1 / 34

Who is Phishing in Your Company Hole?

Who is Phishing in Your Company Hole? . Michael Loox, CFI Head of Loss Prevention The Coffee Bean & Tea Leaf. The Road To The Coffee Bean. The Coffee Bean & Tea Leaf . 2 nd largest US retail specialty coffee & tea brand

lottie
Download Presentation

Who is Phishing in Your Company Hole?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Who is Phishing in Your Company Hole? Michael Loox, CFI Head of Loss Prevention The Coffee Bean & Tea Leaf

  2. The Road To The Coffee Bean

  3. The Coffee Bean & Tea Leaf • 2nd largest US retail specialty coffee & tea brand • 933 stores in 28 countries, 15 states & Washington D.C. – largest footprint in emerging markets • $518 M system-wide sales • Serving over 150 million customers annually • 12,000+ global team members • Successful Omni-channel strategy • 58 franchise relationships • Regional Offices in Singapore and Malaysia • 50 Years Old- Born and Brewed in So. Cal since 1963

  4. United States • Singapore • Malaysia • Israel • Korea • Brunei • Indonesia • UAE • China • Philippines • Kuwait • Saudi Arabia • Sri Lanka • Bahrain

  5. Current United States Markets Seattle Tacoma Airport (1 location) New Jersey, Garden State Mall: (2 locations)

  6. Current Worldwide Markets United States: (311 locations: Company & Franchised ) Mongolia: (1 location) Iraqi Kurdistan: (1 location) Qatar: (7 locations) Bahrain: (3 locations) India: (26 locations) Germany: (1 location) South Korea (221 locations) Turkey: (1 location) Shanghai, China: (30 locations) Lebanon: (3 locations) Cambodia: (2 locations) Israel: (2 locations) Vietnam: (12 locations) Egypt: (17 locations) Mexico: (8 locations) Philippines: (53 locations) UAE: (0 locations) Kuwait: (15 locations) Jordan: (1 location) Thailand: (10 locations) Sri Lanka: (3 locations) Saudi Arabia: (11 locations) Brunei (8 locations) Indonesia: (68 locations) Oman: (2 locations) Singapore: (51 locations) Company Owned Malaysia: (59 locations) Company & Franchised Worldwide Store Count: 933

  7. What is Phishing? “A kind of social engineering attack in which criminals use spoofed emails to trick people into disclosing sensitive information (business or personal) or installing malware on their personal or employers computers or servers.” • Attack targets users not systems • Attacks circumvent your organizations security measures • It does not matter how many firewalls, encryption software, and two factor authentication mechanisms you have, if the person behind the keyboard falls for a phish In a 2003 IT security survey, 90% of office workers gave researchers their password in answer to a survey question for a cheap pen. Similar surveys obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords Spam is unsolicited junk email which may contain a “phish”.

  8. Origins & Evolution of Phishing • Derivative of “Phreaks”- 1990’s term for Hackers • First mention -January 2, 1996 in Usenet newsgroup • Response to AOL preventing use of algorithmically created credit card numbers to open accounts • Phisher posed as AOL staff member via email or IM requesting passwords and other personal info • Hijacked accounts used for spamming and fraud • Response- “No one working for AOL will ask for your password or billing information”

  9. Types and Variants of The Phish • Spear Phishing- a targeted communication to employees or members of an organization. Emails are customized for appeal with public information available on web sites and ask for recipient to click on a linkor open a zip file • Whaling- is a spear phish used against high level targets such as a CEO, politician, officers in the armed forces or other “Big Phish” • Vishing- callers state from “tech support”, your bank, or have you call a number to get business and credit information • Smishing- same scam through text messages and IM

  10. Phishing Season 2012 • Within the last year over 37 million unique users subjected to phishing attack – up 87% • Over 102,100 internet users are subject to attack each day • 12% of all Phishing Attacks were launched via spam mailings. 88% came from links to web pages • Over 20% of all phishing attacks mimicked a bank or other financial institution • Phishing losses estimated at $1.5 billion in 2012 • Major Cyber-threat to businesses

  11. Anatomy of a Phish Every Phishing attack email is built upon emotional and visual triggers with commonly added human motivators and emotion. • Rightful Rewards: tax refunds and prizes • Greed: Unwarranted lottery winnings and 419-type scams • False Accusations: Tax Fraud, Customer complaint, FCC, etc. • Curiosity: “Look who searched for you on Google” • Right the Wrong: Fake order confirmation from known online merchants or shopping sites citing alleged purchases made • Trust: Fake emails from banks, service providers, or business associates/professional networks

  12. Phish Tells • Spelling and Bad Grammar- spellcheck???? • Embedded links: https://www.scamuez.exe .exe files are known to launch malware • Threats: “Your account will be closed” • Spoofing popular websites/companies • You did not initiate contact • Any request for confidential or sensitive information or requesting names

  13. Identifying the Phish What a phishing email might look like?

  14. Species of Phish

  15. Zip file attached to launch malicious software

  16. Appears to be from Coffee Bean email account Malicious Zip file attachment

  17. Put an End to Phishing Season Phishing may be used as one step in a targeted attack against your company or its employees. • Corporate Espionage from competitors; foreign and domestic • Theft of money from the companyaccounts • Theft of money from employee accounts • Theft of customer information • Identity theft • Theft of national security secrets

  18. 10 Tips for Phishing Prevention • Never give out personal, financial or other sensitive information to anyone who requests • Be suspicious of email requesting sensitive information • Don’t click on links embedded in an email • Enter a fake password when prompted; legitimate website will not accept fake • Don’t fill out forms asking for sensitive information. Use secure website only.

  19. The other 5…….. • Keep your browser and operating systems up to date • Regularly verify all charges on credit card and bank statements • Always use updated antivirus and firewall software • When in doubt, check authenticity • Notify www.ftc.org and the internet crime complaint center www.ic3.gov if you think you are a victim to an attack

  20. Phishing Forecast for 2013 • Phishing Via Mobile- directly attacking smartphone users • Phishing Via Apps- attacking through installation of malicious apps • Phishing Via Social Media- in 2010 social media attacks comprised of 8.3% of total, by end of 2011 it was 84.5% Have strong IT and Computer Usage Policy!

  21. False Billing & Phone Scams False Billing- targets businesses by telephone, mail, email and fax. The scammer will supply you with an invoice for products or services you have not ordered or received hoping it will be paid on receipt with no investigation. • Mid to large businesses are targeted hoping smaller invoices are processed for payment without review • Many false billing scams begin with telephone call to get key names and contacts and details about company • Information helps scammer create invoice including names, account numbers for services ordinarily used.

  22. Variations of Billing & Phone Scams Advertising & Directory Listing (Yellow Pages renewal) • Billing for unauthorized listing or ad (print or web) • Proposal disguised as agreement or invoice • You think you are responding to free offer or renewal • Use of existing company names & logo to look real Fax Back Scams • Unsolicited fax offering great deals and discounts on products, services, trips • High cost of fax reply buried in print or not listed. • Premium fax rates can cost up to $10 / minute.

  23. Scams continued…….. Office Supplies or Mystery Supplies Scam • Invoice for supplies never ordered, never received or were not what you thought them to be • Recent scammer cleared $700K sending invoices to companies for fluorescent light bulbs never received • Send unordered supplies at inflated rates or low quality supplies. This is usually preceded with a fax to confirm order. Employee signs and sends back • This is used a proof of order to collect payment

  24. Demand for Payment • Receive letter demanding payment for products or services never received or an unverifiable debt • Official letterhead (agency, attorney, debt collector) • A case number is assigned to alleged debt • Written as if it were a court case • Request comes from 3rd party who has taken over debt or claims to be pursuing debt on behalf • Threats of further interest and penalties • Pay by this date or else……..

  25. Demand for Payment

  26. The Health Dept. is Calling..... • Receive call from “State Health Dept.” or DOA • Inform restaurant of complaint and visit today • Will attempt to persuade employee to provide personal and/or credit information for ID theft and fraud • Variation- will ask employee to enter a five digit verification code to confirm appointment in a subsequent call. This allows scammer to set up a fraudulent Craigslist or an online auction house account verified to your restaurant phone number. • Variation- other scammers claim to be IT techs or from the bank requesting credit card info as system is “down”

  27. Point of Sale Scams • Confuses cashier during transaction • Use of social engineering like a Phish • Asks for change of $20 and leaves with $30 • Have policy on making change; double count, don’t be rushed Counterfeit Money • Best line of protection- UV machine or cash verification tower • $5.00 bills washed, print $100’s • Review security features on all bills $20 and above.

  28. Credit Card / Gift Card Fraud • Never hand key any credit card transaction, especially for sale of gift cards. • Get swipe and signature for any transaction over your designated threshold ($25.00?) • Remove remaining balances from all gift cards linked to a charge back transaction • Establish credit card acceptance policy including a loss prevention training element • Identify areas or groups of stores with highest % of fraud to develop a targeted response. • Do not transfer balances from one gift card to another

  29. No Scams Here…… • Employee Training • Create eTraining platform (embedded) • Micro-games • Provide Internet access resources • New hire awareness module • Specific cash and credit card procedures Establish Company Hotlines for verification • Documented procedures and protocols with real time access to assist in decision making process • Ops / LP / IT / Acct. contact during business hours • When in doubt- Just say “No” and call supervisor

  30. Integrate For Success • Develop and lead a multi-departmental partnership to combat fraud and scams across all levels of your company or organization • Provide awareness and response directives for each department or “impact” area • Work directly with A/P to ensure; • Invoices are verified by department • Purchasing guidelines were followed • There is a new vendor approval process • Suspicious invoices are reviewed, create checklist • Systems in place to prevent duplicate invoices

  31. If you have been scammed… • Notify appropriate law enforcement agencies • Send alert to other departments or restaurants to prevent/minimize other losses • Alert your Loss Prevention/Security peers if applicable and/or approved by your company • Review scam to determine areas in need of retraining or possible internal dishonesty

  32. Thank You!

More Related