement applications to reduce internal fraud with better control over user permissions and transaction auditing
• If you accept credit/debit card payments, become and remain compliant with Payment Card Industry standards


Questions, Answers and Useful links

• browsercheck.qualys.com

• www.ic3.gov
