John Kolar: Hello, everyone. Welcome to the Wells Fargo Treasury Management webinar “Facing the new faces of fraud.”
John Kolar: My name is John Kolar. I’m a vice president and a fraud prevention manager on the Wells Fargo Digital Solutions for Business, Fraud Prevention, and Authentication team. I’m thrilled you could join us today and really excited about the information and strategies we have lined up for you.
I’d like to take a moment to introduce our guest speakers. First is Brian Richter, vice president and assistant treasurer at McGraw‑Hill Education. We also have Kevin McCleary, assistant to the Special Agent in Charge for the U.S. Secret Service. Thank you both for joining us.
Brian Richter: Glad to be here, John.
Kevin McCleary: Absolutely. Thanks for having me.
(Before we get started slide)
John Kolar: All right. Before we get started, a quick few notes for our attendees. To qualify for the 1.2 CTP credits for — from the Association for Financial Professionals and the 1 CPE credit for the National Association of State Boards of Accountancy, you must be — remain in — in attendance for at least 50 minutes.
The dial‑in for the audio portion of this webinar is 844‑833‑0706. You can also dial *1 during our Q&A time at the end of the presentation to ask questions. You may download a copy of today’s slides by clicking on the green Download Slides icon in the lower center of your screen. If you experience any audio or video difficulties during the presentation, you can press the F5 key, or press Command+R if you’re on a Mac, to refresh your console. If you continue to experience issues, there’s a technical help button on the bottom of the screen where you can chat with a technician.
(Today’s agenda slide)
John Kolar: All right. Let’s get started by going over the agenda for today’s webinar. First, we’ll discuss what fraud land — the landscape looks like today. There are definitely some trends we’re seeing, and this continues to be evolving. It’s a dynamic topic that’s changing every day. Then our guests will share their perspectives, along with some critical fraud-protection strategies your company can put in place. You’ll get to hear some real‑world examples along the way that will really help frame up the discussion and clearly demonstrate what we are up against when it comes to fraud, and some actionable steps that you can take to help reduce your risk. I’ll chime in there as well, and finally we’ll wrap up with some Q&A from the audience at the end.
(The sobering reality of fraud slide)
John Kolar: Before we can talk about what’s next, we need to look at where we’re at today. Unfortunately, fraud attacks are inevitable for business, and the numbers for the latest statistics prove that this is a problem and only getting worse: 74% of companies that were surveyed by the AFP survey in 2017 were victims of payment fraud in 2016. Seventy-four — 74% of those companies were exposed to BEC fraud, or business email compromise. That was a 10% increase from 2016. We’ll touch on that a little bit later. 64% of companies have been exposed to imposter fraud. And finally, financial losses for imposter fraud exceed $1.2 billion worldwide.
This is a sobering reality we face today, and now it seems we’re hearing more and more stories breaking in the news. The exposure and losses companies are facing can be staggering. There was also an FBI alert put out in May of this year, where the real estate sector has been hit at a 480% increase in exposure to imposter fraud.
(Audience poll slide)
John Kolar: Let’s see if these numbers ring true for some of you with a quick poll of our audience. And please note that responses to our polls throughout the presentation today are all completely anonymous. These polls are simply to give us a feel for where the group as a whole is at on various topics.
All right. First question: Has your company experienced fraud attacks or attempted fraud in the last year? Yes, no, or I don’t know. Please select the most appropriate response for your organization and click Submit.
(Poll results slide)
John Kolar: All right. Looks like the majority responses are confirming the stats I relayed earlier, and most of you are experiencing some form of fraud or attack or have been attacked in the past.
(New threats in the world of fraud, 10% slide)
John Kolar: The increase of 10% in the BEC compromise is a — is a great — great stat to reflect on. The statistics have proven, ready or not, fraud attacks will come your way. I’d like to start out by taking a look at some of the growing threats in our world of fraud. We’re seeing a steady increase in BEC or imposter fraud, and that’s just ramping up for the year.
(New threats in the world of fraud, Shift toward fraudulent slide)
John Kolar: We at Wells Fargo are also seeing fraudsters move towards ACH instead of wires. Wire fraud is still out there, the one‑time big hit for the million‑dollar transaction is still out there, but we are seeing the fraudsters and miscreants heading towards an ACH payment, where they’re driving down into lower dollar amounts and making multiple payments over time. And with the trends we’re seeing currently, the primary intent is to simply point out [that] fraudsters are focused on just one payment method. The payment method your company can — payment company you’re used to may be targeted for payment.
(New threats in the world of fraud, Attacks spanning slide)
John Kolar: Fraudsters are also broadering — broadening their net. Real estate and higher education industries are experiencing an onslaught of fraud attacks. Smaller companies often have fewer controls and measures than large corporate customers, making them more vulnerable. As we talk bit — a bit about later today, the fraudsters are becoming more sophisticated and continually evolving their strategies and efforts to find new ways to circumvent existing protective measures.
(New threats in the world of fraud, Mobile banking on the rise: slide)
John Kolar: Finally, as mobile banking and the ongoing transactions continue to grow, we believe fraud attacks in these areas have the potential to be more successful. This is due to the fact that people are often distracted on their phone or they feel pressured to act quickly. It’s important that we acknowledge the added risk that this brings, as both employees and fraudsters have more touch points and means of communication. Easier, quicker, faster doesn’t always mean secure and trusted.
(Fraud attacks: The schemes that stand out slide)
John Kolar: Before we go any further, I’d like to get some thoughts from both Brian and Kevin. Thinking about your time and experiences over the years related to these various types of fraud, can you share a little bit about a specific incident that stands out in your mind as particularly memorable? Brian, how — how about we go with you first?
Brian Richter: Sure thing, John. I definitely have one that jumps to mind immediately. I think this particular incident was memorable, because it was such a detailed, multilayered attack. One of our offshore entities had a vendor invoice manipulated to change the settlement instruction, which in — of itself was relatively low‑tech. However, the interesting part is what happened next. The invoice was submitted to our AP department, appeared to be a correct email address, normal contact person. Clearly, the fraudster was not only successful in masking the account of our vendor, but he also knew who the internal process person was and normal process for the payment to the particular vendor.
And they didn’t stop there. In addition to emailing the invoice to the correct contact, at the same time, they attempted to fax the same invoice. Our assumption is that the attempt was at validating the email via an alternative source. What really catches our attention about this is [that] our normal vendor already has the approvals under an existing PO. This fraudulent invoice amount and the services would be easily approved. Without significant employee training on what to look for and being sure that you check every step in the process, this could easily have been paid.
John Kolar: Wow. Thanks, Brian. That really speaks to the level of attention and planning fraudsters are committing to and just how hard it is to catch these attacks coming through. Kevin, any story from your experiences on the federal side of things that you’d like to share?
Kevin McCleary: Absolutely, John. Here’s one that relates to the topics we are discussing. I recently spoke with the VP of a large company, and he relayed details regarding an incident that they are currently facing, all coming out of a fraud attack earlier this summer. He started by letting me know that one of the employees in their accounting department had recently sent out the entire company’s payroll’s personally identifiable information, PII. It turned out that his company was the victim of spearphishing and that the employee and accounts — and payroll was specifically targeted. The cybercriminal sent a spoof email, which appeared to have come directly from the company president requesting information as soon as possible.
This company thought that they had educated their employees and had implemented safeguards against this type of fraud. They ended up firing the employee and then having to pay for credit monitoring for all of their employees. Finally, no thanks to the legal department at the company, this incident was not referred to law enforcement, so this cybercriminal’s data was not shared with other businesses and they were not ultimately pursued, both bad endings that we can learn from.
John Kolar: Thanks, Kevin. What a painful reminder on just how easy it is for a fraudster to cause major damage, oftentimes through the best of intentions by a single employee that simply isn’t following every step of the process. It’s always so insightful to hear real‑world stories. Let’s move forward now and dive in a little deeper into what we’re seeing fraudsters heavily working at.
(But the biggest threat for 2017 and beyond? slide)
John Kolar: In our view, the most significant threat now and in the future is business email compromise, or BEC. Data shows that this fraud tactic is holding steady and is likely to remain a serious threat. In fact, fraudsters are getting smarter and more patient. They’ll often — often infiltrate a system months before a transaction is created. This gives them time to observe and learn your patterns, increase the chances that their fraud attempts will go undetected when they do pull the trigger, and this of course can mean significant losses over time for your company.
So it’s important to take note that this isn’t always a simple, quick attack. We’re seeing very calculated, methodical approaches that can make fraudsters much harder to identify. They’re watching how and when and how often you’re paying certain vendors. They’re watching the tone of your emails, both internally and with your trusted partners.
(Understanding the key types of fraud, What do you watch for? slide)
John Kolar: So what — what do you need to watch for? Knowing what you’re up against is the first step in protecting your organization. Let’s take a few moments to go through the most common fraud types we are seeing.
(Understanding the key types of fraud, Business email compromise slide)
John Kolar: Like we said, business email compromise, or imposter fraud, which is another term for it, is a critical threat. This is where the fraudster impersonates a vendor, a company executive or another trusted part — trading partner, ultimately tricking you into making the payment for them. As I mentioned before, the fraudsters may have been watching your communications for some time and waiting for just the right time to jump in with a fraudulent request bundled with a very believable format. This kind of fraud is much harder to detect, because you have been deceived into actually being the one making the payment and it all looks normal on your end.
(Understanding the key types of fraud, Account takeover fraud slide)
John Kolar: In contrast, there is account takeover fraud. Here, a fraudster steals or uses your confidential online credentials to gain access to create a payment, literally taking over as you. This means that they are making the — making and authorizing payments using your credentials. This process can be — this can happen through malware, which is a form of social engineering. So that’s really the difference between the two: Business email compromise, they’re tricking you into making the payment for them, and with account takeover, they’re using your secure credentials to make that payment.
(Understanding the key types of fraud, Malware slide)
John Kolar: Often used with take — takeover fraud, malware is malicious software that is secretly downloaded onto your device, usually by clicking on an unsuspecting link in an email. The software then secretly captures — captures your keystrokes, and the fraudster watches for you to enter your credentials in order to gain access to — to your secure systems. One thing I’ll say here: if it looks suspicious, don’t click on it, whether it’s an email or even a pop‑up that appears to be legitimate or a legitimate online screen.
(Understanding the key types of fraud, Social engineering slide)
John Kolar: Social engineering is another tool criminals use to better target their fraud attempts. You’ve probably heard about phishing, when criminals send false emails that appear to be from a trustworthy source in an attempt to get someone to click on a link and download malware or give up confidential information. Today, we are also seeing a new form called spear — or smishing. Fraudsters target specific with — specific people within an organization and send fraudulent texts in hopes of capturing their credentials. And, finally, vishing is very similar —often, fraudsters make the fraudulent contact via phone — voice.
(Experiencing fraud firsthand slide)
John Kolar: As you can see, the fraud threats out there today are real and can be deployed in email, text, or voice contact. So what does it actually look like? I’m going to turn it over to our first guest, Brian Richter, and let him share a little of his company’s experience.
Brian Richter: Thanks, John.
(When imposter fraud strikes slide)
Brian Richter: I can say McGraw‑Hill Education is no stranger to fraud attacks. Our company has been exposed to many types of fraud attacks over the years, including two of the most prevalent ones: imposter fraud and account takeover fraud. We’ve seen our fair share of imposter fraud attempts try to come through. An email will show up that seems to be from the finance, the CFO, the CEO or — and asking if we can move funds quickly to make a payment. For example, one of our more recent attempts appeared to come from a business unit executive requesting a low‑value card payment. The criminal was able to select the auto‑forward functionality in a mobile email application as a result of phishing. They proceeded to mask the email, changing one of the letters in the address, and requesting a low‑value payment be made through an email card process.
One thing I’m noticing with these emails is that criminals are getting more sophisticated regarding the timing of their attempts. They’ll wait for something like a merger, acquisition, or a divestiture to strike. They often wait for those out‑of‑the‑ordinary events happening within the organization and time their efforts accordingly. When the company is going through some kind of fundamental change, there can be a lot of new players, so people tend to be less skeptical of unfamiliar names. Plus, when internal changes occur, employees often feel a sense of pressure to make sure that transitions take place as smoothly and efficiently as possible. Fraudsters know that well‑intentioned employees are more likely to skip a step in the process during these times. All of this makes it easier for fraudsters to slip through.
So my team has learned to be extra alert during high‑pressure times. One of the simplest practices I recommend to beat imposter fraud is double‑check the sender’s email address. Simply scroll over every time and make sure the address is correct and it doesn’t have characters reversed or a different letter. These types of small changes aren’t immediately obvious to the untrained eye, especially on a mobile email, where it may be more difficult to see the sender information. It’s even more important to take a closer look at the sender’s email before clicking. At McGraw‑Hill, we actually added a phishing alert function to our email program so employees can easily send suspicious emails to our IT team for review. This way, we’re able to gather information about the source of the email, like the IP address of the sender, and see [if] malware is involved.
Part of preventing future attacks is keeping good data and records of past attempts. You might be able to filter out a larger portion of phishing emails just by keeping track of the ones you’ve already received. This seems obvious, but when you have folks identifying different attempts coming through different parts of your organization, it’s always a good idea to ensure you have a process in place to compile and store all these types of information for the future.
(Confronting account takeover slide)
Brian Richter: Another common fraud attack we see here is account takeover. The attempts can be almost relentless. If a criminal manages to get access to the right person’s credentials, someone in treasury or accounts payable, like me, with the ability to quickly direct funds, it can be very dangerous to the company. What I find especially concerning is the patience of these criminals. Even after they’ve obtained sensitive information, they often wait to act. If we have credentials, they have access to your stream, so they will tag what you’re doing for months. They’ll learn, they’ll understand how you talk, what you have different people doing, how you write, so that when they show your history of an actual conversation in a request that they send you — that level of sophistication is not uncommon anymore, so we need to be more vigilant than ever and really notice nuances in requests.
It’s often difficult to recognize when criminals obtain your credentials, so you have to be wary of all pop‑ups, emails that request sensitive information. For example, the most recent attempt I experienced looked like it came from Microsoft Outlook. I received a message stating that I needed to fill out a certain document with my information. When I hit the phishing alert, IP security confirmed it was actually malware attempting to pick up my credentials. But, again, at first glance, it looked legitimate.
This is — this is why I can’t emphasize enough the importance to train your team. At McGraw‑Hill, we’ve set up false alarm phishing emails to train and test our people to detect the prevalent fraud attacks. IP security sends out fictitious phishing emails that mimic a few different kinds of false senders. For example, some look like they’re from me, other executives. Some might appear to come from vendors. We need our employees to recognize all the possible angles a criminal may take. Then we watch to see how our employees react, where our possible breakdowns are, and how we can enhance the security. You really can’t strengthen your security effectively unless you know and have insight into where its weakness is. Our false alarm emails are an effective tool for assessing that. The threats are changing, so it takes — sometimes takes extra effort to make sure that the procedures account for them all.
(The new account risk: Your employees slide)
Brian Richter: I think what we’re also seeing is the old‑school fraud, like making counterfeit checks, doesn’t work anymore. There are also so many controls at the bank side already that protect against traditional fraud methods, and we have already configured our systems to prevent against those kinds of threats. As companies, banks, and security companies get better and better at controlling fraudulent withdrawals, I think the bigger risk becomes the employees. Ultimately, your employees want to be helpful and preserve important vendor relationships. Most employees won’t want — don’t want to hesitate when they think they’re dealing with executives or customers. In an effort to be helpful, they may skirt the security measures to take shortcuts that might inadvertently open the company up to more risk. Criminals know they can use this inherent hierarchy in most companies to create a sense of urgency, and that’s when the breakdown in security procedures occurs.
We make sure to test our employees on both mobile and desktop email, so if they send these types of emails to our phishing alert center, they pass. If not, they get a red pop‑up to alert them they failed. The point is to train the employees to take a second look at emails before clicking on them. I think it’s helpful for employees to see what a phishing email might look like to notice the subtleties of it. It’s one thing to talk about it in theory, and it’s another entirely to actually see one up close and realize just how easy it is to overlook the sign that could save your company from a major fraud event. Then they begin to look at each email a little differently to catch, like I mentioned earlier, the actual letters in the email address that are reversed and the smaller details they might have missed otherwise. We can prevent a great deal of risk simply by teaching our people to take this one little step.
(Web payment application fraud slide)
Brian Richter: One last thing I’ll mention here is about the attempted fraud through Web payment applications. If a criminal manages to get access to your card information, they can make purchases online with your funds. This kind of crime is easily prevented with a good debit filter, but if you don’t have adequate filters set up, there’s a chance the money will be gone before you even notice, and you might not be able to recover it. That’s a relatively new reality, I think, but one that the companies definitely need to keep in mind when they’re considering different kinds of fraud prevention.
(A security expert’s perspective slide)
John Kolar: That’s very informative, Brian. Thanks for walking us through all of that. Now I’d like to hand it over to Kevin McCleary of the U.S. Secret Service for an insider’s perspective on cybersecurity.
(The new fraud risk: your employees slide)
Kevin McCleary: Thank you, John. I’m really pleased to be here, because the Secret Service is very focused on partnering with the private sector, organizations like McGraw‑Hill Education and Wells Fargo. We work together to share threat intelligence information and assist ongoing investigations. These partnerships are a critical part of catching major cybercriminals.
(Fighting fraud together, Partnerships offer slide)
Kevin McCleary: I often tell folks that by working with us and sharing your organization’s experiences and learnings, you’re helping us catch these criminals and could very well be stopping your next fraud attack before it even happens. I’ve been working with the Secret Service for over 18 years, with a lot of experience in electronic crimes. I helped establish the Colorado Electronic Crimes Task Force years ago, and today, the Secret Service has 40 electronic crimes task forces worldwide in operation. That just goes to show how rapidly the need for increased protection, investigation, and prosecution of these crimes has become. The ultimate goal for all of us is to reduce the losses incurred by these organized cybercrime attacks and to identify and prosecute the criminals behind them.
(Fighting fraud together, National Cyber‑Forensics slide)
Kevin McCleary: I’ve recently been detailed to the National Cyber‑Forensics & Training Alliance, the NCFTA, which is a nonprofit partnership between law enforcement and the private sector. This gives me a unique perspective on the kinds of fraud attacks the private sector is facing.
(Our top three fraud threats slide)
Kevin McCleary: The top three fraud threats the Service is seeing right now are denial of service attacks, Web application attacks, and payment card skimming. I think it’s worth running through each of these threats in a little more detail. Since they are so common, it’s important that you understand each of them and a few ways to fight them.
(Denial of service attacks slide)
Kevin McCleary: The first type of fraud I mentioned, a denial of service attack, happens when your systems, usually one or more servers, are flooded with too many requests, resulting in a denial of service message. The goal here is hurting your business operations and reputation by being offline during the downtime caused by the attack, as well as the incurred mitigation costs. I’ll talk about some comprehensive security measures that might mitigate the threat of denial of service attacks in just a moment, but this is certainly one of the more difficult attacks to prevent.
It’s important to monitor your traffic capacity and make a plan for unusual spikes in the number of requests to your servers, especially if you know that denial of service to, say, your email server will severely interrupt your company’s workflow or services. If your business does experience a disruption to service, an unusually slow network, the inability to access a particular website, or a noticeable increase in the amount of spam you receive, it’s important to reach out to your technical service professionals or Internet service provider to ensure that you are not being targeted in a denial of service attack.
(Web application attacks, Network security is compromised slide)
Kevin McCleary: Next, a Web application attack occurs when a hacker compromises the security of a network and accesses or alters the data it contains. Many cybercriminals use these Web attacks as a way into the network so that they can drop malware, steal data, or learn more about the organizations if they plan to commit CEO fraud. An — an example of CEO fraud is when the criminal spoofs the CEO’s email account, then sends an email to someone in accounts payable with instructions to wire fraud — funds, and we’ve heard a couple examples of that already today. Usually, Web application attacks occur through either SQL injection, where a cybercriminal mimics a user to create or destroy database entries, or through cross‑site scripting, when a hacker co‑opts your website to run malicious code.
(Web application attacks, Web application firewall slide)
Kevin McCleary: There are quite a few things your company can do to protect against these types of attacks. I’d recommend looking into a Web application firewall to protect your data if your buzz — if your business doesn’t already have one. I’d also add that it’s important to make sure that your Web application firewall offers comprehensive protection for all levels of your system. Another security measure you can implement, depending on how you’re hosting your content management system, is some sort of virtual patching. It’s a way to proactively strengthen the security vulnerabilities in common content management software.
And one last thing I’ll say on the note of Web application attacks. You can often present cyber — prevent cybercriminals simply by blocking their IP addresses. Because they are often deploying many attacks at once, you can pretty easily block their IP addresses using software with a built‑in IP add — address reputation database. If their IP has been reported elsewhere, you’ll be able to block it from targeting your system too. Domains that are less than a few hours old or have a history of abuse will be flagged.
(Payment card skimming slide)
Kevin McCleary: And, finally, there’s payment skimming — card skimming. You’ve probably heard of it already, but it continues to be a simple way for criminals to quickly obtain cash. Card skimming is most commonly done using a device made by criminals that is placed on credit card readers at fuel pumps and ATMs to capture credit card data. They often use cameras or PIN pad overlays to capture PINs as well. They can then sell these numbers online, make counterfeit cards with the data, or make online purchases. Even though fraud is generally becoming more sophisticated, skimming is still popular because it tends to be a high‑yield crime with a relatively low risk of being caught, so don’t forget the value of keeping a close watch over your cards and where you use them.
(These three types of fraud threats add up slide)
Kevin McCleary: These three types of incidents — denial of service attacks, Web application attacks, and payment card skimming — make up 88% of the security incidents reported within the financial service industry, and 94% of the fraud perpetrators are identified as external cybercriminals, so not internal actors within your company. Not surprisingly, I would say it all comes down to money. Almost all these crimes are financially motivated. Even Web application attacks, for instance, can be lucrative for criminals if they’re able to resell user data or other sensitive information.
(Growing new threat: Attacks from anywhere slide)
Kevin McCleary: Another significant fraud trend that’s been growing over the last few years is the monetization of cybercrime itself. Before, if you wanted to commit fraud, you generally had to have some level of technical skill to develop the software, but now highly technical criminals are writing complex malware and exploit kits to sell online in criminal forums, which means that the barrier for entry to cybercrime has been lowered. Now just about anybody can write a botnet and deploy malware to launch a phishing attack. For companies and organizations, shifts like this just mean that attacks are more likely and can come from anywhere.
(What to watch for, Phishing slide)
Kevin McCleary: With all this in mind, if I were going to advise organizations on what to watch out for, I’d definitely start with phishing. It’s one of the most basic and prevalent forms of fraud, but it’s so common still because it works. Time and time again, studies show people will click on those links. Educating employees is important, because it can be an effective way to fight this. And going back to the story I shared earlier regarding the company whose payroll data was released due to a phishing attack, just because you think you’ve trained your staff doesn’t always mean the steps are being followed. This really needs to be an ongoing conversation and area of focus.
(What to watch for, Phishing, Links that do not match slide)
Kevin McCleary: Phishing emails tend to have a lot in common, so make sure your employees know what to look for — links that do not match the Web address when you hover over them, a sense of urgency, requests to verify personal information or credentials, incorrect spelling or grammar, or a generic greeting. These are just a few examples of what to watch out for. Train your staff never to click links in emails or pop‑ups, download unexpected attachments, or give personal information over email. Also, if you don’t already have a spam filter in place for your company’s email, that’s an easy way to prevent phishing emails from ever reaching your inbox.
(What to watch for, Phishing, Recent uptick in ransomware slide)
Kevin McCleary: Ransomware is also growing. Ransomware, if you’re not familiar already, prevents the victim from accessing data by encrypting files and demanding a ransom in exchange for decryption. Ninety‑seven percent of ransomware and 80% of malware is delivered in a link or attachment in a phishing email, so, once again, you can see the importance of addressing phishing with your staff. This threat is more concerning to consumer industries that may not have as many security measures as the financial industry. Keeping adequate backup copies of data segregated from your network can safeguard against ransomware.
And, of course, there’s business email compromise, also called imposter fraud. That seems to be holding steady. Phishing is relevant here again, because it can often lead to business email compromise. Cybercriminals can compromise an email account to contact their phishing targets. This is what we call low‑tech fraud, and the best way to fight it is also low tech — simply implementing strict internal controls and policies. All it takes is one person to fall for a fraud scheme before the security of an entire company is compromised. That’s one of the reasons businesses really need to take a hard look at their internal controls and ensure that they have adequate defenses in place.
Now, the last thing I’ll mention is supporting a point both John and Brian made earlier, and that’s the fact that cybercriminals are becoming more sophisticated. A good thing to remember is that as fraud detection and prevention services evolve, so do fraud methods. For example, now criminal organizations will use counter‑antivirus software to make sure that their malware is effective and won’t be detected by the antivirus software companies that are out there now, so you’ve got to stay up to date. In many successful attacks, we find that operating system software is not up to date. Patching your software will add a higher level of protection.
(Know your company’s critical needs slide)
Kevin McCleary: I’d also say what security looks like at your business may differ from another organization. When you’re thinking about how to better protect your organization from fraud attacks, it’s helpful to identify your critical needs. For example, if your whole company relies on the ability to communicate with — with customers over email, a disruption to your email server might have a profound impact, or if your customer database contains the company’s most sensitive information, double down on your protection against Web application attacks first. In other words, make sure you’re thoughtfully integrating your security measures in a way that reflects your priorities.
The same goes for response planning. While your business may never fall victim to a fraud attack, you must plan for it as if it is going to happen. Have an actionable plan, and make your response procedures known to your employees. You will be much more able to mitigate harm and contain an intrusion if you already have developed a plan for addressing it. If nothing else, make sure your leadership and employees are aware of who has responsibility over various aspects of your information and recovering it, who to contact to report a breach of security, how you will notify law enforcement, and, finally, how to preserve data related to the breach.
(Audience poll slide)
John Kolar: Thanks so much, Kevin. This seems like a good opportunity to check in with our audience for a brief poll. What type of fraud poses the great — greatest concern for your company: imposter fraud, or business email compromise; account takeover fraud; malware; social engineering; or I don’t know? Please select the answer most applicable for your organization.
(Poll results slide)
John Kolar: All right. It looks like imposter fraud, or BEC, is the leading concern among our group today, and rightfully so, as this is such a growing trend amongst fraudsters. We’ll be covering more details around this topic as we move forward.
(Strategies for safeguarding your company, How McGraw‑Hill Education slide)
John Kolar: Brian, can you give us some more insight into how you’re approaching fraud prevention from a practical, day‑to‑day standpoint within your organization?
Brian Richter: Sure thing, John. I think it’s clear that fraud protection should be a priority for all of us. I’ll share a few more strategies we’re implementing at McGraw‑Hill Education to help minimize our risk.
(Strategies for safeguarding your company, Educate and empower employees slide)
Brian Richter: First of all, I echo Kevin in stressing how important it is to educate, train, and empower your employees, especially those in treasury and accounts payable. I fully believe that employees can be either your biggest risk or your greatest security asset. I’ll go back to an incident I mentioned earlier from just this past year in a case study on where we’re seeing vendors’ invoices being compromised. The fraudster team settlement instructions on an invoice into — attempted to submit the accounts payable for payment. The invoice in question was not only faxed to us but also emailed from what appeared to be the correct correspondent address, with the correct contact information. This is no shot‑in‑the‑dark fraud attempt. This was a calculated, well‑thought‑out attack with multiple layers of fraud. As you can see, it takes very vigilant employees to prevent these kinds of breaches.
What does teaching prevention look like? I know this was mentioned previously, but I can’t stress enough how helpful it’s been incorporating regular phishing email drills and to make sure our entire company is educated and alert. We are really teaching our people to take a second look. I explained to my accounts payable team that fraudsters might spend many months planning an attack. They’ll spend the time it takes to understand the company’s weaknesses. For instance, maybe they’ll request only an address change or nothing else for three to four months, just to see if you’ll actually update the address. If you don’t, they’ll try again, and they’ll wait for a statement to come a few months later. Maybe they’ll change the payment type from ACH to a check, and they’ll take note of how long that change takes to take place and whether or not it’s changed at all. I tell my team it’s not always a sudden attack at process you might have to expect. This is the kind of nuanced information that I think really helps employees understand the need for fraud protection.
We’re committed to making sure our employees not only understand the policy, but the “why” behind the policy so they are quick to fully and critically assess any requests or potential fraud attempt that may come their way. As we begin to learn more about the different types of fraud we face, we create new policies to protect the company. But the new policies can also be a source of risk for a company. When you introduce a new policy, people might begin to follow it, but they often happen to — they don’t necessarily understand the process or the purpose. That’s where fraudsters gain a foothold. They are not afraid to spend time tracking the procedures and learning how they might make a change to a vendor file, so if your employees don’t understand the purpose for every step, they won’t be able to understand possible risks and then notice when security needs to be updated.
If the culture isn’t open and welcoming towards these kinds of questions, employees are more susceptible to fraud. Employees need to be free from the fear of being seen as holding things up. In a business environment, it often champions speed and efficiency. This is one area where being willing to call out and ensure the process is followed should trump all else. What you want them to know is when something appears unusual or suspicious, they should feel safe in questioning and empowered to double‑check it.
(Strategies for safeguarding your company, Implement and enforce slide)
Brian Richter: Dual‑custody or two‑part authentication is also a critical part of our process, not only for outgoing payments but for internal processes also. For example, any change to a vendor file must be authenticated by at least two people. I’ve learned that these are the places fraud can slip through the cracks if we’re not vigilant. So for dual custody to really work, you need two different people on separate computers and mobile devices to complete a payment change: one person to initiate a payment and another to approve it. That way, no one person is able to initiate and approve a payment. I’ve been doing this type of work in the treasury world for over 20 years now, and I’ve seen a lot of change in that time, but by now I’d say most companies understand that [for] the order to safely move money and set up vendor files, you need to create a situation that requires at least two people. That alone will dramatically lower the risk of internal fraud.
We actually go one step further. There are, for one thing, very few people in the company to have access to vendor files to begin with. When we’re faced with imposter fraud, we’ve been able to catch it because no single person on our accounts payable team can alter a settlement instruction. Attempted changes get red‑flagged. Then we have a dedicated team that contacts the vendor directly, using historical information either from our systems or from our business units to confirm any changes to the settlement instructions. It’s critical to point out [that] the distinction here is following up using a different method other than the original request came. To make sure you’re communicating with the right person, always follow up with alternative methods on file. For example, if the change request comes from an email, follow up and confirm via phone from inside your internal systems.
When it comes to internal fraud, the biggest concern is the fact that we’re extremely automated. When your vendor files are set up and automatically processed, it can be difficult to detect if you’re experiencing internal fraud and leaking low‑value payments. Smaller — smaller amounts are much more difficult to detect, even when your internal controls require secondary approval. An insignificant change to an amount could be missed. Even seemingly insignificant amounts of money trickling out over time can have a sizable impact. That’s one of the reasons we have so many layers of approval and why we’re always working to improve them.
(Strategies for safeguarding your company, Implement vendor slide)
Brian Richter: I think a system with multiple layers of security and built‑in verification is the minimum. To add extra security, we’ve implemented vendor onboarding process controls. This includes adding a third layer of approval before onboarding a vendor, following the process every single time no matter how urgent the payment request may be, and, lastly, requiring a special piece of information from the vendor to authenticate the ID. Even though this will add time to your current process, I think it’s worth it, and it gives — what we stand to lose is far too much as a victim of fraud. At the increasing rates of complexity that we’re seeing fraud attempts, I think vendors are becoming accustomed to the more verification, and when added steps [are] for everyone’s protection and bottom line, we found the process to be a non‑issue.
We’re taking the time to educate our vendors, also, about the way fraud attempts can affect them. We’ve notified customers about our internal procedures so that they know what to expect from us if they request to make a change to their settlement information or another aspect of their file. Because vendors can also be affected by fraud attempts to the company, we’re always making sure that we’re keeping our vendors informed of the — of our security measures. To me, even though it’s a little more cumbersome, no company wants to add additional workload to their vendor — it’s well worth it. I think vendors are generally very understanding of the world we live in and [how] prevalent fraud is these days, so additional layers of security are not a major inconvenience in the long run. Yes, it adds a little bit of time to the process, but it’s worth it for the extra protection.
One thing we haven’t mentioned yet is credit card fraud. This probably affects merchant services just as much, if not more, than treasury, but I did want to bring it up because it will have a big impact if you’re not careful.
(Strategies for safeguarding your company, Protect against slide)
Brian Richter: We’ve recently updated our systems to better protect against credit card fraud. In addition, we’ve added fraud detection tools to help us identify possible fraud up front, before it even has a chance to come through. The technology is out there in a dozen different forms, but it essentially does the same thing. It allows you to see where the purchaser is located, what kind of device they’re on, and whether or not the card that they’re using has been associated with chargebacks or fraud in the past. It’s a great way to mitigate from the input side. I would recommend using or updating your current fraud detection technology to make sure it’s still up to date.
(Strategies for safeguarding your company, Engage authorities slide)
Brian Richter: We’re also committed to engaging authorities after an attempted breach. Even if it was unsuccessful, it’s important to alert the authorities so they can take the steps towards identifying and stopping the criminals. It’s important to remember that even — every bit of information that can be gathered on these fraudsters and learn the methods are the critical in the effort to shut them down. Partnering with authority amplifies everyone’s efforts to track down and prosecute these fraudsters.
(Strategies for safeguarding your company, Stay aware of slide)
Brian Richter: And, finally, I recommend that everybody joining us today stay aware of the threat landscape across industries. Go to conferences, talk to other treasurers, build relationships with your IT security team, and research the latest threats. What kind of fraud attempts have your colleagues experienced? What are the latest cybersecurity reports saying? And more importantly, how is the information impacting your company’s cybersecurity strategy? As quickly and constantly as the landscape is evolving, it’s critical for you to charge and educate yourself and your organization. Being proactive about discovering new technologies and prevalent measures will go a long way in reducing your fraud risk.
It will always pay off to stay informed. I go to different industry meetings, meet with people in different areas of finance to understand what they’re seeing in terms of fraud. I’m close to our internal IT security lead, who helps us stay abreast of the market through external consultants. There’s a great deal of information out there. Even from the news, you can find information about the world of fraud. You can learn the business and stay ahead of the new risks and really pay attention. With the world of treasury and accounts payable, there’s great opportunity to get informed and protect your business. And the good news is if you’re really training your employees to understand fraud risks, they’ll also start to tune into what’s happening outside of your company. When your employees know what to look for and [are] not just following policy, they’re going to bring you information on new types of fraud. That will really enable and educate your staff and prepare them and the company for — adequately for new fraud possibilities.
John Kolar: Thanks for that insight, Brian. It’s really helpful to hear those real‑world examples and practical approaches. Kevin, we’ve heard some great information from the customer side of things. Let’s talk a little bit more about what you’re seeing.
(What is the federal government doing about fraud? slide)
Kevin McCleary: Thanks, John. I’ll jump in here and share a little information from the other side, what the federal government is doing to reduce and prevent fraud.
(What is the federal government doing about fraud? The Secret Service is focused on: slide)
Kevin McCleary: The Secret Service is focused on identifying and targeting the top‑tier cybercriminals, who we believe are responsible for the majority of attacks against U.S. businesses and our financial infrastructure. We are also working to share threat information and resources across industries through our partnerships with the private sector. That’s why it’s so important for companies to build relationships and share information with law enforcement. Not only will it pay off should your company have a breach, but it also helps us move one step closer to arresting cybercriminals and mitigating fraud losses.
(What is the federal government doing about fraud? The Secret Service also wants slide)
Kevin McCleary: So while we’re working behind the scenes, we believe a few key actions organizations can take to protect themselves include: Really focus on educating and training your employees; establish strong internal controls, such as dual‑factor authentication; build relationships with law enforcement before you’re attacked. Law enforcement can’t identify and prosecute these criminals alone. We need the support of the private industry. Time is critical in capturing the evidence that will ultimately help us shut down these top‑tier cybercriminals. If you have a preexisting relationship with law enforcement before a cyber incident, you will also benefit from receiving information from your local federal law enforcement. They may have information that is beneficial to potential victim organizations before an attack even occurs.
Prepare a cybersecurity incident response plan in case of attack. Make sure to include your legal counsel in identifying an outside cyber incident response company so that you will be ready should your company be attacked. Cyber fraud attacks can pose difficult legal questions. Your company may be faced with decisions about how it will interact with government agencies or with affected clients in the case of loss or compromised data. It’s helpful to have time to plan through these kinds of issues before anything happens so that you can quickly and effectively manage any legal issues when you’re confronted with them.
Depending on your business size and sector, you may find it useful to consult private organizations who specialize in data breaches and other cyber crimes so that they can accurately answer any questions you might have related to your company risk and information. Other companies already have attorneys with good insight into issues such as cyber fraud. They may be sufficient to guide your legal plan. Regardless, the way you address legal issues in the face of a data breach could have lasting effects on your company, so it’s very important to address them proactively.
And, of course, you need to monitor and limit access to your network — both physical access, such as server rooms, and third‑party vendor access. If your organization sustains an attack, it’s extremely important to assess the scope and nature of the damage and, if necessary, take steps to limit the perpetrator from attacking again. This may involve removing permissions or privileges for certain users, rerouting network traffic, or isolating parts of the compromised network. If you decide to restore a backup version of data, ensure that it is not compromised as well. You can also contact a system administrator to help regain stolen data or determine the source of the activity.
(Audience poll slide)
John Kolar: Thank you so much, Brian and Kevin. Now, you offered some very helpful strategies and insight today. This brings me to our final — our final poll. What will be your top priority in the next 12 months for strengthening your cybersecurity — technology investment, employee training, policy procedures and controls, or collaborating with your cybersecurity group, chief information security officer?
(Poll results slide)
John Kolar: Employee training looks to be the most common. This is definitely one of the most critical steps in helping reduce your fraud risk and combat the threats that are out there today and in the future.
(Taking charge: How your company can fight fraud, Simple processes slide)
John Kolar: I will wrap up with a few tips — that we at Wells Fargo believe to be the most powerful tools. As you have heard throughout the presentation, it comes down to establishing and enforcing controls within your organization. Having the right processes and making the — sure the strategies are designed to best protect your organization’s priorities and critical functions are key.
(Taking charge: How your company can fight fraud, Establish internal controls slide)
John Kolar: Right off the bat, you need to create and require internal controls, such as dual custody for payments, vendor onboarding, updates, or remittance changes. As we’ve discussed — as we’ve already discussed, this is a simple step and well worth the extra effort and added process.
(Taking charge: How your company can fight fraud, Empower employees slide)
John Kolar: Empowering employees in an open‑door communications policy — you must have a culture where employees can feel comfortable questioning emails or payment requests or anything else that seems to be suspicious or out of the ordinary. I cannot stress this enough.
(Taking charge: How your company can fight fraud, Treat mobile devices slide)
John Kolar: Here’s a simple one, but very relevant in the age of never being without a smartphone. Treat your mobile device like a PC. There are equally — they are equally vulnerable for — to fraud attempts such as BEC or malware.
(Taking charge: How your company can fight fraud, Implement employee slide)
John Kolar: Brian and Kevin have already touched on this at length, so I’ll just state this is — that it’s important to implement employee training programs to identify and prevent imposter fraud, phishing and so forth.
(Taking charge: How your company can fight fraud, Monitor your accounts slide)
John Kolar: Monitoring your accounts daily, simply one of the best tactics for identifying unauthorized or fraudulent payments. Don’t forget — don’t get caught off‑guard after months of fraudulent payments have already slipped into the wrong hands, having to dig to figure out what happened.
(Taking charge: How your company can fight fraud, Keep your company slide)
John Kolar: Keep your company software and operating systems up to date. Outdated software creates vulnerabilities that criminal — criminals can try to exploit.
(Taking charge: How your company can fight fraud, Keep your personal slide)
John Kolar: This may seem very obvious, but you — you would be surprised how often it happens. Be sure to keep your personal and business credentials separate, and make sure there aren’t — they aren’t written on a Post‑it underneath your keyboard.
(Your greatest defense? slide)
John Kolar: However, the single most important thing a company can do to educate and empower employees is to be aware. Think of them as your frontline defense against fraud. If you have a team that’s trained, empowered, and ready to own their — own their roles in helping prevent fraud attacks, you’re going to get great reduced — greatly reduced risks.
(If you suspect fraud slide)
John Kolar: I’d like to remind everyone that if you spot an unauthorized transaction or unusual activity, immediately contact your dedicated client service officer or call 1‑800‑AT‑WELLS. If you’d like more information for fighting cyber fraud, I invite you to visit our fraud section on the Treasury Insights website by clicking the gray — gray icon at the bottom of your screen, or contact your — your treasury management representative.
Again, before we move on to the questions, you — if you attended this webinar online today for 50 minutes or longer, you’re eligible to earn 1.2 CTP credits from the Association for Financial Professionals and 1 CPE credit from the National Association of State Boards of — of Accountancy. You’ll receive your confirmation attendance certifications in the link we apply in the email, in two business days.
And with those final instructions, Tiffany, I’d like to open it up for questions.
Tiffany: At this time, I would like to remind everyone if you would like to ask a question, please press star, then the number 1 on your telephone keypad. Again, that is *1. We’ll pause for a moment to compile the Q&A roster. Your first question comes from the line of Linda.
John Kolar: Hi, Linda.
Linda: Oh, I’m sorry. That was an accident.
Tiffany: Thank you. The next question comes from the line of Emily. Emily, your line is open.
Emily: Yes. That was confirmation for the CPE?
John Kolar: I’m sorry, say that again?
Emily: Was I instructed us to hit *1 for confirmation for the CPE?
John Kolar: No, you’ll get a confirmation for attending certificate with the — you’ll receive an email with the confirmation of attending, which will also include the — the replay of the event, and you’ll get that in a couple business days.
Emily: OK. Thank you.
Tiffany: Your next question comes from the line of Tony.
Tony: Yes. I had a question regarding — can you define what you mean by require a special piece of information, such as authentication ID? We send out a generic vendor profile form, and there’s nothing on there that has a specific ID number, so what would you suggest?
John Kolar: Brian, if you’d — go ahead.
Brian Richter: Yeah, I was going to say I’ll take this one. There’s a couple things you can ask for, right? You can ask for a zip code if it’s not on your invoice. If your invoice gets picked up and taken and — and altered, then you need to have a piece of information that only your vendor would know. It may be the contract team that they had to work with, the name of the person that actually assigned them their information, but it just needs to be something that can give you some additional comfort.
Typically, the best way really is to either reach out to the business unit person that requested the vendor setup or the person that requested the work to be done and have them contact directly the vendor the way they set up them originally, OK, because you don’t want to use the email. You don’t want to use the paper document anymore, and you should, within your AP system, have maintained historical data. The one thing I will caution about, though, is, like we were discussing, they’ll take months, so they may change the address, they may change a phone number only and [leave] it for months to see if it gets updated. So you’ve got to be very cautious with what data you actually contact them at. Hopefully that was helpful.
Tony: OK. Yes. Thank you.
John Kolar: All right, Tiffany, we will take one more question, and then we have to wrap it up for today.
Tiffany: OK. And your final question comes from the line of Nancy.
Nancy: Yes. Hi. What are you seeing in terms of doxware instead of ransomware, and how do you effectively prevent against it? And then just one quick question, like when you say work with law enforcement, do you mean on the local level or on the federal level?
John Kolar: This is John. I’ll say both, both the local and federal level. The scan piece of it, I don’t know if, Kevin, you have any insight to that one.
Kevin McCleary: So the — the doxing with the — the — the telephone? So is that what you’re referring to?
Nancy: No. I was just reading online on new — instead of ransomware, there’s something new called doxware, where instead of locking up your computer so that you can’t access the data and you have to pay a ransom, they essentially take all your information and put it on the black Web, the dark Web, and sell it.
Kevin McCleary: Oh, as far as like a — a ransom you to — to make a payment in order to get your information off?
John Kolar: It —
Nancy: No. They just basically take it and take what’s useful, is my understanding. I — I’m just learning about this, so I’m just wondering what you guys know about it.
Kevin McCleary: Well, the same way to protect yourself against any sort of intrusion would — hold firm for that. You know, the phishing, the having up‑to‑date software on your personal computer, having the patches all, you know, up to date, not clicking on those links. Those are — those are the sort of things that will protect you. One — one of the things that I always like to — to tell people is — is we all have to practice good cyber hygiene, you know, at home and at work. You don’t have to make your system impenetrable as if you’re, you know — the — the federal government. You just have to make it harder than your neighbor’s to get into. These people are relentless.
Brian Richter: Yeah, and, Kevin — Kevin, to add to that, right, data is going to be stolen. That’s just a reality of today’s world, and what — what you need to do is you need to be in close contact with your IT security, because they’re going to know what data was lost. It may be thousands of emails they have to go through, but there’s technology out there that can pick up specific words, you know, Social Security Numbers or what looks like them, and once you find out what’s taken, there’s many places you can go to figure out what the steps are that you need to take to protect either your customers, your employees or — or your vendors.
John Kolar: All right. Thanks for that, and thanks again, everyone, for joining. I think that wraps it up for today.