Contents

3  Introduction
4  Social engineering
8  Malware
10 Network attacks
12 Conclusion
13 Further guidance
14 About the author

2 of 14
Introduction

Falling victim to a cyber fraud attack can result in major financial losses, while data breaches can severely damage customers’ trust in a company. Fraudsters can easily monetise stolen information by selling it online, and the impact of this on businesses’ reputations can be severe.

Individuals have been given increased anonymity as internet and email-based transactions have become the norm in business. Fraud, more than ever, may cover many different jurisdictions, with victims, beneficiaries and fraudsters potentially located in different countries.

This makes it difficult to investigate fraud and, crucially, very hard to recover funds. For this reason, businesses must look to prevent fraud, rather than hope to cure its consequences.

At Barclays, we are dedicated to helping you protect your business from the risks of cyber fraud attacks. This document aims to outline some of the key cyber fraud threats your business may face today, and offer guidance on how to mitigate those risks. We can’t cover every fraud risk your business may be exposed to in a single document, so this guidance is intended as a supplement to your own fraud risk management.

57% of companies said they have been attacked more over the past year [1]

“Businesses must look to prevent fraud, rather than hope to cure its consequences.”
Alex Grant, Managing Director, Barclays Global Fraud Management

[1] McAfee, 2016.
Social engineering

The threat of cyber fraud can seem difficult to combat, as the software used by fraudsters can be extremely complex. However, it is important to remember that most cyber fraud attacks depend heavily on human interactions – fraudsters have long identified that the easiest way to breach an organisation’s defences is to target its people, not its systems.

Social engineering is the method by which fraudsters aim to trick people into breaking normal security procedures. Fraudsters are usually looking for the victim to give up sensitive information, such as bank login details, or for them to enable malicious software to be installed onto their device. They may also trick the victim into carrying out a fraudulent payment themselves.

Fraudsters in social engineering cases often have thorough knowledge of the company to enable them to build trust with the victim. They may be aware of regular payments that are due, or of the structure of teams within your company, enabling them to impersonate internal employees.

The most common forms of social engineering for business customers are:
• Invoice fraud
• CEO Impersonation Fraud
• Phishing
• Vishing
• Smishing.

On average, a company detects 17 data loss incidents per day [2]

Human error is the most common single factor that businesses see as having led to their most disruptive breach [3]

[2] McAfee, 2016. [3] gov.uk, 2016.
Invoice fraud

Invoice fraud occurs when a fraudster sends you an email or letter, or calls you purporting to be from a supplier/customer, and advises of a change of bank details or provides new bank details for payment. When the invoice or payment is made it is actually to an account controlled by fraudsters.

The fraud may only be discovered when the legitimate supplier follows up on non-payments.

Fraudulent letters and emails sent to companies are often well-written, meaning the fraud is difficult to spot without strong operating processes and controls in place.

Legitimate customers/suppliers can have their email accounts hacked. Fraudsters can send emails from any email address and disguise them as being sent by a recognised sender. They can even insert fake emails into existing genuine email trails.

CEO Impersonation Fraud

A variation on invoice fraud, this is when an email purporting to come from a senior official within your organisation requests a payment with bank details provided, but which has actually come from a fraudster.

Protecting your business against invoice fraud and CEO impersonation
• Be cautious of how much information you reveal about your company and key officials via social media platforms
• Make your staff aware of this threat, particularly those that make and/or process payments
• Any payment requests with new or amended bank details received by email, letter or phone should be independently verified. This includes internal emails from senior management that contain payment requests. Ensure that you validate the exact bank detail changes you should be making in full
• Consider setting up single points of contact with the companies you pay regularly
• Regularly conduct audits on your accounts
• Electronic payments in the UK are made based on sort code and account number only, and any account name given is not routinely checked, therefore independent verification is important.

Case study
A company in the property sector was required to pay their supplier over £102,000 at the end of the month. Not long before the payment was due, they received a message advising of a change of account details. The payment was duly made to the new account as instructed. A week later, the genuine supplier called to ask why they had not received their funds.

As a week had passed, there was now only £300 left in the account used by the fraudsters – the rest had been withdrawn and spent. Consequently, the company’s bank were unable to offer any assistance in recovering the funds.

“Invoice fraud can be devastating for a small business. It is important that employees are able to spot the signs of an attempt and that a strict policy is in place when making changes to payment details. This should require checking the changes with the company concerned by contacting them directly through existing contacts, as well as require a manager to check and sign off the changes.”
DCI Andrew Gould, Operation Falcon, Metropolitan Police Service
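The payment-detail-change controls above (independent verification through existing contacts, and manager sign-off) written out as a release check, as an added example that is not code from the guide or from Barclays. The supplier record, the instruction, the sort codes and the phone numbers are all constructed sample values.

```python
"""Added example, not code from the Barclays guide: a release check for supplier
payment instructions. A new or amended sort code / account number is treated as
a new payee and is released only if the change was confirmed by calling the
supplier on the number already on file (never one supplied with the request)
and a manager signed it off. All values below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def digits(value: str) -> str:
    """Keep digits only, so '01-02-03' and '010203' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


@dataclass
class Supplier:
    name: str
    sort_code: str
    account_number: str
    phone_on_file: str  # recorded at onboarding, independent of any later message


@dataclass
class Instruction:
    supplier: str
    sort_code: str
    account_number: str
    amount_gbp: float
    callback_number: Optional[str] = None  # number the clerk actually dialled
    callback_confirmed: bool = False       # supplier confirmed the change on that call
    manager_signoff: Optional[str] = None  # who approved the payee change


def details_changed(supplier: Supplier, instr: Instruction) -> bool:
    # UK payments route on sort code and account number only; the payee name is
    # not routinely checked, so these two fields decide whether this is a new payee.
    return (digits(instr.sort_code) != digits(supplier.sort_code)
            or digits(instr.account_number) != digits(supplier.account_number))


def release_check(supplier: Supplier, instr: Instruction) -> Tuple[bool, List[str]]:
    """Return (release_allowed, findings) for one payment instruction."""
    if not details_changed(supplier, instr):
        return True, ["bank details match the supplier master record"]
    findings = ["bank details differ from master record: treat as a new payee"]
    if instr.callback_number is None or digits(instr.callback_number) != digits(supplier.phone_on_file):
        findings.append("change not verified on the contact number held on file")
    elif not instr.callback_confirmed:
        findings.append("supplier did not confirm the change on callback")
    if not instr.manager_signoff:
        findings.append("manager sign-off missing for payee detail change")
    return len(findings) == 1, findings


# Constructed sample mirroring the case study: new details arrive just before a
# large payment falls due. The hasty clerk rang the number quoted in the message.
SUPPLIER = Supplier("Acme Builders Ltd", "01-02-03", "12345678", "020 7946 0000")
HASTY = Instruction("Acme Builders Ltd", "04-05-06", "87654321", 102000.0,
                    callback_number="020 7946 0999")
VERIFIED = Instruction("Acme Builders Ltd", "04-05-06", "87654321", 102000.0,
                       callback_number="020 7946 0000", callback_confirmed=True,
                       manager_signoff="finance.manager")
```

Calling release_check(SUPPLIER, HASTY) returns a hold with three findings, while the VERIFIED instruction is released with the single note that the payee changed.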
Phishing

Phishing involves a fraudster, posing as a legitimate source, sending emails or letters that aim to trick people into divulging sensitive information or transferring money into other accounts. The emails typically contain a link to a fake website, which will request that you enter financial information. Alternatively, emails may contain an attachment in the form of a document, form or notification.

Equally, the email may be designed to contain and deliver malware via an attachment or a link. If the link is clicked or the attachment opened, the criminal will be able to gain access to your system.

Vishing

Vishing (vocal phishing) involves a fraudster phoning a company in order to convince a member of staff to reveal sensitive company information or make a payment.

Most commonly, fraudsters make an unsolicited call pretending to be from your bank, so they can ask you to reveal confidential information or make payments to account details provided. Cases of fraudsters impersonating the CEO of the victim’s company have also been on the rise, while other tactics include impersonating the police, utility providers, delivery companies or other service providers. They may claim that your account or card has been compromised, or that a payment has been made by the business using incorrect bank details.

Caller IDs or numbers on display are relatively easy to change or spoof. Fraudsters have been known to convince people a call is genuine by getting them to cross-check the incoming call number with the official number of the bank.

Smishing

Smishing is where a fraudster targets a victim via a text purporting to be from their bank, in order to convince them to reveal sensitive financial information or transfer money into other accounts. The text often contains a phone number, which connects you to the fraudster. As with vishing, details can be spoofed, so it can seem as if the texts are coming from a legitimate source and they can even be inserted into genuine text communications with the bank.

Over 500,000 new phishing URLs were detected in Q1 2016 [5]

23% of recipients open phishing emails and 11% open attachments [4]

[4] Data Breach Investigations Report. [5] McAfee, 2016.
Protecting your business against phishing, vishing and smishing
• Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing and can change caller display IDs to a genuine-looking number
• Never enter any personal or security information on a site accessed through a link in an email
• Never click on links or open attachments from senders you are unsure of
• If you are suspicious, terminate the call and call back using your usual contact number, and not one provided by the caller
• On sites that require you to input sensitive information, look for ‘https’ in the website address – the ‘s’ stands for ‘secure’
• Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC.

Case study
The accounts department at XYZ Ltd received an email instruction purporting to be from the director for a payment. The director often made payment requests this way.

When replying to the director’s email, the return address matched the director’s email exactly, providing the accounts team with assurance of its authenticity.

Two payments totalling £125,000 were made. The fraud was identified when the accounts team later called the director, who advised he knew nothing of the instruction.

“Intelligence suggests that criminals have recently increased their focus on phishing emails purporting to be from major online retailers and internet companies, brands which a large proportion of recipients are likely to use. These emails are increasingly sophisticated and attempt to trick recipients into giving away personal or financial details, or into downloading malware.”
Financial Fraud Action (FFA) UK, Year End 2016 Fraud Update
Malware

‘Malware’, short for ‘malicious software’, is used by criminals to disrupt computer operations and access confidential information. Malware can be installed into your computer through clicking a link in an email, opening an attachment to an email, or by downloading software from a malicious source.

Trojans

Trojan programs are a type of malware that enter your computer on the back of other software. They act as backdoors to the computer, granting a fraudster remote access. Once inside your device, a trojan can give a stranger access to your personal details by taking screenshots or capturing keystrokes.

When logging into online banking websites, an unexpected screen might appear, delaying you or asking you to repeatedly input data. While you are delayed by these, a fraudster could be setting up another payment elsewhere, waiting for you to unwittingly authorise it by inputting your PIN.

Trojans are hard to detect as they remain passive when not in use. Firewalls and anti-virus software help to defend against trojans, but can’t guarantee your protection. You should always be cautious of ‘pop-ups’ on your screen requesting that you put your card into the reader, input your PIN, or allow a download.

Ransomware

Ransomware enables a fraudster to gain control of your system in order to encrypt your files, demanding a fee to unlock them. Without the decryption code, it is very unlikely that you will be able to access your files again.

Though in many cases the criminals will restore files when the ransom is paid, there is no guarantee this will be the case. Hackers have been known to share stolen private customer information free of charge on the web in order to punish a company for not paying their proposed ransom.

Over half a billion malware samples were detected in Q1 2016 [8]

Over 5.5 million samples of ransomware counted in Q1 2016 [7]

24% rise in new ransomware samples in Q1 2016 [6]

[6], [7], [8] McAfee, 2016.
Protecting your business against malware

Device security
• Keep your firewalls and security software updated, setting updates to auto where possible
• Install the latest updates for your internet browser and operating system
• Only download files and software from trustworthy sources
• Be cautious of emails which ask you to follow a website link or open an attachment
• Run regular security scans on your devices
• Ensure you keep your important files backed up, stored off your network
• If your computer does get infected, disconnect from the network straight away and seek professional assistance.

Online banking
• If you have a smart card, never leave it in the reader connected to your computer
• If possible, select dual approval for making transactions, using two separate machines for setting up this authorisation
• Be wary about pop-ups for PINsentry resets when logging into online banking (your PINsentry will never need updating or resetting)
• Never remake payments to alternative account details if asked to do so
• Never enter your PIN in order to allow a download
• Never re-enter your PIN at login or while making a payment
• If you notice anything unusual on your online banking screens, abandon your banking session and tell Barclays at once.

Case study
A member of staff at an SME opened an email and clicked on a link that contained malware. The malware infected the computer system and encrypted all the files so that no access could be gained by members of staff. The criminals contacted the company, giving them 24 hours to pay £2,000 in bitcoin to unlock their system. The company had not backed up their files, so was particularly vulnerable. The company contacted Action Fraud, who advised them not to pay the ransom. They were then able to restore their machines, but unfortunately lost some important files due to not being fully backed up.

“Malware is usually effective because it targets vulnerabilities in systems which have not been updated. It is essential that antivirus software is deployed and that systems are patched regularly to ensure the latest security updates are installed. The damage done by malware can also be reduced by making frequent backups of data which are then stored securely in a separate system or place.”
DCI Andrew Gould, Operation Falcon, Metropolitan Police Service
Network attacks

As workforces have become more mobile, employees no longer always work on a single trusted network, making security more difficult.

Emails are the main communication method for most companies, yet it is often forgotten how insecure the communications are. An email can be thought of like a postcard – it can be read as it moves across networks.

It is therefore important that sensitive information is only sent over encrypted networks. Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser.

Man-in-the-Middle Attack

There are various different types of network attack, but all require the exploitation of an unsecured network. Where the network is not encrypted, an unknown third party may intercept communications that are being sent. In a ‘Man-in-the-Middle Attack’, the attacker intercepts the network and watches the transactions between the two parties. They are then able to steal sensitive information, such as account passwords, banking details, or customer data.

A common example of a Man-in-the-Middle Attack is ‘active eavesdropping’. This is when the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones.

[Figure: Man-in-the-Middle Attack – an attacker with a router sits on the unsecured network between the user and the web server. Caption: The attacker intercepts the network and watches the transactions between the two parties, stealing sensitive information.]
Distributed Denial of Service Attack

A Distributed Denial of Service Attack (DDoS Attack) is when a hacker tries to bombard a website with traffic from multiple sources, causing the site to become overwhelmed and crash.

Attackers create a network of infected computers known as botnets by sending and spreading malware through websites, emails and social media.

Once the malware has been distributed it allows the hacker to launch an attack remotely, sometimes using a botnet of over a million different users, without their knowledge.

There are places on the Dark Web where it is possible to buy and sell botnets or individual DDoS attacks. For a small fee, a fraudster can disrupt an organisation’s online operations, causing them to lose out on sales and suffer from damage to their reputation.

[Figure: DDoS attack – Attacker, Controller, Zombies, Victim]

1/3 of all downtime incidents are attributed to DDoS attacks [9]

[9] Verisign/Merrill Research, 2015.

Protecting your business against network attacks
• Use a Virtual Private Network (VPN) for remote access. VPNs add privacy and security to public networks and are used by corporations to protect sensitive data
• In the absence of a VPN, avoid unknown public Wi-Fi sources and only use trusted secure connections
• On sites that require you to input sensitive information, look for ‘https’ at the beginning of the website URL – the ‘s’ stands for ‘secure’
• Ensure there is a padlock symbol in the URL address bar – this shows that your connection is secure
• Configure routers to halt simpler attacks by stopping invalid IP addresses
• Use intrusion-detection systems (IDS), which can provide some protection against valid protocols being used against you in an attack
• Invest in DDoS mitigation appliances, which can help to block illegitimate traffic to your website
• Consider buying excess bandwidth that can handle spikes in demand. Alternatively, use an outsourced provider where you can buy services on demand, such as burstable circuits that provide more bandwidth when you require it.
Conclusion

Opportunities for cyber attacks are sure to grow in the coming years, with McAfee’s predictions forecasting a vast increase in cyber usage.

Being stringent about cyber security can fall by the wayside when running a business – the return on investment is difficult to quantify, as success lies in the avoidance of loss. Ensuring that your company has good cyber hygiene will help to keep you safe from fraudsters.

Keep your software updated

Investing in up-to-date cyber-defence software is imperative to protecting your business from the financial and reputational consequences of cyber fraud. You should also ensure that your internet browsers are updated to the most recent versions. Testing your own controls to ensure they are operating as appropriate will also enable you to identify system weaknesses before fraudsters get to exploit them. Always ensure that important files are backed up to a removable hard disk drive or to the cloud.

Your people are a weakness and a defence

Raising awareness of fraud within your company is key to its prevention. Ensuring that employees who can authorise payments are aware of potential threats will lessen your chances of a cyber fraud attack succeeding.

It is important to create a culture in your company where employees are encouraged to report fraud threats, so they do not feel they need to hide a breach they may have been unwittingly involved in.

Please share our fraud awareness videos with your payment teams – these can be found at barclayscorporate.com/fraudawareness

44 zettabytes of data in 2020 (compared to 8.8 zettabytes in 2015)

24.4 billion IP-connected devices by 2019 (compared to 16.3 billion in 2015 [10])

5.9 billion smartphone connections in 2020 (compared to 3.3 billion in 2015)

200 billion connected devices are expected to be in use by 2020

[10] McAfee, 2015.
Further guidance

Further resources:
www.actionfraud.police.uk
www.barclayscorporate.com/fraudawareness
www.consilium.europa.eu
www.getsafeonline.org
www.gov.uk/government/policies/cyber-security
The Little Books of Big Scams – Business Edition (Metropolitan Police)

If you have any queries, please speak to your Relationship Director.

If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on 0330 156 0155.* Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.

*Lines are open Monday to Friday, 8am to 7pm. To maintain a quality service we may monitor or record phone calls.
About the author
Alex Grant, Managing Director, Barclays Global Fraud Management
Alex is global lead for Strategy and Analytics covering all fraud types in both transaction and lending fraud, from consumer cards through to unauthorised trading in the Investment Bank. Over the past seven years Alex has been the Money Laundering Reporting Officer for the Retail Bank, and has led the UK and Europe’s Operational Risk and Fraud functions, focusing on Global Retail Banking Fraud.
Alex is also a member of the Joint Fraud Taskforce, a Government led initiative that aims to drive down the number of fraud victims within the UK.
The views expressed in this report are the views of the author, and do not necessarily reflect the views of Barclays Bank PLC nor should they be taken as statements of policy or intent of Barclays Bank PLC. Barclays Bank PLC takes no responsibility for the veracity of information contained in the author’s narrative and no warranties or undertakings of any kind, whether expressed or implied, regarding the accuracy or completeness of the information given. Barclays Bank PLC takes no liability for the impact of any decisions made based on information contained and views expressed in the author’s guides or articles.
Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.
April 2017. BD05443.
barclayscorporate.com