Cyber Security and Fraud Prevention
Detective Constable Sam Kinkaid, PSNI
Maggie Hunter, RBS
March 2018
Welcome
• Risks – Cyber Security / Fraud
• Common threats
• Case Studies – what we are seeing in Northern Ireland
• Social media risks
• Help and Support
• Questions
• Takeaways
Key Message
The majority of cybercrime is preventable by taking simple steps to secure your systems and information.
Data Security
• WHAT do I have that is worth protecting?
• WHERE is your information held?
• WHO do I want to protect it from?
• HOW is your information protected?
• WHO has access to your information?
• WHAT are the risks and consequences of a data breach?
2017 Cyber Security Breaches Survey
Just under 46% of businesses surveyed identified at least one breach or attack last year. Of those:
• 72% reported staff receiving fraudulent emails
• 33% reported viruses / malware
• 27% reported people impersonating the company
• 17% reported Ransomware
Reflective of cyber incidents experienced by NI businesses.
Criminal Office
Email attacks
• Identifying the most effective phishing ‘hooks’ to get the highest click-through rate – run as a business
• Enclosing genuine logos and other identifying information of legitimate organisations in the message
• Providing a mixture of legitimate and malicious hyperlinks to websites in the message – e.g. including authentic links to the privacy policy and TOS of a genuine organisation
• An increasing use of compromised ‘genuine’ accounts as the source of phishing emails as a means of bypassing mail filters and previous guidance
Case Study – Account Compromise
Emails
• Search your personal / work email addresses at www.haveibeenpwned.com
• Will reveal any data breach involving your email address and what other data may have been compromised.
Email Passwords
• If I can compromise your email account I have the means to attack / reset any account you have linked to it.
• The advice you probably use was created in 2003 by Bill Burr – US National Institute of Standards and Technology (NIST) – he apologised in 2017.
• Current advice is to use 3 random words together with any other requirement, e.g. number, special character, to create a strong, separate password for your email.
Case Study – Malware
Case Study – Ransomware
• Infects a system as a malicious email attachment or through a remote desktop vulnerability
• Runs quietly in the background encrypting files with common extensions, e.g. .jpg, .xls, .docx
• New variants will spread from the infected machine throughout the network
• Will encrypt any backup found accessible from the network
Protect against Ransomware
Remote Desktop
• Remote Desktop is an application available through the Windows Operating System.
• A useful system if the correct security settings are in place
• Recent Ransomware attacks have involved the use of remote desktop access and not email attachments – maybe a reaction to a rise in awareness
• If compromised, malware including Ransomware, keyloggers and remote access tools can be uploaded.
Remote Desktop
Ask the right questions:
• Is RDP on?
• Who set the password and how secure is it?
• Is the system protected from a brute force attack?
Passwords seen by PSNI include: Password123, Passw0rd, guest, Administrat0r, querty123
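The three questions above can be answered on a single Windows host with a read-only audit. The script below is an added example written for this page; it is not part of the PSNI/RBS presentation. It reads the Remote Desktop registry settings, checks whether port 3389 is listening, reads the local account lockout threshold from `net accounts`, and counts failed logon events (Security event ID 4625) in the last 24 hours, grouping them by source address. The 24-hour window and the failure threshold of 50 are assumed defaults chosen for illustration; run it in an elevated PowerShell session, because reading the Security log needs administrator rights.

```powershell
# Added example, not from the original presentation: audit a Windows host for
# Remote Desktop exposure and signs of password brute forcing.
function Test-RdpExposure {
    [CmdletBinding()]
    param(
        # Look back this many hours for failed logons (assumed default).
        [int]$Hours = 24,
        # Failed logon count at which brute forcing is flagged (assumed threshold).
        [int]$FailureThreshold = 50
    )

    $result = [ordered]@{}

    # Question 1: Is RDP on?  fDenyTSConnections = 0 means Remote Desktop is enabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $result.RdpEnabled = [bool]($ts -and $ts.fDenyTSConnections -eq 0)

    # Is Network Level Authentication required before a logon screen is shown?
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $result.NlaRequired = [bool]($rdpTcp -and $rdpTcp.UserAuthentication -eq 1)

    # Is the default RDP port actually listening on this host?
    $result.Port3389Listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # Question 3: protection from brute force.  A lockout threshold of "Never"
    # means unlimited password guesses are allowed.
    $netAccounts = net accounts 2>$null
    $lockoutLine = $netAccounts | Where-Object { $_ -match 'Lockout threshold' }
    $result.LockoutThreshold = if ($lockoutLine) { ($lockoutLine -split ':\s*')[1].Trim() } else { 'unknown' }

    # Failed logons (event 4625) in the window.  In the 4625 event data,
    # Properties[10] is LogonType and Properties[19] is the source IpAddress.
    $since = (Get-Date).AddHours(-$Hours)
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
    $result.FailedLogons = $failed.Count

    # Remote Desktop failures appear as logon type 10 (RemoteInteractive), or as
    # type 3 (Network) when NLA rejects the credentials before the session starts.
    $result.RemoteFailedLogons = @($failed | Where-Object { $_.Properties[10].Value -in 3, 10 }).Count

    # Top five source addresses behind the failures.
    $result.TopSources = @($failed |
        ForEach-Object { $_.Properties[19].Value } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { "$($_.Name) ($($_.Count))" })

    $result.BruteForceSuspected = ($result.FailedLogons -ge $FailureThreshold)
    [pscustomobject]$result
}

Test-RdpExposure | Format-List
```

A host where `RdpEnabled` and `Port3389Listening` are true, `NlaRequired` is false and `LockoutThreshold` is `Never` is exactly the configuration the case studies describe: anyone who can reach the port can guess passwords indefinitely. Where Remote Desktop is genuinely needed, the settings to change are the ones the script reports: require NLA, set a lockout threshold, and restrict who can reach port 3389 (for example, VPN only rather than exposed to the internet).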
Case Study – Network intrusion
• System compromised and username / passwords obtained
• Suspect gains remote access to network
• Corporate information or access to financial transactions obtained
• Internal and External risks
Fraud Risk - Social Engineering
Noun (In the context of information security): ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’ Oxford Living Dictionaries, 2016
Social Engineering
• Vishing: Contact is made by telephone. The caller will purport to be from your bank, the police or a fraud agency (amongst others). Purpose is to get you to reveal information they need.
• Phishing: Contact is made by email. Sender impersonates well known companies or a colleague / friend. Purpose is to get you to click on a link or open an attachment.
• Smishing: Contact is made by text message. Sender impersonates well known companies – often banks. May refer to suspicious activity on an account. Purpose is to get you to click on a link or phone a telephone number.
• Malware: Malicious software such as Trojans or viruses. Downloaded from phishing emails, illegal websites, ad banners. Financial malware sits quietly in the background until you access a UK online banking service.
Case Study - Vishing
• Call received into the accounts team
• Caller claimed she was from the bank’s Money Laundering Team and was investigating an incoming payment
• Some information provided by caller
• Caller said all payments were frozen
• Requested information from the client to ‘unfreeze’ the account
Preventing Vishing
• Immediately terminate a call where you have been asked to provide online banking credentials or other personal information
• Do not feel pressurised
• Verify who the caller is and why they are calling
• If unsure, do not reveal any information
• Call the bank as soon as possible
• Independently find a number to use
• Where possible, use a different phone line
We will NEVER ask a customer to:
• disclose their online banking log-on details, including Smartcard codes
• transfer money to another bank account to protect them from fraud
• enter a card PIN into their telephone keypad
• hand over plastic cards or cash to protect them from fraud
Case Studies - Call Spoofing and Remote Control
Please note – these are genuine products that are being abused by criminals.
Case Study – Remote Access
• Victim received a phone call from a person claiming to represent their broadband service provider.
• During a 2 ½ hour phone call, the victim provided details to the caller and access to her computer via a remote access tool.
• Victim made 1 online banking transaction to the suspect; however, a further 3 transfers were made without their knowledge during the call.
• Loss £19,000
• Also – over payment / reimbursement
Note – Internet providers will not cold call customers.
Case Study - Phishing (Email Spoofing – Bogus Boss)
1. Criminals spoofed an email address, so that the message looked as if it had come from an executive within the company
2. An urgent request was made to an employee to make a payment
3. Request timed to make it difficult to verify the instruction – Out of Office?
Case Study - Invoice Redirection
• Beware of fraudsters posing as a supplier or creditor who tells you that the company’s bank details have changed
• If you receive a request to make a new payment or to change bank details:
  – contact the supplier or creditor independently to validate
  – avoid using contact details contained within the request
  – confirm with your supplier or creditor that the payment has been received
Case Study - Smishing
• SMS sender code manipulated so that messages appear to come genuinely from your bank
• A sense of urgency… ‘Fraud on account’
• Contain an embedded link or a telephone number to call
Social Media Risk
Bespoke Solutions
Secure your device It takes just 2 minutes to protect yourself online
Help and Support
• Ulster Bank: Security Centre
• Take Five: takefive-stopfraud.org.uk
• Get Safe Online: getsafeonline.org.uk
• Cyber Aware: cyberaware.gov.uk
• Bank Safe Online: banksafeonline.org.uk
• PSNI: Portal
• Action Fraud: actionfraud.police.uk
• Financial Fraud Action UK: financialfraudaction.org.uk
• @CyberProtectUK
• #PSNICyberProtect
Advice
www.ncsc.gov.uk/smallbusiness
Bankline’s Golden Security Rules
• We will never ask for your full PIN & password online: only 3 random digits from each are needed to log in
• We will never ask for your PIN & password or any smartcard codes over the telephone: beware of imposters
• We will never ask for smartcard codes to log in: these codes are used to authorise payments
• We recommend you download Trusteer Rapport – free security software from ulsterbank.ie/rapport
Takeaways
• Discuss threats and advice with five others
• Think about the Case Studies – would you or your staff know how to respond safely?
• Don’t wait for the call, email, text or malware to arrive – plan now
• Print off the Business advice and place it within your Business or Office
Recommend
More recommend