Cyber and Fraud: Prevention is better than cure
Kent County Council Schools Finance Information Group
Gill Pegrum, October 2018
This presentation aims to help minimise the impact of fraud on your business. However, relying on the information in this presentation, although it may help to reduce the risk of fraud, will not eliminate it, nor does it guarantee that fraud will not occur.
The content of this document is classified as PUBLIC
Welcome – today we will discuss the following topics:
• Threat Landscape
• Social Engineering
• Online Banking Security
• Bogus Boss Fraud
• Invoice re-direct fraud
• Help & Support
• Questions
Prevention is better than cure
“Fraud undermines the credibility of the economy, ruins businesses and causes untold distress to people of all walks of life. For too long, there has been too little understanding of the problem and too great a reluctance to take steps to tackle it.” Theresa May, 2016
Threat Landscape
Government View
‘…the scale of the threat is significant: one in three small firms, and 65% of large businesses are known to have experienced a cyber breach or attack in the past year. Of those large firms breached, a quarter were known to have been attacked at least once per month.’
‘My message today is clear: if you’re not concentrating on cyber, you are courting chaos and catering to criminals.’ Matt Hancock, former Minister for Digital and Culture, March 2017
Social Engineering
Noun (in the context of information security): ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’ Oxford Living Dictionaries, 2016
Social engineering – Vishing
Vishing: contact is made by telephone. The caller will purport to be from your bank, the police, a fraud agency or any other trusted organisation. The purpose is to get you to reveal information they need.
• Never give your full online banking details or card reader codes over the telephone, even if the caller claims to be from the bank or police
• The caller ID displayed on your phone can be easily spoofed; don’t rely on it to verify the caller
• Unexpected or suspicious call? Always verify the caller using an independently verified number
Social Engineering – Smishing
Smishing: contact is made by text message. The sender impersonates well known companies – often banks. The message may refer to suspicious activity on an account. The purpose is to get you to click on a link or phone a telephone number.
Suspicious text message? Please forward it to us at: 88355
! No UK bank will send an email or text message containing a link to their online banking service !
Social Engineering – Malware
Malware: malicious software such as Trojans or viruses. Downloaded from phishing emails, illegal websites and ad banners. Financial malware sits quietly in the background until you access a UK online banking service.
• Update software and your browser – these fix security bugs and loopholes
• Only connect devices you trust to your computer
• Anti-virus and firewall software alone is not enough
• Trusteer Rapport – provided by IBM
Social Engineering – Phishing
Phishing: contact is made by email. The sender impersonates well known companies or a colleague / friend. The purpose is to get you to click on a link or open an attachment.
! No UK bank will send an email or text message containing a link to their online banking service !
Please forward suspicious emails to us:
• phishing@natwest.com
• phishing@rbs.co.uk
• phishing@ulsterbank.com
Data breaches
• 6.5m accounts in 2012
• 167m accounts in 2016
• LinkedIn only aware when hacker tried to sell the stolen credentials
• Data included un-encrypted security questions and answers (mother’s maiden name, first school etc.)
• Five bitcoins – $2,300 USD
haveibeenpwned.com (screenshots)
Malware
Malware in action (screenshots): Fraudster’s view / Customer’s view
Malware – In summary
Log-on details captured → Fraudster creates a new payment → Request given → Smartcard challenge code intercepted → Delay experienced → Money sent
Online banking – best practices
• Restrict payments to certain countries
• Use $tR0ng p@zzwOrds that are changed regularly
• Limit payment values
• Do not allow employees to share their credentials
• Introduce dual authorisation of payments
• Regularly review user roles and profiles
• Limit access to only those who really need it
• Disable access for absent staff
• Keep log-on details safe and secure
Social engineering – What can you do?
• Your bank will never ask you to transfer funds to protect you from fraud
• Understand your bank’s process – when will they not ask for PIN and password details?
• Be cautious of requests to download screen-sharing or remote control software
• Don’t trust caller ID and if you receive a suspicious call – use an independent number to call your bank back
• Do not reply to unsolicited text messages
• Do not log on to your bank’s online service via a link in a text message
• Verify any phone numbers you have been prompted to call
• Report any suspicious contact
• Ensure websites are secure – look for the ‘https’ and a locked padlock or unbroken key symbol
• Install a firewall and up-to-date anti-virus software
• Keep your browser and other software up to date. Suppliers regularly release updates to fix security bugs
• Be aware of what you connect to your computer
• Be suspicious of unsolicited or unexpected emails, even if they appear to originate from a trusted source
• Be alert to emails sent from an internet account such as Yahoo!, Hotmail or Gmail
• Don’t click on a link unless you’re sure it is genuine and never enter sensitive information into a link from an email
• Be aware of attachments in emails – they could contain malware
Bogus boss fraud
Bogus Boss fraud
• Criminal spoofs or hacks a senior executive’s email address
• Urgent payment request is made
• Urgent language may create pressure
• Purpose is to get you to make the payment without question
Bogus Boss fraud – What can you do?
• Check for irregularities
• Consider the language used
• Always contact the sender
• Use independently sourced contact details
• Follow laid down procedures
Example email:
FROM: sajid.singh@yourcompany..com
TO: hazel.murphy@yourcompany.com
SENT: 28 September 2016 16:48
SUBJECT: Urgent payment
Hazel,
I’m stuck in a meeting and need you to make an urgent payment.
Pay new supplier £35,000, quoting reference ‘New Contract’.
Sort code: 111111, Account number: 22222222
Let me know when the payment has been processed.
Sajid.
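The following is an added example, not part of the presentation, showing how the warning signs in the bogus boss email above (an irregular sender domain, urgent language, and a payment instruction with bank details) can be checked automatically so that the request is routed to independent phone verification before anyone pays. The organisation domain, the keyword lists and the sample message typed in below are assumptions for the demonstration.

```python
# Added example (not from the presentation): flag the warning signs the slide
# lists in a bogus-boss email so the request is verified before any payment.
import re
from email import message_from_string

ORG_DOMAIN = "yourcompany.com"  # assumed organisation domain for this demo
URGENCY = ("urgent", "immediately", "asap", "stuck in a meeting")
PAYMENT = (r"sort code", r"account number", r"iban", r"£\s?\d")

def sender_flags(from_header: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the irregularities found in the From address domain."""
    m = re.search(r"<([^>]+)>", from_header)  # "Name <addr>" or a bare addr
    addr = m.group(1) if m else from_header.strip()
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != org_domain:
        flags.append(f"sender domain '{domain}' is not '{org_domain}'")
    if ".." in domain or domain.startswith(".") or domain.endswith("."):
        flags.append("malformed domain (stray dot)")
    # Same letters as the real domain once dots and hyphens are removed:
    # a typo-squat or deliberately mangled copy of the organisation domain.
    if domain != org_domain and re.sub(r"[.\-]", "", domain) == org_domain.replace(".", ""):
        flags.append("lookalike of the organisation domain")
    return flags

def assess(raw_email: str) -> dict:
    """Combine sender, language and payment checks into a verify-by-phone decision."""
    msg = message_from_string(raw_email)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    reasons = sender_flags(msg.get("From", ""))
    if any(word in text for word in URGENCY):
        reasons.append("urgent language")
    if any(re.search(p, text) for p in PAYMENT):
        reasons.append("payment instruction with bank details")
    return {"verify_by_phone": bool(reasons), "reasons": reasons}

# The slide's example message, typed in here as the demonstration input.
SAMPLE = """From: sajid.singh@yourcompany..com
To: hazel.murphy@yourcompany.com
Date: 28 September 2016 16:48
Subject: Urgent payment

Hazel,
I'm stuck in a meeting and need you to make an urgent payment.
Pay new supplier £35,000, quoting reference 'New Contract'.
Sort code: 111111, Account number: 22222222
Let me know when the payment has been processed.
Sajid.
"""
```

Calling assess(SAMPLE) returns verify_by_phone set to True with four reasons (mismatched domain, stray dot, lookalike domain, urgent language and a payment instruction), which is the cue to ring the sender on independently sourced contact details.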
Invoice re-direct fraud
Invoice re-direct fraud
• Change of bank details instruction is given – sometimes by phone
• This could be followed by a fax or e-mail ‘confirmation’
• Headed paper and genuine details within the instruction
• Purpose is to get you to change the details payments are made to
Invoice re-direct fraud – What can you do?
• Contact the supplier using an independently sourced number
• Confirm the correct details before a payment is made
• Undertake a review of recent and pipeline requests
• Speak with other employees responsible for this type of request