
Tools, Tips and Techniques to Mitigate Fraud

September 2017

Agenda
• Email Threats
• Establish Controls
• Fraud Invoice Schemes
• Reducing Risk

Email Threats

What it all Means

PHISHING: Infected files / malicious links sent through email

SPOOFING: Email messages with a forged sender address

SMISHING: Infected files / malicious links sent through SMS message

MASQUERADING: Attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification

Outcome of each: successful fraudulent transaction

Classic Phishing

§ Looks like a legitimate correspondence from the company
§ Wording does not have the level of refinement expected from an authentic company message
§ Has an attention getter – high dollar amount of a cell bill in this example
§ Embedded links activate malware download on your device
§ Some individuals click on the links and may not even recognize they don't have a relationship with the company

E-Mail Monitoring / Insertion

From: [email protected]
Sent: Wednesday, June 1, 2015 10:30 am
To: [email protected]
Subject: Invoice payment #R64274

Joe, Payment was sent. Let me know if you need the confirmation number.
---------------------------------------------------------
From: [email protected]
Sent: Wednesday, June 1, 2015 10:20 am
To: [email protected]
Subject: Invoice payment #R64278

Dear Chris, Please pay attention to this mail, about payment there is now change in our bank account details. We received an alert from our BANK about present security challenges which they are faced with, noting that there were several unauthorized access and withdrawals to our company account. So presently our bank confirmed that we should STOP all incoming payments to the account until the bank complete their security update. Please send the payment to our subsidiary account.

Beneficiary Bank: ABCD Hong Kong
Beneficiary Name: EMCA (HK) Limited
Beneficiary Address: 10/GF, Superluck Ind. Centre Phase 3, 37 Sha Tsui Rd, Tsuen Wan
Account No: 073-029562-658
Bank Code: 003
SWIFT Code: ABCDHKHHHKH
Branch Address: 17 Queen's Road West, HK. Hong Kong
Thank you.
---------------------------------------------------------
From: [email protected]
Sent: Wednesday, June 1, 2015 10:10 am
To: [email protected]
Subject: Invoice payment #R64274

Joe, I researched the invoices and you are correct. Found the second invoice R64274. I will go ahead and process the payment for $283,011.67 to the same account.

Thanks.
---------------------------------------------------------
From: [email protected]
Sent: Wednesday, June 1, 2015 9:45 am
To: [email protected]
Subject: Invoice payment #R64278

Hi Chris, The payment mentioned below was well received. Thank you. However, I found out you skipped one invoice R64274 which is referring to the shipping ticket #115320 (see attached). May I ask you if #115320 and #115317 were duplicated, because you paid R64278 referring to #115317. These two separate tickets for ROR-185 300lbs at the same PO number, but I received separately.

Please advise. Joe
---------------------------------------------------------

Is anyone monitoring your emails or that of the recipient?

1. Message between 2 companies on the payment of an invoice.
   - Payment received. Questioning payment on second invoice.

2. Research reveals payment on second invoice is legitimately owed.

3. Email Insertion
   - Reading the interaction between companies
   - Sees that a payment is going to be sent
   - Alerts sender something is wrong with primary bank account.
   - Funds need to be sent to an alternate account while bank is researching issue.
   - Salutation different than prior emails
   - Language not crisp
   - Uses Caps and alert phrases

4. Confirmation that payment was sent to the criminal's account.
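The four indicators the slide lists for the inserted message (payment redirected to another account, capitalised alert words, salutation differing from earlier mails, urgency wording) as a scored check over a thread. This is an added example, not from the original deck; the thread it scores is constructed and paraphrases the scenario above.

```python
"""Scores a message against the e-mail insertion indicators on the slide:
payment-redirect wording, capitalised alert words, and a salutation that
differs from earlier messages. Added example; the thread is constructed."""
import re

# Wording that moves the payment to a different account (matched lower-case).
REDIRECT_PATTERNS = [r"change in our bank account", r"subsidiary account",
                     r"alternate account", r"new (bank )?account",
                     r"stop all incoming payments"]
# Capitalised words the fraud message leans on to create urgency.
ALERT_WORDS = {"STOP", "BANK", "URGENT", "IMMEDIATELY", "ALERT"}

def salutation(body):
    """Greeting word of the first line ('hi', 'dear', ...) or '' if none."""
    first = body.strip().splitlines()[0] if body.strip() else ""
    m = re.match(r"(hi|hello|dear)\b", first, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def score_message(body, prior_bodies):
    """Return (score, reasons); each indicator present adds one point."""
    reasons = []
    if any(re.search(p, body.lower()) for p in REDIRECT_PATTERNS):
        reasons.append("asks for payment to a different account")
    words = {w.strip(".,!:;") for w in body.split()}
    caps = {w for w in words if len(w) > 2 and w.isupper()} & ALERT_WORDS
    if caps:
        reasons.append("capitalised alert words: " + ", ".join(sorted(caps)))
    prior = {salutation(b) for b in prior_bodies} - {""}
    if prior and salutation(body) not in prior:
        reasons.append("salutation differs from earlier messages in the thread")
    return len(reasons), reasons

def review_thread(thread):
    """True for each message that shows two or more indicators."""
    return [score_message(m, thread[:i])[0] >= 2 for i, m in enumerate(thread)]

# Constructed thread, oldest first, paraphrasing the slide's scenario.
THREAD = [
    "Hi Chris,\nThe payment below was received, but you skipped invoice R64274.\n"
    "Please advise.\nJoe",
    "Hi Joe,\nI researched the invoices and you are correct. I will process it.\n"
    "Thanks.",
    "Dear Chris,\nThere is now change in our bank account details. Our BANK "
    "confirmed that we should STOP all incoming payments. Please send the "
    "payment to our subsidiary account.",
]

if __name__ == "__main__":
    for i, body in enumerate(THREAD):
        print(i, score_message(body, THREAD[:i]))
```

A hit on two or more indicators is a reason to stop and verify by telephone, not a verdict; the legitimate mails in the thread score zero.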

Spoofing / Masquerading

Some Phishing schemes involve mimicking internal emails.

§ Based on easy to obtain information (social media sites, professional associations, company website) the perpetrator of fraud knows key players and their roles in your company.
§ Domain names are registered that sound like your company; but involve intentional misspellings.
§ Initial message is fake but appears to be coming from Senior executives within the company
§ Focus on confidentiality and urgency

If you receive an email such as this:
§ Contact the sender by an alternate method to validate the instruction
§ Follow your authentication procedures
§ Employ dual controls prior to making payment changes or processing payments
§ Validate that correspondence is legitimate

From: [email protected]
Sent: Tuesday, July 8, 2014 11:17 am
To: [email protected]
Subject: FW: Wire Transfer

This is the third one. We are pulling the confirmation now and will send to you.

From: [email protected]
Sent: Wednesday, June 11, 2014 11:30 am
To: [email protected]
Subject: FW: Wire Transfer

FYI, this needs to get processed today. I checked with (insert name here) to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an email directly to (insert name here) or let you drive from here. Let me know.

From: [email protected]
Sent: Wednesday, June 11, 2014 9:59 am
To: [email protected]
Subject: FW: Wire Transfer

Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed.

Thanks.

------------------------ Forwarded message ---------------------------------

From: [email protected]
Sent: Wednesday, June 11, 2014 6:45 am
To: [email protected]
Subject: Wire Transfer

Insert name (Treasurer),

Per our conversation, I have attached the wiring instructions for the wire. Let me know when done.

Thanks. Insert name, (CEO)

Look at the spelling of the words and names carefully

[email protected]

[email protected]
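The "look at the spelling carefully" advice as a mail-gateway style check that compares a sender's domain with the company's trusted domains: one edit away, equal after undoing common look-alike substitutions (rn for m, 1 for l, 0 for o), or the same name under a different TLD. Added example, not code from the deck; the trusted domains are constructed placeholders.

```python
"""Lookalike-domain check for the "look at the spelling carefully" advice:
a sender domain is flagged when it is one edit away from a trusted domain,
equal after undoing common look-alike substitutions, or the same name under
a different TLD. Added example, not from the deck; domains are constructed."""

# Trusted domains: constructed placeholders, not any real company's domains.
TRUSTED = {"examplecorp.com", "example-supplier.com"}

# Character sequences often swapped for look-alikes in registered domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalize(label):
    """Collapse confusable sequences so 'exarnplecorp' becomes 'examplecorp'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED):
    """Return ('trusted'|'lookalike'|'unknown', matched or sender domain)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted", domain
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        gname, _, gtld = good.rpartition(".")
        # Same registrable name after confusable collapse (covers TLD swaps too),
        # or a single-character edit under the same TLD.
        same_name = normalize(name) == normalize(gname)
        near_name = edit_distance(name, gname) <= 1 and tld == gtld
        if same_name or near_name:
            return "lookalike", good
    return "unknown", domain

if __name__ == "__main__":
    for addr in ["ceo@examplecorp.com", "ceo@exarnplecorp.com", "ceo@examplecorp.co"]:
        print(addr, classify_sender(addr))
```

A "lookalike" result is the cue to apply the slide's advice: contact the apparent sender by another channel before acting on the instruction.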

Ransomware: Emerging fraud trend

Ransomware is a type of malware that restricts access to the infected computer system
• Demands ransom to remove the restrictions
• Some forms systematically encrypt files on the system's hard drive
• Difficult or impossible to decrypt without paying the ransom for the decryption key; some may simply lock the system and display messages to coax the user into paying
• Most ransomware enters the system through attachments to an email message

For consideration
• Up to date anti-virus software
• Email gateway security products
• Employee education

Ransomware Brand Names: FakeBsod, Tescrypt, Krypterade

Establish Controls

Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker.

Beware of sudden changes in business practices. For example, if suddenly asked to contact a representative at their personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still in communication with your legitimate business associate.

Do not use the "reply" option to respond to an email with transaction activity or approvals for payments. Instead, use the "forward" option and either type in the correct email address or select it from the email address book to make sure the real email address is used.

Fraudulent Invoice Schemes

Fraudulent Invoices

Another trend impacting companies is the Fraudulent Invoice:

§ It is a variation on the Phishing emails.
§ Fraudster mails an invoice to the company; often addressed to the AP department
§ Invoice has description of "Investment"
§ Invoice usually includes remittance information including the account to which funds are to be paid

If you receive an Invoice such as this:

§ Verify the company is an approved existing and current trading partner
§ Verify it is for an actual purchase or work performed by the company
§ Confirm the account on the invoice is what you have on file for the company
§ Caution – do not add a new vendor, with a new account, and pay an invoice all in the same step

Reduce Risk Exposure

§ If you're giving employees access to your accounts, limit access to sensitive functionality such as payment transactions.
§ Set up your account so that any payments scheduled by one employee must be approved by a separate user.
§ Set up approval limits around transactions. This can be done by transaction amount or type of transaction.
§ Set up e-mail or mobile notifications to multiple members of your management team if any payments are initiated over a certain amount.
§ Request notifications of any significant changes in your balances so that any problems can be addressed immediately.

Establish Segregation Of Duties

Offline
§ Have more than one person review bank reconciliations.
§ Require more than one signature for checks over a set amount.
§ Make sure there is dual control over the physical check stock.
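The payment controls from the Establish Controls, Fraudulent Invoices and Reduce Risk Exposure slides (pay only an approved vendor's account on file, initiator and approver must differ, per-user approval limits, management notification over a threshold) as one maker/checker check. Added example, not the deck's or any bank's code; the vendor, users and limits are constructed placeholders.

```python
"""Maker/checker payment controls from the slides: a payment initiated by one
user must be approved by a different user, each approver has a limit, amounts
over a threshold notify management, and an invoice is paid only to the account
already on file for an approved vendor. Added example, not the deck's or any
bank's code; users, vendors and limits are constructed placeholders."""
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    account: str            # bank account on file, maintained outside the payment step
    approved: bool = True   # an approved, existing and current trading partner

@dataclass
class Payment:
    vendor: str
    account: str            # account printed on the incoming invoice
    amount: float
    initiated_by: str
    approved_by: str = ""   # empty until a second user approves
    notices: list = field(default_factory=list)

# Constructed vendor master, per-user approval limits (USD) and alert threshold.
VENDORS = {"Acme Supplier Ltd": Vendor("Acme Supplier Ltd", "ACCT-ON-FILE-001")}
APPROVAL_LIMITS = {"chris": 50_000, "cfo": 500_000}
NOTIFY_OVER = 100_000

def check_payment(p, vendors=VENDORS, limits=APPROVAL_LIMITS):
    """Return the list of control violations; empty means the payment may be released."""
    problems = []
    v = vendors.get(p.vendor)
    if v is None or not v.approved:
        problems.append("vendor is not an approved existing trading partner")
    elif p.account != v.account:
        # The slide's caution: never add a new account and pay it in the same step.
        problems.append("invoice account differs from the account on file; verify out of band")
    if not p.approved_by:
        problems.append("payment not yet approved by a second user")
    elif p.approved_by == p.initiated_by:
        problems.append("approver must be a different user from the initiator")
    elif p.amount > limits.get(p.approved_by, 0):
        problems.append(f"{p.approved_by} exceeds approval limit for this amount")
    if p.amount > NOTIFY_OVER:
        p.notices.append(f"notify management: payment over {NOTIFY_OVER:,} initiated")
    return problems

if __name__ == "__main__":
    ok = Payment("Acme Supplier Ltd", "ACCT-ON-FILE-001", 283011.67, "chris", "cfo")
    redirected = Payment("Acme Supplier Ltd", "ACCT-NEW-999", 283011.67, "chris", "cfo")
    print(check_payment(ok), ok.notices)
    print(check_payment(redirected))
```

The redirected case is the deck's thread-hijack scenario: the invoice names a different account from the one on file, so the payment is held until the change is verified through a channel other than the email thread.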

Managing Fraud Risk

Fraudsters are increasingly targeting companies that conduct online business, employing sophisticated tools designed to compromise your system and surrender control of your computer.

Bank experts and industry leaders share trends, tools and tactics for all business segments through video vignettes, case studies, podcasts, and featured white papers.

Learn more: managing fraud risk website

#1 among online banking services peers: fraud prevention and monitoring; security administration and compliance (Source: Greenwich Associates Online Services Benchmarking, 2014)

#1 fraud protection and identity safety card solutions (Source: Javelin Strategy & Research, 2014)

Consider solutions to help reduce your exposure to fraud.
▪ Notifications
▪ Check and ACH Positive Pay
▪ Prepaid and Corporate cards

To understand actions you can take to help your company reduce the risks associated with fraud, review online security tips and best practices to get started today.

TAKE ACTION

DOCUMENT an action plan now
Develop a sound internal process for transactions using the highest industry standards. Communicate and enforce the plan across the organization. Create a separate plan to respond to an information compromise event. Keep in mind that an information breach may impact treasury activities.

EDUCATE your team on best practices
Establish other communication channels, such as telephone calls, to verify significant transactions. Do not use the "reply" option to respond to an email with transaction activity or approvals for payments.

Fraud Awareness Training

§ Be proactive in conducting periodic fraud and security training
§ Don't assume employees understand email and internet risks
§ Set rules for personal internet usage – tell them why
§ Articulate employee policies for the monitoring of their computer activity
§ Formal training: don't rely only on your company's email or intranet to inform employees of email and internet policies and procedures
§ Consider restricting the ability to load/download data on your company computers
§ Show employees how to recognize threats and convey the consequences of those threats
§ Be explicit about what to look for to identify a malicious email
§ Explain that users will keep passwords in a secure place and not to share them with coworkers
§ Provide frequent reports of new threats and statistics of how many viruses have been caught within your organization
§ Never turn off security protection on your computer and stay current with updates
§ Do not use your personal computer for company business
§ Do not connect to the internet through suspect wireless networks (e.g., Wi-Fi from a café)
§ Forward suspicious emails to the company's designated email security team (include the email address)
§ Open only identifiable attachments from known sources. Financial institutions and government agencies never ask you to enter personal data, such as passwords, SSN, account numbers, etc.

There is a Direct Correlation Between Employee Fraud Education and Decreased Number of Successful Fraud Attacks

Appendix

Glossary of Terms

§ Malware: Malicious Software; software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
§ DDOS: Distributed Denial of Service – is an attack where multiple compromised systems – which are usually infected with a Trojan – are used to target a single system causing incoming traffic to flood the victim
§ Man In The Browser (MITB): A threat related to Man in the Middle where a web browser is infected by a proxy Trojan that allows web pages and transactions to be modified covertly, invisible to both the user and the application.
§ Phishing: The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Phishing emails may contain links to websites that are infected with malware.
§ SMishing: Is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information. The hook (the method used to actually capture people's information) in the text message may be a website URL, but it has become more common to see a telephone number that connects to an automated voice response system.

Glossary of Terms (Cont'd)

§ Trojan: Malware Trojan that uses fake popup ads to force the infected victim to buy malicious software to repair it or any type of drive-by downloads to load bad software
§ Keystroke Logging: Is the action of recording or logging the keys struck on a keyboard (to capture user IDs, passwords, etc.)
§ Spyware: Is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge


Copyright 2015 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.