Presentation on theme: "Corporate Account Takeover Presented by : Jim Vogt, CFE, CTP."— Presentation transcript:
Corporate Account Takeover Presented by : Jim Vogt, CFE, CTP
The Definition of Fraud Seven Specific Parts of Fraud A representation… about a material point… which is false… and intentionally or recklessly so… which is believed… and acted upon by the victim… to the victim’s damage. 2
MULTIPLE THREATS Fraud threats exist both inside and outside your organization It’s not a question of “if” but WHEN your organization will be threatened or impacted by one of these many threats
EXTERNAL THREATS Primary external threat is payments fraud – Check Fraud – ACH/Wire fraud, etc. Seventy-one percent of organizations experienced attempted or actual payments fraud in 2010. 93% of these companies were victims of check fraud. – ACH debits – 25 percent Other external threats – Corporate Account Takeover – Corporate Identity Theft 2011 AFP Payments Fraud and Control Survey
In the News… N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss European Cyber-Gangs Target Small U.S. Firms, Group Says e-Banking Bandits Stole $465,000 From Calif. Escrow Firm La. firm sues [bank] after losing thousands in online bank fraud Cyber attackers empty business accounts in minutes Zeus hackers could steal corporate secrets too TEXAS FIRM BLAMES BANK FOR $50,000 CYBER HEIST Computer Crooks Steal $100,000 from Ill. Town FBI Investigating Theft of $500,000 from NY School District Zeus Botnet Thriving Despite Arrests in the US, UK -News headlines from The New York Times, The Washington Post, Computer World, and Krebs on Security 6
Examples… …company fell prey to fraud after hackers were able to break into the company's network, steal bank credentials and send 26 consecutive wire transfers out of the country, totaling $465,000. …construction company, had its corporate bank account raided over a six-day period by cyber thieves who were able to move over $588,000 to dozens of money mules throughout the country. 7
Other Examples of Losses $700,000 school district $1.2 million Texas company $100,000 electronics testing firm 8
What is Corporate Account Takeover? Cyber criminals target the financial accounts of owners and employees of small and medium sized businesses Creates significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts Often these funds are not recovered 9
Corporate Account Takeover First identified in 2006 Millions of dollars are lost every year Has morphed in terms of the types of companies targeted and the technologies and techniques employed by cyber criminals Initially targeted large corporations, they now target municipalities, smaller businesses, and non-profit organizations. 10
What is Corporate Account Takeover? Purpose: Gain access to financial accounts How: cyber criminals target employees – often senior executives or accounting and HR personnel - and business partners and cause the targeted individual to spread malicious software (or "malware") Malware steals their personal information and log-in credentials. Once the account is compromised, the cyber criminal is able to electronically steal money from business accounts. 11
How is it Done? 13 1.Target victims by way of phishing, spear phishing or social engineering techniques. 2.Victims unknowingly install malware on their computers, often including key logging and screen shot capabilities. 3.The victims visit their online banking website and logon per the standard process. 4.The malware collects and transmits data back to the criminals through a back door connection. 5.The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account. Joint Fraud Advisory for Businesses - U.S. Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS ‐ ISAC).
“Phishing” for Victims Mass emails Pop-up messages Social networking or internet career sites Use these various methods to: – Ask for personal or account information – Entice employee to click on a malicious link or attachment Even “vishing” – Soliciting victims over the phone of VoIP
Other Tricks Cyber criminals use various methods, both technological and non-technological to install malware – Email attachments – Fake friend requests on a social networking site – Legitimate, but compromised, website 15
More Tricks To get employees to open email messages and/or attachments or click on links, cyber criminals will: Disguise the email to look as though it’s from a legitimate business. – Usually a scare tactic is used to entice the employee to open the email and/or provide account information. Examples include: UPS (e.g., “There has been a problem with your shipment.”) Financial institutions (e.g., “There is a problem with your banking account.”) Better Business Bureaus (e.g., “A complaint has been filed against you.”) Court systems (e.g., “You have been served a subpoena.”) Make the email appear to provide information regarding current events: – Natural disasters – Major sporting events – Celebrity news Use email addresses or other credentials stolen from company websites or victims, such as relatives, co-workers, friends, or executives to design an email to look like it is from a trusted source 16
The Mission… Get the malware installed. This allows the fraudster to “see” and track employee's activities across the business’ internal network and on the Internet The main target: visits to the financial institution and use of online banking credentials used to access accounts (account information, log in, and passwords). 17
Moving the Money To make the transaction appear legitimate, wire transfers or ACH credits are sent to the accounts of one or multiple money mules throughout the U.S Mules then withdraw the money and send it to criminal associates, usually overseas in countries like Ukraine, Russia and Moldova.
Money Mules Consumers lured into fake work-at-home scams, in which their employment involves receiving money and then forwarding the funds, usually to Eastern Europe. All you have to do is respond to the ad on Monster.com or other legitimate sites and: send a résumé with some personal information They, in turn, ask you to set up a checking account that soon starts filling with cash. You take the money to Western Union and wire it to your new employer, keeping 5% and 10% for yourself. Easy money, right? Except that it's illegal money laundering, called "money muleing" by the security industry.
Mule Recruitment-- email Location: USA Status: Opened Employee Type: Part-Time Employee Company: Broad Capital Company, Inc. Duties of the Service Representatives include holding and supporting a local business used for payments processing between the company and the clients, managing cash flows, creating reports, providing support to the clients. Every office of the company starts from the local Service Representative cooperation, so the position is very prospective. Requirements: Advanced user ability to operate computer and to use Internet and e-mail. An existing bank account opened on personal or business name Basic skills in managing payments and money transfers. Ability to schedule working hours effectively. Availability of spare time (3-4 hours per day). Legal age.
Mule Recruitment (cont’d) Payment: basic salary $2500 monthly plus payments turnover bonus. Benefits: Flexible work schedule. Possibility to combine the job with primary employment. Free training course. How to apply: To apply, please reply back with your contact details. Phone number, contact name and attach any copy of your document with photo. Please reply ONLY to our e-mail: firstname.lastname@example.org_recruit@yahoo.com
“Poof” Money is quickly gone and often not recovered 22
Other Variations Use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks Impersonate the customer over the phone to arrange funds transfers Mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account Gain customer lists and/or proprietary information - often through the spread of malware - that can also cause indirect losses and reputational damage to a business 24
BEST PRACTICES Educate your employees Exercise extreme caution when confronted with any request to divulge account information or banking access credentials Never open file attachments or click on web links if you are unsure of the source Be wary of pop-up messages Teach and require best practices for IT security
BEST PRACTICES Enhance the security of computers and networks – Install a dedicated, actively managed firewall – Create strong passwords (at least 10 characters) and update them several times per year – Install commercial anti-virus and spyware detection programs on all computer systems – Run regular scans for viruses, spyware, and malware – Ensure virus protection and other security software are updated regularly – Pay attention to warnings (viruses, etc.) – Note any changes in computer performance
BEST PRACTICES Reconcile all bank transactions (including checking online for electronic transfers) on a daily basis Enhance corporate banking processes and protocols – Multi-factor authentication – Dual control/authorization – Access controls – Watch for suspicious or out-of-pattern activity – Immediately report any transactions in your accounts that you question
BEST PRACTICES (cont.) Never leave a computer unattended while using any online banking or investing service Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc.
What is Business Identity Theft? Business identity theft (or corporate or commercial identity theft) is a relatively new development in the criminal enterprise of identity theft. In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers to purchase: – commercial electronics – home improvement materials – gift cards, and other items that can be bought and exchanged for cash or sold with relative ease. 30