Cyber fraud Protecting your business against the current threats



Contents

3 Introduction

4 Social engineering

8 Malware

10 Network attacks

12 Conclusion

13 Further guidance

14 About the author

2 of 14

Introduction

57% of companies said they have been attacked more over the past year.1

Falling victim to a cyber fraud attack can result in major financial losses, while data breaches can severely damage customers’ trust in a company. Fraudsters can easily monetise stolen information by selling it online, and the impact of this on businesses’ reputations can be severe.

Individuals have been given increased anonymity as internet and email-based transactions have become the norm in business. Fraud, more than ever, may cover many different jurisdictions, with victims, beneficiaries and fraudsters potentially located in different countries.

This makes it difficult to investigate fraud and, crucially, very hard to recover funds. For this reason, businesses must look to prevent fraud, rather than hope to cure its consequences.

At Barclays, we are dedicated to helping you protect your business from the risks of cyber fraud attacks. This document aims to outline some of the key cyber fraud threats your business may face today, and offer guidance on how to mitigate those risks. We can’t cover every fraud risk your business may be exposed to in a single document, so this guidance is intended as a supplement to your own fraud risk management.

“Businesses must look to prevent fraud, rather than hope to cure its consequences.”

Alex Grant, Managing Director, Barclays Global Fraud Management

1 McAfee, 2016.

Social engineering

The threat of cyber fraud can seem difficult to combat, as the software used by fraudsters can be extremely complex. However, it is important to remember that most cyber fraud attacks depend heavily on human interactions – fraudsters have long identified that the easiest way to breach an organisation’s defences is to target its people, not its systems.

Social engineering is the method by which fraudsters aim to trick people into breaking normal security procedures. Fraudsters are usually looking for the victim to give up sensitive information, such as bank login details, or for them to enable malicious software to be installed onto their device. They may also trick the victim into carrying out a fraudulent payment themselves.

Fraudsters in social engineering cases often have thorough knowledge of the company to enable them to build trust with the victim. They may be aware of regular payments that are due, or of the structure of teams within your company, enabling them to impersonate internal employees.

The most common forms of social engineering for business customers are:

• Invoice fraud

• CEO Impersonation Fraud

• Phishing

• Vishing

• Smishing.

On average, a company detects 17 data loss incidents per day.2

Human error is the most common single factor that businesses see as having led to their most disruptive breach.3

2 McAfee, 2016. 3 gov.uk, 2016.

Invoice fraud

Invoice fraud occurs when a fraudster sends you an email or letter, or calls you purporting to be from a supplier/customer, and advises of a change of bank details or provides new bank details for payment. When the invoice or payment is made it is actually to an account controlled by fraudsters.

The fraud may only be discovered when the legitimate supplier follows up on non-payments.

Fraudulent letters and emails sent to companies are often well-written, meaning the fraud is difficult to spot without strong operating processes and controls in place.

Legitimate customers/suppliers can have their email accounts hacked. Fraudsters can send emails from any email address and disguise them as being sent by a recognised sender. They can even insert fake emails into existing genuine email trails.

CEO Impersonation Fraud

A variation on invoice fraud, this is when an email purporting to come from a senior official within your organisation requests a payment with bank details provided, but which has actually come from a fraudster.

Protecting your business against invoice fraud and CEO impersonation

• Be cautious of how much information you reveal about your company and key officials via social media platforms

• Make your staff aware of this threat, particularly those that make and/or process payments

• Any payment requests with new or amended bank details received by email, letter or phone should be independently verified. This includes internal emails from senior management that contain payment requests. Ensure that you validate the exact bank detail changes you should be making in full

• Consider setting up single points of contact with the companies you pay regularly

• Regularly conduct audits on your accounts

• Electronic payments in the UK are made based on sort code and account number only, and any account name given is not routinely checked, therefore independent verification is important.

Case study

A company in the property sector was required to pay their supplier over £102,000 at the end of the month. Not long before the payment was due, they received a message advising of a change of account details. The payment was duly made to the new account as instructed. A week later, the genuine supplier called to ask why they had not received their funds.

As a week had passed, there was now only £300 left in the account used by the fraudsters – the rest had been withdrawn and spent. Consequently, the company’s bank were unable to offer any assistance in recovering the funds.

“Invoice fraud can be devastating for a small business. It is important that employees are able to spot the signs of an attempt and that a strict policy is in place when making changes to payment details. This should require checking the changes with the company concerned by contacting them directly through existing contacts, as well as require a manager to check and sign off the changes.” DCI Andrew Gould, Operation Falcon, Metropolitan Police Service
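The controls for invoice fraud and CEO impersonation described above (independently verify any changed sort code or account number by calling a contact you already hold, and have a second person sign the change off) can be enforced as a payment-release gate rather than left to memory. The Python below is an added example written for this page, not Barclays’ code; the supplier register, bank details, contact number and payment request it uses are constructed sample data.

```python
"""Payment-release gate for changed bank details (added example; not Barclays' own code).
The supplier register, bank details and request below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed register of suppliers whose bank details were verified when they were set up.
# contact_on_file is the number you already hold, never one supplied in a new request.
SUPPLIER_REGISTER: Dict[str, Dict[str, str]] = {
    "acme-property": {
        "sort_code": "20-00-00",
        "account": "12345678",
        "name": "Acme Property Ltd",
        "contact_on_file": "020 7946 0000",
    },
}


@dataclass
class PaymentRequest:
    supplier_id: str
    sort_code: str
    account: str
    payee_name: str
    amount_gbp: float
    channel: str                                # "email", "letter" or "phone"
    callback_number_used: Optional[str] = None  # number actually dialled to verify the change
    verified_by: Optional[str] = None           # who made that independent call
    approved_by: Optional[str] = None           # second person who signed the change off


def gate_payment(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release, reasons). A request whose sort code or account number differs
    from the register is released only if it was verified by calling the contact on
    file and a different person has signed it off."""
    reasons: List[str] = []
    known = SUPPLIER_REGISTER.get(req.supplier_id)
    if known is None:
        return False, ["unknown supplier: onboard and verify before paying"]

    changed = req.sort_code != known["sort_code"] or req.account != known["account"]
    if not changed:
        return True, ["bank details match the verified register"]

    reasons.append(f"sort code/account differ from register (request received by {req.channel})")
    # UK electronic payments route on sort code and account number only, so a payee
    # name that matches the register proves nothing and is deliberately not used to pass.
    if req.payee_name == known["name"]:
        reasons.append("payee name matches, but names are not checked by the payment system")

    if req.callback_number_used != known["contact_on_file"]:
        reasons.append("change not verified via the contact on file; call back on the known number")
        return False, reasons
    if not req.verified_by:
        reasons.append("no record of who performed the independent verification")
        return False, reasons
    if not req.approved_by or req.approved_by == req.verified_by:
        reasons.append("second-person sign-off missing, or same person as the verifier")
        return False, reasons

    reasons.append(f"change verified by {req.verified_by} and signed off by {req.approved_by}")
    return True, reasons


if __name__ == "__main__":
    # Constructed request mirroring the case study: new details arrive by email just before
    # a £102,000 payment is due, and nobody has yet called the supplier back.
    request = PaymentRequest("acme-property", "40-00-00", "87654321",
                             "Acme Property Ltd", 102_000, "email")
    release, why = gate_payment(request)
    print("release" if release else "HOLD", "-", "; ".join(why))
```

The gate never treats a matching payee name as evidence, because the payment system does not check it either; the only thing that clears a changed sort code or account number is a recorded call to the number already on file plus a sign-off by someone other than the person who made that call.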

Phishing

Phishing involves a fraudster, posing as a legitimate source, sending emails or letters that aim to trick people into divulging sensitive information or transferring money into other accounts. The emails typically contain a link to a fake website, which will request that you enter financial information. Alternatively, emails may contain an attachment in the form of a document, form or notification.

Equally, the email may be designed to contain and deliver malware via an attachment or a link. If the link is clicked or the attachment opened, the criminal will be able to gain access to your system.

Vishing

Vishing (vocal phishing) involves a fraudster phoning a company in order to convince a member of staff to reveal sensitive company information or make a payment.

Most commonly, fraudsters make an unsolicited call pretending to be from your bank, so they can ask you to reveal confidential information or make payments to account details provided. Cases of fraudsters impersonating the CEO of the victim’s company have also been on the rise, while other tactics include impersonating the police, utility providers, delivery companies or other service providers. They may claim that your account or card has been compromised, or that a payment has been made by the business using incorrect bank details.

Caller IDs or numbers on display are relatively easy to change or spoof. Fraudsters have been known to convince people a call is genuine by getting them to cross-check the incoming call number with the official number of the bank.

Smishing

Smishing is where a fraudster targets a victim via a text purporting to be from their bank, in order to convince them to reveal sensitive financial information or transfer money into other accounts. The text often contains a phone number, which connects you to the fraudster. As with vishing, details can be spoofed, so it can seem as if the texts are coming from a legitimate source and they can even be inserted into genuine text communications with the bank.

Over 500,000 new phishing URLs were detected in Q1 2016.5

23% of recipients open phishing emails and 11% open attachments.4

4 Data Breach Investigations Report. 5 McAfee, 2016.

Case study

The accounts department at XYZ Ltd received an email instruction purporting to be from the director for a payment. The director often made payment requests this way.

When replying to the director’s email, the return address matched the director’s email exactly, providing the accounts team with assurance of its authenticity.

Two payments totalling £125,000 were made. The fraud was identified when the accounts team later called the director, who advised he knew nothing of the instruction.

Protecting your business against phishing, vishing and smishing

• Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing and can change caller display IDs to a genuine-looking number

• Never enter any personal or security information on a site accessed through a link in an email

• Never click on links or open attachments from senders you are unsure of

• If you are suspicious, terminate the call and call back using your usual contact number, and not one provided by the caller

• On sites that require you to input sensitive information, look for ‘https’ in the website address – the ‘s’ stands for ‘secure’

• Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC.

“Intelligence suggests that criminals have recently increased their focus on phishing emails purporting to be from major online retailers and internet companies, brands which a large proportion of recipients are likely to use. These emails are increasingly sophisticated and attempt to trick recipients into giving away personal or financial details, or into downloading malware.” Financial Fraud Action (FFA) UK, Year end 2016 Fraud Update

Malware

‘Malware’, short for ‘malicious software’, is used by criminals to disrupt computer operations and access confidential information. Malware can be installed into your computer through clicking a link in an email, opening an attachment to an email, or by downloading software from a malicious source.

Trojans

Trojan programs are a type of malware that enter your computer on the back of other software. They act as backdoors to the computer, granting a fraudster remote access. Once inside your device, a trojan can give a stranger access to your personal details by taking screenshots or capturing keystrokes.

When logging into online banking websites, an unexpected screen might appear, delaying you or asking you to repeatedly input data. While you are delayed by these, a fraudster could be setting up another payment elsewhere, waiting for you to unwittingly authorise it by inputting your PIN.

Trojans are hard to detect as they remain passive when not in use. Firewalls and anti-virus software help to defend against trojans, but can’t guarantee your protection. You should always be cautious of ‘pop-ups’ on your screen requesting that you put your card into the reader, input your PIN, or allow a download.

Ransomware

Ransomware enables a fraudster to gain control of your system in order to encrypt your files, demanding a fee to unlock them. Without the decryption code, it is very unlikely that you will be able to access your files again.

Though in many cases the criminals will restore files when the ransom is paid, there is no guarantee this will be the case. Hackers have been known to share stolen private customer information free of charge on the web in order to punish a company for not paying their proposed ransom.

Over half a billion malware samples were detected in Q1 2016.8

Over 5.5 million samples of ransomware counted in Q1 2016.7

24% rise in new ransomware samples in Q1 2016.6

6, 7, 8 McAfee, 2016.

Case study

A member of staff at an SME opened an email and clicked on a link that contained malware. The malware infected the computer system and encrypted all the files so that no access could be gained by members of staff. The criminals contacted the company, giving them 24 hours to pay £2,000 in bitcoin to unlock their system. The company had not backed up their files, so was particularly vulnerable. The company contacted Action Fraud, who advised them not to pay the ransom. They were then able to restore their machines, but unfortunately lost some important files due to not being fully backed up.

Protecting your business against malware

Device security

• Keep your firewalls and security software updated, setting updates to auto where possible

• Install the latest updates for your internet browser and operating system

• Only download files and software from trustworthy sources

• Be cautious of emails which ask you to follow a website link or open an attachment

• Run regular security scans on your devices

• Ensure you keep your important files backed up, stored off your network

• If your computer does get infected, disconnect from the network straight away and seek professional assistance.

Online banking

• If you have a smart card, never leave it in the reader connected to your computer

• If possible, select dual approval for making transactions, using two separate machines for setting up this authorisation

• Be wary about pop-ups for PINsentry resets when logging into online banking (your PINsentry will never need updating or resetting)

• Never remake payments to alternative account details if asked to do so

• Never enter your PIN in order to allow a download

• Never re-enter your PIN at login or while making a payment

• If you notice anything unusual on your online banking screens, abandon your banking session and tell Barclays at once.

“Malware is usually effective because it targets vulnerabilities in systems which have not been updated. It is essential that antivirus software is deployed and that systems are patched regularly to ensure the latest security updates are installed. The damage done by malware can also be reduced by making frequent backups of data which are then stored securely in a separate system or place.” DCI Andrew Gould, Operation Falcon, Metropolitan Police Service

Network attacks

As workforces have become more mobile, employees no longer always work on a single trusted network, making security more difficult.

Emails are the main communication method for most companies, yet it is often forgotten how unsecure the communications are. An email can be thought of like a postcard – it can be read as it moves across networks.

It is therefore important that sensitive information is only sent over encrypted networks. Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser.

Man-in-the-Middle Attack

There are various different types of network attack, but all require the exploitation of an unsecured network. Where the network is not encrypted, an unknown third party may intercept communications that are being sent. In a ‘Man-in-the-Middle Attack’, the attacker intercepts the network and watches the transactions between the two parties. They are then able to steal sensitive information, such as account passwords, banking details, or customer data.

A common example of a Man-in-the-Middle Attack is ‘active eavesdropping’. This is when the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones.

Figure: User – Unsecured network – Attacker with router – Web server. The attacker intercepts the network and watches the transactions between the two parties, stealing sensitive information.

Distributed Denial of Service Attack

A Distributed Denial of Service Attack (DDoS Attack) is when a hacker tries to bombard a website with traffic from multiple sources, causing the site to become overwhelmed and crash.

Attackers create a network of infected computers known as botnets by sending and spreading malware through websites, emails and social media.

Once the malware has been distributed it allows the hacker to launch an attack remotely, sometimes using a botnet of over a million different users, without their knowledge.

There are places on the Dark Web where it is possible to buy and sell botnets or individual DDoS attacks. For a small fee, a fraudster can disrupt an organisation’s online operations, causing them to lose out on sales and suffer from damage to their reputation.

Figure: Attacker – Controller – Zombies – Victim.

1/3 of all downtime incidents are attributed to DDoS attacks.9

Protecting your business against network attacks

• Use a Virtual Private Network (VPN) for remote access. VPNs add privacy and security to public networks and are used by corporations to protect sensitive data

• In the absence of a VPN, avoid unknown public Wi-Fi sources and only use trusted secure connections

• On sites that require you to input sensitive information, look for ‘https’ at the beginning of the website URL – the ‘s’ stands for ‘secure’

• Ensure there is a padlock symbol in the URL address bar – this shows that your connection is secure

• Configure routers to halt more simple attacks by stopping invalid IP addresses

• Use intrusion-detection systems (IDS), which can provide some protection against valid protocols being used against you in an attack

• Invest in DDoS mitigation appliances, which can help to block illegitimate traffic to your website

• Consider buying excess bandwidth that can handle spikes in demand. Alternatively, use an outsourced provider where you can buy services on demand, such as burstable circuits that provide more bandwidth when you require it.

9 Verisign/Merril Research, 2015.
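The router advice above (“stopping invalid IP addresses”) is usually implemented as source-address filtering at the network border. As an added illustration that is not from the Barclays page, the Python below applies the standard checks: on the internet-facing interface it drops packets whose source is private, reserved or one of your own public addresses (none of which can legitimately arrive from outside), and on the internal interface it drops anything not carrying an internal address, so your own machines cannot be used to send spoofed traffic as the ‘zombies’ described in the DDoS section. It is IPv4-only, and the prefixes, interface names and sample packets are constructed for the example.

```python
"""Source-address sanity filter for a border router (added example; not Barclays' code).
IPv4 only; the prefixes, interface names and sample packets are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed addressing plan (documentation/private ranges, not real infrastructure).
OWN_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # the range we announce to the internet
OWN_LAN_PREFIX = ipaddress.ip_network("10.20.0.0/16")       # where our internal hosts live

# Source addresses that can never legitimately arrive from the internet ("bogons"):
# unspecified, private, shared-address, loopback, link-local, multicast and reserved space.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def check_source(src: str, iface: str) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` seen on interface `iface` is allowed.
    'wan' is the internet-facing side (ingress filtering); 'lan' is the internal side
    (egress filtering, so our own hosts cannot be used to send spoofed traffic)."""
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        return False, "IPv4-only example: other versions dropped"
    if iface == "wan":
        for net in BOGON_SOURCES:
            if addr in net:
                return False, f"bogon source {net} arriving from the internet"
        if addr in OWN_PUBLIC_PREFIX:
            return False, "external packet claims our own public prefix: spoofed"
        return True, "plausible external source"
    if iface == "lan":
        if addr not in OWN_LAN_PREFIX:
            return False, "internal host sending with a foreign source address: spoofed"
        return True, "internal source"
    return False, f"unknown interface {iface!r}"


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Apply check_source to (src, iface) pairs; returns (src, iface, allowed, reason)."""
    return [(src, iface, *check_source(src, iface)) for src, iface in packets]


# Constructed sample traffic: one legitimate external packet, one private-source packet
# from the internet, one that spoofs our own prefix, one normal internal packet and one
# internal host trying to send with someone else's address.
SAMPLE_PACKETS = [
    ("8.8.8.8", "wan"),
    ("192.168.1.10", "wan"),
    ("203.0.113.9", "wan"),
    ("10.20.5.6", "lan"),
    ("1.1.1.1", "lan"),
]


def dropped_count(packets: Iterable[Tuple[str, str]] = SAMPLE_PACKETS) -> int:
    """Number of packets the filter rejects."""
    return sum(1 for _, _, allowed, _ in filter_packets(packets) if not allowed)


if __name__ == "__main__":
    for src, iface, allowed, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:3} {src:15} {'ALLOW' if allowed else 'DROP ':5} {reason}")
```

Running it over the sample traffic drops three of the five packets. The same two rule sets are what a real router applies in its ingress and egress access lists; this script only models the decision so the logic can be read and tested.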

Conclusion

Opportunities for cyber attacks are sure to grow in the coming years, with McAfee’s predictions forecasting a vast increase in cyber usage.

44 zettabytes of data in 2020 (compared to 8.8 zettabytes in 2015)

24.4 billion IP-connected devices by 2019 (compared to 16.3 billion in 2015)10

5.9 billion smartphone connections in 2020 (compared to 3.3 billion in 2015)

200 billion connected devices are expected to be in use by 2020

Being stringent about cyber security can fall by the wayside when running a business – the return on investment is difficult to quantify, as success lies in the avoidance of loss. Ensuring that your company has good cyber hygiene will help to keep you safe from fraudsters.

Keep your software updated

Investing in up-to-date cyber-defence software is imperative to protecting your business from the financial and reputational consequences of cyber fraud. You should also ensure that your internet browsers are updated to the most recent versions. Testing your own controls to ensure they are operating as appropriate will also enable you to identify system weaknesses before fraudsters get to exploit them. Always ensure that important files are backed up to a removable hard drive disk or to the cloud.

Your people are a weakness and a defence

Raising awareness of fraud within your company is key to its prevention. Ensuring that employees who can authorise payments are aware of potential threats will lessen your chances of a cyber fraud attack succeeding.

It is important to create a culture in your company where employees are encouraged to report fraud threats, so they do not feel they need to hide a breach they may have been unwittingly involved in.

Please share our fraud awareness videos with your payment teams – these can be found at barclayscorporate.com/fraudawareness

10 McAfee, 2015.

Further guidance

Further resources:

www.actionfraud.police.uk

www.barclayscorporate.com/fraudawareness

www.consilium.europa.eu

www.getsafeonline.org

www.gov.uk/government/policies/cyber-security

The Little Books of Big Scams – Business Edition (Metropolitan Police)

If you have any queries, please speak to your Relationship Director.

If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on 0330 156 0155.* Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.

*Lines are open Monday to Friday, 8am to 7pm. To maintain a quality service we may monitor or record phone calls.

About the author

Alex Grant Managing Director Barclays Global Fraud Management

Alex is global lead for Strategy and Analytics covering all fraud types in both transaction and lending fraud, from consumer cards through to unauthorised trading in the Investment Bank. Over the past seven years Alex has been the Money Laundering Reporting Officer for the Retail Bank, and has led the UK and Europe’s Operational Risk and Fraud functions, focusing on Global Retail Banking Fraud.

Alex is also a member of the Joint Fraud Taskforce, a Government led initiative that aims to drive down the number of fraud victims within the UK.

The views expressed in this report are the views of the author, and do not necessarily reflect the views of Barclays Bank PLC nor should they be taken as statements of policy or intent of Barclays Bank PLC. Barclays Bank PLC takes no responsibility for the veracity of information contained in the author’s narrative and no warranties or undertakings of any kind, whether expressed or implied, regarding the accuracy or completeness of the information given. Barclays Bank PLC takes no liability for the impact of any decisions made based on information contained and views expressed in the author’s guides or articles.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.

April 2017. BD05443.

barclayscorporate.com
