FRAUD! Business Perspective – May 2020
During the pandemic, we’ve seen incredible heroism from health care workers and first responders. And amazing generosity from so many individuals and companies helping provide food, shelter and resources for those in need. It’s heart-warming. We hope this increased empathy and looking out for each other … will be the longest lasting change in America from Covid-19.
Sadly, even during a crisis, there are a few who seek to cheat and steal. FRAUD continues. With all of us distracted, and many employees working remotely, risks can increase.
The following reviews Fraud Trends and Cybersecurity Threats. We hope you find it useful. Please feel free to contact your Lakeside Banker for more information or if we can answer questions. We would also be pleased to arrange on-line presentations to your staff.
The most important warning we can offer: Stay Vigilant! Fraud can be stopped with AWARENESS, CAREFUL COMMUNICATION, and the right PROCEDURES & TOOLS.
Transactional Activities: Let’s start with the basics; some things don’t change! Check Fraud remains the largest category by far. Wire, credit / debit card and ACH fraud then follow. Containment recommendations are consistent with the next section and conclude this review.
There are three main threat targets; all require access. If we don’t let them in, they can’t get in!
Business Email Compromise (“BEC”). There are multiple versions of this scam. Some are listed below. All rely on tricking someone into providing the email address of a senior official or other key personnel within your firm. The hacker then sends out fake emails directing an urgent wire transfer of funds. Or an email may introduce and authorize an outside ‘attorney’ or other supplier, who will then call.
The hacker’s email address is always the key; the email address will be modified slightly. “Spoofing” it’s called and it can be hard to spot. The answer is to slow down, examine unusual requests carefully and ask for another pair of eyes to review requests, too. Scrutinize rush demands that look unusual. Variations include:
- The Supplier Swindle
- Business Executive Scam
- Employee Email Hack
- Payroll Information Scam
Malware & Ransomware
Once again, this requires ACCESS. And it begins simply. An employee receives an email that contains the malware. “Spear Phishing” it’s called. All heck will break loose if the innocent- or seductive-looking attachment accompanying the email is opened! If it is, the malware is installed.
- That gives the attacker entry to critical systems and data.
- The attacker locks and restricts access.
- Ransom is demanded.
- Threats to delete records may follow to add urgency.
Specific to the banking industry, malware can alter a bank’s website and trick clients into calling an illegitimate number. The thief then obtains critical information. (Generously called “social engineering”.) This allows funds to be drained from a client’s account and transferred overseas. Various on-line attacks may then follow to distract and delay investigation.
How to protect yourself from Transactional or Cyberthreat Fraud – Strengthen Security Protocols
- It always starts with Awareness! All financial staff should be trained & reminded about information security, financial scams and operational protocol to protect your organization. As part of this, enhance financial controls to verify the source of any email or phone-based movement request via an alternate communication channel. Be especially careful if the funding account is new.
- COMMUNICATE! Inform your bank relationship manager and IT security staff immediately. It may also be appropriate to contact US law enforcement agencies as well as business email accounts. These attacks require sunshine to be properly disinfected.
- Put ACH & Check blocks, filters and Positive Pay in place.
- Dual controls for ACH and wire transactions are highly recommended and typically required by your financial institution.
- Enhanced authentication. Strengthen this area through mechanisms like ‘tokens’ to initiate payment through your bank’s provided online portal, to access bank accounts and even business email.
- Protect workstations and home computers. Inadvertently ‘installed’ malware is a serious threat. Consider a financial malware endpoint protection tool alongside traditional scanning utilities. You might also dedicate a secure computer for banking.
Again, please contact your Lakeside Banker to discuss how we may be of help.
Additional resources that may help include:
- Department of Homeland Security Voluntary Program. www.us-cert.gov/ccubedvp
- Federal Bureau of Investigation Cyber Division. www.fbi.gov/investigate/cyber
- Department of Homeland Security Cyber Security Awareness Campaign. www.stopthinkconnect.org
- Federal Trade Commission Privacy and Security Site. https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy-security
- Global Cyber Alliance. www.globalcyberalliance.org
- National Council of Information Sharing and Analysis Centers. www.nationalisacs.org