Who is Phishing in Your Company Hole? Michael Loox, CFI Head of Loss Prevention The Coffee Bean & Tea Leaf

Page 1: Who is Phishing in Your Company Hole?

Who is Phishing in Your Company Hole?

Michael Loox, CFI
Head of Loss Prevention

The Coffee Bean & Tea Leaf

Page 2: Who is Phishing in Your Company Hole?

The Road To The Coffee Bean

Page 3: Who is Phishing in Your Company Hole?

The Coffee Bean & Tea Leaf

• 2nd largest US retail specialty coffee & tea brand
• 933 stores in 28 countries, 15 states & Washington D.C. – largest footprint in emerging markets
• $518 M system-wide sales
• Serving over 150 million customers annually
• 12,000+ global team members
• Successful omni-channel strategy
• 58 franchise relationships
• Regional offices in Singapore and Malaysia
• 50 years old: born and brewed in So. Cal since 1963

Page 4: Who is Phishing in Your Company Hole?

1. United States
2. Singapore
3. Malaysia
4. Israel
5. Korea
6. Brunei
7. Indonesia
8. UAE
9. China
10. Philippines
11. Kuwait
12. Saudi Arabia
13. Sri Lanka
14. Bahrain

Page 5: Who is Phishing in Your Company Hole?

Current United States Markets

Seattle Tacoma Airport (1 location)

New Jersey, Garden State Mall: (2 locations)

Page 6: Who is Phishing in Your Company Hole?

Current Worldwide Markets

Worldwide Store Count: 933

Bahrain: 3 locations
Brunei: 8 locations
Cambodia: 2 locations
Shanghai, China: 30 locations
Egypt: 17 locations
India: 26 locations
Indonesia: 68 locations
Israel: 2 locations
South Korea: 221 locations
Iraqi Kurdistan: 1 location
Kuwait: 15 locations
Lebanon: 3 locations
Malaysia: 59 locations (Company & Franchised)
Singapore: 51 locations (Company Owned)
Mexico: 8 locations
Oman: 2 locations
Philippines: 53 locations
Qatar: 7 locations
Saudi Arabia: 11 locations
Thailand: 10 locations
Turkey: 1 location
Sri Lanka: 3 locations
UAE: 0 locations
Vietnam: 12 locations
United States: 311 locations (Company & Franchised)
Germany: 1 location
Mongolia: 1 location
Jordan: 1 location

Page 7: Who is Phishing in Your Company Hole?

What is Phishing?

“A kind of social engineering attack in which criminals use spoofed emails to trick people into disclosing sensitive information (business or personal) or installing malware on their personal or employer’s computers or servers.”

• Attacks target users, not systems
• Attacks circumvent your organization’s security measures
• It does not matter how many firewalls, encryption products, and two-factor authentication mechanisms you have if the person behind the keyboard falls for a phish

In a 2003 IT security survey, 90% of office workers gave researchers their password in answer to a survey question in exchange for a cheap pen. Similar surveys obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.

Spam is unsolicited junk email which may contain a “phish”.

Page 8: Who is Phishing in Your Company Hole?

Origins & Evolution of Phishing

• Derivative of “phreaks”, a 1990s term for hackers
• First mention: January 2, 1996, in a Usenet newsgroup
• Response to AOL preventing the use of algorithmically created credit card numbers to open accounts
• Phisher posed as an AOL staff member via email or IM requesting passwords and other personal info
• Hijacked accounts used for spamming and fraud
• AOL’s response: “No one working for AOL will ask for your password or billing information”

Page 9: Who is Phishing in Your Company Hole?

Types and Variants of The Phish

• Spear Phishing: a targeted communication to employees or members of an organization. Emails are customized for appeal using public information available on web sites and ask the recipient to click on a link or open a zip file
• Whaling: a spear phish used against high-level targets such as a CEO, politician, officers in the armed forces or other “Big Phish”
• Vishing: callers claim to be from “tech support” or your bank, or have you call a number, to get business and credit information
• Smishing: the same scam through text messages and IM

Page 10: Who is Phishing in Your Company Hole?

Phishing Season 2012

• Within the last year over 37 million unique users were subjected to phishing attack, up 87%
• Over 102,100 internet users are subject to attack each day
• 12% of all phishing attacks were launched via spam mailings; 88% came from links to web pages
• Over 20% of all phishing attacks mimicked a bank or other financial institution
• Phishing losses estimated at $1.5 billion in 2012
• Major cyber-threat to businesses

Page 11: Who is Phishing in Your Company Hole?

Anatomy of a Phish

Every phishing email is built on emotional and visual triggers, usually combined with one of these human motivators:

1. Rightful Rewards: tax refunds and prizes
2. Greed: unwarranted lottery winnings and 419-type scams
3. False Accusations: tax fraud, customer complaint, FCC, etc.
4. Curiosity: “Look who searched for you on Google”
5. Right the Wrong: fake order confirmation from known online merchants or shopping sites citing alleged purchases made
6. Trust: fake emails from banks, service providers, or business associates/professional networks

Page 12: Who is Phishing in Your Company Hole?

Phish Tells

• Spelling and bad grammar: spellcheck????
• Embedded links, e.g. https://www.scamuez.exe (.exe files are known to launch malware)
• Threats: “Your account will be closed”
• Spoofing of popular websites/companies
• You did not initiate contact
• Any request for confidential or sensitive information, or for names

Page 13: Who is Phishing in Your Company Hole?

Identifying the Phish

What might a phishing email look like?

Page 14: Who is Phishing in Your Company Hole?

Species of Phish

Memo from: Ms Clare Brady Ref: WB/MM/UNL.Vol2.8/2013
The World Bank Audit report showed you have an unclaimed fund which the banks have been trading on, you can verify this on http://www.missingmoney.com/ type your name at the search column for confirmation.(you will see your FUND) We have directed the I M F to start the release process which further details will be given to when we have ascertained your identity. Therefore, you are required to forward to us copy of your ID, upon verification; we will release full information to you.
Regards, World Bank 1818 H Street, NW Washington, DC 20433 USA www.worldbank.org

Page 15: Who is Phishing in Your Company Hole?

From: IRS.gov [mailto:[email protected]] Sent: Monday, July 22, 2013 8:16 AM To: [email protected]; Melissa Lippert; Michael Loox; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; Michelle Stene; Mitzi Sutton Subject: Complaint Case #267732192270

You have received a complaint in regards to your business services. The complaint was filled by Mr./Mrs. Ahmed FRIGOLA on 07/22/2013/ Case Number: 267732192270 Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email. Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties. The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS. The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options. 2013 Council of IRS, Inc. All Rights Reserved.

Zip file attached to launch malicious software

Page 16: Who is Phishing in Your Company Hole?

Appears to be from a Coffee Bean email account

Malicious Zip file attachment
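As an added example, not code from the presentation or from The Coffee Bean & Tea Leaf, the following Python check applies the “Phish Tells” from page 12 to a raw email: a display name that impersonates a domain the sending address does not belong to, links to executables, threat language, requests for sensitive information, and risky attachments. Both messages are constructed for this example; the addresses, domains, case number and phrase lists are assumptions, and the first message is modelled on the IRS complaint sample above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the "Complaint Case" mail on the slides.
# Domains, addresses and the case number are placeholders, not the original message.
SAMPLE_PHISH = """\
From: IRS.gov <complaints@example-mailer.invalid>
To: loss-prevention@example-company.invalid
Subject: Complaint Case #000000000000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a complaint in regards to your business services.
Instructions on how to resolve this complaint are attached.
Your account will be closed unless you respond within 5 days.
Confirm your login password at http://www.example-scam.invalid/update.exe
--b1
Content-Type: application/zip; name="Complaint_Case.zip"
Content-Disposition: attachment; filename="Complaint_Case.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign internal mail for comparison.
SAMPLE_LEGIT = """\
From: Store Operations <store.ops@example-company.invalid>
To: loss-prevention@example-company.invalid
Subject: Store walk on Tuesday

Hi Michael, just confirming the Tuesday store walk at 9am. Thanks!
"""

# Assumed phrase lists; a real deployment would tune these to its own mail traffic.
THREAT_PHRASES = ("account will be closed", "immediately", "within the next", "or else", "legal action")
SENSITIVE_TERMS = ("password", "credit card", "account number", "social security", "copy of your id")
RISKY_EXT = (".exe", ".scr", ".bat", ".js", ".zip")
DOMAIN_LIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")   # display name that looks like a hostname
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _text_parts(msg):
    """Yield decoded text/plain bodies, skipping attachments."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def _attachment_names(msg):
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def phish_tells(raw):
    """Return the list of tells found in a raw RFC 2822 message string."""
    msg = message_from_string(raw)
    tells = []

    # Tell: display name spoofs a brand/domain the real sender address is not part of.
    name, addr = parseaddr(msg.get("From", ""))
    name_l = name.strip().lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if DOMAIN_LIKE.match(name_l) and not sender_domain.endswith(name_l):
        tells.append(f"spoofed sender: display name {name!r} but address domain {sender_domain!r}")

    body = "\n".join(_text_parts(msg))
    body_l = body.lower()

    # Tell: embedded link pointing straight at an executable or archive.
    for url in URL_RE.findall(body):
        if url.lower().rstrip(".,)").endswith(RISKY_EXT):
            tells.append(f"embedded link to executable: {url}")

    # Tell: threats and pressure ("Your account will be closed").
    tells += [f"threat language: {p!r}" for p in THREAT_PHRASES if p in body_l]

    # Tell: any request for confidential or sensitive information.
    tells += [f"request for sensitive information: {t!r}" for t in SENSITIVE_TERMS if t in body_l]

    # Tell: zip/executable attachment, as in the complaint sample.
    tells += [f"risky attachment: {n}" for n in _attachment_names(msg) if n.lower().endswith(RISKY_EXT)]
    return tells


def classify(tells):
    """Turn the tell count into a triage verdict (thresholds are an assumption)."""
    if len(tells) >= 3:
        return "likely phish"
    return "review" if tells else "no tells"


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        found = phish_tells(raw)
        print(label, classify(found), *found, sep="\n  ")
```

The sender check is deliberately narrow: it only fires when the display name itself looks like a domain (as “IRS.gov” does in the sample), which keeps ordinary “First Last” names from triggering it. Running `python phish_tells.py` prints every tell found in each message and its verdict.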

Page 17: Who is Phishing in Your Company Hole?
Page 18: Who is Phishing in Your Company Hole?
Page 19: Who is Phishing in Your Company Hole?

Put an End to Phishing Season

Phishing may be used as one step in a targeted attack against your company or its employees:

• Corporate espionage from competitors, foreign and domestic
• Theft of money from the company accounts
• Theft of money from employee accounts
• Theft of customer information
• Identity theft
• Theft of national security secrets

Page 20: Who is Phishing in Your Company Hole?

10 Tips for Phishing Prevention

1. Never give out personal, financial or other sensitive information to anyone who requests it
2. Be suspicious of email requesting sensitive information
3. Don’t click on links embedded in an email
4. Enter a fake password when prompted; a legitimate website will not accept a fake one
5. Don’t fill out forms asking for sensitive information. Use secure websites only.

Page 21: Who is Phishing in Your Company Hole?

The other 5……..

6. Keep your browser and operating system up to date
7. Regularly verify all charges on credit card and bank statements
8. Always use updated antivirus and firewall software
9. When in doubt, check authenticity
10. Notify www.ftc.org and the Internet Crime Complaint Center (www.ic3.gov) if you think you are a victim of an attack

Page 22: Who is Phishing in Your Company Hole?

Phishing Forecast for 2013

• Phishing via mobile: directly attacking smartphone users
• Phishing via apps: attacking through installation of malicious apps
• Phishing via social media: in 2010 social media attacks made up 8.3% of the total; by the end of 2011 it was 84.5%

Have a strong IT and computer usage policy!

Page 23: Who is Phishing in Your Company Hole?

False Billing & Phone Scams

False billing targets businesses by telephone, mail, email and fax. The scammer supplies you with an invoice for products or services you have not ordered or received, hoping it will be paid on receipt with no investigation.

• Mid-size to large businesses are targeted in the hope that smaller invoices are processed for payment without review
• Many false billing scams begin with a telephone call to get key names, contacts and details about the company
• That information helps the scammer create an invoice including names and account numbers for services ordinarily used

Page 24: Who is Phishing in Your Company Hole?

Variations of Billing & Phone Scams

Advertising & Directory Listing (Yellow Pages renewal)
• Billing for an unauthorized listing or ad (print or web)
• Proposal disguised as an agreement or invoice
• You think you are responding to a free offer or renewal
• Use of existing company names & logo to look real

Fax Back Scams
• Unsolicited fax offering great deals and discounts on products, services, trips
• High cost of fax reply buried in print or not listed
• Premium fax rates can cost up to $10 / minute

Page 25: Who is Phishing in Your Company Hole?

Scams continued……..

Office Supplies or Mystery Supplies Scam
• Invoice for supplies never ordered, never received, or not what you thought them to be
• A recent scammer cleared $700K sending invoices to companies for fluorescent light bulbs never received
• Send unordered supplies at inflated rates, or low-quality supplies. This is usually preceded by a fax to confirm the order; an employee signs and sends it back
• The signed fax is then used as proof of order to collect payment

Page 26: Who is Phishing in Your Company Hole?

Demand for Payment

• Receive a letter demanding payment for products or services never received, or for an unverifiable debt
• Official letterhead (agency, attorney, debt collector)
• A case number is assigned to the alleged debt
• Written as if it were a court case
• Request comes from a 3rd party who has taken over the debt or claims to be pursuing the debt on the creditor’s behalf
• Threats of further interest and penalties
• Pay by this date or else……..

Page 27: Who is Phishing in Your Company Hole?

Demand for Payment

Richard T Avis, Attorney & Associates, LLC
Richard T Avis
Barry Serota (1948-2009)
P.O. Box 1008, Arlington Heights, IL 60006
Phone (847) 259-4700 Fax (847) 259-9434

OCT 17 2012

October 5, 2012

INTERNATL COFFEE & TEA 1945 S LA CIENEGA BLVD LOS ANGELES CA 90034

972923

CASE NO. 972923

RE: Tyco Integrated Security fdba ADT Security Services Inc

VS. INTERNATL COFFEE & TEA Account #1300-145000314

AMOUNT DUE $1185.43

Our firm has been engaged to collect the obligation that is due to Tyco Integrated Security.

The total balance of $1185.43 must be paid to our office within the next 5 days. This total excludes interest, late charges and attorney fees which can be added in accordance with the underlying contract.

Your payment in full should be made payable to Tyco fdba ADT and sent to our office at the above address. Be sure to include our case number 972923 on your remittance.

If we do not receive your payment, we will have no alternative but to pursue the TOTAL balance due to our client. This could include additional charges being added to your account such as interest, late charges and attorney fees, as per the terms of the underlying contract.

Sincerely,

Richard T Avis, Attorney & Associates, LLC

CONTACT: N.Minnick, Administrator - Ext.230

Richard T Avis, Attorney & Associates, LLC
Richard T Avis
Barry Serota (1948-2009)
P.O. Box 1008, Arlington Heights, IL 60006
Phone (847) 259-4700 Fax (847) 259-9434

April 18, 2013

INTERNATL COFFEE & TEA 1945 S LA CIENEGA BLVD LOS ANGELES CA 90034

972923

CASE NO. 972923

RE: Tyco Integrated Security fdba ADT Security Services Inc

VS. INTERNATL COFFEE & TEA Account # 01300-145000314

AMOUNT DUE - $1185.43 IT IS IMPERATIVE THAT YOU FORWARD PAYMENT OF THE BALANCE DUE - IMMEDIATELY.

Payment should be in the form of check or money order made payable to Tyco fdba ADT and include your case number 972923.

Send your payment via Federal Express or USPS Express Mail to:

Tyco Integrated Security fdba ADT Security Services Inc c/o Richard T Avis, Attorney & Associates, LLC

3715 Ventura Drive Arlington Heights, IL 60004

Page 28: Who is Phishing in Your Company Hole?

The Health Dept. is Calling.....
• Receive a call from the “State Health Dept.” or DOA
• Caller informs the restaurant of a complaint and a visit today
• Will attempt to persuade the employee to provide personal and/or credit information for ID theft and fraud
• Variation: will ask the employee to enter a five-digit verification code to confirm the appointment in a subsequent call. This allows the scammer to set up a fraudulent Craigslist or online auction house account verified to your restaurant phone number.
• Variation: other scammers claim to be IT techs or from the bank requesting credit card info because the system is “down”

Page 29: Who is Phishing in Your Company Hole?

Point of Sale Scams

• Confuses the cashier during the transaction
• Uses social engineering, like a phish
• Asks for change of $20 and leaves with $30
• Have a policy on making change: double count, don’t be rushed

Counterfeit Money
• Best line of protection: UV machine or cash verification tower
• $5.00 bills washed and reprinted as $100s
• Review security features on all bills $20 and above

Page 30: Who is Phishing in Your Company Hole?

Credit Card / Gift Card Fraud
• Never hand-key any credit card transaction, especially for the sale of gift cards
• Get swipe and signature for any transaction over your designated threshold ($25.00?)
• Remove remaining balances from all gift cards linked to a charge-back transaction
• Establish a credit card acceptance policy including a loss prevention training element
• Identify areas or groups of stores with the highest % of fraud to develop a targeted response
• Do not transfer balances from one gift card to another

Page 31: Who is Phishing in Your Company Hole?

No Scams Here……

• Employee Training
  – Create eTraining platform (embedded)
  – Micro-games
  – Provide Internet access resources
  – New hire awareness module
  – Specific cash and credit card procedures
• Establish Company Hotlines for verification
  – Documented procedures and protocols with real-time access to assist in the decision-making process
  – Ops / LP / IT / Acct. contact during business hours
  – When in doubt, just say “No” and call a supervisor

Page 32: Who is Phishing in Your Company Hole?

Integrate For Success

• Develop and lead a multi-departmental partnership to combat fraud and scams across all levels of your company or organization
• Provide awareness and response directives for each department or “impact” area
• Work directly with A/P to ensure:
  – Invoices are verified by the department
  – Purchasing guidelines were followed
  – There is a new vendor approval process
  – Suspicious invoices are reviewed; create a checklist
  – Systems are in place to prevent duplicate invoices
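The A/P controls listed above (department verification, purchasing guidelines, new-vendor approval, a suspicious-invoice checklist, duplicate prevention) can be expressed as one gate an invoice must pass before it is paid. This is an added example written for this page, not a tool from The Coffee Bean & Tea Leaf or the presenter. The vendor register, the open purchase orders, the invoice fields and the pressure-wording list are constructed assumptions; the second sample invoice is modelled on the demand-for-payment letter reproduced earlier, with a placeholder collector name and address and the dollar amount from that letter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Invoice:
    vendor: str                     # name printed on the invoice
    invoice_no: str                 # invoice or "case" number
    amount: float
    remit_to: str                   # where the invoice asks payment to be sent
    po_number: Optional[str]        # purchase order quoted on the invoice, if any
    verified_by_department: bool    # ordering department confirmed goods/services were received
    text: str = ""                  # free text of the invoice or cover letter


# Constructed approved-vendor register (hypothetical): vendor -> remit-to address of record.
APPROVED_VENDORS: Dict[str, str] = {
    "Example Cup Supply Co": "100 Example Street, Los Angeles, CA 90000",
}

# Constructed open purchase orders (hypothetical): PO number -> (vendor, approved amount).
OPEN_POS: Dict[str, Tuple[str, float]] = {
    "PO-1001": ("Example Cup Supply Co", 412.50),
}

# Wording from the demand-for-payment and directory-listing scams on the slides (assumed list).
PRESSURE_PHRASES = ("case number", "within the next", "attorney fees", "immediately", "or else", "renewal")


class ApReviewer:
    """Runs the suspicious-invoice checklist and remembers every invoice it has seen."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str]] = set()

    def review(self, inv: Invoice) -> List[str]:
        flags: List[str] = []

        # New-vendor approval process: unknown vendors never go straight to payment.
        if inv.vendor not in APPROVED_VENDORS:
            flags.append("vendor not in approved register; needs new-vendor approval")
        elif inv.remit_to != APPROVED_VENDORS[inv.vendor]:
            flags.append("remit-to address differs from vendor of record")

        # Purchasing guidelines: an invoice must match an open PO for the same vendor and amount.
        if inv.po_number is None or inv.po_number not in OPEN_POS:
            flags.append("no matching purchase order")
        else:
            po_vendor, po_amount = OPEN_POS[inv.po_number]
            if po_vendor != inv.vendor:
                flags.append("purchase order was issued to a different vendor")
            if abs(po_amount - inv.amount) > 0.005:
                flags.append(f"amount {inv.amount:.2f} differs from PO amount {po_amount:.2f}")

        # Department verification.
        if not inv.verified_by_department:
            flags.append("receipt not verified by the ordering department")

        # Duplicate prevention: same vendor + invoice/case number presented again.
        key = (inv.vendor.strip().lower(), inv.invoice_no.strip())
        if key in self.seen:
            flags.append(f"duplicate: invoice {inv.invoice_no} from this vendor was already presented")
        self.seen.add(key)

        # Checklist: legal-sounding pressure wording typical of false billing.
        text = inv.text.lower()
        flags += [f"pressure wording: {p!r}" for p in PRESSURE_PHRASES if p in text]
        return flags


# Constructed samples.
GOOD = Invoice("Example Cup Supply Co", "INV-7788", 412.50,
               "100 Example Street, Los Angeles, CA 90000", "PO-1001", True,
               "Thank you for your order. Net 30.")
DEMAND = Invoice("Example Collections LLC", "CASE-000000", 1185.43,
                 "P.O. Box 0000, Anytown, ST 00000", None, False,
                 "The total balance must be paid within the next 5 days. Interest, late charges "
                 "and attorney fees may be added. Include our case number on your remittance.")


def run_samples() -> Dict[str, List[str]]:
    """Review the good invoice, then the demand letter twice (as the slides show it arriving twice)."""
    reviewer = ApReviewer()
    return {
        "good": reviewer.review(GOOD),
        "demand_first": reviewer.review(DEMAND),
        "demand_repeat": reviewer.review(DEMAND),
    }


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(name, "->", "pay" if not flags else "hold for review")
        for f in flags:
            print("   ", f)
```

The reviewer keeps state on purpose: the two letters shown on the slides carry the same case number six months apart, and a gate that forgets what it has already seen cannot catch the repeat. An invoice that produces any flag is held for review rather than paid, which is the checklist outcome the slide asks for.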

Page 33: Who is Phishing in Your Company Hole?

If you have been scammed…

• Notify appropriate law enforcement agencies
• Send an alert to other departments or restaurants to prevent/minimize other losses
• Alert your Loss Prevention/Security peers if applicable and/or approved by your company
• Review the scam to determine areas in need of retraining or possible internal dishonesty

Page 34: Who is Phishing in Your Company Hole?

Thank You!