Financial crime: A changing landscape
Presentation to AFP Ottawa, October 21, 2015
Ed Rosenberg, VP & CSO, BMO Financial Group

Page 1: Title slide (as above)

Page 2: Agenda

• Evolution of crime
• Overview of cyber crime
• Meet the hackers / the Dark Web
• Malicious insiders
• Social engineering
• Business Email Compromise (BEC)
• Email Account Compromise (EAC)
• Ways to mitigate email compromise
• Q&A

Disclaimer: The material in this presentation provides commonly known information about fraud trends, and BMO’s observations about controls and activities. This presentation is intended to provide you and your companies with information and helpful tips, but it does not purport to be complete or provide advice or recommendations to you or your company.  You should always seek independent legal or professional advice when implementing fraud or risk initiatives.

Page 3: Meet the new face of crime

Page 4: Evolution of crime, 1970s to the present

Page 5: 1970s – when kiting had a different meaning…

Page 6: 1980s – credit card fraud increases; vigilante groups pop up

Page 7: 1990s – Violence in the Workplace enters the lexicon; Internet takes shape

Page 8: 2000s – cyber crime emerges; skimming is a problem

Page 9: 2010s – the age of the faceless criminal

“The lines separating the intents of nation-states, hacktivists and organized crime are beginning to blur...”*

*“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, p.4. PwC July 2015

Page 10: Cyber crime

Page 11: The World Wide Web of deceit

Graphic labels: Doppelgangers; Fraudulent payments

Page 12: Trends in corporate cyber crime

What the industry is seeing:
• Email takeovers
• Doppelgangers (look-alike sites)
• Targeted spear phishing attacks
• Advanced social engineering techniques
• Customer data theft & breaches
• Identity theft

Page 13: The costs of cyber crime

Chart: Average annualized cyber crime costs per incident* (chart values not present in the transcript)

Cyber crime is costly.

*Taken from 2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p 12

Page 14: Cyber crime: A closer look

Prevalence of cybercrime: 24% of companies experienced cybercrime

Increased concern: 48% – perception of cybercrime risk has increased

Indirect costs of cybercrime of greater concern – companies’ greatest concerns related to cybercrime

Financial costs of cybercrime: 3% of organizations suffered financial losses of more than US $1 million in 2014

Financial costs of cybercrime, 2014 Global (share of respondents):
  USD 5M-100M     1%
  USD 1M-5M       2%
  USD 100K-1M     4%
  USD 50K-100K    4%
  USD 1K-50K     16%
  USD 0          40%

Source: Global Economic Crime Survey, 2014, PWC, pages 5, 6, 29

Page 15: Meet the hackers – means and motives

Who: Malicious insiders; Careless employees; Other governments; Other companies; Organized crime

Why: Market advantage, corporate secrets, revenge, business disruption, cyber terrorism, hacktivism

How: Network (denial of service, network intrusions); Infrastructure – servers, desktops, mobile devices; Applications (e.g. website intrusion); Employees (spear phishing)

What: Corporate secrets, intellectual property, business plans, identity information, strategic & financial data; client information, access to accounts

Impact: Systems unavailable, regulatory sanctions, litigation, increased competition, revenue loss; increased costs, reputation loss; brand damage; loss of share

Page 16: The Dark Web: where the hackers ply their goods

• Deep Web: collection of all sites on the web that aren’t reachable by a search engine

• Tor – network developed with funding from the U.S. Navy; it uses multiple relay servers and layers of encryption to create a parallel, anonymous Internet. Tor networks are used to access the Dark Web.¹

• Dark Web: Not to be mistaken with the Deep Web, the Dark Web is a collection of websites that are publicly visible, but the IP addresses of the servers that run them are hidden.²

• It’s believed the Deep Web (which includes the Dark Web) accounts for 90% of all Internet sites.

¹ Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26
² Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web

Page 17: The cyber underworld

Connection with organized crime
• Criminal activity via the Dark Web adds additional complexity in terms of both internal and external threats -- or a combination of both
• Organized crime buys and sells credit and debit cards, customer information and other data on Dark Web forums such as the Silk Road
• Dark Web is also a repository of sites selling counterfeit prescription drugs – a huge problem for the pharmaceutical industry – as well as guns, narcotics and pornography etc.

Internal threats
• Dark Web usage often goes undetected on corporate networks, raising security risks, liability and potential litigation for companies
• Employees access TOR on company computers to:
  • Purchase illegal goods and services
  • Get around security controls
  • Establish Tor hidden services on company networks

*Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26.
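The slide above notes that Tor usage often goes undetected on corporate networks. As an added illustration (not part of the presentation or BMO's material), the script below scans constructed DNS and firewall log lines for two well-known indicators a defender can look for: lookups of reserved `.onion` names reaching the corporate resolver (a Tor-aware application leaking a lookup outside Tor), and outbound connections to Tor's default relay ports, ORPort 9001 and DirPort 9030. The log formats, host names and IP addresses are constructed for the example; the port check only catches relays on default ports, so a real deployment would also match against published relay lists.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the presentation). Two record shapes are assumed:
#   "<ts> dns client=<ip> query=<name> type=<rrtype>"
#   "<ts> fw src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = """\
2015-10-21T09:14:02Z dns client=10.20.5.17 query=intranet.example.local type=A
2015-10-21T09:14:05Z dns client=10.20.5.41 query=exampleonionhost.onion type=A
2015-10-21T09:15:11Z fw src=10.20.5.41 dst=198.51.100.23 dport=9001 action=allow
2015-10-21T09:15:40Z fw src=10.20.5.17 dst=203.0.113.8 dport=443 action=allow
2015-10-21T09:16:02Z fw src=10.20.5.88 dst=198.51.100.77 dport=9030 action=deny
2015-10-21T09:16:30Z dns client=10.20.5.88 query=mail.example.com type=MX
"""

DNS_RE = re.compile(r"\bdns client=(?P<ip>\S+) query=(?P<name>\S+)")
FW_RE = re.compile(r"\bfw src=(?P<ip>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) action=(?P<action>\w+)")

# Default Tor relay ports (ORPort 9001, DirPort 9030). Relays may listen elsewhere, so this
# catches only default configurations; it is an illustrative check, not a complete detector.
TOR_DEFAULT_PORTS = {9001, 9030}


def is_onion_name(name):
    """.onion is a reserved special-use domain (RFC 7686); a query for one reaching the
    corporate resolver means a Tor-aware application leaked the lookup outside Tor."""
    return name.lower().rstrip(".").endswith(".onion")


def scan_tor_indicators(log_text):
    """Return {source_ip: [(indicator, detail), ...]} for hosts showing Tor-related activity."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            if is_onion_name(m.group("name")):
                findings[m.group("ip")].append(("onion-dns-leak", m.group("name")))
            continue
        m = FW_RE.search(line)
        if m and int(m.group("port")) in TOR_DEFAULT_PORTS:
            # Record denied attempts too: a blocked connection still shows intent on the host.
            detail = "%s:%s (%s)" % (m.group("dst"), m.group("port"), m.group("action"))
            findings[m.group("ip")].append(("tor-default-port", detail))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in sorted(scan_tor_indicators(SAMPLE_LOGS).items()):
        for indicator, detail in hits:
            print(host, indicator, detail)
```

Hosts that appear in the result are candidates for follow-up under the company's acceptable-use policy; the `.onion` leak is the stronger signal, since legitimate traffic never produces it.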

Page 18: Malicious insiders

Page 19: Insider threats are real

• External and internal threats often share one key motive – the desire to profit from data¹

• In the underworld, customer data is Big Money -- potential $$$ payout for employees who sell company secrets²

• Insiders are capable of more harm than outside hackers – they already have access to the network

• Information theft is often an inside job; when the attacker is known, 39% say it was the result of employees³

• Employee malfeasance remains the most common driver of information theft

• Insiders that lead or join an organized crime group can be more difficult to detect than a lone insider in an organization.⁴

¹ “Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
² 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.6
³ 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.7
⁴ Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.

Page 20: Insiders and organized crime

When insiders have ties to existing organized crime groups, the risks are that much greater:

• “A motivated group of insiders can bypass normal checks and balances by reaching across departmental boundaries.

• Insiders affiliated with external organized crime groups have the resources of a large organization available to help them in their crime.

• This can include multiple insiders working for several organizations that are all part of the same criminal group.

• The impact of insiders and organized crime exceeds a normal fraud case and can cause $3M in damages on average and up to $50M in the most extreme case.”*

*Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.

Page 21: Some general employee controls

• Make fraud prevention everyone’s responsibility:
  • Enforce a workplace fraud prevention policy
  • Ensure fraud prevention controls are inherent in a process
  • Implement a Whistleblower Hotline or other communication channel
• Design controls to cover vacations and urgent emergency situations
• Be alert for behaviour cues
• Do rigorous pre-employment screening.

Page 22: Social engineering

Page 23: (no text on this slide)

Page 24: Social engineering – Meet the Social Engineer’s New Best Friends

Page 25: Social engineering… increasingly targeted

• Online profiles such as LinkedIn – a critical tool in the social engineer’s arsenal
• Targeting certain job profiles in your organization: Security Analyst, Help Desk Analyst, IT Operations – hackers are looking for Full Admin Rights
• Titles aid in determining who to target
• Info gleaned from profiles is also used to personalize spear phishing emails and hack passwords

Page 26: Spear phishing

• One of the best chances of getting access to company networks is through an email spear phishing attack
• Spear phishing is becoming increasingly sophisticated; it is hard to spot a fake
• Getting into the company’s system can also enable email account takeovers and other fraud

Encryption helps but…
• Strong encryption is a strong defense against hacking – it’s difficult to break – but it’s not foolproof
• Encryption’s weak link: social engineering

Page 27: Business Email Compromise

Page 28: Business email compromise – what it is

Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.¹

¹ This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts. Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715a-PSA.

Page 29: Business email compromise – the statistics

• The BEC scam continues to grow and targets businesses of all sizes: 270% increase in identified victims and exposed loss since January 2015
• The scam has been reported in all 50 states and in 79 countries
• Fraudulent transfers have been reported going to 72 countries, with the majority of transfers going to Asian banks (China and Hong Kong)
• The following BEC statistics were reported to the Internet Crime Complaint Center from October 2013 to August 2015:
  Combined victims (U.S. and non-U.S.): 8,179
  Combined exposed dollar loss (U.S. and non-U.S.): ~$800 million¹

¹ Exposed dollar loss includes actual and attempted loss in United States dollars. Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715a-PSA.

Page 30: Email account compromise

Email Account Compromise (EAC) is a sophisticated scam that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies and law firms.

• The EAC scam is very similar to the BEC scam except that it targets individuals rather than businesses.
• Some common examples include:
  • Financial/Brokerage Services
  • Real Estate
  • Legal

Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.

Page 31: Email account compromise – some examples

Financial/Brokerage Services
• An individual’s e-mail account is compromised. The criminal poses as the victim and sends an e-mail to the victim’s FI or brokerage firm requesting a wire transfer to an account under the control of the criminal.
• An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.

Real Estate
• A seller’s or buyer’s e-mail is compromised. The criminal intercepts transactions between the two and alters instructions for the transfer of funds.
• A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person requesting info related to property. When the realtor clicks on the link, the criminal gains access to the realtor’s e-mail and obtains client information. The criminal uses this when e-mailing the clients and attempts to change wire instructions for loan processing proceeds.

Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.

Page 32: BEC and EAC mitigation

Validate requests
• When receiving instructions by email or fax, validate!
• Implement a mandatory callback policy if you receive a request from a supplier – it might not be who you think it is…

Subscribe to alerts
• Subscribe to balance and transaction threshold alerts, such as any debits above a certain $ amount

Dual authentication
• Ask a secondary wire reviewer to approve any wire requests through online banking

Implement limits
• Re-evaluate dollar limits – existing limits may be too high
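The four controls on the slide above (validate emailed or faxed instructions by callback, alert on large debits, require a second reviewer, enforce dollar limits) can be expressed as a single release check that a treasury team applies before a wire leaves the building. The following is an added example, not code from the presentation or from BMO; the request fields, the staff names and the threshold values (a $25,000 alert threshold and a $100,000 per-wire limit) are assumptions for illustration, and every company would set its own.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class WireRequest:
    ref: str
    amount: float               # requested wire amount in dollars
    channel: str                # how the instruction arrived: "email", "fax" or "portal"
    requester: str              # staff member who entered the wire
    approvers: List[str] = field(default_factory=list)  # staff who approved it in online banking
    beneficiary_changed: bool = False   # payment details differ from the supplier record on file
    callback_verified: bool = False     # confirmed by phone on a number already on file, never one from the message


@dataclass
class WirePolicy:
    # Threshold values are assumed for the example; a company sets its own.
    callback_channels: frozenset = frozenset({"email", "fax"})
    alert_threshold: float = 25_000.0
    per_wire_limit: float = 100_000.0


def evaluate(req: WireRequest, policy: WirePolicy) -> Dict[str, object]:
    """Apply the slide's four controls to one request and return the release decision."""
    holds: List[str] = []
    alerts: List[str] = []
    # Validate requests: emailed or faxed instructions need a callback before release.
    if req.channel in policy.callback_channels and not req.callback_verified:
        holds.append("callback required: instruction arrived by %s" % req.channel)
    # Changed beneficiary details are the classic BEC tell; never accept them on the word of the message.
    if req.beneficiary_changed and not req.callback_verified:
        holds.append("beneficiary details changed: confirm with the supplier on a known number")
    # Dual authentication: a second reviewer, distinct from the requester, must approve every wire.
    if not any(a != req.requester for a in req.approvers):
        holds.append("second approver required")
    # Implement limits: anything above the per-wire limit stops regardless of approvals.
    if req.amount > policy.per_wire_limit:
        holds.append("amount %.2f exceeds per-wire limit %.2f" % (req.amount, policy.per_wire_limit))
    # Subscribe to alerts: large debits notify the account owner even when they are released.
    if req.amount >= policy.alert_threshold:
        alerts.append("debit above %.2f threshold" % policy.alert_threshold)
    return {"ref": req.ref, "decision": "HOLD" if holds else "RELEASE", "holds": holds, "alerts": alerts}


# Constructed sample requests (names and amounts are made up for the example).
SAMPLE_REQUESTS = [
    # Routine supplier payment entered through the bank portal and approved by a second person.
    WireRequest("W-1001", 4_500.0, "portal", "a.singh", approvers=["b.chen"]),
    # Emailed request with new bank details, no callback, and the requester "approving" their own wire.
    WireRequest("W-1002", 48_750.0, "email", "a.singh", approvers=["a.singh"], beneficiary_changed=True),
    # Faxed request that was called back and dual-approved, but exceeds the per-wire limit.
    WireRequest("W-1003", 150_000.0, "fax", "a.singh", approvers=["b.chen"], callback_verified=True),
]


def run_sample(policy: WirePolicy = None) -> Dict[str, Dict[str, object]]:
    """Evaluate the constructed requests and return decisions keyed by reference."""
    policy = policy or WirePolicy()
    return {r.ref: evaluate(r, policy) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for ref, result in run_sample().items():
        print(ref, result["decision"], "; ".join(result["holds"]), "; ".join(result["alerts"]))
```

The second request is the BEC pattern from the earlier slides: it fails three controls at once, and any one of them would have stopped it. The third shows why limits sit on top of approvals rather than replacing them.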

Page 33: Resources

White papers and publications

FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA and 1-082715b-PSA.

“Hacker Lexicon: What is the Dark Web?” Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/

2013/14 Global Fraud Report. Ernest E.J. Hilbert, Kroll, p. 6, 7, 39.

“Spotlight On: Malicious Insiders and Organized Crime Activity” by Chris King, Software Engineering Institute, January 2012, p.9.

“How do companies navigate bribery and corruption? 2015 Anti-Bribery and Corruption Benchmarking Report”, a collaboration between Kroll and Compliance Week, p.11.

2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p.12.

“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, PwC, July 2015, p.4.

“Economic crime is on the rise – but you can fight back.” PwC’s 2014 Global Economic Crime Survey, Canadian supplement, p.10.

“Economic crime: a threat to business processes.” PwC’s 2014 Global Economic Crime Survey, U.S. supplement.

“Touring the Deep Web” Adam Rice, in Information Security, February 2014, pp 22-26.

“Top Ten Cybersecurity Risks: How Prepared Are You for 2013?” James Michael Stewart, Global Knowledge Training LLC, 2013. www.globalknowledge.com.

“Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.

Page 34: Q&A