2017 Fraud Overview & Mitigation Strategies


Page 1: 2017 Fraud Overview & Mitigation Strategies › resources › Presentations › 04192017 Fraud Review.pdf

2017 Fraud Overview & Mitigation Strategies

Page 2:

AFP Payments Fraud and Control Survey

• 75% of organizations that were victims of fraud had experienced check fraud in 2016 (checks are still half of all B2B payments)
• 74% reported their organizations were exposed to Business Email Compromise (BEC)
• 63% of fraud attempts resulted from the actions of an outside individual
• 30% reported ACH debit fraud, an all-time high

SOURCE: 2017 AFP Payments Fraud and Control Survey

Page 3:

Troubling Trend


SOURCE: 2017 AFP Payments Fraud and Control Survey

Page 4:

Fraud by Payment Type

[Chart: percentage of organizations reporting fraud by payment type (0-80% axis); categories: Checks, Wire Transfers, Commercial Card, ACH Debits, ACH Credits]

SOURCE: 2017 AFP Payments Fraud and Control Survey

Page 5:

Fraud Sources


Page 6:

Fraud Prevention Best Practices - Check


Page 7:

Fraud Prevention Best Practices - ACH


Page 8:

The Threat Landscape – Business Email Compromise


Page 9:

Business Email Compromise

SOURCE: 2017 AFP Payments Fraud and Control Survey

Page 10:


Business Email Compromise

• Business Executive Fraud - Email accounts of high-level business executives (CFO, CTO, etc.) are spoofed or hacked and a fraudulent wire transfer request is made.
• Bogus Supplier Invoices - After a vendor has been hacked, a company is asked to change payment instructions or to pay an invoice to an alternative, fraudulent account.
• Attorney Impersonation - Scammers convince targets that wire transfers are needed to settle a legal matter, stressing confidentiality and urgency.
• Data Theft - The goal is not a direct funds transfer; the scammers are after sensitive corporate financial information.

Page 11:


Business Email Compromise – Wire Transfer

Spoofed or hacked CEO email: Criminals learn about their targets from online sources. They monitor emails and create a sense of urgency and importance around the fraudulent request.

Legitimate user (CFO, Controller): The attackers "sound" like the legitimate source. Spoofed emails very closely mimic legitimate emails; requests are well-worded and specific to the business victim. Requests coincide with business travel dates for the executives whose emails were spoofed.

Wire transfer sent: BEC amounts are generally within the range of the client's normal wire transfer activity, to avoid suspicion or detection.

Criminal beneficiary receives funds: BEC beneficiary banks are both domestic and international.
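The flow above lists the observable signs of an executive-impersonation wire request: an executive's name on an address that is not the executive's, replies quietly redirected elsewhere, and a funds request wrapped in urgency or secrecy. The following is an added example (not code from the presentation) that runs those checks over a raw message before the request reaches anyone with wire authority. The company domain, the executive directory, the keyword lists and the two sample messages are constructed for illustration.

```python
"""BEC wire-request triage: header and wording checks for the executive-
impersonation pattern. Added example, not code from the presentation; the
directory, keyword lists and sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}    # assumed directory
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

WIRE = re.compile(r"\b(wire|wire transfer|transfer the funds|send payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|right away|today)\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|discreet|do not (discuss|mention|tell)|keep this between us)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_wire_request(raw_message: str) -> List[str]:
    """Return the reasons a message should be held for out-of-band verification.

    An empty list means none of the indicators fired; it does not prove the
    message is genuine, so the payment controls on the next slide still apply.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    reasons = []
    # 1. A known executive's display name on an address that is not theirs
    #    (lookalike domain, hacked personal account, free webmail).
    expected = EXECUTIVES.get(display_name.strip())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{display_name}' does not match directory "
                       f"address {expected}; sender is {from_addr}")
    # 2. Business mail arriving from a free webmail domain.
    if from_domain in FREE_WEBMAIL:
        reasons.append(f"sender uses free webmail domain {from_domain}")
    # 3. Replies silently redirected away from the From domain.
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To {reply_addr} points outside the From domain {from_domain}")
    # 4. A funds-movement request combined with urgency or secrecy language.
    if WIRE.search(text) and (URGENCY.search(text) or SECRECY.search(text)):
        reasons.append("wire request combined with urgency/secrecy language")
    return reasons


# Constructed sample messages (not real traffic).
SUSPECT = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: Jane Doe <ceo.jdoe@gmail.com>
To: controller@example-corp.com
Subject: Urgent wire - confidential

I'm travelling and can't take calls. Please wire $48,500 today to the
account below and keep this between us until the deal closes.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q2 forecast

Can you send me the updated forecast when you have a minute?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, triage_wire_request(raw) or ["no indicators"])
```

The constructed suspect message trips three of the four checks; the legitimate one trips none. In practice the display-name check is the one worth tuning first, since it is the check an attacker with a lookalike domain cannot avoid without dropping the executive's name.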

Page 12:


Business Email Compromise Mitigation Best Practices – Wire Transfer

• Educate your staff about the fraud risks inherent in their daily processes.
• Create a culture that empowers employees to ask questions, especially when there is a request for secrecy, a request to bypass normal operating procedures, or pressure to act quickly.
• Develop processes for wire validation that include access to key executives for approval.
• Require two people to approve the movement of large sums or any change to information that affects the movement of funds.
• Verify important or large transactions through an alternate channel, such as a phone call to a number already on file or an in-person check; do not rely on contact details supplied in the request itself.
• Establish a company website domain and use it to create company email accounts. Do not use free, web-based email accounts for business purposes.
• Limit the amount of information available to the general public about your company's internal operations.
• Conduct all banking on a dedicated machine used for no other task, or create a dedicated virtual operating system for the sole purpose of providing a secure environment.

Page 13:


Business Email Compromise – Invoice

Spoofed or hacked supplier email: Criminals learn about their targets from online sources. They leverage company websites, press releases, and company directories.

Legitimate user (Accounts Payable team): They monitor emails to determine the normal process flow and the optimal timing. They "sound" like a legitimate vendor; new lookalike supplier domains can be created (e.g., @venderr in place of @vendor). They control the email flows and create new mailbox rules to avoid detection. Fake conversations about the invoice can take place without the associate realizing the breach.

Change invoice and payment instructions: BEC amounts are generally within the range of normal invoice activity.

Criminal beneficiary receives funds.

Page 14:


Business Email Compromise Mitigation Best Practices – Supplier/Invoice

• Train associates on all vendor management policies and empower them to ask questions when in doubt.
• Know Your Vendor - verify that a new vendor is a legitimate organization
  - Perform due diligence on the company's background and existence
  - Dual approvals for new vendors
  - Email requests for new vendor set-up are not accepted
• Plan how your vendor will connect to you
  - EDI, secure FTP, web portal, phone
  - Test, document, and validate
• Segregate responsibility for vendor authentication and purchasing functions
• Changes to the vendor master file: requests must be validated with a trusted source at the vendor
• Verbal confirmation: vendors should be required to verbally approve changes, reached on phone numbers that are already known and on file for the vendor (never on a number supplied in the change request)
• Keep the vendor list, including contact information for the individuals authorized to make payment changes, in a hard-copy file
• Flag new vendors in the system
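The invoice flow on the previous slide (lookalike supplier domains such as @venderr for @vendor) and the controls on this slide (no new vendors from email, callback on the number of record, dual approval) can be enforced as a single policy check before a payment-instruction change is applied. The following is an added example, not code from the presentation: the vendor master schema, the record in it, the confusable-character table and the sample requests are all constructed for illustration.

```python
"""Vendor payment-instruction change control: lookalike-domain check on the
sender, verbal confirmation on the phone number of record, and dual approval.
Added example, not code from the presentation; vendor master, schema and
requests are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vendor master file (assumed schema). The domain and phone number
# here are the "known and listed" values the slide says to rely on.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supply", "email_domain": "vendor.com",
               "callback_phone": "+1-555-0100", "bank_account": "111222333"},
}

# Digits commonly swapped for letters in lookalike domains (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, known: str, max_distance: int = 2) -> bool:
    """True if candidate differs from the known domain only by confusable
    characters, or by a couple of edits in its first label (venderr/vendor)."""
    cand, ref = candidate.lower(), known.lower()
    if cand == ref:
        return False
    if cand.translate(CONFUSABLES) == ref.translate(CONFUSABLES):
        return True
    return edit_distance(cand.split(".")[0], ref.split(".")[0]) <= max_distance


@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str                   # address the request arrived from
    new_bank_account: str
    phone_in_request: Optional[str]     # any callback number the email supplied
    confirmed_on_phone: Optional[str]   # number AP actually called back on
    requester: str                      # AP associate who entered the change
    approvers: Tuple[str, ...]


def evaluate_change(req: ChangeRequest) -> List[str]:
    """Return policy violations; an empty list means the change may be applied."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        # New vendors are never set up from an email request.
        return [f"unknown vendor {req.vendor_id}: new-vendor set-up by email is not accepted"]
    problems = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["email_domain"]:
        if is_lookalike(sender_domain, vendor["email_domain"]):
            problems.append(f"sender domain {sender_domain} is a lookalike of "
                            f"the vendor domain of record {vendor['email_domain']}")
        else:
            problems.append(f"sender domain {sender_domain} is not the vendor "
                            f"domain of record {vendor['email_domain']}")
    if req.phone_in_request and req.phone_in_request != vendor["callback_phone"]:
        problems.append("request supplies its own callback number; only the number on file is used")
    if req.confirmed_on_phone != vendor["callback_phone"]:
        problems.append("change not verbally confirmed on the vendor's phone number of record")
    distinct = set(req.approvers) - {req.requester}
    if len(distinct) < 2:
        problems.append("dual approval required from two people other than the requester")
    return problems


# Constructed requests: one that follows the process, one that matches the slide's attack.
GOOD = ChangeRequest("V-1001", "ap@vendor.com", "999888777", None, "+1-555-0100",
                     "carol", ("alice", "bob"))
BAD = ChangeRequest("V-1001", "billing@venderr.com", "999888777", "+1-555-0199",
                    "+1-555-0199", "carol", ("alice", "carol"))

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        print(label, evaluate_change(req) or ["approved"])
```

The bad request fails on every control: a lookalike sender domain, a callback number of the attacker's choosing that was then used for the "confirmation", and an approval pair that includes the requester. The lookalike test compares only the first label so that `vendor.co` versus `vendor.com` is caught too; tighten `max_distance` if the vendor list contains genuinely similar short names.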

Page 15:

The Threat Landscape - Ransomware


Page 16:


Ransomware

Hollywood Presbyterian - 2016
• $17K in Bitcoin ransom paid
• 10 days of downtime
• No access to patient records
• No email, lab work, pharmacy, CT scans, medical test results

Locker ransomware - disables access and control
Crypto ransomware - encrypts data

• 28,000 ransomware incidents per month in 2015
• 56,000 per month in 2016
• In Q1 2016, $209 million was paid to ransomware criminals for encryption keys to unlock phones, computer files and entire computer systems following the installation of this malware

Page 17:

San Francisco Rail System Ransomware

"You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 Enter."

SOURCE: Sophos 11/2016

Page 18:


Ransomware – My Example


Page 19:


Ransomware

The FBI offers the following tips to protect devices from ransomware:
• Ensure you have updated antivirus software on your devices
• Enable automated patches for your operating system and web browser
• Use strong passwords unique to each account
• Use a pop-up blocker
• Download software, games, and programs (especially free ones) only from known and trusted sites
• Don't open attachments in unsolicited e-mails and never click on a URL contained in an unsolicited e-mail. Close the e-mail and go directly to the organization's website.
• Use the same precautions on your mobile phone as you would on your computer when using the Internet.
• Conduct regular system back-ups and store the backed-up data offline.

Page 20:

The Threat Landscape – Beware of Online Risks


Page 21:


Threat Landscape… Avoid Getting Hooked By a Phish…

• Phishing (Email)
• Smishing (Text Message)
• Vishing (Voice/Phone)
• Twishing (Twitter)
• Search Engine Poisoning
• Trusted Site Compromise
• Malvertising
• Software Vulnerabilities
• Scareware
• Fake Mobile Apps

Page 22:


It's everywhere…

[Slide images: sample smishing, vishing and twishing lures]

Page 23:


Scareware


Page 24:


The Black Market

SOURCE: Dell SecureWorks

Hacker service: Price
Social Security number ('Fullz' dossier): $30.00
Date of birth: $11.00
Health insurance credentials: $20.00
Visa or MasterCard credentials: $4.00
American Express credentials: $7.00
Discover credit credentials: $8.00
Credit card with magnetic stripe or chip data: $12.00
Bank account number (balance of $70,000 to $150,000): $300
Full identity 'Kitz' (healthcare data/documents): $1,200 to $1,300

Page 25:


Password Security

Don'ts
• Never use the "remember password" feature
• Never use your name, phone number, a number series (e.g., "123456"), or an easily guessed word (e.g., "password")
• Never share your password
• Never write down your password

Do's
• Use a different password for each account
• Change your password often
• Use a combination of upper/lower case, numbers, and special characters
• Use long passwords
• Substitute numbers for letters and vice versa
• Use multiple random words
• Use capitalization in random places, intentionally misspell words, or spell them backwards
• Use words, then remove letters and add relevant numbers: First Car - 1992 Ford Mustang = FdMstg92
• Use phrases, substituting letters with numbers: The party is at 7 o'clock = prtyzat7
• Experiment with your favorite song, album, or movie titles by adding numbers: Michael Jackson's Thriller = MJAXtHri13r

Caveat: letter-for-number substitutions, dropped vowels and appended years are standard mangling rules in password-cracking tools, so the eight-character examples above gain little from them; length and unpredictability (several random words, or a password generated and stored by a manager) matter more.

Page 26:

Password Managers


SOURCE: PC Magazine 11/4/16

"The Very Best: Veteran password manager LastPass 4.0 Premium offers an impressively comprehensive set of features. Slick and polished Dashlane 4 also boasts a ton of features, even some that LastPass lacks. Sticky Password Premium handles essential tasks better than most, and a portion of every purchase goes to help an endangered species."

Page 27:

Better Safe Than Sorry…


• Only download or buy apps from legitimate app stores.
• Check out the reputation of apps and particularly the app publisher.
• Only enter credit card info on secure shopping portals.
• Avoid using simple passwords, and use two-factor authentication if you can.
• Be alert for poisoned search results when using search engines to find products.
• Don't use free public Wi-Fi to make purchases or do online banking.
• Be suspicious of great deals you learn about via social media or emails, and don't click the links.
• Turn off location services while shopping to minimize the personal data that could be compromised.
• Make sure the connection to e-commerce sites is secured (HTTPS).

SOURCE: Network World 11/22/16

Page 28:


Other Resources

https://www.ublock.org/ - Ad blocker site
"These days, you need an ad blocker. Not only that, you'll need to limit the number of websites added to the blocker's exemption list. Criminals are able to leverage ad networks in order to display malicious ads, often leading consumers to exploit kits that deliver Ransomware or other malware to the system."

http://urlquery.net/ - URL query site
"This is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis."

SOURCE: CSO 11/21/16

https://www.usa.gov/online-safety - Online Safety Tips
https://www.ic3.gov/default.aspx - Internet Crime Complaint Center
https://www.fbi.gov/scams-and-safety/on-the-internet - FBI Resources

Page 29:


Employee Awareness

"When it comes to your messaging, simplify, clarify, repeat" (Corey Nachreiner, CTO, WatchGuard)
"This time, make it personal" (John Stewart, SVP, Chief Security & Trust Officer, Cisco)
"Connect the dots between security and their existing goals & priorities" (Lysa Myers, Security Researcher, ESET)
"Make explicit the behaviors you want to see and the practices you expect people to adhere to." (Jack Danahy, Co-founder & CTO, Barkly)
"Quickly move the focus from 'what you did wrong' to 'how we can make it better'" (Amy Baker, VP Marketing, Wombat Security Technologies)

SOURCE: Barkly Realist Guide to Cybersecurity Awareness

Page 30:


Page 31:

Wrap-up


THANK YOU

[email protected]