Fraud Prevention

Information

The information provided is intended to help clients protect themselves from cyberfraud. It does not provide a comprehensive list of all types of cyberfraud activities or identify all types of cybersecurity best practices. The client company or organization is responsible for determining how to best protect against cyberfraud activities and for selecting the cybersecurity best practices that are most appropriate to its needs.

Business Email Compromise

 

The percentage of organizations experiencing business e-mail compromise (BEC) rose from 64% in 2015 to 77% in 2017. BEC fraud attempts continue to drive the majority of losses, with 54% targeting wire transfers. BEC is a sophisticated fraud scheme in which criminal organizations use social engineering techniques to trick employees of companies into divulging sensitive company information or making payments based on fraudulent instructions, using one of the following methods:

 

  • Fraudsters compromise an employee’s email account (including Office 365 accounts) at a victim company; often referred to as email account takeover or hacking.
  • Fraudsters send a spoofed or masked email containing a forged email header that hides the true origination of a message; often referred to as spoofing or masking.
  • Fraudsters purchase or register a domain closely resembling the legitimate company’s, then set up a related email account to target the victim company; often referred to as lookalike domains.
  • Trending scenarios include:
    • Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
    • Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
    • Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
    • Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
    • School Construction: Criminals search the websites of public schools, colleges, and universities that promote their construction projects, then use that information to pose as the contractor or construction company and divert the funds to the scammer’s accounts.

 

Using these various methods makes BEC emails far harder to detect, so information can be requested or fraudulent instructions provided without looking suspicious. Best practices to help prevent business email compromise include: train employees on suspicious email trends, configure mail controls so that all emails from outside the firm are marked as external, and enable email authentication controls such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance).
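As an added illustration of how the controls named above and the lookalike-domain method from the list work together on the receiving side (example code written for this page, not from the original), the following evaluates a DMARC policy against a message's SPF and DKIM results and checks whether a sender domain is one character away from one of the firm's own domains. The organizational-domain logic is deliberately simplified, and all records, domains and messages are constructed.

```python
# Added example (not code from the original page): a minimal inbound-mail triage
# applying DMARC alignment of SPF/DKIM results against the visible From: domain,
# plus lookalike-domain detection. All records and domains below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a dict."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    # Defaults from RFC 7489: policy 'none', relaxed alignment for SPF and DKIM.
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"),
            "adkim": tags.get("adkim", "r")}

def org_domain(domain):
    # Simplification: take the last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_verdict(header_from, spf_pass, spf_domain, dkim_pass, dkim_domain, policy):
    """Return 'pass', or the disposition the domain owner requested (none/quarantine/reject)."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain, trusted_domains, max_distance=1):
    """Return the trusted domain a foreign sender domain imitates, or None."""
    sender = sender_domain.lower()
    for trusted in trusted_domains:
        if sender != trusted and edit_distance(sender, trusted) <= max_distance:
            return trusted
    return None

if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; aspf=s; adkim=r")  # constructed record
    # Constructed message: SPF passed for a subdomain (fails strict alignment), DKIM signed by example.com.
    print(dmarc_verdict("example.com", True, "mail.example.com", True, "example.com", policy))  # pass
    print(lookalike_of("exmple.com", ["example.com"]))  # the one-character-short sender from the text
```

A message that fails DMARC under a `p=reject` policy should be rejected or quarantined before it reaches the employee, while a lookalike hit is a signal worth surfacing in the external-mail banner.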

 

RESOURCES:

  • At work, contact your organization’s Cyber Investigation Team by submitting an Investigative Support form and providing as much information as possible related to the event.
  • Other Resources (within US and Europe)
    • For phishing, spoofing, or scams using fake email, text messages, or copycat websites to try to steal your identity or personal information, submit a complaint to the Internet Crime Complaint Center (IC3).
    • For investment fraud or scams related to offers using fake claims to get someone to invest, contact the Securities and Exchange Commission or the Financial Industry Regulatory Authority (FINRA) or your state's securities regulator.
    • For travel and international finance scams contact the US Department of State.
    • The European Cybercrime Centre (EC3) can be used by European citizens to obtain information and report cybercrime.

 

Data Loss Prevention

 

Data loss prevention (DLP) is a solution or process that identifies confidential data, tracks that data as it moves through and out of the enterprise, and prevents unauthorized disclosure, so that sensitive data is not lost, misused, or accessed by unauthorized users. Because confidential data can reside in many places (physical servers, virtual servers, databases, file servers, PCs, flash drives and mobile devices) and move through many network access points (wireless, VPNs, etc.), there are many ways for internal and external parties to lose, misuse, or access it. Concerns are growing about corporate espionage, cybersecurity data breaches, ransomware attacks, and many other issues. If your firm is not protected, the repercussions can cause serious damage to you and your clients. Consider a data loss prevention solution:

 

  • Do your research on solutions that work best for your firm. Prioritize, classify, and understand the data you are trying to protect.
  • Make sure that your DLP solution is in line with DLP standards, laws, and regulations in the locations where you do business.
  • Common areas covered in a DLP solution:
    • Removable media (USB drives, CDs, etc.)
    • Personal email, social media, internet storage sites, and other website restrictions
    • Intrusion detection systems
    • Email safeguards (email spoofing, external mail servers, attachment review)
    • Continual user awareness training
  • Double check that all messages and attachments are appropriate for the intended recipients prior to sending.
  • Encrypt confidential data both in transit and at rest.
  • Do not send or forward any emails containing company information to your personal email account.
  • Do not use your organization-issued laptop for unapproved activity such as Facebook, Pinterest, Craigslist, gambling and dating sites, etc.
  • Do not use services or devices that are not company owned, leased, or authorized (for example, a USB drive or Dropbox) to store, process, or transmit non-public organization-specific data.
  • Do not work with organizational data on a personal computer that is not connected to your company’s network, even for business purposes.
  • Do not send any personal data (tax documents, social security number, login credentials, etc.) externally, including to your personal email.

 

 

RESOURCES:

  • At work, check the applicable laws related to cyber breaches and find the appropriate channel to report your data breach as soon as possible.

 

Social Engineering

 

Social Engineering is a method of manipulating people into divulging sensitive information or eliciting an action that breaks normal procedures. Phishing is a form of social engineering delivered via email with the intent of manipulating the target audience into completing an action or providing sensitive information.

Vishing is a form of social engineering conducted over the telephone that seeks to obtain sensitive personal and/or organization-specific information. The scammer can impersonate a customer, employee, executive, or organization in an attempt to fool the victim into thinking he or she is trustworthy. In one scenario, a client received a call from someone pretending to be an employee of that company. The caller asked for login credentials in order to conduct “test” payments. The client provided the credentials for two users without questioning or validating the caller, and payments were created and released. Prevention tips include:

 

  • Always validate and authenticate who you are talking to
  • Never give out passwords or secure information on the phone

 

 

RESOURCES:

  • At work, contact your organization’s Cyber Investigation Team by submitting an Investigative Support form and providing as much information as possible related to the event.
  • At home:
    • Block the caller's number.
    • Notify the company being impersonated (if applicable).
  • Other Resources (within US and Europe)
    • In the US, you can submit a complaint about phishing, spoofing, malware, or scams using fake email, text messages, or copycat websites to try to steal your identity or personal information to the Internet Crime Complaint Center (IC3). For investment fraud or scams related to offers using fake claims to get someone to invest, you can contact the Securities and Exchange Commission, the Financial Industry Regulatory Authority (FINRA), or your state's securities regulator.
    • In the US, contact the Federal Trade Commission for identity theft issues.
    • In the US, contact the US Department of State for travel and international finance scams.
    • The European Cybercrime Centre (EC3) can be used by European citizens to obtain information and report cybercrime.

 

Email Spoofing

 

Email Spoofing is a method of trying to collect sensitive information from people via email by impersonating a trustworthy source. Attackers impersonate a familiar source in an attempt to gain information about the victim or their known affiliates. In one scenario, a client’s email account was hacked and fraudsters used the intelligence and email history they obtained to build spoofed emails. The client then received an email that appeared to be from one of their vendors providing fraudulent payment instructions, and acted on it without validating or authenticating the request. In a related scenario, criminals created a similar email account that appeared to be the authentic address of the CEO. The email address used was missing just one letter or character, and the sender used urgent language to trick the targeted individual into sending a large payment. Fraud prevention tips include:

 

  • Never share your password with anyone
  • Never click on unsolicited and suspicious emails and links
  • Do not respond to requests for sharing personal and organizational information
  • Immediately report suspicious emails, calls, texts via your organization’s protocols

 

 

RESOURCES:

  • At work, contact your organization’s Cyber Investigation Team by submitting an Investigative Support form and providing as much information as possible related to the event.
  • At home:
    • Block the caller's number.
    • Notify the company being impersonated (if applicable).
  • Other Resources (within US and Europe)
    • In the US, you can submit a complaint about phishing, spoofing, malware, or scams using fake email, text messages, or copycat websites to try to steal your identity or personal information to the Internet Crime Complaint Center (IC3). For investment fraud or scams related to offers using fake claims to get someone to invest, you can contact the Securities and Exchange Commission, the Financial Industry Regulatory Authority (FINRA), or your state's securities regulator.
    • In the US, contact the Federal Trade Commission for identity theft issues.
    • In the US, contact the US Department of State for travel and international finance scams.
    • The European Cybercrime Centre (EC3) can be used by European citizens to obtain information and report cybercrime.

 

Malware

 

Malware is software that is hostile or intrusive and aims to steal, manipulate or corrupt data. Once it is in place, the cyber-criminal may use it to monitor user habits, collect credentials and data, and modify or create payments. Common types of malware include:

  • Virus: malware capable of copying itself and spreading to other computers to steal information or harm host computers, typically by attaching itself to various programs.
  • Spyware: malware that typically spreads by bundling itself with legitimate software and spies on a user’s activity without their knowledge.
  • Trojan horse: malware downloaded to the user’s computer, typically disguised as a normal file, which can then steal data, modify files, and monitor user activity.
  • Ransomware: malware that locks down a user’s system until a ransom is paid, typically arriving through a downloaded file or a vulnerability in a network service.

The scheme entails a cyber-criminal delivering financial malware onto a network, computer, or device. Delivery often occurs through infected documents sent via email, but can also occur through web traffic. In one scenario, a client was redirected to a fake login page that looked very similar to their internet banking site and, after multiple failed login attempts, was prompted to ask a colleague to also log in on the same machine. Fraudsters were ultimately able to capture both sets of login credentials and to create and release payments. The risks of malware include: cyber criminals using the captured information to initiate unauthorized payments; cyber criminals using other information harvested via financial malware (credentials, etc.) to pivot into a variety of other fraud schemes; and cyber criminals causing a disruption of business (e.g. denial of service).
Use of e-mail to deliver financial malware continues to be a dominant attack method; 1 in 412 emails contained malware in 2017. Practices to help prevent malware:

 

  • Block access to suspicious websites
  • Scan email attachments upon message receipt
  • Disable the automatic running of macros when opening Microsoft Excel files
  • Ensure all software and firmware is patched and updated
  • Ensure antivirus is updated and performs regular scans
  • Regularly back up and secure data
  • Flag all external emails
  • Consider restricting where possible the ability to send and receive external emails
  • Be especially vigilant during holiday and vacation periods as cyber criminals are known to attack when you may have staffing shortages

 

RESOURCES:

  • At work, contact your organization’s Cyber Investigation Team by submitting an Investigative Support form and providing as much information as possible related to the event.
  • At home:
    • Block the caller's number.
    • Notify the company being impersonated (if applicable).
  • Other Resources (within US and Europe)
    • In the US, the Internet Crime Complaint Center (IC3) can be used to report malware.
    • The European Cybercrime Centre (EC3) can be used by European citizens to obtain information and report cybercrime.