Simple Training for Information Security and Payment Fraud
1 like197 views
The document discusses payment fraud risks and protections. It summarizes a survey finding that 74% of organizations were victims of payment fraud in 2016. Checks and wire transfers are most commonly targeted. Business email compromise scams targeting wire transfers are on the rise. The document provides 7 tips for protection, including employing dual control for transactions and monitoring accounts daily.
Simple Training for Information Security and Payment Fraud
- 1. Information Security – Payment Fraud Risks and Simple Protections
- 2. Agenda 1 • Introduction • Common Scams and Frauds • 7 Tips to Protect Yourself & Your Organization • Quiz • Questions
- 3. Introduction 2 • Financial scams and fraud is rampant in the United States (and worldwide). • According to the Federal Trade Commission (primarily consumer-focused): • More than 3,000,000 complaints/reports were filed in 2016. • For the 1st time, “imposter” scams surpassed identity theft in the number of complaints. • Out of the 1.3 million fraud reports we got in 2016, people reported paying $744 million to scammers – with a median payment of $450. • Most business-related financial scams and/or fraud is not reported.
- 4. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 3 • 74% of organizations were victims of payment fraud in 2016 (the largest share on record) – “suggests that fraudsters are continuing to succeed in their attempts to attack organizations’ payment systems.” • Size matters. Larger companies (based on revenue) with more accounts are more likely to have been subject to fraud (see graphic). • Checks continue to be the payment method most often targeted. 75% of organizations were victims of fraud attempts/attacks (increase from 71% in 2016)
- 5. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 4
- 6. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 5 • Wire transfers were the 2nd most-often targeted payment method; 46% reported this type of fraud. • Wire transfer fraud: • 2016 – 46% • 2015 – 48% • 2014 – 27% • 2013 – 14% • Finance professionals are increasingly dealing with business email compromise (BEC) scams; the main target for BEC scams are wire transfers.
- 7. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 6
- 8. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 7 • The rise in wire fraud appears to coincide directly with the rise in BEC scams. • Fraud via corporate/commercial credit cards accounted for the 3rd largest share of fraud – 32% • ACH debits accounted for the 4th largest share – 30% • ACH credits accounted for the 5th largest share – 11%
- 9. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 8
- 10. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 9 Other interesting information
- 11. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 10 Other interesting information
- 12. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 11 Other interesting information
- 13. 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey 12 Other interesting information
- 14. Business Email Compromise (BEC) 13 • Since 2014, there has been a sharp uptick in BEC scams. • “The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” – 2016 FBI alert • The FBI alert also indicates that BEC scams are increasing, evolving, and targeting businesses regardless of size or geographic location (all 50 states and 79 countries). • Losses have increased exponentially since January, 2015. • 74% of finance professionals report that their organizations were victims of BEC in 2016.
- 15. Business Email Compromise (BEC) 14
- 16. Business Email Compromise (BEC) 15 • The most common method of fraud through BEC is via wire transfers (60%). • 81% of organizations have either implemented or are in the process of implementing controls to guard against BEC. • 12% of organizations are considering controls implementation.
- 17. Business Email Compromise (BEC) 16
- 18. ACH Fraud 17 • 80% of organizations report that the number of ACH fraud attempts is unchanged from 2015 to 2016; 13% report a rise, and 7% report a decrease. • 16% of larger organizations reported financial losses because of ACH fraud. • Primary reasons cited for ACH fraud include: • ACH return not timely (33%) • Gaps in online security controls/criminal account takeover (29%) • Did not use ACH debit locks or ACH credit filters (24%)
- 19. ACH Fraud 18
- 20. 7 Tips to Protect Yourself & Your Organization 19 #1 Three Cs (for protecting against Business Email Compromise or “BEC”) 1. Compare email addresses; pay special attention to deceptive characters, incorrect punctuation, and misspelling. • kwill@truecompany.com vs. kvvill@truecompany.com • darcy@truecompany.com vs. darcy@true.company.com • darcy@truecompany.com vs. darcy@truecomany.com 2. Check the language; misspelled words, misused grammar, and unusual language. "I need this done today but I'm at the doctor's office. You can reach me through email." 3. Call to confirm; Emailing the client to confirm their request is futile, if you are already communicating with a suspect. *Don’t use a phone number from suspicious email correspondence. Obtain the client’s phone number from a verified source.
- 21. 7 Tips to Protect Yourself & Your Organization 20 #2 Use a Dedicated Computer for Banking 1. The “banking” computer should be used for no other purpose; no checking email, no Internet browsing, etc. 2. Ask IT to restrict the “banking” computer network connections to only those systems that are required for operation. 3. Ask IT to “harden” the “banking” computer; this means disabling unnecessary services, restricting privileged access, regular password changes, etc. 4. Consider using a non-Windows system for the “banking” computer. The American Bankers Association (ABA) first made this recommendation in 2010, and it is still valid today.
- 22. 7 Tips to Protect Yourself & Your Organization 21 #3 Be Wary of Communications You Don’t Initiate 1. Never give sensitive information to a caller who called you; sensitive information should only be given on calls that you made using known phone numbers. 2. Never give access (to your computer, to your email, to an application, etc.) to a caller who called you. 3. Validate emails that ask for financial transactions or access to something sensitive. Validate by calling (see Tip #2).
- 23. 7 Tips to Protect Yourself & Your Organization 22 #4 Employ Dual Control 1. Consider dual control on all financial transactions (or transactions that exceed certain dollar amounts). 2. Consider dual control on all changes to payment accounts; or where money goes. 3. Consider dual control on all payment account setups. 4. Consider where other sensitive (or critical) processes may require dual control. Dual control does not only apply to financial transactions, it can also be used for other critical processes. Traditionally, dual control is a system where two people have to sign a check, or validate a transaction, or have keys to a safe, etc.
- 24. 7 Tips to Protect Yourself & Your Organization 23 #6 Monitor and Balance Financial Accounts Daily Daily monitoring will not stop fraud and will not identify all fraud; however, it will help identify signs of fraud. If regular payments are made to certain vendors or customers, use trends in payment history over long periods of time (if feasible). #7 Conduct Employee Background Checks Background checks should be conducted on all personnel; however, this is especially important for personnel working with financial systems. Background checks should be conducted at time of hire and periodically thereafter.
- 25. 7 Tips to Protect Yourself & Your Organization 24 BONUS – Report Events & Incidents Immediately Report any unusual activity to information security personnel immediately. Things that are out of the ordinary may be an indication of something more serious. If you have fallen for a phishing attack or suspect that you may be a victim of an attack, report the event(s) to information security personnel immediately. We should always operate with a heightened sense of awareness. Reports events and incidents right away.
- 26. Quiz 25 1. The number of financial fraud victims is decreasing (True/False). 2. Most financial fraud happens because of a compromised mobile device (True/False). 3. When I visit the ATM to withdraw cash, I am using strong authentication (True/False). 4. The percentage of organizations experiencing wire transfer fraud has more than tripled since 2014 (True/False). 5. The three Cs will go a long way in protecting against Business Email Compromise (BEC) (True/False).
- 27. Quiz 26 6. Actual financial loss resulting from financial fraud can exceed $2,000,000 for an organization (True/False). 7. ACH debit locks or ACH credit filters are controls that can help protect against financial fraud (True/False). 8. Using a dedicated computer for online financial transactions will reduce the risk of an online attack. (True/False). 9. Financial fraud should be reported to the FBI immediately. (True/False). 10. A heightened sense of awareness is often our best defense. (True/False).
- 28. Information Security – Payment Risks and Simple Protections 27 The contents for this presentation were written and/or compiled by FRSecure. For more information about FRSecure or how FRSecure helps 100s of organizations with their information security challenges (fixing the broken industry), please visit https://frsecure.com. Contact us with any/all questions, comments, or concerns. Reference: 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey – underwritten by J.P. Morgan; https://www.afponline.org/publications-data-tools/reports/survey-research-economic-data/Details/payments-fraud-2016