Cyber Threat 2018 Business Email Compromise (BEC) Fraud Awareness Training Gábor Weissmüller EMEA Senior Investigator Citi Security & Investigative Services


  • Cyber Threat 2018

    Business Email Compromise (BEC)

    Fraud Awareness Training

    Gábor Weissmüller

    EMEA Senior Investigator

    Citi Security & Investigative Services

  • What is Cyber fraud?

    • Phishing?

    • Spear phishing?

    • Whaling?

    • Social engineering?

    • BEC (Business Email Compromise)?

    • Spyware?

    • Ransomware?

    • Swift fraud?

    • Spoofed website?

    • etc.

  • The Impact on Business

    The financial implications help explain why Cyber is now considered one of the
    primary operational risks, but a Cyber incident can damage far more than a
    company’s bottom line.

    Average cost of cybercrime to companies (2): $21.2MM, $11.5MM, $10.4MM, $8.7MM
    (bar chart; the category labels did not survive extraction)

    Estimated global cost of cybercrime by 2019 (1): $2 Trillion

    1. Forbes; “(Cyber crime) increasing to almost four times the estimated cost of
       data breaches in 2015”; January 2016.
    2. Accenture & Ponemon Institute; “2017 Cost of Cyber Crime Study”; September 2017.

  • Key Trends From 2017

    Five key cybercrime trends emerged during 2017:

    • Multi-National / Global Incidents.
    • Phishing 2.0.
    • The Evolution of Ransomware.
    • The Exploitation of IoT Devices (Internet of Things).
    • Increasing Incidents. Everywhere.

  • Primary Cyber Attackers

    The cyber landscape consists of five primary groups of adversaries:

    • Nation State: sophisticated actors; supporting national interests; targeting
      trade secrets & sensitive information.
    • Cyber Crime: financially motivated; frequent use of social engineering; most
      common type of cyber attack.
    • Terrorism: politically or ideologically motivated; goal is to instill fear;
      attacks often destructive.
    • Hacktivism: advancement of a social or political agenda; attacks often
      disruptive.
    • Insider: motivations vary, including fraud, revenge, desire for destruction;
      access is often authorized, making detection hard.

  • Business E-mail Compromise (BEC)

    • Organised Criminal Groups (OCGs) are a global industry
    • Use Social Engineering tactics, via phone and email
    • Target Corporate Entities’ Treasury and Accounts Payable departments
    • Study their targets using Internet and Social Media
    • Use Spear Phishing to install malware on their targets’ PCs

    Trending Attack Methods: Beneficiary Change; CEO Impersonation; Screen sharing

    $3.1B lost via Business Email Compromise (BEC) scams
    22,143 victims from October 2013 to February 2016
    1300% increase in identified exposed losses since January 2015
    (As of April 14, 2016)

    Criminals spoof communications from the victim’s existing business contacts to persuade the firm’s employees to
    transfer funds to accounts controlled by the criminals.

  • The Iceberg – The Anatomy of a BEC attack

    TECH INFILTRATION

    OSINT: Social Media searches focused on key employees (LinkedIn, Facebook,
    Twitter etc.); research on company structure, payment processing & platforms.

    SPEARPHISHING: Targeted Phishing e-mails aimed at key personnel & used to deploy
    Malware/Spyware.

    3-9 Months: Knowledge Building (E-mail & Payment)

    “They have excellent tradecraft, and they do their homework. They use language
    specific to the company they are targeting”

    “To make matters worse, the criminals often employ malware to infiltrate company
    networks, gaining access to legitimate e-mail threads about billing and invoices”

    The FBI - BEC An Emerging Global Threat, Aug 2015

    SOCIAL ENGINEERING

    FILLING IN THE GAPS: Phone contact made with employees of victim organization
    to further enhance knowledge of company structure, processes and personnel,
    e.g. names of authorizers.

    LEARNING THE LINGO: Nuances of language used between employees noted.

  • Social Engineering

    Intelligence Gathering
    • Social Networks
    • Information available in public domain

    Pretexting
    • Using intelligence gathered to create a believable scenario

    Execution
    • Execute Attack

    Social Engineers exploit our natural instinct to…

    Trust – We tend to trust unless given a reason not to.
    Assist – Social engineers target customer service & helpdesk representatives who are trained to help.
    Obey – We have a natural tendency to obey authority figures (follow instructions).

    Social Engineering is the ‘Art of manipulating people into performing actions or divulging confidential information
    that may not be in the target’s best interest’

  • Spoofed e-mails

    In 2015 an unnamed US company was defrauded out of almost $100 million by individuals who created a fake e-mail
    address in order to pose as one of its legitimate vendors.

    Spoofing involves the creation of a fraudulent e-mail address, which is designed to look like a genuine email
    address. For example, if the target company’s domain is “@smith.com”, criminals may register “@smith.co.uk”
    or “@smith-inc.com”. Spoofing can be used to add an appearance of legitimacy to fraudulent requests.

    [Figure annotation: the second “i” is substituted with “l”]

  • What we ask of clients in the event of Fraud

    ACT / Alert / Follow up

    Act Quickly
    • Review and urgently confirm fraud - every minute may count.

    Use the ‘F’ Word
    • Be prepared to state “FRAUD” and confirm this in writing/email (not “potential fraud” or similar,
      banks will not act on “potential” issues)

    Alert Immediately
    • Initiate recall actions (this may include SWIFT recall and/or direct contact)
    • The shorter the time between fraudulent transaction and detection, the greater the
      chance of recovery

    Provide the Details
    • Beneficiary banks and others will need clear background information before they will act
    • Some jurisdictions are more difficult than others so clients may need to consider further action to secure
      their position
    • Provide details on what exactly happened (e.g. fake email domains, compromised email chain)
    • Where a beneficiary bank requests an indemnity from
      *It is critical there is no delay in providing this letter!

  • The Importance of Immediate Escalation

    An example of money flows following the initiation of fraudulent payments ….

    [Diagram: the nodes are labelled Client / Victim, Beneficiary 1 to Beneficiary 7, and BANK A through BANK K
    (plus “BANK COM”); the layered transfers shown are $2,165,000.00, $2,100,000.00, $615,000.00, $399,800.00,
    $200,000.00, $135,000.00, $130,000.00, $120,000.00, $100,000.00, $50,000.00, $50,000.00 and $52,740.00,
    with two KZT legs of KZT 548,250,000 and KZT 369,235,000. The routing between nodes is not recoverable
    from the extracted text.]

  • Business Email Compromise – Precautions

    The sophistication of BEC can make the attacks very hard to spot, but there are a
    number of simple steps that Citi staff can take to reduce their chances of falling
    victim.

    1. Understand the risk posed by BEC and educate your colleagues.
    2. Ensure all payment processes have maker:checker controls.
    3. If you receive an email asking for a payment to be sent to a new beneficiary,
       perform a call back on a known telephone number to check the request.
    4. Look for requests that are out of the ordinary – different senders, new email
       formats, unusual language or tone, strange times, etc.
    5. Be wary of any email that is marked as ‘urgent’, ‘secret’ or ‘confidential’, as well
       as requests that give an excuse why a call back cannot be performed.
    6. Don’t be pressured into making a quick decision. Listen to your instincts and question anything that feels wrong.
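    As an added example (not part of the training deck), the lookalike-domain check from the Spoofed e-mails slide and the new-beneficiary call-back rule from the precautions above, expressed as a screening routine for incoming payment-change requests. The vendor master, the account identifiers and the confusable-character table are constructed for illustration, and the suffix handling in org_label is a stated assumption (a production check would consult a public-suffix list).

```python
"""Screen payment-change requests against a vendor master (added, constructed example)."""
from difflib import SequenceMatcher

# Constructed vendor master: legitimate sender domain -> beneficiary account on file.
VENDOR_MASTER = {"smith.com": "ACCT-0001-ON-FILE"}
# Visually confusable substitutions; the deck's own example is "i" replaced by "l".
CONFUSABLES = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}

def normalize(label):
    """Collapse confusable characters so 'smlth' compares equal to 'smith'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out

def org_label(domain):
    """Organisation label: 'smith.co.uk' -> 'smith', 'smith-inc.com' -> 'smith-inc'.
    Assumption: a short second-to-last label such as 'co' belongs to the suffix."""
    parts = domain.lower().strip().split(".")
    if len(parts) >= 3 and len(parts[-2]) <= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_sender(domain):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    domain = domain.lower().strip()
    if domain in VENDOR_MASTER:
        return "known", domain
    label = org_label(domain)
    for vendor in VENDOR_MASTER:
        vlabel = org_label(vendor)
        same_core = normalize(label) == normalize(vlabel)  # smlth.com, smith.co.uk
        padded = label.startswith(vlabel + "-") or label.endswith("-" + vlabel)  # smith-inc.com
        close = SequenceMatcher(None, label, vlabel).ratio() >= 0.8  # one-character edits
        if same_core or padded or close:
            return "lookalike", vendor
    return "unknown", None

def review_request(sender_domain, beneficiary_account):
    """Flags that must stop straight-through processing until a call back on a
    telephone number already on file (never one quoted in the e-mail) succeeds."""
    verdict, vendor = classify_sender(sender_domain)
    flags = []
    if verdict == "lookalike":
        flags.append(f"sender-lookalike-of:{vendor}")
    elif verdict == "unknown":
        flags.append("sender-unknown")
    if vendor is None or beneficiary_account != VENDOR_MASTER[vendor]:
        flags.append("beneficiary-change")
    return flags
```

    A non-empty flag list is the trigger for the maker:checker second approval and the call back on a known number; an empty list only means the sender and account match what is on file, not that the request is genuine.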

  • Questions?