FRAUD & CYBERCRIME HOW TO PROTECT YOUR COMPANY?
BNP PARIBAS CASH MANAGEMENT June 2018
Credit: Shutterstock
A world of fraud
1. Fraud by impersonation: a growing risk
2. Cyber-fraud: a rising threat
3. Data theft: a major risk
4. Client risk, still at stake
5. Internal fraud: most frequent cases
Headline figures (infographic): $ millions per breach; $ billions worldwide; 40% annual growth; 60% of frauds; $3.1+ bn worldwide.
Sources: PwC Economic Crime Survey 2014; Forbes, January 17th, 2016; FBI 2016 quoted by Bank Info Security; various studies incl. 2016 Nilson report; IBM & Ponemon 2015 Cost of Data Breach.
1. Impersonation fraud
The three most frequent impersonation fraud schemes: Fake CEO Scam
| 2017 | Fraud & Cybercrime 4
1. Impersonation fraud
Video: http://entreprises.bnpparibas.fr/rsc/contrib/video/dossiers/Hello_Here_Is_Your_Chairman.mp4
From: [email protected] <[email protected]>
Sent: Wednesday, December 30, 2015 at 3:44 PM
To: Kate
Subject: Confidential file
Hello Kate,
Did Mr Tim Ryan from our Law Firm contact you?
Best Regards,
John Smith
Chief Executive Officer "Sent from my iPhone"
From: Kate
Sent: Wednesday, December 30, 2015 at 3:47 PM
To: ‘[email protected]’
Subject: RE: Confidential file
Yes, I just hung up with him.
But I did not understand the purpose of his call.
Regards,
Kate
From: [email protected] <[email protected]>
Kate,
For the last months we have been working, in coordination and under the supervision of the SEC on acquiring a Chinese company... This takeover bid must remain strictly confidential, no one else needs to know for now. The public announcement of this takeover will take place Friday, January 8, 2016 in our office with the presence of the entire board.
I've chosen you for your discretion and great work within the company.
Please contact our law firm immediately ([email protected]). He will give you the bank details to make the credit transfer immediately.
Please send me the balances of the accounts.
This is very sensitive, so please only communicate with me through this email ([email protected]), in order for us not to infringe SEC regulations.
John Smith
Protect against fake CEO scam
• Awareness raising (newcomers!) and message from CEO
• Segregation of duties
• Avoid validation by fax
1. Raise your team’s awareness about fraud, cyber risks and information dissemination risks.
Hold regular sessions (do not forget newcomers, short term employees) for various staff profiles: accounting, treasury, purchasing, P.A., etc.
To raise awareness: “credit transfer fraud” training kit
1. Impersonation fraud
The three most frequent impersonation fraud schemes: Fake CEO Scam, Fake Vendor Scam
Examples of fake vendor emails:
From: [email protected], Subject: our bank account: “Dear Bob,”
From: [email protected], Subject: duplicate invoices?: “Hello Kim!”
“Hello, Please find the original version of our invoice # 029077112/ 936451. Best Regards, Shelia Bodo”
Subject lines and pretexts used: “OVERDUE INVOICE - URGENT”, “REGISTERED LETTER”
Beware of “Business Email Compromise” (BEC)
Beware of social engineering: fake clients, fake auditors, fake tax inspectors, fake public administration, fake notary...
Beware of data theft through hacking and malware
Protect against fake vendor scam
• Call-back procedure in case of bank account change
• Safe management of vendor contact details
• Focus on tier-1 vendors and foreign beneficiaries
Call-back procedure
• Apply a written call-back procedure in case of vendor detail modification
• Use safe contact details, not those contained in the notification or invoices
• Verify the email address of the request and do not check using “Reply to”
• Proceed on receipt of the notification (do not wait until you need to make the payment)
• In case of a foreign beneficiary country or the largest suppliers, use 2 channels (phone + email)
• Use local Account Check schemes (e.g. SEPAmail IBAN Check in France)
Tools: instructions to check email headers; IBAN Check
Safe administration of vendor details
• Authenticate and trace accounts and details changes (phone numbers, email address...)
• Appoint a few people authorised to modify vendor details (e.g. 2 or 3 senior accounting staff)
• Train these people regularly and make them accountable
• If necessary, set up a reference data department (in-house or outsourced)
Against invoice and data theft (protect your clients)
• Apply written call-back procedures in case of accounting information request
• Regularly raise employees’ awareness against invoice theft, BEC and malware
• Build a culture of risk (incoming call, mail, email, social network…)
Tools: SEDA (SEPA e-Database Alignment)
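One way to implement the “check email headers” and “do not check using Reply to” points of this call-back procedure, as an added example that is not code from the deck or from BNP Paribas: it parses the From, Reply-To and Return-Path headers of a request and flags a Reply-To routed elsewhere, an envelope sender that does not match, a lookalike of a domain already on file, and pressure words in the subject. The company domain, the vendor domain list and the sample message are constructed for the example.

```python
# Added example (not from the deck or BNP Paribas); domains and sample message are constructed.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: the company's own domain and vendor domains already on file.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}
PRESSURE_WORDS = ("URGENT", "OVERDUE", "CONFIDENTIAL")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (acme-supp1ies...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_headers(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    envelope_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    findings = []
    # Reply-To routed elsewhere: answering the mail reaches the fraudster, which is
    # why the call-back must use the contact details on file, never "Reply to".
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", reply_dom))
    # Envelope sender (Return-Path) that does not match the visible From header.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(("return_path_mismatch", envelope_dom))
    # Sender domain not on file but within two edits of one: a lookalike domain.
    if from_dom and from_dom not in trusted:
        for known in sorted(trusted):
            if edit_distance(from_dom, known) <= 2:
                findings.append(("lookalike_domain", f"{from_dom} ~ {known}"))
    # Pressure words typical of fake invoices ("OVERDUE INVOICE - URGENT").
    subject = str(msg.get("Subject", "")).upper()
    if any(w in subject for w in PRESSURE_WORDS):
        findings.append(("pressure_subject", subject))
    return findings

# Constructed sample: a "vendor" announces new bank details from a lookalike domain.
SAMPLE = (b"Return-Path: <bounce@mailer.example.net>\r\n"
          b"From: Shelia Bodo <accounts@acme-supp1ies.example>\r\n"
          b"Reply-To: <shelia.bodo@mailer.example.net>\r\n"
          b"To: <bob@example.com>\r\n"
          b"Subject: OVERDUE INVOICE - URGENT: our bank account\r\n\r\n"
          b"Please update our IBAN before paying invoice 12345.\r\n")
```

A finding is a reason to run the call-back on the number already in the vendor file, not a verdict; a clean result does not prove the request genuine.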
1. Impersonation fraud
The three most frequent impersonation fraud schemes: Fake CEO Scam, Fake Technician Scam, Fake Vendor Scam
An accountant receives a call… (somewhere, abroad… 0 825 000.., Germany)
“Mr Martin from BNP Paribas speaking, do you remember me? Your e-banking will be migrating to a new version, and will be unavailable for 72 hours. Could you please go to www.is.gd/migration so that I can proceed with verification. Please enter your session key 281 199 250.”
Remote support screen: “Establish Support Connection. Type your name and the support key received from your technician. Your Name: / Support Key:”
“I have the control of your PC. I’m checking the transfers… Go for a coffee if you want!”
“I’m done. Wait 3 days before using your tool: meanwhile, send your payments by paper orders.”
Account screen: - $355,087.11 (Continue)
Protect against technician scam
• Awareness raising
• Call-back procedure
• Option: RAT (1) black listing
• List of authorised countries and/or account numbers: “Secure Flows”
(1) RAT: Remote Administration Tools
1. Impersonation fraud
The three most frequent impersonation fraud schemes: Fake CEO Scam, Fake Technician Scam, Fake Vendor Scam
Beyond the financial damage, such frauds cause human trauma, layoffs and even bankruptcies.
Reported losses (figure, companies anonymous): $47m, €70m, €42m, €23m, $17m, €40m, €2m, €1,5m, €1,4m, €1,1m, $100m+, $100m, €1,6m, €15m; €1,5M on average; €0,5M on average.
1. Impersonation fraud
Fraudsters’ toolbox:
• Purchase of public documents, social networks
• Anonymous prepaid card
• Voice over IP platforms
• Voice changer software
• Remote Administration Tools, PC and e-mail hacking, fake website …
• Diversion of phone line
1. Impersonation fraud
Main countries of destination of transfers:
• Israel
• China and Hong-Kong
• SEPA zone countries
• France (intermediary bank accounts)
Countries shown on the map: Greece, Cyprus, Macedonia, Bulgaria, Slovakia, Czech Rep., Hungary, Romania, Croatia, China, Cambodia, Turkey, Hong Kong, Poland, Latvia, Estonia, Lithuania, United Kingdom, Germany, Sweden, Austria, Belgium, Spain, Netherlands, Norway, Denmark, Switzerland, Italy, Slovenia, San Marino, Singapore, Monaco, Portugal…
2. Cyber fraud: a rising threat
Frequent phishing attacks…
1. Reception of emails… or SMS
Example: “Your BNP Paribas account needs verification”
06/03/2014 07:26
Message from: “BNP Paribas” < @bnpparibas.com>
To:
Subject: BNP Paribas messages
Dear client, You have (2) new messages. Check your mailbox, by clicking on the link below: Your mailbox
2. Cyber fraud: a rising threat
2. Theft of password
3. Theft of SMS validation code … or SIM card misappropriation
Example fake page: “For security reasons, we need to check your mobile phone. You will receive an SMS code within a few minutes. Please enter your SMS code:”
Example SMS: “info: a SIM card reissuing request has been asked for your mobile contract. If you are not responsible for this request, please contact immediately the Help Desk at”
Beware of attachments (MS Office, zip…), links to documents
2. Cyber fraud: a rising threat
How a banking malware operates:
1. An employee receives an email (with an “invoice” attachment)
2. A malware installs on the PC silently
3. Propagation and data theft
4. The malware creates a beneficiary account or credit transfer
5. If needed, it asks for validation via a fake page
Bogus page (signature request at login): “To proceed with validation 1. Enter the challenge on your reader 2. Enter your PIN code 3. Enter the response and confirm. Challenge: 4702 3476” / OK
Regular login page: 12345678 / OK / “Access your accounts”
Ransomware (comic strip):
“AN EMAIL WITH URGENT ANTIVIRUS UPDATE...”
“BUT... BUT... WHAT'S THIS THING?”
“LET’S GO, I DON’T HAVE ALL DAY...”
“NO I JUST OPENED THE ATTACHMENT”
“LOOK MARK! IT SAYS MY FILES ARE ENCRYPTED, AND I MUST PAY € 300 TO DECRYPT!”
“LOOK, IT'S CALLED CRYPTOLOCKER. IS IT WHAT YOU GOT?” “UH NO...”
“DIDN’T YOU CHECK THE EMAIL SENDER?”
Ransomware alert
Protect against cyber fraud
• Awareness raising
• Segregation of duties (1)
• Frequent secured backups (2)
• Good “IT hygiene”
• … And if possible, blocking VBA attachments
(1) If possible, use offline validation (e.g. one-time password) and raise user awareness against fake validation pages
(2) Regular backup, disconnected from your IT network, regularly tested to make sure it is not encrypted
To assess your prevention: « personalized risk assessment »
3. Data theft: a major risk
Malware can steal:
• Your browsing history
• Your ids and passwords (web banking, webmail ...)
• Your credit card numbers
• Your contact information (address, phone, email ...)
• Your lists of customers and suppliers, account numbers...
This data can be sold and allow other scammers to operate:
• Credit card frauds
• Direct debit frauds
• Impersonation frauds…
3. Data theft: a major risk
Case: malware on P.O.S. machines
• Theft of data of 70+ million clients
• Global cost of $170m ($20 to 200 per client)
• CEO fired after 35 years of service
• Multiple lawsuits
Massive data theft is a major risk to utilities, telcos, large retailers, online merchants, but also to SMEs, often less protected.
• Hacking of databases (client files, bank details…)
• Espionage (secret process, pricing, RFPs…)
• Damages (paralysed servers, unusable PCs, e-commerce site defaced…)
Chart: 80% of cyber attacks, by business size (small business, medium business, large business)
3. Data theft: a major risk
Beware of fake customers, auditors, tax inspectors, public administration, surveyors, head hunters, travel agencies... and also on social networks, by phone, mail, email…
Protect against information theft
• Awareness raising (1) and culture of risk
• Authentication of correspondents (2)
• Protection of files
(1) Awareness in order to create a culture of risks, and identify sensitive information: be cautious when publishing info on social networks, over the phone, by email…
(2) Verification procedures in case of sensitive solicitations (e.g. call-back to authenticate tax authorities’ requests, etc.)
To raise awareness: “Protecting information” training kit
4. Client risk, still at stake
Example: fake client fraud
1. Order by a fake client (or a prospect)
2. Delivery at a bogus address and receipt of loaded trucks
3. Non-payment of invoices
NB: affects particularly the businesses of the agri-food industry
Example: supplier credit fraud
1. Creation of a business relationship
• Fraudster buys electronic devices from his victim
• Gradual increase in the amounts
2. Non-payment of the last delivery
• Provision of a copy of the credit transfer order
• Cancellation of the transfer order
• Materials sent abroad
• Insolvency
NB: many other client frauds: supplier credit based on false information, fake payment means (counterfeit money, loyalty card scam…)
4. Client risk: collection risks
Collection means, ordered from most trusted (+) to least trusted (-):
| Collection means | Risks (client frauds…) | Collection guarantee | Recommendation |
|---|---|---|---|
| CREDIT TRANSFER | Very low (rare cases of cancellation or dispute) | At account credit (within 24 hours) | To be favoured when possible |
| B2B DIRECT DEBIT | Very low (rare cases of cancellation or dispute) | At account credit (within 24 hours) | To be favoured when possible |
| CARD (WITH PIN OR 3D SECURE) | Low (commercial contestation up to 13 months – mostly foreign cards) | At account credit (within 24 hours) | Best solution for point of sales and e-commerce |
| STANDARD DIRECT DEBIT | Medium (repudiation within 8 weeks without motive, contestation for mandate nullity within 13 months) | After 8 weeks | For trusted clients, moderate amounts, service offering… |
| CASH | Medium (counterfeit money, theft of cash at point of sale or during transportation) | After 72 hours following the remittance to bank | Amount < €1,000 (15.000 for foreigners) |
| CARD (WITH NO PIN, AND NO 3D SECURE) | High (repudiation within 8 weeks without motive) | After 13 months | To be used with trusted clients, duly authenticated |
| CHEQUE | High (rubber cheque, cheque theft and falsification, overpayment scams…) | After 15 days* | To be used with trusted clients, duly authenticated |
| BILLS OF EXCHANGE | Medium (risk of unpaid bill and commercial dispute) | After ~ 15 days, even in case of bill discount | To be used with trusted clients only |
* Loss / theft: 8 days - Fraudulent use: 10 days - Signature not in conformity / falsification / false / irregular or missing endorsement / obligatory mention absent: 60 days - Insufficient provision: the alert for insufficient provision occurs during the presentation for payment to the sending bank, which must inform the issuer of this and invite him to regularize the position of his account. A period of 24 or 48 hours is quite commonly practiced by the banks, but the latter may last up to 7 days depending on the practices of the bank of the issuer of the cheque.
Protect against client fraud
• Upon order receipt, authenticate your client (1)
• Know and control the risks of collection means
(1) Written procedure in case of receipt of an order, request for quotation or request for opening a customer account, for example: call-back upon receipt of the order - In case of a foreign country, check by two channels - Use safe contacts, not those contained in the order, not by replying to the email - Verify the email address of the request carefully ...
Tools: SEPAmail IBAN Check, 3DSecure, Mercanet, Ethoca©, Vérifiance, SDD white and black list…
5. Internal fraud: most frequent cases
Chart (probability 5% to 20% versus average prejudice 50 K€ to 150 K€; payments versus receivables):
• Unaccounted sales
• Theft of receivables (cash, cheques, Ponzi schemes, fake discount…)
• Purchasing fraud (fake invoice, fake supplier…)
• Outgoing cheque tampering
• Payroll fraud (fake employee, fake timesheets…)
• Expense reimbursements
• Falsified transfer
• Asset theft (supply, tangible and intangible assets)
Sources: PwC 2014 Global Economic Crime Survey – Association of Certified Fraud Examiners
5. Internal fraud: most frequent cases
Theft and forgery of cheques by an employee with access to the mail
1. Misuse of cheque letters
2. Cheques’ printed item tampering
3. Cashing in on several accounts
Purchasing misappropriation by the company’s Head of IT Operations
1. Subscription of leasing contracts
• Fake delegations of authority
• Purchase of electronic devices (not related to the company’s activity)
2. Misappropriation and resale of purchased devices
• Use of bogus companies
• Passive complicity of the leasing company
Protect against internal fraud
• Accounting follow-up and bank reconciliation
• Limitation of the means of payment in circulation: Corporate Card, Purchasing Card, Virtual Card, Secured Cheque Letter©, Chèque Confiance©, Forcash©, Smart Lock Boxes…
• Procedures and segregation of duties
Protect your business: fraud is not inevitable, corporates can protect themselves
1. Train your staff regularly
• Fraud and cyber risks and information dissemination
• Accounting, treasury, purchasing, P.A., etc.
• Regular sessions (newcomers, short term employees) ...
2. Authenticate your counterparties
• CEO, vendor, technician, client
• Written procedure
• Not yielding to urgency and confidentiality
• Safe contact details!
• Check email headers!
• SEPAmail IBAN Check (in France)
3. Secure your information system
• Up-to-date OS, browser and antivirus software
• Restriction of installation rights
• Auto-execution of macros deactivated
• Protection of customer and supplier databases
• Regular backups
Find all concrete good practices in our training kits (Training kits, IBAN Check)
Protect your business: fraud is not inevitable, corporates can protect themselves
4. Make good use of your payment application
• Segregation of duty and limit amounts
• Suppression of paper orders and validations
• Authentication means
• Beware of private PCs and smartphones!
5. Use improved controls
• Daily monitoring of issued payments
• Use of paper proofs
• Internal control and audits
• Secure Flows: authorised countries…
6. Build corporate governance
• Work with HR, IT, Purchasing…
• Culture of risk
• Watch of new fraud schemes
• Whistle Blowing Hotline
• Communication to clients
• Fraud risk assessment…
Find all concrete good practices in our training kits (Secure Flows, Bank call back, Assessment)
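The “Secure Flows” control (authorised countries and/or account numbers) combined with the vendor call-back rule, as an added example that is not the deck’s or BNP Paribas’ code: a local gate run before a vendor bank-detail change is registered, which checks the IBAN’s mod-97 checksum, the destination country against an authorised list, a change of country against the vendor master, and whether the call-back was recorded. It does not replace a scheme such as SEPAmail IBAN Check, which verifies the account with the bank; the vendor master, the IBANs and the allowed-country list are constructed for the example.

```python
# Added example (not BNP Paribas code): local gate on a vendor bank-detail change.
# Vendor master, IBANs and the authorised-country list below are constructed.
import re

IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")

def iban_valid(iban):
    """ISO 7064 mod-97 test: move the first 4 chars to the end, map A-Z to 10-35."""
    s = iban.replace(" ", "").upper()
    if not IBAN_RE.match(s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def review_change(vendor_master, vendor_id, new_iban, allowed_countries, callback_done):
    """Decide whether a bank-detail change may be registered in the vendor file.

    Returns (decision, reasons); decision is 'accept', 'hold' or 'reject'.
    A 'hold' means a second authorised person must clear the listed reasons.
    """
    iban = new_iban.replace(" ", "").upper()
    if not iban_valid(iban):
        return "reject", ["IBAN fails the format or mod-97 checksum test"]
    current = vendor_master.get(vendor_id)
    if current is None:
        return "reject", ["unknown vendor: use the onboarding procedure, not a detail change"]
    if iban == current["iban"]:
        return "accept", ["no change"]
    reasons = []
    country, old_country = iban[:2], current["iban"][:2]
    # "Secure Flows": only countries on the authorised list may receive payments.
    if country not in allowed_countries:
        reasons.append(f"destination country {country} is not on the authorised list")
    # A foreign beneficiary country is the case where the deck asks for 2 channels.
    if country != old_country:
        reasons.append(f"account moves from {old_country} to {country}: use phone + email")
    # The call-back must use the phone number already on file, never the request's.
    if not callback_done:
        reasons.append("call-back to the vendor's number on file is not recorded")
    if reasons:
        return "hold", reasons
    return "accept", ["valid IBAN, authorised country, call-back done"]

# Constructed vendor master record and authorised-country list.
VENDOR_MASTER = {"V001": {"name": "Acme Supplies", "iban": "DE89370400440532013000"}}
ALLOWED = {"DE", "FR", "NL"}
```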
In case of fraudulent transfer (or suspicion)
1. Contact your bank immediately
2. File a complaint with the police
3. Notify your management and preserve evidence
• Before it happens, train your staff to ensure they react appropriately in case of fraud
• Ask your legal department to be prepared to file a complaint in the beneficiary’s country if necessary
• Check issued transfers every day, with special attention to high-risk countries
Questions?
Ask your relationship manager for a diagnosis and personalized advice
1. Train your staff regularly: regularly raise your team’s awareness to risks and limit information dissemination
2. Authenticate your counterparties: have an identity verification procedure: CEO, vendor, technical officer, client, tax officer…
3. Secure your information system: use up-to-date antivirus, restrict installation rights and protect your databases
4. Ensure proper duty segregation: ensure duty segregation, make good use of payment tool, and avoid paper orders
5. Use improved controls: monitor issued payments every day or use countries / beneficiaries closed lists
6. Keep updated and talk about it: raise your clients’ and suppliers’ awareness, and work with your banks