
Here Phishy, Phishy…

Here Phishy, Phishy… Don’t Take the Bait: Protect your Company from Payment Fraud. Neal Baker, Senior Vice President, Director of Corporate Security and Fraud Investigations, Texas Capital Bank. James Emerson, Vice President-Controller, U. S. Risk Insurance Group, Inc.


Presentation Transcript


  1. Here Phishy, Phishy… Don’t Take the Bait: Protect your Company from Payment Fraud
  Neal Baker, Senior Vice President, Director of Corporate Security and Fraud Investigations, Texas Capital Bank
  James Emerson, Vice President-Controller, U. S. Risk Insurance Group, Inc.
  Steven Bullitt, Assistant to Special Agent in Charge, United States Secret Service
  Moderator: Duane Reaves, Treasury & Liquidity Solutions, Texas Capital Bank

  2. Agenda
  • Introduction of Panelists
  • Key Messages
  • Setting the Stage
  • Magnitude of the Problem
  • Zeus Bot Confidential
  • Into the Deep: Panelists’ Experiences
  • Protections and Recommendations
  • Terms
  • Q&A

  3. Key Message
  • Fraud is here to stay… whether it is internal, external, electronic or paper-based… it is worse than you thought
  • Prevention is not just about utilizing the latest technology but involves an active application of common sense
  • Cybercrime looks like a business, walks like a business, talks like a business, and the opponents are intelligent and nimble
  • No organization is immune from internal or external fraud
  • Check fraud is still rampant; ACH fraud is on the rise as more corporations move to electronic payments; and cyber fraud has only begun

  4. Background
  • Cybercrime is widespread and mainstream…
  • Velocity of business account takeover is increasing
  • Thousands of strains of malware are delivered at a rate outpacing the ability of anti-virus software to mitigate threats on a real-time basis
  • Cyber attacks are costly, with an average cost of $18k per day and a median cost per company of $3.8 million annually
  • Cybercrime is a $70 billion industry in the U.S. with a dedicated, career-minded “workforce” forming an underground economy
  • Zeus Trojan infiltration spans 196 countries with an estimated 3.6 million infected computers in the U.S. alone, and it has already infected virtual cloud computing networks
  • Social networking is tipping the knowledge scale in favor of the “phishers”

  5. Background
  • Names in cyber news…
  • In 2009, 74,000 FTP accounts on websites of companies such as NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek were compromised
  • Zeus has sent out over 1.5 million phishing messages on Facebook
  • Zeus has spread emails purporting to be from major corporations, such as the instance of nine million from Verizon Wireless alone

  6. Background
  • Not to be outdone, non-electronic payment fraud is also a thriving business…
  • Over 90% of all attempted payment fraud today still involves checks
  • Counterfeit checks using the organization’s MICR line data are the most prevalent form of check fraud
  • Altered payee names on checks also rank very high in the incidence of fraud
  • Altered employee pay checks also score as the third most prevalent form of check fraud

  7. Magnitude of the Problem
  • You know things are bad when…
  • There are 93 Computer Crime Task Forces in the United States alone
  • The FBI had a major cyber fraud takedown called Operation Phish Phry
  • We now have a National Cyber Security Awareness Month
  • The Electronic Crimes Task Force of the U.S. Secret Service has been in existence now for 16 years

  8. Threat Environment
  [Figure: a chart ranking threats along five axes: Number of Incidents (fewer at the top, many at the bottom), Level of Sophistication (higher to lower), Pay-off (higher to lesser), Known Mitigates (fewer to more) and Barriers to Entry (greater to lesser).]
  Upper region (coordinated attacks: fewer incidents, higher sophistication, higher pay-off, fewer known mitigates, greater barriers to entry): Terrorists; Man-in-the-Browser with Zeus Bot; Organized Cyber Crime Rings; Hybrid Worms; Whaling; Hired Hackers for Corporate Espionage; Phishing; Viruses
  Lower region (more incidents, lower sophistication, lesser pay-off, more known mitigates, lesser barriers to entry): ACH Kiting; Hobbyists/Cyber Vandals; USPS and Lockbox Check Theft; Organized Crime Rings; Counterfeit and Altered Checks; Rogue Employees; Internal Theft

  9. Zeus Bot Confidential
  • Zeus is available for purchase in underground forums for $700
  • $4000 buys the latest version, and there are published “going rates” for an array of fraudulent services
  • You can get it for free, if you don’t mind pirating software... and what hacker does?
  • The software incorporates copy protection mechanisms to attempt to prevent piracy, thus illustrating the intent of the organization to run as a “business”
  • The Zeus organization is thought to operate out of the Ukraine, Latvia and other countries
  • The organization is rumored to have a “support staff” of over 500

  10. Zeus Bot Confidential (the roles)
  • Malware Coders: program software to exploit a computer vulnerability and sell it on the black market
  • Malware Exploiters: purchase malware; utilize it to steal banking credentials; launch attacks from compromised machines; transfer stolen funds
  • Money Mules: receive and transfer stolen funds; retain a percentage of the funds
  • Victims: individuals, businesses and financial institutions

  11. Zeus Bot Confidential (the cycle)
  • Email received by victim, or victim visits a legitimate website: the attachment contains malware, or a malicious script is on the website
  • Work station compromised: the victim is infected with credential-stealing software and banking credentials are stolen
  • Hacker engages: the hacker receives the banking credentials, remotes into the victim’s computer via a compromised proxy and logs into the victim’s online banking service
  • Stolen funds to mules: mules receive the stolen funds and retain a percentage
  • Money transferred to fraudulent companies; money moved offshore; money laundered
  • Cycle repeats

  12. Into the Deep-Panelists’ Experiences

  13. Fraud Awareness Checklist

  14. Fraud Awareness Checklist

  15. Fraud Awareness Checklist

  16. Fraud Awareness Checklist

  17. Fraud Awareness Checklist

  18. Fraud Awareness Checklist

  19. Fraud Awareness Checklist

  20. Key Message
  • If you don’t do anything else…
  • Never leave check stock unsecured
  • Never share passwords and user names
  • Never leave payment and reconcilement in the hands of the same individual(s)
  • Educate employees to be suspicious of emails from banks or government agencies requesting information
  • Consider standalone PCs for online banking
  • Rehearse your preparedness plan for the case that you are compromised
  • Use Positive Pay and ACH Debit Blocks
  • Always initiate ACH and wire transfers under dual control
  • Install antivirus and security software on all PCs
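Three of the controls on this slide (Positive Pay, ACH debit blocks, and dual control for ACH and wire transfers) can be illustrated in code. The example below is added here and is not part of the presentation or any bank's product: it models Positive Pay as a match of each presented check against the company's issue file (check number, payee and amount must all agree, and each number may be paid once), an ACH debit block as an allow list of authorized originators with a per-originator ceiling, and dual control as the rule that the approver must be a different, entitled user from the initiator. All checks, users and entitlements are constructed sample data.

```python
"""Added illustration of Positive Pay, ACH debit blocks and dual control.
Not the presentation's own material; all data below is constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal


def positive_pay_exceptions(issued, presented):
    """Positive Pay: the company sends its issue file to the bank; every presented
    check that does not match an issued item exactly is returned as an exception
    for the company to pay or return. Returns a list of (check, reason)."""
    issue_file = {c.number: c for c in issued}
    paid = set()
    exceptions = []
    for p in presented:
        issue = issue_file.get(p.number)
        if issue is None:
            exceptions.append((p, "not on issue file (possible counterfeit)"))
        elif p.number in paid:
            exceptions.append((p, "duplicate presentment"))
        elif issue.amount != p.amount:
            exceptions.append((p, "amount differs from issue file"))
        elif issue.payee.casefold() != p.payee.casefold():
            exceptions.append((p, "payee differs from issue file (possible alteration)"))
        else:
            paid.add(p.number)  # clean match: pay it
    return exceptions


def ach_debit_allowed(originator_id, amount, allowed_originators):
    """ACH debit block/filter: an incoming debit is honored only when the originator
    is on the allow list and the amount is within the ceiling set for it."""
    ceiling = allowed_originators.get(originator_id)
    return ceiling is not None and amount <= ceiling


class DualControlError(Exception):
    pass


def release_transfer(transfer, initiator, approver, entitlements):
    """Dual control: a wire or ACH credit is released only when the initiator and
    the approver are different users and each holds the matching entitlement."""
    if initiator == approver:
        raise DualControlError("initiator may not approve their own transfer")
    for user, role in ((initiator, "initiate"), (approver, "approve")):
        if role not in entitlements.get(user, set()):
            raise DualControlError(f"{user} lacks the '{role}' entitlement")
    return {"status": "released", "initiator": initiator, "approver": approver, **transfer}


# Constructed sample data (hypothetical payees, originators and users).
ISSUED = [
    Check(1001, "Acme Office Supply", Decimal("250.00")),
    Check(1002, "Northwind Janitorial", Decimal("1200.00")),
    Check(1003, "Payroll - J. Doe", Decimal("1850.00")),
]
PRESENTED = [
    Check(1001, "Acme Office Supply", Decimal("250.00")),        # clean
    Check(1002, "Northwind Janitorial", Decimal("12000.00")),    # amount altered
    Check(1003, "Jane Doe Consulting", Decimal("1850.00")),      # payee altered
    Check(1004, "Cash", Decimal("4900.00")),                      # counterfeit on real MICR line
    Check(1001, "Acme Office Supply", Decimal("250.00")),        # presented twice
]
ALLOWED_ORIGINATORS = {"1234567890": Decimal("5000.00")}  # e.g. the payroll provider
ENTITLEMENTS = {"alice": {"initiate"}, "bob": {"approve"}, "carol": {"initiate", "approve"}}


def exception_reasons():
    """Map check number -> reason for every Positive Pay exception in the sample."""
    return {c.number: reason for c, reason in positive_pay_exceptions(ISSUED, PRESENTED)}


if __name__ == "__main__":
    for check, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"EXCEPTION check #{check.number} {check.amount} to {check.payee}: {reason}")
    print("debit allowed:", ach_debit_allowed("1234567890", Decimal("4200.00"), ALLOWED_ORIGINATORS))
    print("debit allowed:", ach_debit_allowed("9999999999", Decimal("10.00"), ALLOWED_ORIGINATORS))
    print(release_transfer({"type": "wire", "amount": "25000.00"}, "alice", "bob", ENTITLEMENTS))
    try:
        release_transfer({"type": "wire", "amount": "25000.00"}, "carol", "carol", ENTITLEMENTS)
    except DualControlError as e:
        print("blocked:", e)
```

The check on the first `1001` presentment passes and the second is flagged as a duplicate; a counterfeit built on the company's real MICR line (`1004`) is caught because it is absent from the issue file, which is the point of Positive Pay on slide 6. Note that `carol`, who holds both entitlements, still cannot approve her own wire: the separation is between people, not roles.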

  21. Terms

  22. Terms

  23. Thank You and Be Safe! The recommendations in this document are suggestions and each company’s situation is unique. Consult appropriate advisors in implementing your fraud protection program.
