And now without any further delay, let’s begin today’s event. Once again, titled “Fraud: Current and Emerging Threats Facing Small Businesses.” I would like to introduce Amir Madjlessi.
Thanks so much, Christina, and good afternoon, everybody. Thank you so much for taking time out of your busy schedules for today’s presentation. You know, one of the things that I’m always motivated by is the purpose that Santander has in focusing on people and making people and businesses prosper. Now how we do that comes through in a variety of different ways.
Part of our responsibility that we take at Santander is to help businesses manage risk, grow their business, protect the cherished value that they’ve developed in their business, and to ensure that we solve business problems. And one of the emerging business problems that we see from many of the customers and prospects that we speak with is this emerging threat of fraud.
And there’s a whole variety of different fraud threats that are out in the marketplace today. They come in different forms, and they are incredibly sophisticated. And they continue to evolve, that’s the other thing that continues to be challenging.
I want to share with you a couple of different recent stats from a study that has been done by the Association of Certified Fraud Examiners. It found that the median fraud loss for U.S. companies was 108,000 dollars. That’s a lot of money for all of you that are managing your capital and your businesses so prudently, and for something that’s an unfortunate event like fraud to happen, that would be difficult for your small business to absorb. The FBI reported that losses from cyber crime topped 2.7 billion dollars in 2018. That’s a startling stat, and it continues to grow meaningfully every single year.
So what are we doing here in today’s fraud webinar? Well, we’ve got to add value, we’ve got to offer tools and advice. And so, for today, we wanted to offer common -- excuse me -- common trends and the common methods that fraudsters are employing. How can you protect yourself, right? There are some real specific and controllable ways to protect yourself. And today, I wanted to invite some of our experts within Santander.
So joining me is Tim DeRidder, the Head of Risk Management in the U.S. and for Santander Bank. And Dan Hyland is the Head of Claims, Collections and Fraud Operations at Santander. These two gentlemen wake up and go to sleep thinking about this topic, and handle interactions with our customers that are incredibly sensitive and very urgent to resolve. And they are excited about offering some advice and some opportunities for you to protect yourself, which is incredibly important.
So, with that, I want to turn it over to my partner, Tim.
Awesome. Thank you, Amir, for the introduction and for having me here. I’d like to start with a few common principles when discussing fraud that I really think could help ground our discussion today.
When we look at banking, payments, and fraud together, it really becomes an ecosystem-wide discussion. And, when one type of fraud is detected, we typically begin to see attack patterns shift. I typically use the analogy of a balloon animal to describe this shift. As you squeeze the balloon animal’s legs, the head will get bigger and vice versa. To address these shifts, banks and businesses alike are investing billions of dollars in capabilities and controls to protect their customers.
Another great example of this is the U.S.’s adoption of EMV chip security. These are the shiny chips that all of us have now on our credit and debit cards. This has effectively dried up a very lucrative form of counterfeit fraud within the industry, and forced fraudsters to shift to things like payment fraud and identity theft. While the thought is aspirational, trust me, fraudsters are not getting legitimate work after we strengthen the ecosystem.
Another shift that we’re continuing to see in the industry relates to data breaches, and the sheer number that are not slowing down. It used to be that fraudsters would attack businesses to obtain their payment information, but now it’s becoming far more rewarding to obtain personally identifiable information, PII, and sell this over the dark web. Data such as Social Security numbers, passports, medical records, loyalty accounts, all of this data is being sold for anywhere from a dollar to thousands of dollars on the dark web.
Coming full circle, though, I want to touch on authentication and identity fraud specifically. Authentication is trying to identify the person you’re speaking with, either on the phone, someone you’re seeing in person, or interacting with online. Hopefully everybody remembers the information I just mentioned about the dark web, and the information that’s being sold. The reason this data is so valuable is because companies such as yourselves are utilizing this data to authenticate who your customers are. These types of attacks are increasing 10 percent year-over-year, and generally they manifest themselves as misrepresentation. You could see falsification of documents that are presented to you, falsification of income, or even employment fraud.
All these industry trends that I mentioned are particularly impactful, because 30 percent of all the fraud cases that occur are with small businesses. And, unfortunately, it’s usually those same small businesses that have fewer controls. If there’s one thing I’ve learned in my long career in fraud, it’s that fraudsters tend to go after the path of least resistance. That’s a trend that I do foresee continuing.
All right, moving on from industry trends, I think it might be pretty helpful if we dive into some of the specific topics that might be impacting our business banking customers that are on the phone. The first topic I’d like to talk about is phishing. This is not the fishing which I enjoy in the summertime. My fellow presenters here are looking at me like I need better jokes.
Phishing is the sending of communications which appear to be legitimate or come from a legitimate source, in an attempt to gain PII or payment details. These communications try to create urgency, or threaten the recipient into clicking links or opening documents so that they can ultimately infect the victim with malware or viruses.
An example of this could be an email which appears to be from your bank informing you that your account has been blocked for suspicious activity. And, in order to remove this block, all you have to do is simply click the embedded link. Please, please, please, do not click the random links or respond to these emails.
Another specialized type of phishing is spear-phishing. This is a targeted attack that is typically aimed at high-profile customers and/or business leaders, such as CFOs, accountants, or business owners, who can control money movement. An example of this attack could be an email that you receive from what appears to be your business owner. And this email instructs you to wire funds to Iceland for the procurement of new equipment. A little suspicious.
At this point, you’re probably asking, “How do I protect myself from some of these attacks that Tim mentioned?” Some of the best tactics are very basic, such as pausing. Do not react out of urgency, do not react out of fear. Truly think about whether the communication you’ve received is legitimate. In the spear-phishing example that I mentioned above, call your business owner. Ask them if the instructions were correct. It’s better to be thanked for the phone call than to place a call to the business owner to explain how we’ve lost the funds.
Also, look at the communication itself. Poor grammar, misspelling, or any weird placement of graphics or links are definitely a giveaway. Always point to the sender field on your email and look at the URL address. If you’ve just received an email from Apple, you would not expect the URL address to be mailerDaemon@applepiefraud.uk. You would expect something that would say @apple.com.
Also, one of the taglines that we use internally at Santander quite often is “think before you click.” Links in documents are one of the number one sources of potentially harmful viruses and malware.
That’s actually a really great segue into cyber attacks. This is where the line between fraud and hacking starts to really blur. As Amir mentioned, things are becoming more and more complex, and as these fraud attacks become complex, criminals are shifting to online and mobile applications. A primary driver of this shift is the increase in investment that most businesses are making to go digital. This typically offers businesses lower upkeep costs and gives their customers easy self-service options. But, on the other hand, these channels are remote and offer fraudsters anonymity, which makes them perfect targets for fraud.
Note -- very critical here -- not all front-facing digital sites or web pages for customers are targets for criminals. A perfect example is the widely publicized Target breach that was in the news and the media. In this attack, the hackers entered Target’s digital infrastructure through their heating, cooling, and ventilation system, which was connected to their Wi-Fi system.
Another particularly nasty attack, which is continuing to increase across the ecosystem is ransomware. As its name predicts, this is typically perpetrated through phishing, where the victim clicks a link or opens the attachment. At that point, the ransomware infects the victim’s device or network. Once inside, ransomware will generally block employees’ access or hold data hostage with the threat of deletion until payment is rendered.
Now at this point, we’re going to take a quick poll question before I talk about some tips and tricks on how you can protect yourselves. And just note that the poll questions and the results will be available at the end of the presentation. I’ll give everybody about 10 seconds to complete the question, and then I’ll move right to tips and tricks. You can start now.
(10 second pause)
All right. I’m going to start shifting into tips and tricks. Now that I hopefully haven’t thoroughly scared most of you, some tips and tricks to protect your business: perform regular backups of important information. Ransomware attacks will aim to delete or hold hostage records which are vitally important. There have been news articles recently on companies infected, where their customer data has been completely deleted and lost, and it’s destroyed their businesses.
Now this next one might seem basic, so bear with me. But have anti-virus or anti-malware software installed. Make sure it’s fully updated, and perform routine sweeps. Ensure all of your critical software and operating systems are up to date. Over time, companies such as Microsoft and Apple and Google will release patches and updates to help eliminate vulnerabilities. Staying on old software makes you a target for fraud.
Secure all of your Wi-Fi networks -- we just talked about the Target breach -- and any access points that link to your firewall. Use strong passwords which are not mirrored across accounts. This one’s really tough, because on average, consumers have 13 unique passwords, and they have to remember them across websites. I’m even guilty of this one, too.
Some additional tips and tricks from the next page. If you offer POS terminals, make sure they’re secured on-site, and updated to the latest version of software. I cannot stress this next point enough. Please, please, please, invest in your employees. Train them to pause. Train them, and embed it in your culture, that if they suspect anything weird, they raise their hand and report it. See something, say something. And at any point, if you suspect potentially fraudulent activities on your Santander accounts, call your relationship manager. It’s better to be safe than sorry.
One last resource, which I’d totally be remiss if I didn’t mention it, is Santander’s Privacy and Security Hub. Our primary goal when we built this hub is to spread awareness and educate our customers on the dangers of scams and fraud. On the hub itself, we talk about what Santander does to protect our customers, what our customers can do to protect themselves, and even give an email box where you can submit potentially harmful communications: firstname.lastname@example.org. Anyone can access this resource, navigate to Santanderbank.com, head to the bottom of the page under the “Resources” header, and click on the “Privacy and Security” link. We will be updating this resource over time. Be sure to check back with that often. Remember, security is a shared responsibility.
Now, with that, I’m going to turn it over to my esteemed colleague, Dan, here, who’s going to cover and continue talking about some additional attacks, such as smishing and vishing.
Thanks, Tim, and good afternoon, everyone. So, before we move into the material, we’re going to have one more survey. And the question asks, has your business encountered a fraud attempt within the last year? Yes or no. So I’ll give you about 10 seconds to respond, and then we’ll move into the material.
(10 second pause)
Okay. Move on to the next slide. So, folks, I’m going to start out talking a little bit about smishing. And Tim spoke a little bit about phishing, which is essentially an attempt to install malware or obtain sensitive information through email. So the same rules apply here, except this is through SMS or text messaging.
So you may get a text message that says, “Is this picture really of you?” and has a link. And by clicking on that link, you would effectively install malware onto your device. Another example is, “Your Apple ID is set to expire today. Click here to update.” And, again, clicking on that link would install the malware on your device.
You know, a lot of people are familiar with phishing, and they have a high level of diligence when it comes to phishing emails. But for some reason, they don’t think the same way about their mobile phones, and we should. Mobile malware is growing rapidly, and we have very powerful computers in our pockets. Our cellphones know a lot about us, they transmit all kinds of information out if they are infected, including contacts. And fraudsters will use those contacts to try to perpetrate fraud further. So, something to be aware of.
In terms of tips for reducing smishing risk, obviously, the same way you don’t want to click on a link in an email, you want to treat any links you have in an SMS message the exact same way, particularly if it’s from an unknown number. If you see a number like 5000 or all zeros, that’s typically indicative of email-to-text services so the fraudster doesn’t have to provide a phone number.
You know, generally speaking, you don’t ever want to provide any personal information, particularly about your finances. And then, also, if you get an unusual text, even if it’s from somebody that you know, a known contact, keep in mind that it’s relatively easy for a fraudster to spoof a phone number. So, if you randomly get a text message from your second cousin asking for your driver’s license number, you should probably be suspicious. Give him a call, don’t respond.
So we’ll shift into vishing. Vishing, again, is similar to smishing and phishing, except this is voice. So this is over the phone. And this is typically utilized to gather sensitive information. My wife actually got a call about three weeks ago from someone posing as someone from the IRS, sharing with her that we had two thousand dollars in taxes that were due, and if we didn’t pay them, then we’d have law enforcement kicking down our door the following day.
All right, so luckily she’s heard my spiel enough and sees me in the back yard in a bunker with a tin foil hat, thinking about fraud all the time, so you know, she wasn’t too concerned. But, you know, there’s a lot of people that fall victim to that. And they’ll send the money out. So we want to be aware of that.
And then, also, from a business perspective, you could have someone calling and posing as someone from your IT group or your IT provider, saying that they need to change or update your log-in or password information. So those are things that we want to be cognizant of as well.
To mitigate the risk of vishing: anyone that’s calling in asking you to share log-in credentials, no legitimate organization would or should ever do that, right? Microsoft calling because they detected an issue with your computer, and they need to dial in, that’s a common one. But, again, you never want to share your log-in information over the phone.
Also, anytime you’re being asked to provide PII, or personally identifiable information, which is essentially Social Security numbers, driver’s license numbers, passport numbers, bank accounts, et cetera, we always want to be wary. And, as Tim mentioned several times, and this should be a running thread throughout the entire webinar, if something doesn’t feel right, if your spider sense starts tingling, you should take a moment and make sure that you do your diligence before you provide any information or execute any transactions.
So let’s move on to business email compromise. This is a massive threat, impacting a vast majority of businesses out there. In fact, 80 percent of companies reported BEC fraud last year, which was an increase over 2017, and I imagine it’ll continue to increase.
And at the highest level, BEC attacks are essentially an employee or an individual receiving a communication that they believe to be from a trusted colleague or a business partner, asking them to execute some kind of monetary transaction to a new beneficiary. They believe it to be legitimate, and the funds are then sent to a fraudulent account, and the fraudsters will actually keep trying to have the victim move money until the victim becomes aware that they have been deceived.
So there’s a lot of different iterations of BEC, but I’m going to just walk you through a use-case, to kind of give you an idea of what those cases look like. So the first step is identification. So, what the fraudster might do, if they have a target, say the CEO of a company, they might go look for information. There’s a lot of information out there through LinkedIn and Facebook and the company’s website. They get the email address of the CEO. They might learn something about them, like they just attended a local car show, they’re a car enthusiast.
And then Tim had talked about spear-phishing a little bit earlier. So, they’re going to use spear-phishing, which is essentially leveraging some information they know about the target to get them to click on a link. So they might send an attachment with, you know, upcoming events for car shows in the area, and say, “Hey, hope you had fun at the most recent event. Here are some upcoming events we hope you can attend.” The CEO sees it, thinks it’s innocuous, maybe opens the attachment, and malware’s effectively installed onto his computer, his or her computer.
So at that point, the fraudster gets into Outlook, or whatever their email service is, and they spend the next day or two just pulling information and manufacturing the identity of the CEO. They’re looking at the CEO’s schedule, who moves money for them, what kind of formats are used or templates. How much money is typically moved? They don’t want to ask to send a million dollars if the biggest wire that’s ever been sent out of the company is 12,000.
They’re taking all of that information and kind of poising themselves to strike. And when they do, what they typically will do is create a new email address that looks very similar to the CEO’s email address. The difference is typically going to be in the domain, which is the part that’s after the “@”. So they may change a dash to an underscore, or an O to a zero, something that, you know, few of us would catch, because few of us are applying that level of scrutiny to the senders of emails.
So what they’ll then do is, they’ll send the email out to the individual from accounts receivable, for example, posing as the CEO. “We need to send out a 90,000 dollar wire. I can’t talk about it right now. I’m in a meeting. Have to get this done. There’ll be severe penalties, implications,” et cetera. Again, creating that call to action or sense of urgency. Believing it to be legitimate, the individual from accounts payable issues the 90,000 dollar wire using the instructions provided by the fraudster.
Once those funds reach their destination, and the fraudster’s able to successfully withdraw them, then typically, they’ll keep going back to the well. You know, “We have another wire we need to send out today.” Sometimes it’ll be escalating amounts. And it isn’t until the target becomes aware that they’re a victim and what’s happening, that the tactic stops, right? They’ll just keep kind of milking it and get as much money as they possibly can.
And, again, this happens very often. In fact, just about a month ago, I was at the Philadelphia airport, and I was talking to a gentleman that owned a mid-size business. And he had shared that they sent out a wire for 650,000 dollars to Hong Kong. Now, luckily they caught it quickly enough that they were able to recoup most of it. But it feels like any time we’re doing these webinars or seminars, this comes up very often. It’s easy and it’s extremely effective.
So some things to think about for yourselves and your organizations. You should always question any new payment request where the context is unclear. You’ll see things like, “Charge this to admin expense, it’s a new project, few people know about this.” They’re really pushing the action in these emails. They don’t want you to stop and think about it too much.
Look for unusual differences in the sender’s email address. Now, that’s not a catch-all, because you can spoof email addresses, but we still see a lot of that, where they do just make that small change, right, in the domain. The stronger the sense of urgency, the higher your suspicions should be raised. Someone from (inaudible) saying, “This needs to be done right now,” and that’s unusual, it should raise your eyebrows every single time.
And this is probably the most important piece of advice I would offer. Any new payment request to a new or modified beneficiary account should be verified with a phone call to an established phone number. It should always warrant a phone call. And make sure it’s an established number, too. We’ve seen it where a victim would say, “Hey, I called them,” but they’re using the number that was just on the signature of the email, which kind of defeats the purpose, right?
And then the other big thing, folks, is just awareness and education around this scam. And just, you know, circulate it now throughout your businesses and with business partners and even family members -- the more people that are aware of this, the more it’s going to fail when it’s attempted. So business email compromise is something certainly to keep at the top of your mind.
And lastly, check fraud. So, 70 percent of organizations reported being exposed to check fraud in 2018. Check fraud’s been around a long time. There’s a lot of iterations of it. And you can typically bucket it into two different categories. One would be where a check’s deposited into the victim’s account. So this is all about identifying a suspect check when you receive it in your organization. So you want to look for, you know, smooth, non-perforated edges, particularly for a personal check. The bank logo is kind of faded or washed out, which potentially could be indicative of check washing, or chemicals used to remove information and add new information on. Thin and flimsy or shiny paper. Another thing to look for is the MICR line, those black numbers, your account and routing number at the bottom of the check; if those happen to be raised. And then, also, just any indication in general that the check’s been altered. The printing is at an angle, anything that you feel suspicious about you should certainly take into consideration.
And then what we see a lot of is checks drawn off of the victim’s account, right? So these would be checks drawn off of your account. And, you know, any time you’re putting a check out into the universe, you’re providing your account and routing number. So, where that’s exposed, you have fraudsters that will take that information and they’ll create counterfeit checks. And then they’ll go to an FI and try to negotiate it, right?
One thing that’s really important for businesses that are using checks in 2019, ’20, and beyond, is to have some type of security feature stacked up against it, right? That’ll prevent you from having to close your account and then open a brand new one every time you have a compromise, right? So something like Positive Pay is an example. You certainly want to talk about that and other options. And Positive Pay, for those unfamiliar with it, is essentially a tool that gives you the opportunity to review and potentially reject any checks that are trying to draw against your accounts. So, something certainly to keep in mind.
Also, keep the proper internal controls. So, insider fraud is very prominent. You want to make sure that, where possible, you always have dual authorization, not just for checks, but for any payment types. You want to keep your check stock under lock and key. It shouldn’t be easy to just go pick up the check stock in your organization. And then, migrating payments from check to electronic, where possible, is certainly going to mitigate a lot of the risk. You should consider surprise audits. That’s always helpful. And then, check your statements routinely, which is, I think, appropriate across the board for all fraud types.
And then also, ensure governance with your business around systems access. So there’s plenty of fraud scenarios where you have a system that allows you to generate payments or checks, and you have someone who hasn’t even been with the organization for months, years. They still have access and are able to get in there and execute transactions. So, something else to be cognizant of as well.