JESSICA: At this time, let’s begin today’s webinar. I would now like to turn today’s presentation over to your first speaker, Amir Madjlessi, Managing Director of Business Banking, Santander Bank, North America. Amir, you have the floor.
AMIR: Thanks so much, Jessica, and good afternoon everyone. Thank you so much for joining us today, at the end of May here. We’re excited because we’ve had many, many activities for Small Business Month, as we’ve converted it into at Santander. So, we are really delighted to have all of you and respect the fact that you’ve carved out this time to join the webinar. You know, at Santander, I’ll share with you why we’re doing this. At Santander we’re committed to doing everything we can to help all of you, small businesses. We know that you have a shortage of time and you have limited resources to work with, so we want to make sure that we step up and find ways to either protect or grow your business or in some cases transition your business as well. So one of the ways that we support small business is by providing information—insights, thought leadership—to help make better decisions, to introduce new ideas, to share best practices, and so on.
So today’s topic is about protecting your business from a range of threats that have become increasingly common. So I’m going to give you a “Did you know?” Did you know that 82 percent of organizations reported payment-fraud incidents in 2018? [1] That is an incredible and staggering number for me. Also, another “Did you know?” Median fraud loss for US businesses is about $108,000. [2] Now, this includes business disruption and lost capacity and time and cost to investigate. Those are meaningful impacts to many business owners, and so we felt compelled to now offer an opportunity to give you insight into those emerging threats and what we could do to help you.
Importantly, we’re fortunate to have two Santander colleagues joining me today to present. I’m joined here by Tim DeRidder—he’s the Head of Fraud Risk Management for the U.S. at Santander—and Dan Hyland, who’s the Head of Claims Collections and Fraud Operations at Santander. I have the privilege of working with both of these gentlemen here on a day-to-day basis and couldn’t be more delighted to have them here in this webinar. So I’m going to offer the floor here to Tim, and he’s going to walk through the first portion of our presentation here. Tim, over to you.
TIM: Great. Thank you so much, Amir. And thank you so much for having me. One of the most impactful things when discussing fraud that I want to start with is talking about the macroeconomic or industry shifts that are occurring in the U.S. market, because I think they’re very impactful when we’re talking about fraud itself. When we look at banking and payments, it’s an ecosystem problem, and when one type of fraud is detected and managed, typically we see the fraudsters begin to shift. I always give the analogy that fraud is like a balloon animal: when you start to squeeze the legs, the head starts to get bigger—as the fraud shifts. Right now, in talking to most of my peers around the industry, we see an unprecedented level of investment from many financial institutions and companies in fraud controls to protect their customers, and this has largely been driven by an expansion of EMV within the environment, and that is essentially the chips that all of us have on our credit and debit cards. As the U.S. has begun to adopt this technology—and it has dried up quite an advantageous method for fraudsters to gain funds—they do not usually get legitimate jobs, like all of us, and they will continue to shift their attacks to things like checks and wires and ACHs, which we have also seen. Another large driver of shifting fraud within the ecosystem is data breaches. Typically these data breaches continue to happen, and the shift that has occurred is that fraudsters now are not necessarily targeting companies for their card data or their payment data—again, because of the chips on our cards; they’re now targeting companies and merchants for personally identifiable information—or PII. Social security numbers. Gym membership information. Names. Email addresses of customers. And they use this data to essentially attack companies and banks through authentication, or identifying if it’s actually the customer that’s reaching out to you.
The last emerging threat that we see within the industry is first-party fraud—it’s a rapidly growing problem—and this impacts most companies because the interesting thing is that the customer is the fraudster with this type of a fraud attack. And it usually manifests itself with the falsification of documents, income, employment, or identity. All these trends are typically impactful because 30 percent of fraud cases occur in small businesses, and small businesses also typically have fewer protections in place than larger corporations. If there’s any one thing that I’ve learned in most of my fraud-fighting career, it’s that fraudsters tend to go after the path of least resistance.
So moving on, now I think it would probably be pretty helpful if we dive into some of the topics specifically which might be impacting some of our small business clients who are on the phone, such as all of you. The first thing I’m going to talk about is phishing, and this is not what I typically do in my free time in the summer. This is phishing, or the sending of emails from what looks to be a reputable company or a person, and the attempt here is to gain, again, personally identifiable information, or the fraudsters will attempt to create a sense of urgency so that folks click a link in haste, and that link will usually infect someone’s computer or system with malware. A prime example of this is you could receive an email from your bank, and the bank says, “Hi, your account is blocked for suspicious activity, and you’re going to begin to get charged fees if you do not reply back with your social security number or your PIN.” I urge you: do not respond or click the links from these emails. Another type of phishing is called spear-phishing. It’s essentially a form of phishing that’s very targeted, and typically we will see that these attacks target high-profile folks within companies such as CFOs, business owners, or people that work in accounting, because they have access to funds. Another example that we see with these attacks is an email that looks like a business owner asking the receiver to wire funds for equipment or the payoff of a loan.
So you’re probably asking yourselves, “How do I protect myself from some of these attacks that Tim just mentioned?” Some of the most basic things are to pause. If anything is urgently asking you to do something, think about whether this is truly legitimate. Also know some of the key signs. If there’s poor grammar or spelling mistakes in an email, that could be a tip. Also if there are any weird links or graphics that look off or slightly tilted, that could be an example. One of the things that I always do in my personal life is that when I’m sending email, I will point to the sender to reveal what the real URL is of the sender. When I get an email—typically from Microsoft—I don’t expect the email address to be 500 characters long from a random email address. Also, one of the taglines that we use internally at Santander which I think could beneficially help a lot of businesses is: think before you click. Don’t just click links, because links can infect you with malware. And also, last but not least: if you feel worried or if you feel off for any reason about anything that you receive, call the person who supposedly sent you that email or that message. Trust me, they will be infinitely happier that they received your phone call and that they talked to you about the situation.
This also leads into cyberattacks. So more and more we start to see that fraud attacks are becoming complex, and they’re bleeding over into what we call cyberattacks. Also another driver of this is that businesses—potentially such as yourselves—are heavily investing in digital sites and assets that are very low-cost and easy for your customers. Because these channels are remote and they’re easy to access, of course that makes them higher risk for fraudsters to attack them. One thing to note is that not all fancy digital sites are a target for fraudsters. I’ll use a very recent example, but in the widely publicized Target breach that occurred within the industry, the hackers actually did not attack Target’s main website; they actually attacked Target’s Wi-Fi system that was attached to their heating, ventilating, and cooling system, and they were able to get into Target’s main system through the HVAC Wi-Fi. So make sure that you protect your assets. And I’ll tell you a little bit further down in the presentation how to do so. Quickly I just want to talk about another particularly nasty cyberattack that’s becoming mainstream in the ecosystem and that’s ransomware. This is a cyberattack that’s typically perpetrated through phishing—which we just talked about—and that’s where a fraudster will attempt to have someone click on a document or a link where malware will then infect the person’s device or network. Once the fraudster is then inside of this business’s network, they will typically block access to employees or hold a business’s network ransom until a ransom amount is paid to the fraudster.
Some tips to protect your business and yourselves from cyberattacks: Definitely perform backups of your information. Typically within ransom attacks, fraudsters will threaten the business owner or the person, stating that they will delete key assets or that they will shut off all access to a business, which could be important. Make sure you’re backing up all of your important data on a regular basis. Also, it may sound basic, but make sure that you have antivirus software installed and it’s up to date. Most of these antivirus providers are up to date on the most key threats out within the ecosystem, so if you have a five-year-old version of McAfee or Norton, it will most likely not help you. Also make sure that you’re securing all of your Wi-Fi networks and your access points within your company. Make sure that you use strong passwords and that any of the firewalls that you have that protect the front of your business, you’re scanning them for anomalies. Sometimes even the weirdest looking of pings on a firewall could protect you. Some of the other tips and tricks that you can see from the next page up on the slide is just making sure that—again—your point-of-sale systems, if you offer them, are all protected and have the latest versions of software installed. One of the most critical things that I do tell most folks that ask me these questions is invest in your employees. Also train them on what weird looks like, and make sure that they escalate anything that they feel is suspicious. And of course, if you suspect any fraudulent activity on your Santander bank account, please escalate to your relationship manager or your local branch as soon as possible. Now with that, I’m actually going to turn it over to Dan, who’s going to continue to talk about other attacks, such as SMiShing and Vishing.
DAN: Thanks a lot, Tim, and good afternoon everyone. So I’m going to start with SMiShing and Vishing, which are actual terms. These are plays off of phishing, and the first one, SMiShing, is through SMS—typically known as text message. And what happens is, the fraudster’s trying to accomplish one of two things: either gathering sensitive information or downloading malware onto your device. So gathering sensitive information—just to give you an example of what that may look like—you get a text message saying that your card is blocked. It won’t list your actual bank, typically; they want to cast a wide net. They may not have that information. It’ll say: “If you want this card unblocked, you need to be authenticated,” and they’ll give you a number to call back into. You call the number; they will ask for your card number, your CVV code, your mother’s maiden name—however ambitious they want to be. And unfortunately, a lot of people share that information. The other look you might get is trying to install malware. So this is basically like phishing, where the same rules apply. If you click on the link, even though it’s coming through a text message, they can install malware onto your device, and there’s a litany of different nefarious purposes they can leverage that malware for. It’s really effective, too, because folks tend to be less guarded when it comes to text messages versus emails. But you know, mobile phones are very powerful computers in our pockets, so the next frontier is where a lot of this fraud is moving to, and mobile malware is—you know—growing rapidly. So when you think about SMiShing, you don’t want to reply to text messages asking about your personal finances or sensitive information.
If you receive a text message—even if it looks like it’s from somebody you know—there are apps out there that will allow fraudsters to spoof numbers, so if your spider sense starts tingling, it’s probably a good idea to make a phone call to whoever it is that’s texting you with some unusual request for money or information. Most SMiShing messages don’t come through looking like a traditional phone number. A lot of the time you see that it might be 5000, right? And this is indicative of a text message that is being sent via email. And finally, again, just to reiterate, those links that you receive in the SMiShing text operate the same as a bad link in an email, so they should be addressed as such.
So we’ll shift over to Vishing, and Vishing again, same idea, except that this is through a phone call. And typically what the fraudster’s trying to accomplish here is either to solicit a payment or to obtain sensitive information. An example of where they might be soliciting a payment, and a common approach, is where they call posing as the IRS. You have back taxes. You are in big trouble. We have a SWAT team that’s about to kick down the doors unless you quickly make a payment to us. At that point, they’ll typically give you unusual instructions to make that payment, right? And then obtaining sensitive information—this is where they’ll call posing typically as a bank. They’ll ask for login credentials for online banking. There’s actually a scenario that we’ve been seeing more and more in the industry where you have a fraudster that tries to log in to online banking. Most banks have one-time password controls—Santander is certainly one of those banks—and what will happen is that the one-time password will get sent out to the actual customer. The fraudster then, having the customer’s phone number, will reach out to them, posing as the bank, and ask them for that one-time password. That will never happen, right? The bank will never call you and randomly ask for a one-time password unless it’s, you know, initiated—you made the call; you’re talking to them and being authenticated—but you won’t catch a call out of the blue asking for that information. So you should be very wary of ever providing it.
Going to move onto the next slide here, and we’re going to talk about business email compromise. Here we go. This is a growing threat—it has been for some time. If you walk out of this call today thinking about one attack vector, this should be it. It’s very effective. It’s very popular. It’s very easy to execute. 80 percent of companies reported BEC fraud in 2018, which is an increase from the previous year. A lot of businesses have lost a lot of money—big dollars that could potentially shut your doors. So the easiest way to explain this—and there’s a lot of different iterations of it—is probably just to walk you through a common scenario. So I’m a fraudster, and I’m trying to extract money from an organization, and it’s a box company. I do some research online, I see the CFO’s name is John Doe, I do a little cursory research on him and find out that he’s on the board of directors for a local charity. So acting as that charity—and Tim talked a little bit about spear-phishing, so I have a little bit of information to lower the CFO’s defenses when he receives this email—I send him an email. I say, “Hey, there’s some events coming up for the charity. Would you take a look?” And I have an attachment on there. He opens the attachment, which effectively installs malware onto the CFO’s computer. I, the fraudster, spend the next couple of days harvesting information. I look at his schedule. I look at his signature. I look to see who moves money within his organization. And then I basically set up my attack. And what I do when I attack is I create a separate email address that looks very similar to John Doe’s. So for example, instead of email@example.com, I replace the o in boxes with a 0. Very few of us are applying that level of scrutiny to the email addresses in the emails we receive, so it goes—I use that email address and I send an email to somebody that moves money in the organization, and I ask them to process an invoice to a vendor. 
Looks very similar to the invoice that they process every day. They execute it, they don’t think anything of it, the money moves out the door, it goes into a fraudulent account, they pull the money out, and then what they’ll do is they’ll keep trying to get more money until that individual speaks to the CFO and finds out that they never sent them an email.
The other thing that’s worth thinking about as well when it comes to these scenarios is that you can be the victim where someone else has been a victim of BEC. So this would be a scenario where you have a vendor, they get compromised through BEC, and then the fraudster sends out fraudulent invoices to all of the clients saying, “Hey, we have new payment instructions.” The clients receive it and they start sending money out, and until they get a late notice on payment, they don’t realize what they’ve done, right? So what I would tell you is: One, when it comes to BEC, be sure that everyone within your organization is well aware of this scam. Again, it is ubiquitous. We see it all over the place. A lot of folks fall victim to it. And furthermore, you should never be executing a payment to a new or modified payee account without a phone call to an established phone number to verify it. So that should be gospel; it’s something you certainly want to preach within your respective organizations.
So finally, let’s talk a moment about check fraud. 70 percent of organizations reported being exposed to check fraud last year, and really there are two dimensions to this: one is when you’re depositing checks that are bad, and the other side of it is having fraudulent checks drawn off of your account. So some tips for depositing fraudulent checks and how to identify them up front: personal checks with no perforated edge should raise red flags, or having no bank logo or a faint logo, or where the material of the check is thin, flimsy, or on shiny paper—these should be concerning. No microline, or a microink that looks shiny or raised; typically, it should not be raised and should be dull. Anything indicative of a washed check, which is where fraudsters use chemicals to pull information off and then put new information onto the check before they deposit it, so anything that looks erased, smudged, etc. The check has a very low sequence number or serial number, or no sequence number at all on it. And then if there’s a customer that’s depositing a check that’s very distracting—they’re trying to rush the process and trying to create a sense of urgency and take your attention off the item that they’re handing you. So those are some things to think about when you’re accepting checks. The other side of it is having checks drawn off of your account. So it’s really important to review your bank statements regularly for any irregularities. Avoid any scenarios where the authorizing signers of the company’s checks are the same folks that are actually reconciling the account. Where applicable you should consider moving check disbursement activity to electronic payments. You want to protect your account with a bank service such as Positive Pay.
Really important—especially in 2019, you know—when you put your account routing number out into the universe, there’s a multitude of ways that could be leveraged to perpetrate fraud, so it’s really important to have something in place to protect yourself and your organization. And finally, you know, if unfortunately you do have your account compromised, it is really important if you don’t have something like Positive Pay in place to ensure that you’re closing that account immediately to protect yourself.
[1] Source: AFP Payments Fraud & Control Survey
[2] Source: Association of Certified Fraud Examiners, 2018 Report to the Nations