Thwarting Outside Threats – The New and the Tried-and-True: Corporate Identity Theft and Check Fraud
Presented at
2016
Greg Litster, President
SAFEChecks
Corporate Identity Theft
Corporate Identity Theft is the most urgent financial threat facing businesses and organizations today.
There are two major types of Corporate Identity Theft:
First, fraudsters target and imitate a legitimate business, oftentimes imitating an individual within that business.
Second, criminals target an organization’s clients or vendors by fraudulently diverting payments.
The most common Corporate Identity Theft scam today is the BEC Scam (Business Email Compromise).
The FBI issued two alerts in 2015 regarding BEC Scams.
By early 2016, 12,000 companies had been compromised, with losses of $2 Billion.
BEC scams are against ORGANIZATIONS / BUSINESSES, not against financial institutions.
The scam relies on a legitimate request coming from a legitimate user to their bank.
The problem is not the money transfer system, but rather the fault of someone falling for a scam based on a clever social engineering scheme.
[Image: from IBM Software Thought Leadership White Paper, “The thriving malware industry: Cybercrime made easy”]
BEC Scams usually follow one of three variations:
Simple email requesting wire transfer
Complex email requesting wire transfer
Fake vendor invoices
Simple email requesting Wire Transfer
- Criminals acquire info on targeted company from public sources (social media, press releases, etc.)
- They learn about organizational structure, vendors, clients, news, CEO/CFO travel plans, etc.
- They decide who to target, who to impersonate, and which message will be most believable.
- They strike when the targets are out of the office and less likely to be available for confirmation of request
Criminals deliver the message by email:
– They compromise an executive’s email account, controlling email flow to avoid detection – redirecting emails, editing settings for replies, etc.
– They research the style, language, and content of emails of the person they are impersonating
– They also research the wire transfer amounts and protocols that are typical for that person, to avoid raising any red flags
If they cannot compromise an executive’s email account:
– Fraudsters send a well-written email (supposedly from the CEO, CFO, etc.) to another targeted person in the organization, directing them to send a wire transfer
– The targeted person sends wire request to bank
– Because the fraudulent request looks legitimate, if the bank calls to confirm request, the targeted person approves the request
Variation on a theme....
Complex email requesting Wire Transfer
The “complex” email strategy is very similar to the simple email strategy, with several elaborate details added to the message to make it seem believable.
The message plays on the trusting and perhaps dependent relationship between the target person and the executive being impersonated.
The target person, not wanting to “let the executive down,” will usually fulfill the request.
Fake Vendor Invoices:
– Criminals target someone in the Finance Department
– They review invoices coming from a legitimate vendor that the Finance Department has received via email
– They create a fraudulent invoice which mimics the real invoices received by the Finance Department
– The fake invoice has updated banking information, with the account controlled by the criminals
– They send the fake invoice using an email address very similar to that of the real vendor
– The Finance Department pays the invoice to the new account, and if questioned by the Bank, approves the transaction because the invoice looks legitimate
Solutions to BEC Scams
- Verify that the email address is correct and legitimate (addresses are often changed by a single letter)
- Implement a detection system that flags e-mails whose domain is similar to, but not the same as, the company’s e-mail domain
- Spoofed emails used in BEC scams are unlikely to set off spam traps because the targets are not mass emailed
- Be suspicious of urgency and/or secrecy in a wire transfer request
- Look for consistency with prior requests, from the CEO, CFO, etc. and also from vendor companies.
- Look at the wording and phrasing of the email – it may have a different style than normal, misspellings, errors.
- Use alternate forms of communication to confirm the request, e.g. if the request came via email, confirm via phone.
- Use a known phone number, not one showing in the email request
- Confirm that the request actually originated with a “C” level executive, even if (especially if) the request says no more confirmation is needed
- Use dual controls for wire transfers – two people must always approve a wire transfer
- Ideally, there should not be a direct reporting relationship between those two people
- Both reviewers must take their role seriously, carefully reviewing each request
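As an added example (not part of the presentation), one way to implement the detection system described in the solutions above: it flags senders whose domain is within a character or two of the company's own domain, which catches the single swapped, added or dropped letter the slide warns about. The domain example-corp.com and the sample From: headers are constructed assumptions.

```python
# Added example, not from the presentation: flag senders whose domain is a
# near-miss of the organization's own domain (one or two characters off).
# COMPANY_DOMAINS and the SAMPLE headers below are constructed assumptions.
from email.utils import parseaddr

COMPANY_DOMAINS = {"example-corp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, company_domains=COMPANY_DOMAINS, max_edits: int = 2) -> bool:
    """True when the domain is not ours but within max_edits of one of ours."""
    if not domain or domain in company_domains:
        return False
    return any(edit_distance(domain, real) <= max_edits for real in company_domains)


def flag_messages(messages):
    """Return the (From, Subject) pairs that should be verified out of band."""
    return [(frm, subj) for frm, subj in messages if is_lookalike(sender_domain(frm))]


# Constructed sample headers; none of these are real messages.
SAMPLE = [
    ("Jane CFO <jane@example-corp.com>", "Q3 numbers"),
    ("Jane CFO <jane@example-corp.co>", "Urgent wire - keep confidential"),
    ("Jane CFO <jane@examp1e-corp.com>", "Need this wire out today"),
    ("Acme Billing <billing@acme-supplies.net>", "Invoice 1042"),
]
```

Messages from the company's exact domain pass; the two near-miss domains in SAMPLE are returned for manual verification, and an unrelated vendor domain is left alone.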
Solutions for Preventing Unauthorized Wire Transfers
In four easy steps you can prevent unauthorized online money transfers:
1) Purchase a new computer that is dedicated to online banking only. It connects to the bank, and nothing else. A basic, inexpensive computer will suffice.
2) Require two different computers and users/passwords to send money out of your account.
One or more employees can initiate a wire or ACH transfer using their everyday computers, but require that all initiated transfers be released using ONLY the dedicated banking computer. Persons authorized to release the transfers must use different user names and passwords than those used to initiate the transfer.
3) Update your bank’s Electronic Funds Transfer (EFT) agreement to reflect your revised, two-computer initiation-release procedures.
4) Implement all additional controls and technologies your bank recommends. Failure to implement the controls the bank recommends may result in your being liable for any cyber losses.
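An added example, not from the presentation, that turns the dual-control rule from the Solutions to BEC Scams slides and the two-computer initiation-release procedure above into a check a payment system runs before releasing a transfer. The org chart (REPORTS_TO), host names and releaser roster are constructed assumptions standing in for real records.

```python
# Added example, not from the presentation: a release-time check for the
# dual-control and two-computer rules. The org chart (REPORTS_TO), host names
# and release roster are constructed assumptions standing in for real records.
from dataclasses import dataclass
from typing import List, Optional

REPORTS_TO = {"alice": "carol", "bob": "dave", "carol": "ceo", "dave": "ceo"}
RELEASE_HOST = "bank-pc-01"      # the dedicated online-banking computer
RELEASERS = {"carol", "dave"}    # release credentials, separate from initiator logins


@dataclass(frozen=True)
class Transfer:
    amount: float
    initiator: str
    initiator_host: str
    releaser: Optional[str] = None
    release_host: Optional[str] = None


def direct_reporting_line(a: str, b: str) -> bool:
    """True if either person is the other's direct manager."""
    return REPORTS_TO.get(a) == b or REPORTS_TO.get(b) == a


def release_violations(t: Transfer) -> List[str]:
    """Every rule the transfer breaks; an empty list means it may be released."""
    if t.releaser is None:
        return ["no second approver"]
    problems = []
    if t.releaser == t.initiator:
        problems.append("initiator and releaser are the same person")
    if t.releaser not in RELEASERS:
        problems.append(f"{t.releaser} holds no release credentials")
    if t.release_host != RELEASE_HOST:
        problems.append(f"release attempted from {t.release_host}, not {RELEASE_HOST}")
    if t.release_host == t.initiator_host:
        problems.append("initiation and release from the same computer")
    if direct_reporting_line(t.initiator, t.releaser):
        problems.append("approvers are in a direct reporting relationship")
    return problems


def may_release(t: Transfer) -> bool:
    """Release only when no rule is violated."""
    return not release_violations(t)
```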
Variation on a theme....
Second category of Corporate Identity Theft:
Criminals target an organization’s clients or vendors through hacking and diverting payments.
- Hackers target Accounts Receivable List
- Send bogus change-of-bank notifications to customers
- New PO Box controlled by hackers
- New Bank R/T and account controlled by hackers
Solutions….
- Banks: Monitor bank changes on outgoing repetitive wires
- Companies: Confirm ALL bank change notifications from vendors
- Buy cyber crime and check fraud insurance
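An added example, not from the presentation, of the repetitive-wire monitoring control above: a review step that compares a wire's beneficiary R/T and account against that vendor's payment history, and sanity-checks the routing number with the public ABA checksum. The vendor names, routing numbers and account numbers in HISTORY are constructed.

```python
# Added example, not from the presentation: flag an outgoing wire whose
# beneficiary R/T or account differs from that vendor's established history.
# HISTORY, the vendor names and the routing/account numbers are constructed.
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

HISTORY = [  # (vendor, routing number, account) of prior outgoing wires
    ("Acme Supplies", "123456780", "4400112233"),
    ("Acme Supplies", "123456780", "4400112233"),
    ("Acme Supplies", "123456780", "4400112233"),
    ("Northwind Traders", "987654320", "7700445566"),
]


def aba_valid(routing: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeating, total divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def known_destinations(history) -> Dict[str, Set[Tuple[str, str]]]:
    """Each vendor mapped to the (routing, account) pairs it has been paid at."""
    seen = defaultdict(set)
    for vendor, rt, acct in history:
        seen[vendor].add((rt, acct))
    return seen


def review_wire(vendor: str, routing: str, account: str, history=HISTORY) -> Optional[str]:
    """Reason the wire needs out-of-band confirmation, or None if it matches history."""
    if not aba_valid(routing):
        return f"routing number {routing} fails the ABA checksum"
    prior = known_destinations(history).get(vendor)
    if prior is None:
        return f"first payment to {vendor}: verify bank details with a known contact"
    if (routing, account) in prior:
        return None
    count = sum(1 for v, _, _ in history if v == vendor)
    return (f"bank details for {vendor} differ from {count} prior wire(s): confirm the "
            "change by phone using a number on file, not one from the notice")
```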
Training!!
Protecting your business, your customers, and employees is the responsibility of everyone in your organization.
- Educate employees about BEC scams and other types of Corporate Identity Theft
- Realize that email is not a secure communication vehicle
- Encourage employees to ask questions, to slow down when reviewing transactions
- Encourage executives to be supportive of those who are following verification procedures, even when the process slows down the transaction
- Be conscious about what is displayed on social media regarding the company
- Revise auto “out of office” responses – they can tip off criminals regarding travel plans of top executives
- For training purposes, send your staff simulated attacks and see if anyone “falls” for the fraud attempt