Presentation on theme: "Who is Phishing in Your Company Hole? Michael Loox, CFI Head of Loss Prevention The Coffee Bean & Tea Leaf."— Presentation transcript:
Who is Phishing in Your Company Hole? Michael Loox, CFI Head of Loss Prevention The Coffee Bean & Tea Leaf
The Road To The Coffee Bean
The Coffee Bean & Tea Leaf 2 nd largest US retail specialty coffee & tea brand 933 stores in 28 countries, 15 states & Washington D.C. – largest footprint in emerging markets $518 M system-wide sales Serving over 150 million customers annually 12,000+ global team members Successful Omni-channel strategy 58 franchise relationships Regional Offices in Singapore and Malaysia 50 Years Old- Born and Brewed in So. Cal since 1963
1.United States 2.Singapore 3.Malaysia 4.Israel 5.Korea 6.Brunei 7.Indonesia 8.UAE 9.China 10. Philippines 11. Kuwait 12. Saudi Arabia 13. Sri Lanka 14. Bahrain
Current United States Markets Seattle Tacoma Airport (1 location) New Jersey, Garden State Mall: (2 locations)
Bahrain: (3 locations) Brunei (8 locations) Cambodia: (2 locations) Shanghai, China: (30 locations) Egypt: (17 locations) India: (26 locations) Indonesia: (68 locations) Israel: (2 locations) South Korea (221 locations) Iraqi Kurdistan: (1 location) Kuwait: (15 locations) Lebanon: (3 locations) Malaysia: (59 locations) Company & Franchised Singapore: (51 locations) Company Owned Mexico: (8 locations) Oman: (2 locations) Philippines: (53 locations) Qatar: (7 locations) Saudi Arabia: (11 locations) Thailand: (10 locations) Turkey: (1 location) Sri Lanka: (3 locations) UAE: (0 locations) Vietnam: (12 locations) United States: (311 locations: Company & Franchised ) Germany: (1 location) Mongolia: (1 location) Current Worldwide Markets Worldwide Store Count: 933 Jordan: (1 location)
What is Phishing? “A kind of social engineering attack in which criminals use spoofed s to trick people into disclosing sensitive information (business or personal) or installing malware on their personal or employers computers or servers.” Attack targets users not systems Attacks circumvent your organizations security measures It does not matter how many firewalls, encryption software, and two factor authentication mechanisms you have, if the person behind the keyboard falls for a phish In a 2003 IT security survey, 90% of office workers gave researchers their password in answer to a survey question for a cheap pen. Similar surveys obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords Spam is unsolicited junk which may contain a “phish”.
Origins & Evolution of Phishing Derivative of “Phreaks”- 1990’s term for Hackers First mention -January 2, 1996 in Usenet newsgroup Response to AOL preventing use of algorithmically created credit card numbers to open accounts Phisher posed as AOL staff member via or IM requesting passwords and other personal info Hijacked accounts used for spamming and fraud Response- “No one working for AOL will ask for your password or billing information”
Types and Variants of The Phish Spear Phishing- a targeted communication to employees or members of an organization. s are customized for appeal with public information available on web sites and ask for recipient to click on a link or open a zip file Whaling- is a spear phish used against high level targets such as a CEO, politician, officers in the armed forces or other “Big Phish” Vishing- callers state from “tech support”, your bank, or have you call a number to get business and credit information Smishing- same scam through text messages and IM
Phishing Season 2012 Within the last year over 37 million unique users subjected to phishing attack – up 87% Over 102,100 internet users are subject to attack each day 12% of all Phishing Attacks were launched via spam mailings. 88% came from links to web pages Over 20% of all phishing attacks mimicked a bank or other financial institution Phishing losses estimated at $1.5 billion in 2012 Major Cyber-threat to businesses
Anatomy of a Phish Every Phishing attack is built upon emotional and visual triggers with commonly added human motivators and emotion. 1.Rightful Rewards: tax refunds and prizes 2.Greed: Unwarranted lottery winnings and 419-type scams 3.False Accusations: Tax Fraud, Customer complaint, FCC, etc. 4.Curiosity: “Look who searched for you on Google” 5.Right the Wrong: Fake order confirmation from known online merchants or shopping sites citing alleged purchases made 6.Trust: Fake s from banks, service providers, or business associates/professional networks
Phish Tells Spelling and Bad Grammar- spellcheck???? Embedded links: https://www.scamuez.exehttps://www.scamuez.exe.exe files are known to launch malware Threats: “Your account will be closed” Spoofing popular websites/companies You did not initiate contact Any request for confidential or sensitive information or requesting names
Identifying the Phish What a phishing might look like?
Species of Phish
You have received a complaint in regards to your business services. The complaint was filled by Mr./Mrs. Ahmed FRIGOLA on 07/22/2013/ Case Number: Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this . Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties. The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS. The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options Council of IRS, Inc. All Rights Reserved. Zip file attached to launch malicious software
Appears to be from Coffee Bean account Malicious Zip file attachment
Put an End to Phishing Season Phishing may be used as one step in a targeted attack against your company or its employees. Corporate Espionage from competitors; foreign and domestic Theft of money from the company accounts Theft of money from employee accounts Theft of customer information Identity theft Theft of national security secrets
10 Tips for Phishing Prevention 1.Never give out personal, financial or other sensitive information to anyone who requests 2.Be suspicious of requesting sensitive information 3.Don’t click on links embedded in an 4.Enter a fake password when prompted; legitimate website will not accept fake 5.Don’t fill out forms asking for sensitive information. Use secure website only.
The other 5…….. 6.Keep your browser and operating systems up to date 7.Regularly verify all charges on credit card and bank statements 8.Always use updated antivirus and firewall software 9.When in doubt, check authenticity 10. Notify and the internetwww.ftc.org crime complaint center ifwww.ic3.gov you think you are a victim to an attack
Phishing Forecast for 2013 Phishing Via Mobile- directly attacking smartphone users Phishing Via Apps- attacking through installation of malicious apps Phishing Via Social Media- in 2010 social media attacks comprised of 8.3% of total, by end of 2011 it was 84.5% Have strong IT and Computer Usage Policy!
False Billing & Phone Scams False Billing- targets businesses by telephone, mail, and fax. The scammer will supply you with an invoice for products or services you have not ordered or received hoping it will be paid on receipt with no investigation. Mid to large businesses are targeted hoping smaller invoices are processed for payment without review Many false billing scams begin with telephone call to get key names and contacts and details about company Information helps scammer create invoice including names, account numbers for services ordinarily used.
Variations of Billing & Phone Scams Advertising & Directory Listing (Yellow Pages renewal) Billing for unauthorized listing or ad (print or web) Proposal disguised as agreement or invoice You think you are responding to free offer or renewal Use of existing company names & logo to look real Fax Back Scams Unsolicited fax offering great deals and discounts on products, services, trips High cost of fax reply buried in print or not listed. Premium fax rates can cost up to $10 / minute.
Scams continued…….. Office Supplies or Mystery Supplies Scam Invoice for supplies never ordered, never received or were not what you thought them to be Recent scammer cleared $700K sending invoices to companies for fluorescent light bulbs never received Send unordered supplies at inflated rates or low quality supplies. This is usually preceded with a fax to confirm order. Employee signs and sends back This is used a proof of order to collect payment
Demand for Payment Receive letter demanding payment for products or services never received or an unverifiable debt Official letterhead (agency, attorney, debt collector) A case number is assigned to alleged debt Written as if it were a court case Request comes from 3 rd party who has taken over debt or claims to be pursuing debt on behalf Threats of further interest and penalties Pay by this date or else……..
Demand for Payment
The Health Dept. is Calling..... Receive call from “State Health Dept.” or DOA Inform restaurant of complaint and visit today Will attempt to persuade employee to provide personal and/or credit information for ID theft and fraud Variation- will ask employee to enter a five digit verification code to confirm appointment in a subsequent call. This allows scammer to set up a fraudulent Craigslist or an online auction house account verified to your restaurant phone number. Variation- other scammers claim to be IT techs or from the bank requesting credit card info as system is “down”
Point of Sale Scams Confuses cashier during transaction Use of social engineering like a Phish Asks for change of $20 and leaves with $30 Have policy on making change; double count, don’t be rushed Counterfeit Money Best line of protection- UV machine or cash verification tower $5.00 bills washed, print $100’s Review security features on all bills $20 and above.
Credit Card / Gift Card Fraud Never hand key any credit card transaction, especially for sale of gift cards. Get swipe and signature for any transaction over your designated threshold ($25.00?) Remove remaining balances from all gift cards linked to a charge back transaction Establish credit card acceptance policy including a loss prevention training element Identify areas or groups of stores with highest % of fraud to develop a targeted response. Do not transfer balances from one gift card to another
No Scams Here…… Employee Training – Create eTraining platform (embedded) – Micro-games – Provide Internet access resources – New hire awareness module – Specific cash and credit card procedures Establish Company Hotlines for verification – Documented procedures and protocols with real time access to assist in decision making process – Ops / LP / IT / Acct. contact during business hours – When in doubt- Just say “No” and call supervisor
Integrate For Success Develop and lead a multi-departmental partnership to combat fraud and scams across all levels of your company or organization Provide awareness and response directives for each department or “impact” area Work directly with A/P to ensure; – Invoices are verified by department – Purchasing guidelines were followed – There is a new vendor approval process – Suspicious invoices are reviewed, create checklist – Systems in place to prevent duplicate invoices
If you have been scammed… Notify appropriate law enforcement agencies Send alert to other departments or restaurants to prevent/minimize other losses Alert your Loss Prevention/Security peers if applicable and/or approved by your company Review scam to determine areas in need of retraining or possible internal dishonesty