Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.

Upload: magnus-mccarthy

Post on 22-Dec-2015


Page 1: Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud

Payment Fraud Trends: What Can You Do?

Protect Yourself and Your Business from Financial Fraud.

Page 2:

Payment Fraud

New ways to steal the old way
• 77% of organizations target of check fraud*
• Check fraud up even while check use declining
• Steal, wash, or create checks – publishing software
• Stolen from mailbox
• Purchase account numbers – black sites
• Online For Sale, Investment, Sweepstakes, Work at home

“Just wire back the difference”

*2015 AFP Payments Fraud and Control Study

Page 3:

Payment Fraud

Skimming
• Hardware captures card data
• Installed at ATMs, gas pumps, retail point-of-sale
• Card passes skimmer first
• Data transmitted wirelessly
• Info sold via black websites

Page 4:

Payment Fraud - Skimming

Page 5:

Payment Fraud – Skimming with PIN Capture

Page 6:

Payment Fraud

Corporate Account Takeover
• Target businesses of all sizes
• Malware via email or websites - Trojan/Zeus
• Malware “records” your credentials
• Execute transfers via your PC

Omaha MECA Payroll Fraud

Page 7:

Payment Fraud

Social Engineering
• Phishing, Vishing, Smishing

• Two thirds of electronic fraud cases can be traced back to phishing.

• One in ten people open an attachment when they have no idea what they are opening.

• e-mail takeover or social site mimic - LinkedIn, Facebook

• Message from boss or vendor (Scoular Grain)

• Card/online access has been frozen – click this link

Page 8:

Payment Fraud

PC Extortion
• Malware via e-mail
• Cryptolocker encryption
• Ransom within 72 hours
• Payment in MoneyPak or Bitcoin

Page 9:

Attacker distributes messages with malicious attachments or links to the targeted users

Users fail to understand social engineering trick and open the malicious attachment or click on the link

Messages can be through email, social media sites, and even SMS

Target user's system is exploited

RAT is installed on target system or credentials are harvested with other malware

RAT is used to gain access to additional systems on internal network. Some malware will self-destruct after credentials are harvested

Data is harvested and sent to attacker over an encrypted channel to avoid detection

Attacker will then use information to profit and launch additional attacks

Page 10:

Payment Fraud

Fighting Check Fraud
• Positive Pay – match paid checks
• High Dollar Authorization – checks over set dollar amount
• Secure Check Stock
• Replace check payments with ACH, Card or wire payments
• Separation of Duties
• Online Account Review

Page 11:

Payment Fraud

ACH and Wire Fraud
• Originator creates fraudulent transaction – bill payment
• Employee creates a fraudulent wire or credit based on boss’ message
• Supply Chain - impersonates a vendor
• Fraudulent e-mail sent directly to the bank

Page 12:

Payment Fraud

Fighting ACH and Wire Fraud
• Restricted Access; only those needed to create trans.
• Dual Control – two users needed to initiate
• ACH Filter or Block – only unauthorized ACH electronic
• Segregate Funds – separate account for specific deposits
• Multifactor authentication – Tokens – one-time password
• Wire Call Backs
• Online Account Review/Reconciliation
• Separation of Duties
• Dedicated Workstation – no email or Social Media allowed
• Up-to-Date Antivirus Software & Good Back-ups
• Strong Password Policy

Page 13:

Payment Fraud

Card Payments and Mobile Wallets
• Liability shift to merchants – October 2015
• Tokenization
• Google Wallet, Apple Pay, SoftCard

Page 14:

Payment Fraud

Fighting Internal Fraud
• Dual control/custody
• Timely reconciliation/review
• Face-to-face or phone call verification (out-of-band)
• Separation of Duties
• Credit & Background checks
• Insurance
• Education/Training

Page 15:

Payment Fraud – Top Five Take Aways

• Protect Your Credit Cards and Bank Accounts
• Secure Your IT Infrastructure
• Have a Password Policy
• Educate Your Staff
• Insure Your Business