
Trends in the Current Fraud Environment




Presentation Transcript


  1. Trends in the Current Fraud Environment
     Carolina’s Cash Adventure
     May 17th │ Myrtle Beach, SC

  2. Alarming Newspaper Headlines
     Police arrest 19 in $10m online banking heist [1]. The gang used malicious software to access people's bank log-in details.
     37 'Money Mules' Arrested [2]. 21 separate cases tied to global fraud schemes.
     Arrests are piling up in a massive check fraud scheme [3].
     Cyber criminals managed to steal almost $600,000 from Brigantine City, New Jersey, via fraudulent wire transfers [4].
     Sources: 1 – Reuters 9/29/10; 2 – WWW.BankInfoSecurity 9/30/10; 3 – www.wrdw.com 4/21/10; 4 – www.softpedia.com 10/4/10

  3. Expected Top Fraud Trends for 2011
     • Check Fraud
     • Corporate Account Takeover
     • Attacks via Vendor (3rd party) managed services
     • Mobile Devices (Smartphones / PDAs)

  4. Check Fraud

  5. Checks are the dominant payment form targeted by fraudsters
     In 2010, 93 percent of affected organizations reported their checks had been targeted
     Chart: Types of Fraud Resulting from Using Checks

  6. Fraudsters target checks due to the inherent lack of security
     Fraudsters have easy access to paper, printers and scanners to create phony checks with detailed personal banking information obtained from stolen paper or electronic image items
     • Fraudster steals checks (post office, lockbox, online banking, company)
     • Washes the check and changes payee information and/or amount
     • “Mule” cashes the check, or opens a bank account with fraudulent credentials and deposits or cashes the check
     • Technology allows for capture of check images and authorized signatures
     • With online access, fraudsters can review check issue patterns to take advantage of payment cycles

  7. Check fraud schemes continue to evolve and vary in their level of complexity
     • New Business Account
       • Fraudster steals checks (post office, lockbox, online banking, company)
       • Fraudster obtains new business credentials that are the same as or similar to the check by going to official sites
       • Bank account is opened and checks deposited
       • Funds withdrawn via various methods
     • Refund Scams
       • Customer writes company a check for deposit on a new service. Could include overpayment, such as $550 for a $50 deposit fee
       • Customer calls up and cancels the service or asks for the “accidental” overpayment to be returned
       • Company gives customer a $500 check for the overpayment
       • Initial deposit gets returned days later as counterfeit

  8. Corporate Account Takeover

  9. Cyber-thieves gain control of bank accounts by stealing valid online banking credentials, resulting in Corporate Account Takeover
     • Credentials are stolen through malware that is installed on a computer through various means
       • Infected documents and links sent through email
       • Clicking on a document, video, or photo that is posted on a legitimate website but initiates a malware download
       • Using an infected flash drive
     • Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions

  10. “Phishing” attacks illegally solicit victims’ personal information with official-looking requests
      1. A malicious threat arrives (email, website, offer)
      2. The user takes an action that makes him or her vulnerable to an information compromise (opens an email, visits a fake web site, clicks on an offer)
      3. The user is prompted for confidential information
      4. The user responds and compromises confidential information
      5. The confidential information is transmitted to the phisher
      6. The confidential information is used to impersonate the user
      7. The phisher engages in fraud using the compromised information [1]
      Source: 1 – www.sunbelt-software.com

  11. Current focus is on small and medium-sized businesses, as larger businesses have implemented security measures
      • Typical Scenario:
        • Fraudster gains client login credentials
        • Perpetrator monitors legitimate user usage for a period of time prior to executing ACH/Wire transactions
        • Schedules transfers to accomplices at recipient banks or to unwitting “money mules” used for the express purpose of receiving and laundering these funds
      • Examples
        • Payroll Payments – Fraudster accesses payroll files and manipulates the payment information
          • Changes recipient deposit account information
          • Adds fictitious associate(s) and adds payment(s)
          • Initiates payroll payments off-cycle to avoid daily limits
        • Recurring Payments – Fraudster manipulates ACH Batch or Wire Transfer templates to direct funds to alternate account(s) in the US for ACH and US/International for Wire Transfer

  12. Vendor Services & Mobile Fraud

  13. Services and technologies that are designed to help companies can also provide additional fraud risk
      Businesses that outsource their transactional network servers and/or services (e.g., reporting services, payroll, accounts payable, etc.) must ensure those vendors maintain acceptable security levels
      • Reliance on third-party or outsourcer security may present increased vulnerability to access by fraudsters
      • Controls for identifying access to shared information and log-ins are managed beyond your four walls
      • Potential losses and recovery need to include the vendor, impacting fraud recovery efforts
      Web-enabled mobile phones are vulnerable to similar types of worms and viruses as computers
      • Mobile Banking (Text, Deposits, and Positive Pay) has created convenient access from your mobile device; unfortunately this has also created new ways for fraudsters to gain access to your information
      • Multiple devices and carriers have created variability in technology offerings, requiring security that addresses all carriers and systems
      • Mobile security is still evolving with no defined industry standard, and what works today may not work tomorrow

  14. Fraud Prevention – Best Practices

  15. Security needs must be balanced against client expectations for anytime, anywhere banking services
      Securing Online Transactions
      • Carry out all online banking activities from a stand-alone computer
      • Dedicate one workstation for payment initiation and a different workstation for release functions
      • Utilize Multi-factor Authentication: something you know (password) and something you have (token, One Time PINs)
      • Implement Dual Control and Dual Administration within your payment applications
        • An individual user should never have initiation and release capabilities for the same transaction
        • Each application entitlement-related action should be approved by a second administrator
      • Prohibit shared user names and passwords and avoid using automatic login features that save usernames and passwords
      • Install and maintain anti-virus, anti-malware and anti-spyware applications, and operating system patches
      • Never access online banking via Internet cafes, public libraries or open Wi-Fi hotspots
      • Report suspicious transaction activity to your bank and the authorities immediately

  16. Fraud prevention considerations for Check
      Best Practices
      • Reconcile accounts on a daily basis
      • Segregate internal duties for financial activities (Audit/Control)
      • Consider migration from Check Payments to Electronic Payment Products
      • Become fraud focused on inquiries from other banks or institutions regarding legitimacy of checks
      • Escalate suspicious activities to management team
      • Safeguard check stock and use check stock security features
      • Consider outsourcing check processing to a secured vendor
      Prevention Products
      • Positive Pay - Automate review of items before decision to Pay or Return
      • Teller Positive Pay - Integrates check decision at the teller in banking centers
      • Payee Positive Pay - Determine if payee names have been altered
      • Reverse Positive Pay - Notify bank of exception items identified on file
      • Maximum Dollar Control - Flag any check over a given dollar amount to decision
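The Positive Pay, Payee Positive Pay and Maximum Dollar Control products listed above all reduce to one exception-matching step: compare each check presented for payment against the issue file the company supplied and hand anything that does not match back for a pay/return decision. This is an added example, not code from the presentation or from any bank's product; the issue file, the presented items and the $2,500 threshold are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


# Constructed issue file: the checks the company reports having written.
ISSUED = {c.number: c for c in (
    Check(1001, Decimal("250.00"), "Acme Supplies"),
    Check(1002, Decimal("1200.00"), "Palmetto Printing"),
    Check(1003, Decimal("50.00"), "Jane Smith"),
)}
# Constructed items presented to the bank for payment.
PRESENTED = [
    Check(1001, Decimal("250.00"), "Acme Supplies"),  # clean match
    Check(1002, Decimal("1200.00"), "John Doe"),      # payee washed
    Check(1003, Decimal("5000.00"), "Jane Smith"),    # amount altered
    Check(1004, Decimal("300.00"), "Cash"),           # never issued
    Check(1001, Decimal("250.00"), "Acme Supplies"),  # presented twice
]
MAX_DOLLAR = Decimal("2500.00")  # Maximum Dollar Control threshold (constructed)

def positive_pay_exceptions(issued, presented, max_dollar=MAX_DOLLAR):
    """Return (check number, reasons) for each item that needs a pay/return decision."""
    exceptions = []
    seen = set()
    for item in presented:
        reasons = []
        issue = issued.get(item.number)
        if issue is None:
            reasons.append("not on issue file")  # Positive Pay
        else:
            if issue.amount != item.amount:
                reasons.append("amount altered")  # Positive Pay
            if issue.payee.casefold() != item.payee.casefold():
                reasons.append("payee altered")  # Payee Positive Pay
        if item.number in seen:
            reasons.append("duplicate presentment")
        if item.amount > max_dollar:
            reasons.append("over maximum dollar")  # Maximum Dollar Control
        seen.add(item.number)
        if reasons:
            exceptions.append((item.number, ", ".join(reasons)))
    return exceptions
```

The clean first item produces no exception; every other constructed item is held for the company to decide, which is the daily review the Best Practices column asks for.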

  17. Fraud prevention considerations for ACH & Wire
      • Separate duties and auditing responsibilities across user credentials to provide additional security within the cash management system
      • Set individual user limits appropriate for the payment and the user
        • Maximum dollar amount per transaction for initiating and approving wires / ACH
        • Maximum daily cumulative dollar amount of all wires initiated and/or approved
      • Review ACH and Wire Transfer procedures on a regular basis and ensure that user credentials are updated and maintained to represent appropriate needs
      • Use Repetitive Wire Templates to eliminate manual intervention and manipulation
      • Implement ACH Blocks to block incoming ACH transactions from posting to your accounts
      • Use ACH Positive Pay to monitor and control ACH transactions before they post to the bank account and allow transaction acceptance or rejection in real time
      • Apply ACH Authorization Service to post only incoming ACH items from “authorized” trading partners
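The dual-control rule from the Securing Online Transactions slide and the per-user limits and repetitive templates from this slide can be enforced together at the moment a payment is released; the template check is what catches the template manipulation described in the Corporate Account Takeover examples. This is an added example, not code from the presentation or from any cash management system; the user names, limits, template names, account numbers and sample payments are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    pay_id: str
    amount: Decimal
    initiator: str
    approver: str
    template: str     # repetitive wire/ACH template the payment was built from
    beneficiary: str  # account the funds are actually directed to


# Constructed entitlements: (per-transaction limit, daily cumulative limit) per user.
LIMITS = {"alice": (Decimal("10000"), Decimal("25000")),
          "bob": (Decimal("10000"), Decimal("25000"))}
# Constructed repetitive templates: template name -> beneficiary account on file.
TEMPLATES = {"PAYROLL": "ACCT-111", "RENT": "ACCT-222"}

# Constructed release requests used in the checks below.
LEGIT = Payment("P1", Decimal("9000"), "alice", "bob", "PAYROLL", "ACCT-111")
SELF_RELEASE = Payment("P2", Decimal("5000"), "alice", "alice", "PAYROLL", "ACCT-111")
TEMPLATE_TAMPERED = Payment("P3", Decimal("5000"), "alice", "bob", "PAYROLL", "ACCT-999")
OVER_LIMIT = Payment("P4", Decimal("12000"), "alice", "bob", "RENT", "ACCT-222")


def release_violations(payment, released_today, limits=LIMITS, templates=TEMPLATES):
    """Return the control violations for a release request; an empty list means it may go."""
    problems = []
    # Dual control: the same person never initiates and releases one payment.
    if payment.initiator == payment.approver:
        problems.append("initiator and approver are the same user")
    # Repetitive templates: the beneficiary must be the one stored on the template.
    expected = templates.get(payment.template)
    if expected is None:
        problems.append(f"unknown template {payment.template}")
    elif expected != payment.beneficiary:
        problems.append("beneficiary differs from template on file")
    # Per-user limits, checked for both the initiator and the approver.
    for role, user in (("initiator", payment.initiator), ("approver", payment.approver)):
        if user not in limits:
            problems.append(f"{role} {user} has no entitlement")
            continue
        per_txn, per_day = limits[user]
        if payment.amount > per_txn:
            problems.append(f"{role} {user} over per-transaction limit")
        used = sum((p.amount for p in released_today if user in (p.initiator, p.approver)), Decimal(0))
        if used + payment.amount > per_day:
            problems.append(f"{role} {user} over daily cumulative limit")
    return problems
```

Passing the payments already released today lets the daily cumulative limit stop the off-cycle payroll trick of splitting a large theft into several runs on the same day.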

  18. Fraud prevention considerations for Vendor Services and Mobile Technology
      Vendor Services
      • Perform a site review and engage all listed, verifiable resources to assist in decision making
      • Review internal needs and allow vendor access only to required data, and limit log-ins to limit potential breaches
      • Ask about and understand the vendor’s loss recovery processes and service level agreements currently in place
      • Do your homework – check references, awards, or company standards regarding product and data security processes and procedures to ensure a balanced risk/reward decision
      Mobile Devices
      • Choose devices carefully – select a device that provides encryption and authentication capabilities
      • Use Intrusion Prevention software
      • Control and limit third party application downloads
      • Limit Bluetooth capabilities – switch to hidden or turn off broadcast when not in use
      • Avoid using automatic login features that save usernames and passwords for online banking

  19. Employee Education

  20. There is a direct relationship between the amount of user training and the decreased number of successful fraud attacks
      User Awareness Training:
      • Don’t assume employees understand email and internet risks
      • Don’t rely only on your company’s email or intranet to inform employees of email and internet policies and procedures
      • Set rules for personal internet usage
      • Ensure that employees understand policies toward monitoring of their computer activity
      • Consider restricting the ability to load/download data on your company computers

  21. Specificity strengthens the impact of employee training; simple, straight-forward examples can be the most powerful
      Key Success Factors:
      • Show employees how to recognize threats and convey the consequences of those threats
      • Be explicit about what to look for to identify a malicious email
      • Explain that users must keep passwords in a secure place and not share them with coworkers
      • Provide frequent reports of new threats and statistics on how many viruses have been caught within your organization
      • Never turn off security protection on your computer, and stay current with updates
      • Do not use your personal computer for company business
      • Do not connect to the internet through suspect wireless networks (e.g., Wi-Fi from a café)
      • Forward suspicious emails to the company’s designated email account (include the email address)
      • Open only identifiable attachments from known sources. Financial institutions and government agencies never ask you to enter personal data, such as passwords, SSN, account numbers, etc.

  22. Two Minute Self-Assessment on Best Practices
      • Front-Door Security
        • Do you or your team use workarounds to streamline access to your bank’s portal or online applications (e.g., group sign-on with shared passwords)? Or leave passwords lying around, like a set of keys to your office?
        • Do you have an IT department, or outsource your security to a firm, that ensures all PCs engaged in your cash management activities have all the security basics deployed, and that those PCs are not operating in unprotected networks or used by other individuals?
      • Transactional Controls
        • Does your company use dual administration and mandate dual approval and segregation of responsibilities for payment activities, including template creation?
        • Does your organization use all authentication tools offered (e.g., tokens, digital certificates) and encourage your employees to register their computers?
      • Back-Door Security
        • Is a review of audit logs and bank account activity part of your department’s daily routine?
        • Does your user administrator immediately respond to changes in an employee’s job requirements by making necessary changes to user entitlements?
      • Employee Education
        • Do you have a formal employee education process — with user awareness training designed for specificity — for online security and fraud prevention? Is it refreshed annually?
        • Do all employees receive hard copies of all internet policies and procedures? Are they required to sign and date each policy?
