Cyberfraud & Cybercrime Alexandre Pluvinage – Head of the Cybersecurity Awareness Understand them and Protect yourself May 2017

Cyberfraud & Cybercrime

Alexandre Pluvinage – Head of the Cybersecurity Awareness

Understand them and Protect yourself

May 2017

Number of Internet users buying online

[Line chart. x-axis: 2007 to 2015; y-axis: 35% to 70%; series: Total, 16-24 years, 25-54 years, 55-74 years]

Internet users who bought or ordered goods or services for private use over the internet in the previous 12 months by age groups, EU-28, 2015 (% of internet users)

Source: Eurostat. EU 28 average (10/2015)

Source: Euler Hermes – DFCG study, March 2016

French companies facing cybercrime and cyberfraud in 2016

Companies that had (at least) one fraud attempt last year

Companies that were too late to detect the fraud

Companies that had more than 10 fraud attempts last year

Source: Euler Hermes – DFCG study, March 2016

Top 4 cyberfraud and cybercrime modus operandi

  • CEO Fraud

  • Cybercrime (hacking IT systems)

  • Identity theft (banks, lawyers, etc.)

  • Invoice fraud

CEO Fraud

Money at risk (29/05/2015)

Brussels: 41,668,967 €
  • Total amount recovered: 26.921.772 €
  • Total amount stolen: 14.747.195 €

Wallonia: 28,867,353 €
  • Total amount recovered: 24.411.817 €
  • Total amount stolen: 4.455.536 €

Flanders: 5,445,309 €
  • Total amount recovered: 3.526.594 €
  • Total amount stolen: 1.918.715 €

Total at risk in Belgium: 75,981,629 €

Social engineering

Psychological manipulation

Audio

• Evidence in a real criminal case (anonymized)

• Recording between a fake CEO (criminal) and an accountant (victim)

• CEO is calling from Paris to a group’s company in Belgium

C-Level Fraud – Real example (anonymized)

Columns: deb | amount | date | Loss client | Via account 1 | Via account 2-3

Victim: Corporate client
  • Loss client: 4.500.000
  • Via account 1: 1.540.000
  • Via account 2-3: 2.960.000

Beneficiary 1: NIKM LTD, BG00BUIB98881402900, Bulgaria, Bank 1
  • -250.000 on 19-12-2013
  • -250.000 on 19-12-2013
  • -250.000 on 23-12-2013

Beneficiary 2: LINK LTD, CY22 0050 0140 0001 65 5301, Cyprus, Bank 2
  • -250.000 on 2-1-2014

Beneficiary 3: ASIA LTD, AB12 1923123040003, China, Bank 3 / account number 1
  • -250.000 on 7-1-2014

Beneficiary 4: ULTRA LTD, AB12 1923113800237, China, Bank 3 / account number 2
  • -145.000 on 13-1-2014
  • -145.000 on 13-1-2014

Invoice fraud

Invoice Fraud and Sticker Fraud

Variant 01

An invoice is intercepted during the mailing process and a sticker is added with a new account number

Invoice fraud

An invoice is intercepted and modified
  • Account number is changed
  • New invoice

Variant 02

The company receives a fake email or letter, purportedly from a legitimate company, saying that it has changed banks and that all new invoices should be paid into the new account

Variant 03

Same as variant 02 but using a fake factoring company

Invoice Fraud – Real example (anonymized)

[Figure panels: Original, Fake]

Phishing

• Security tests

• SEPA – new Bank interface

• Click here to read the Google document

• Fake new Bank card

How to protect myself?

Protect your organization

GET them INVOLVED
  • Management
  • Persons with access to the company accounts

EDUCATE them
  • Secret and urgent are suspicious when concerning payments to an unusual account
  • “Don’t believe your CEO !!!”

Create SECRET procedures
  • Set up internal secret double check procedures for secret or urgent matters

PROTECT your own and customer’s data
  • Do not make all information available online
  • Destroy sensitive and financial information

PROTECT your payments
  • Every change in a provider’s static data (account number, email, telephone, etc.) should be double checked by phone (call back procedure)

PROTECT your invoices
  • Anonymous envelopes
  • Double sending (e.g. email + mail)

It has just happened …

Contact your bank immediately. In some cases, we can get the money back

Contact the police to file a complaint (yourself or by a lawyer)

Protect the evidence (mail, telephone logs, conversations)

Prefer a no-blame culture: targets of social engineering are also victims

Phishing

▪ Never share your codes

▪ Never go online via a link in an email (if you need to log in to access the information)

▪ Always cut through the chip if you no longer use the card

Train your employees

Cybersecurity Kit (FREE awareness kit for companies):
- Social engineering
- E-mails (phishing)
- Passwords

http://www.cybersecuritycoalition.be
